Skip to content

fix(deps): remediate dependency vulnerabilities#124

Merged
robert-northmind merged 4 commits into
mainfrom
chore/dependency-security-cleanup
Jul 15, 2026
Merged

fix(deps): remediate dependency vulnerabilities#124
robert-northmind merged 4 commits into
mainfrom
chore/dependency-security-cleanup

Conversation

@robert-northmind

@robert-northmind robert-northmind commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • update JavaScript, OpenTelemetry, Android, Ruby, and CI dependencies to remediate reported vulnerabilities
  • adapt the Faro trace exporter to OpenTelemetry’s encoder API and harden npm publishing with a pinned, script-disabled npm installation
  • consolidate the safe Renovate updates; keep Jest deferred because its PR fails tests, retain the license-compatible token action because v0.3.1 is classified as AGPL-3.0, and use CocoaPods 1.16.2 because 1.17 conflicts with the current xcodeproj constraint

Supersedes #78, #95, #96, #97, #104, #112, #115, #119, #120, and #122.

Test plan

  • immutable Yarn install
  • build all packages
  • lint and formatting checks
  • 465 unit tests
  • circular dependency checks
  • dependency audit (no active vulnerability advisories)
  • CocoaPods and Ruby dependency validation
  • build, install, and launch the iOS demo
  • build, install, and launch the Android demo

Co-authored-by: Cursor <cursoragent@cursor.com>
@robert-northmind robert-northmind requested a review from a team as a code owner July 14, 2026 11:36
@robert-northmind robert-northmind self-assigned this Jul 14, 2026
robert-northmind and others added 2 commits July 14, 2026 13:41
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

@aranhave aranhave left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall! one Ruby/json compatibility follow-up remains.

Comment thread demo/Gemfile
Co-authored-by: Cursor <cursoragent@cursor.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates multiple dependency/security updates across the monorepo (JS/OpenTelemetry, Android, iOS CocoaPods/Ruby, and CI), and adapts the React Native tracing exporter to the newer OpenTelemetry OTLP encoder API while hardening the npm publishing step.

Changes:

  • Bump core JS/tooling dependencies (Faro core, OpenTelemetry packages, lint/markdown tooling) and update the lockfile accordingly.
  • Update native/demo dependencies (protobuf-javalite/protoc, Gradle wrapper, CocoaPods/Ruby gems, NitroModules) for security remediation.
  • Adjust trace exporting to use OpenTelemetry’s encoder API and pin npm installation in the release workflow.

Reviewed changes

Copilot reviewed 11 out of 14 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
yarn.lock Updates resolved dependency graph for vulnerability remediation and tooling bumps.
README.md Minor markdown formatting change in “Related Projects” list.
packages/test-utils/package.json Bumps @grafana/faro-core dependency.
packages/react-native/package.json Bumps @grafana/faro-core and react-native-nitro-modules.
packages/react-native/android/build.gradle Updates protobuf protoc and protobuf-javalite versions.
packages/react-native-tracing/src/exporters/faroTraceExporter.ts Switches OTLP export request creation to the encoder-based API.
packages/react-native-tracing/package.json Bumps Faro core and OpenTelemetry dependency versions.
package.json Updates dev tooling versions and adds targeted resolution pins.
demo/package.json Bumps react-native-nitro-modules.
demo/ios/Podfile.lock Updates iOS pods lock (FaroReactNative, NitroModules, safe-area-context, checksums).
demo/Gemfile.lock Updates Ruby gems (CocoaPods, concurrent-ruby, json) and records Ruby 3.3.7.
demo/Gemfile Updates Ruby version constraint and tightens gem constraints for security fixes.
demo/android/gradle/wrapper/gradle-wrapper.properties Updates Gradle wrapper to 8.14.5.
.github/workflows/release-please.yml Pins actions/setup-node and installs a pinned npm version with scripts disabled before publish.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread demo/Gemfile

# You may use http://rbenv.org/ or https://rvm.io/ to install and use this version
ruby ">= 2.6.10"
ruby ">= 2.7"
@robert-northmind robert-northmind merged commit bb81fdc into main Jul 15, 2026
16 checks passed
@robert-northmind robert-northmind deleted the chore/dependency-security-cleanup branch July 15, 2026 10:21
@app-o11y-kwl-ci app-o11y-kwl-ci Bot mentioned this pull request Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants