chore: merge main, resolve OpenTelemetry version conflict

Kept full OTel suite at 0.217.0/2.7.1 (our security fix) — main had partially updated exporter-prometheus to 0.217.0 but left the rest at 0.213.0/2.6.1. Full suite update required for consistency and to fix the Prometheus exporter CVE. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: verify all pnpm overrides still needed, bump tar to 7.5.15
2026-05-13 03:16:58 -05:00 · 2026-05-13 09:33:48 +02:00 · 2026-05-13 09:16:25 +02:00 · 2026-05-13 08:45:36 +02:00
3 changed files with 832 additions and 1481 deletions
@@ -46,13 +46,13 @@
    "@lexical/table": "0.41.0",
    "@next-auth/prisma-adapter": "1.0.7",
    "@opentelemetry/auto-instrumentations-node": "0.75.0",
-    "@opentelemetry/exporter-metrics-otlp-http": "0.213.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "0.217.0",
    "@opentelemetry/exporter-prometheus": "0.217.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.213.0",
-    "@opentelemetry/resources": "2.6.1",
-    "@opentelemetry/sdk-metrics": "2.6.1",
-    "@opentelemetry/sdk-node": "0.213.0",
-    "@opentelemetry/sdk-trace-base": "2.6.1",
+    "@opentelemetry/exporter-trace-otlp-http": "0.217.0",
+    "@opentelemetry/resources": "2.7.1",
+    "@opentelemetry/sdk-metrics": "2.7.1",
+    "@opentelemetry/sdk-node": "0.217.0",
+    "@opentelemetry/sdk-trace-base": "2.7.1",
    "@opentelemetry/semantic-conventions": "1.40.0",
    "@paralleldrive/cuid2": "2.3.1",
    "@prisma/client": "6.19.3",
@@ -84,20 +84,26 @@
  "pnpm": {
    "overrides": {
      "@hono/node-server": "1.19.13",
+      "@protobufjs/utf8": "1.1.1",
      "@tootallnate/once": "3.0.1",
      "@xmldom/xmldom": "0.9.10",
      "ajv@6": "6.14.0",
      "axios": "1.15.2",
      "effect": "3.20.0",
-      "fast-xml-parser": "5.5.7",
-      "hono": "4.12.14",
+      "fast-uri": "3.1.2",
+      "fast-xml-parser": "5.7.0",
+      "hono": "4.12.18",
+      "ip-address": "10.1.1",
      "lodash": "4.18.1",
      "node-forge": "1.4.0",
-      "@opentelemetry/otlp-transformer>protobufjs": "8.0.1",
-      "tar": "7.5.13"
+      "postcss": "8.5.14",
+      "protobufjs@7": "7.5.8",
+      "protobufjs@8": "8.2.0",
+      "tar": "7.5.15",
+      "uuid@11": "11.1.1"
    },
    "comments": {
-      "overrides": "Security fixes for transitive dependencies that still fail a no-override audit. Remove each override when its upstream chain adopts a patched version: @hono/node-server/hono/effect via Prisma dev tooling | @tootallnate/once and tar via sqlite3/BoxyHQ SAML Jackson database tooling | @xmldom/xmldom, axios, lodash, and node-forge via @boxyhq/saml-jackson | ajv via @vercel/style-guide/eslint-plugin-tsdoc | protobufjs via BoxyHQ/OpenTelemetry metrics | fast-xml-parser via AWS SDK XML builder."
+      "overrides": "Security fixes for transitive dependencies that still fail a no-override audit. Remove each override when its upstream chain adopts a patched version: @hono/node-server/hono via Prisma dev tooling | @protobufjs/utf8 (CVE overlong UTF-8) - awaiting @opentelemetry/otlp-transformer update | @tootallnate/once and tar via sqlite3/node-gyp chain | @xmldom/xmldom (XML injection/DoS CVEs) - awaiting @boxyhq/saml20 to pin to >=0.9.10 | axios, lodash, and node-forge via @boxyhq/saml-jackson | ajv@6 via webpack/eslint | effect (GHSA-38f7-945m-qr2g) - awaiting @prisma/config update | fast-uri (CVE-2025-48944/48945) - awaiting ajv/schema-utils update | fast-xml-parser via AWS SDK XML builder | ip-address (XSS in Address6) - awaiting mongodb/socks update | postcss (CVE-2025-62695) - awaiting next.js to unpin postcss | protobufjs@7/8 (GHSA-xq3m-2v4x-88gg et al.) - awaiting @grpc/proto-loader/otlp-transformer update | uuid@11 (CVE-2025-61475) - awaiting typeorm update"
    },
    "patchedDependencies": {
      "next-auth@4.24.13": "patches/next-auth@4.24.13.patch"