AFFiNE-Mirror/packages/backend/server/package.json
renovate[bot] ac6d0d35af chore: bump up @opentelemetry/exporter-prometheus version to ^0.217.0 [SECURITY] (#14944)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.215.0` → `^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-prometheus/0.217.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0?slim=true) |

---

### Prometheus exporter process crash via malformed HTTP request
[CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) /
[GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

<details>
<summary>More information</summary>

#### Details
##### Summary

A single malformed HTTP request crashes any Node.js process running the
OpenTelemetry JS Prometheus exporter. The metrics endpoint (default
`0.0.0.0:9464`) has no error handling around URL parsing, so a request
with an invalid URI causes an uncaught `TypeError` that terminates the
process.

**You are affected by this vulnerability if either of the following
applies to your application:**

* you directly use `@opentelemetry/exporter-prometheus` in your code
through its built-in server.
* your `OTEL_METRICS_EXPORTER` environment variable includes
  `prometheus` **AND**
  * you use `@opentelemetry/sdk-node`
  * you use `@opentelemetry/auto-instrumentations-node` via
    `--require @opentelemetry/auto-instrumentations-node/register` /
    `--import @opentelemetry/auto-instrumentations-node/register`

##### Impact

**Denial of service.** Any application using the OpenTelemetry
Prometheus exporter’s built-in server can be crashed by a single
unauthenticated network packet sent to the metrics port. No
authentication, special privileges, or prior access is required.

##### Remediation

###### Update to the fixed version

Update `@opentelemetry/exporter-prometheus` and
`@opentelemetry/sdk-node` to version **0.217.0** or later.
Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0**
or later.

This release adds proper error handling around the URL constructor,
returning an HTTP `400` response on parse failure rather than allowing
the exception to propagate and crash the process.

```
npm install @opentelemetry/exporter-prometheus@latest
```

###### Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT]
> The following mitigations reduce exposure but do not fully remediate
> the vulnerability. Any client that *can* reach the metrics endpoint -
> including your own Prometheus scraper host if compromised - could still
> trigger the crash. Updating to **0.217.0** is the recommended
> resolution.

If updating is not immediately feasible, restrict access to the metrics
endpoint so that it is not reachable by untrusted or unauthenticated
network clients. For example:

* **Bind to localhost only** by setting the `host` option to `127.0.0.1`
when configuring the `PrometheusExporter`, so the port is not exposed on
public or shared network interfaces

* **Use a firewall or network policy** to restrict access to port `9464`
(or whichever port you have configured) to only trusted Prometheus
scrape hosts

* **Place the endpoint behind a reverse proxy** that filters or
validates incoming requests before they reach the exporter

##### Details

In `PrometheusExporter.ts`, the `_requestHandler` calls `new
URL(request.url, this._baseUrl)` without any error handling. Node's HTTP
parser accepts absolute-form URIs (e.g. `http://`) for proxy
compatibility, including malformed ones. When `request.url` is
`"http://"`, the `URL` constructor throws `TypeError: Invalid URL`.
Since there is no try-catch in the handler, the exception propagates as
an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus
scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable
by any network client that can connect to the metrics port.

##### Proof of Concept

Start any Node.js application with the Prometheus exporter running on
the default port `9464`, then send a single raw TCP packet:

```
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
```

The process crashes immediately with:

```
TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)
```

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
- [https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3)
- [https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/exporter-prometheus)</summary>

### [`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

### [`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-12 16:21:10 +08:00
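The handler defect the advisory above describes, shown as an added example that is not code from the opentelemetry-js project or the AFFiNE repository: an unguarded request handler that lets `new URL()` throw, beside a hardened one that answers an unparsable request-target with HTTP 400. `BASE_URL`, `ENDPOINT`, `probe`, the response stub and the sample metrics text are assumptions of the example.

```javascript
// Added example, not code from the opentelemetry-js project: a stand-in for
// the exporter's request handler in the unguarded shape the advisory
// describes, beside a hardened shape that answers a URL parse failure with
// HTTP 400 instead of an uncaught exception. All names are hypothetical.
const BASE_URL = 'http://localhost:9464/';
const ENDPOINT = '/metrics';
// Constructed sample exposition standing in for real collected metrics.
const SAMPLE_METRICS = '# TYPE demo_requests_total counter\ndemo_requests_total 1\n';

function serve(url, response) {
  response.statusCode = url.pathname === ENDPOINT ? 200 : 404;
  response.end(response.statusCode === 200 ? SAMPLE_METRICS : '');
}

// Unguarded: for an absolute-form request-target such as "http://",
// new URL() throws `TypeError: Invalid URL` and nothing catches it.
function unguardedHandler(request, response) {
  serve(new URL(request.url, BASE_URL), response);
}

// Hardened: a request-target that does not parse is a client error.
function guardedHandler(request, response) {
  let url;
  try {
    url = new URL(request.url, BASE_URL);
  } catch {
    response.statusCode = 400;
    response.end('');
    return;
  }
  serve(url, response);
}

// Minimal stand-in for http.ServerResponse so the handlers run offline.
function fakeResponse() {
  return { statusCode: 0, body: '', end(chunk) { this.body += chunk; } };
}

// Drive a handler with one request-target; return the status it set, or
// 'crash: <name>' when the exception escaped (a process crash in production).
function probe(handler, requestUrl) {
  const response = fakeResponse();
  try {
    handler({ url: requestUrl }, response);
    return response.statusCode;
  } catch (err) {
    return `crash: ${err.name}`;
  }
}
```

`probe(unguardedHandler, 'http://')` reports the escaped `TypeError`, while `probe(guardedHandler, 'http://')` returns 400 and a normal `/metrics` request still returns 200 from both handlers.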

177 lines
5.7 KiB
JSON

```json
{
  "name": "@affine/server",
  "private": true,
  "version": "0.26.3",
  "description": "Affine Node.js server",
  "type": "module",
  "scripts": {
    "build": "affine bundle -p @affine/server",
    "dev": "nodemon ./src/index.ts",
    "dev:mail": "email dev -d src/mails",
    "test": "ava --concurrency 1 --serial",
    "test:copilot": "ava \"src/__tests__/copilot/copilot-*.spec.ts\"",
    "test:coverage": "c8 ava --concurrency 1 --serial",
    "test:copilot:coverage": "c8 ava --timeout=5m \"src/__tests__/copilot/copilot-*.spec.ts\"",
    "e2e": "cross-env TEST_MODE=e2e ava --serial",
    "e2e:coverage": "cross-env TEST_MODE=e2e c8 ava --serial",
    "data-migration": "cross-env NODE_ENV=development SERVER_FLAVOR=script r ./src/index.ts",
    "init": "yarn prisma migrate dev && yarn data-migration run",
    "seed": "r ./src/seed/index.ts",
    "genconfig": "r ./scripts/genconfig.ts",
    "cli": "cross-env SERVER_FLAVOR=script node ./dist/main.js",
    "predeploy": "yarn prisma migrate deploy && yarn cli run",
    "postinstall": "prisma generate"
  },
  "dependencies": {
    "@affine/s3-compat": "workspace:*",
    "@affine/server-native": "workspace:*",
    "@apollo/server": "^5.5.0",
    "@as-integrations/express5": "^1.1.2",
    "@google-cloud/opentelemetry-cloud-trace-exporter": "^3.0.0",
    "@google-cloud/opentelemetry-resource-util": "^3.0.0",
    "@inquirer/prompts": "^7.10.1",
    "@nestjs-cls/transactional": "^3.2.0",
    "@nestjs-cls/transactional-adapter-prisma": "^1.3.4",
    "@nestjs/apollo": "^13.2.4",
    "@nestjs/bullmq": "^11.0.4",
    "@nestjs/common": "^11.1.18",
    "@nestjs/core": "^11.1.18",
    "@nestjs/graphql": "^13.2.5",
    "@nestjs/platform-express": "^11.1.18",
    "@nestjs/platform-socket.io": "^11.1.18",
    "@nestjs/schedule": "^6.1.1",
    "@nestjs/throttler": "^6.5.0",
    "@nestjs/websockets": "^11.1.18",
    "@node-rs/argon2": "^2.0.2",
    "@node-rs/crc32": "^1.10.6",
    "@opentelemetry/api": "^1.9.0",
    "@opentelemetry/core": "^2.2.0",
    "@opentelemetry/exporter-prometheus": "^0.217.0",
    "@opentelemetry/exporter-zipkin": "^2.6.0",
    "@opentelemetry/host-metrics": "^0.38.3",
    "@opentelemetry/instrumentation": "^0.215.0",
    "@opentelemetry/instrumentation-graphql": "^0.63.0",
    "@opentelemetry/instrumentation-http": "^0.215.0",
    "@opentelemetry/instrumentation-ioredis": "^0.63.0",
    "@opentelemetry/instrumentation-nestjs-core": "^0.61.0",
    "@opentelemetry/instrumentation-socket.io": "^0.62.0",
    "@opentelemetry/resources": "^2.2.0",
    "@opentelemetry/sdk-metrics": "^2.2.0",
    "@opentelemetry/sdk-node": "^0.215.0",
    "@opentelemetry/sdk-trace-node": "^2.2.0",
    "@opentelemetry/semantic-conventions": "^1.38.0",
    "@prisma/client": "^6.6.0",
    "@prisma/instrumentation": "^6.7.0",
    "@queuedash/api": "^3.16.0",
    "@react-email/components": "^0.5.7",
    "@socket.io/redis-adapter": "^8.3.0",
    "bullmq": "5.53.0",
    "commander": "^13.1.0",
    "cookie-parser": "^1.4.7",
    "cross-env": "^10.1.0",
    "date-fns": "^4.0.0",
    "dotenv": "^16.4.7",
    "eventemitter2": "^6.4.9",
    "exa-js": "^2.4.0",
    "express": "^5.0.1",
    "fast-xml-parser": "^5.7.2",
    "get-stream": "^9.0.1",
    "google-auth-library": "^10.2.0",
    "graphql": "^16.13.2",
    "graphql-scalars": "^1.24.0",
    "graphql-upload": "^17.0.0",
    "html-validate": "^9.0.0",
    "htmlrewriter": "^0.0.12",
    "http-errors": "^2.0.0",
    "ioredis": "^5.8.2",
    "is-mobile": "^5.0.0",
    "jose": "^6.1.3",
    "jsonwebtoken": "^9.0.3",
    "lodash-es": "^4.17.23",
    "mustache": "^4.2.0",
    "nanoid": "^5.1.6",
    "nest-winston": "^1.9.7",
    "nestjs-cls": "^6.0.0",
    "nodemailer": "^8.0.4",
    "on-headers": "^1.1.0",
    "piscina": "^5.1.4",
    "prisma": "^6.6.0",
    "react": "^19.2.1",
    "react-dom": "19.2.1",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2",
    "semver": "^7.7.4",
    "ses": "^1.15.0",
    "socket.io": "^4.8.1",
    "stripe": "^17.7.0",
    "tldts": "^7.0.19",
    "winston": "^3.17.0",
    "yjs": "^13.6.27",
    "zod": "^3.25.76",
    "zod-to-json-schema": "^3.20.0"
  },
  "devDependencies": {
    "@affine-tools/cli": "workspace:*",
    "@affine-tools/utils": "workspace:*",
    "@affine/graphql": "workspace:*",
    "@affine/realtime": "workspace:*",
    "@faker-js/faker": "^10.1.0",
    "@nestjs/swagger": "^11.2.7",
    "@nestjs/testing": "patch:@nestjs/testing@npm%3A11.1.18#~/.yarn/patches/@nestjs-testing-npm-11.1.18-32c0f6af12.patch",
    "@types/cookie-parser": "^1.4.8",
    "@types/express": "^5.0.1",
    "@types/express-serve-static-core": "^5.0.6",
    "@types/graphql-upload": "^17.0.0",
    "@types/http-errors": "^2.0.4",
    "@types/jsonwebtoken": "^9.0.9",
    "@types/lodash-es": "^4.17.12",
    "@types/mustache": "^4.2.5",
    "@types/node": "^22.0.0",
    "@types/nodemailer": "^7.0.0",
    "@types/on-headers": "^1.0.3",
    "@types/react": "^19.0.1",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
    "@types/supertest": "^7.0.0",
    "ava": "^7.0.0",
    "c8": "^10.1.3",
    "nodemon": "^3.1.14",
    "react-email": "^4.3.2",
    "sinon": "^21.0.1",
    "socket.io-client": "^4.8.3",
    "supertest": "^7.1.4",
    "typescript": "^5.9.3",
    "why-is-node-running": "^3.2.2"
  },
  "nodemonConfig": {
    "exec": "node",
    "ignore": [
      "**/__tests__/**",
      "**/dist/**",
      "*.gen.*"
    ],
    "env": {
      "NODE_ENV": "development",
      "AFFINE_ENV": "dev",
      "AFFINE_SERVER_EXTERNAL_URL": "http://localhost:8080",
      "DEBUG": "affine:*",
      "FORCE_COLOR": true,
      "DEBUG_COLORS": true
    },
    "delay": 1000
  },
  "c8": {
    "reporter": [
      "text-summary",
      "lcov"
    ],
    "report-dir": ".coverage",
    "exclude": [
      "scripts",
      "node_modules",
      "**/*.spec.ts",
      "**/*.e2e.ts"
    ]
  }
}
```