WIP: POC to use orchestrion-js for instrumentation#20900
Conversation
| form-data "^4.0.5" | ||
| proxy-from-env "^2.1.0" | ||
|
|
||
| axios@^0.26.1: |
There was a problem hiding this comment.
Medium severity vulnerability introduced by a package you're using:
Line 11806 lists a dependency (axios) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.
To resolve this comment:
Upgrade this dependency to at least version 0.31.0 at yarn.lock.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| form-data "^4.0.5" | ||
| proxy-from-env "^2.1.0" | ||
|
|
||
| axios@^0.26.1: |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 11806 lists a dependency (axios) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.
To resolve this comment:
Check if you have NO_PROXY configured in your environment.
- If you're affected, upgrade this dependency to at least version 0.31.0 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
size-limit report 📦
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 2aba4d5. Configure here.
|
Note: dependency warning stuff should be addressed when this is merged/released: apm-js-collab/orchestrion-js#54 |
This is a WIP POC trying out usage of orchestrion-js for node SDK instrumentation.
Honestly it seems pretty straightforward... Usage for this POC is:
And then
This will disable the otel instrumentation that is already converted to orchestrion (in this PR, only Mysql) and add the respective orchestrion-based integrations instead. The exact API here is WIP and really just geared towards experimentation, so could change, and it's easy to see how this would be easier in v11 with this being the default.
Some general benefits of this approach:
--importscript only registers the mappings for orchestrion, all actual code registering stuff etc. happens inSentry.init(). This makes a bunch of things easier...--import. This also works when deploying to e.g. cloudflare etc. as long as one of the bundler plugins is used.