Security Fix Pending Release: @opentelemetry/host-metrics
The currently published version of @opentelemetry/host-metrics@0.38.0 (released Dec 17, 2025) depends on systeminformation@5.23.8, which contains a HIGH severity command injection vulnerability.
The fix has already been merged into the main branch, where @opentelemetry/host-metrics now depends on systeminformation@5.27.14. However, this fix has not yet been published to npm, leaving users exposed to a known vulnerability when installing the latest released version.
Current State (Published)
Package: @opentelemetry/host-metrics@0.38.0
Dependency:
"systeminformation": "5.23.8"
Fixed State (Main Branch, Not Published)
Dependency:
"systeminformation": "5.27.14"
Impact
Installing @opentelemetry/host-metrics@latest pulls in a dependency with a HIGH severity vulnerability
Triggers security alerts in tools like npm audit, Dependabot, and Snyk
Forces downstream consumers to rely on overrides or resolutions
Blocks adoption in environments where HIGH vulnerabilities are not allowed in production
Request
Please publish a new release (e.g. 0.38.1 or 0.39.0) that includes the already-merged systeminformation@5.27.14 update.
Reproduction
npm install @opentelemetry/host-metrics@latest
npm audit
Result: HIGH severity vulnerability reported in systeminformation.
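The Impact section notes that consumers are pushed toward `overrides`/`resolutions`, and the reproduction above relies on `npm audit` against a live install. The following is an added example (not code from the OpenTelemetry project or from this issue) that does the same check offline: it scans a `package-lock.json` for any install of `systeminformation` below the fixed version the issue names, and emits the `overrides` (npm) / `resolutions` (Yarn) stanza a downstream project can use until the fixed host-metrics release ships. The lock-file content is constructed to mirror the published state described above; the choice of a caret range (`^5.27.14`) for the override is an assumption, not something the issue specifies.

```javascript
// Added example for this issue (not code from the OpenTelemetry project):
// scan an npm package-lock.json for installs of systeminformation older than
// the fixed version named in the issue, and build the package.json
// "overrides" (npm) / "resolutions" (Yarn) stanza a downstream consumer
// needs until a fixed @opentelemetry/host-metrics is published.

const PACKAGE = "systeminformation";
const FIXED_VERSION = "5.27.14"; // version the main branch pins, per the issue

// Constructed lockfileVersion-3 sample, not a real capture. It mirrors the
// published state: host-metrics 0.38.0 resolving systeminformation 5.23.8.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "@opentelemetry/host-metrics": "0.38.0" },
    },
    "node_modules/@opentelemetry/host-metrics": {
      version: "0.38.0",
      dependencies: { systeminformation: "5.23.8" },
    },
    "node_modules/systeminformation": { version: "5.23.8" },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts (prerelease tag dropped).
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
// (A plain string compare would wrongly rank "5.9.0" above "5.27.14".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every install path of `name` in the lock file (top-level, or nested under
// another package's node_modules) whose version is below `fixed`.
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isPkg || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Stanza to merge into package.json: npm reads "overrides", Yarn reads
// "resolutions". Returns null when no install needs overriding.
function buildOverrides(lock, name, fixed) {
  if (findVulnerable(lock, name, fixed).length === 0) return null;
  const spec = `^${fixed}`; // assumption: allow later patch releases of the fixed line
  return { overrides: { [name]: spec }, resolutions: { [name]: spec } };
}

// Stand-alone run over the constructed sample.
const found = findVulnerable(SAMPLE_LOCK, PACKAGE, FIXED_VERSION);
console.log(`vulnerable installs of ${PACKAGE}: ${found.length}`);
for (const hit of found) {
  console.log(`  ${hit.path} -> ${hit.version} (< ${FIXED_VERSION})`);
}
console.log(JSON.stringify(buildOverrides(SAMPLE_LOCK, PACKAGE, FIXED_VERSION), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the path matching also catches nested copies such as `node_modules/@opentelemetry/host-metrics/node_modules/systeminformation`, which a top-level-only check would miss. Once a fixed `@opentelemetry/host-metrics` is published, the override should be removed so the pin does not mask future upstream changes.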
Expected Behavior
After a new release is published, installing @opentelemetry/host-metrics@latest should no longer report HIGH severity vulnerabilities.