
Transitive deps pin known-vulnerable versions (OpenTelemetry, ws, express/qs, dompurify) — downstream apps can't remediate via npm audit fix #405

@grahamlammersIII


Summary

A fresh app on the latest @databricks/appkit / @databricks/appkit-ui (0.38.1) fails a clean npm audit because several transitive dependencies are pinned to versions under published advisories. Because these are pinned inside the AppKit dependency tree, downstream apps cannot fix them with npm audit fix — npm reports "fixAvailable": false for the OpenTelemetry/ws chain — without hand-overriding AppKit's pins.

Practical severity is moderate for a deployed app (DoS-class / high-privilege preconditions, not RCE in the running app), but it makes every AppKit-based app trip security review. Bumping the pins below would clear it for all consumers.

These advisories are recent (early–mid May 2026), so this is dependency lag rather than a long-standing gap — filing mainly so downstream apps stop tripping npm audit, and to track the bump.

Affected pins (verified on 0.38.1)

| Dependency | Pinned by AppKit | Advisory | Suggested bump |
| --- | --- | --- | --- |
| @opentelemetry/sdk-node / auto-instrumentations-node / exporter-prometheus | 0.208.0 / 0.67.2 | GHSA-q7rr-3cgh-j5r3 — Prometheus exporter process crash via malformed HTTP request (HIGH, CVSS 7.5) | OTel >= 0.217.0 (auto-instrumentations >= 0.75.0) |
| ws | 8.18.3 (in range 8.0.0–8.20.0) | GHSA-58qx-3vcg-4xpx — uninitialized memory disclosure (moderate; upstream notes real-world severity low) | ws >= 8.20.1 |
| express → qs, body-parser | express@4.22.0 | GHSA-q8mj-m7cp-5q26: qs.stringify DoS (moderate) | express with qs >= 6.15.2 |
| protobufjs (via OTel → gRPC) | 7.5.4 | GHSA-q6x5-8v7m-xcrf and related | protobufjs >= 7.6.2 |
| dompurify (in @databricks/appkit-ui) | 3.3.3 | GHSA-39q2-94rc-95cp, GHSA-v9jr-rg53-9pgp — sanitizer bypass / prototype-pollution→XSS (moderate) | dompurify >= 3.3.4 |

Why this can't be fixed downstream

These are transitive pins inside the AppKit tree, so a consuming app gets "fixAvailable": false from npm audit for the OTel/ws chain. The only npm audit fix --force path for the dompurify one is a downgrade of @databricks/appkit-ui to 0.21.0 (a major, backward move), which isn't viable. Consumers can add overrides to their own package.json, but that's a per-app workaround for something better fixed once, upstream.

Repro

# any app on @databricks/appkit@0.38.x
npm audit
# observe the OpenTelemetry (high), ws, express/qs, protobufjs, and dompurify advisories,
# all tracing to @databricks/appkit / @databricks/appkit-ui, with fixAvailable:false on the OTel chain

Suggested resolution

Bump the pinned ranges in @databricks/appkit and @databricks/appkit-ui to the patched versions above and cut a release. This is mostly within-range patch movement and would clear the audit for every downstream app.

Notes / scope
