Summary
@trigger.dev/core@4.4.4 pins @opentelemetry/host-metrics@^0.37.0, which transitively pulls systeminformation@5.23.8. That version has three known command-injection CVEs (GHSA-1111529, GHSA-1113329, GHSA-1113330), all rated HIGH (CVSS 8.1–8.8).
@opentelemetry/host-metrics@0.38.x switched to a newer systeminformation line that fixes them. Bumping the pin in @trigger.dev/core would resolve the entire chain.
Reproduction
mkdir trigger-audit-repro && cd trigger-audit-repro
npm init -y >/dev/null
npm install @trigger.dev/sdk@latest @trigger.dev/build@latest 2>/dev/null
npm audit
Output (Trigger.dev v4.4.4):
7 high severity vulnerabilities
@opentelemetry/host-metrics <=0.15.0 || 0.35.2 - 0.38.0
Depends on vulnerable versions of systeminformation
Depends on vulnerable versions of basic-ftp
Depends on vulnerable versions of fast-xml-builder
node_modules/@opentelemetry/host-metrics
@trigger.dev/core <=0.0.0-prerelease-20260508094307 || >=4.4.1
Depends on vulnerable versions of @opentelemetry/host-metrics
node_modules/@trigger.dev/core
@trigger.dev/build <=0.0.0-prerelease-20260508094307 || >=4.4.1
@trigger.dev/sdk <=0.0.0-prerelease-20260508094307 || >=4.4.1
Why this matters
The CVEs are in systeminformation's argument handling for OS-level calls (fsSize, versions, network interface enumeration). They're not reachable from a typical Trigger.dev task payload, but they show up in every consuming app's npm audit and add noise that hides real findings during security reviews. We just did a pre-launch security audit and these were the only HIGH findings.
Suggested fix
In packages/core/package.json (or wherever @opentelemetry/host-metrics is pinned), bump:
- "@opentelemetry/host-metrics": "^0.37.0",
+ "@opentelemetry/host-metrics": "^0.38.1",
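Review bot: the audit output above lists @opentelemetry/host-metrics as also depending on vulnerable versions of basic-ftp and fast-xml-builder, so bumping to `^0.38.1` (the first version past the `0.35.2 - 0.38.0` vulnerable range) clears the systeminformation chain but does not by itself show that all seven HIGH findings go away; the PR should include a fresh `npm audit` (or `npm ls systeminformation basic-ftp fast-xml-builder`) against the bumped @trigger.dev/core to confirm the claim in the summary that the entire chain resolves.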
Then re-release @trigger.dev/core and bubble the bump through @trigger.dev/build + @trigger.dev/sdk.
Happy to open the PR if helpful — just need a steer on which package(s) own the pin.
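To see exactly which chain pulls in the vulnerable version, and to confirm after the bump that the resolved systeminformation has changed, the following added script (not part of this issue or of the Trigger.dev code base) resolves dependency chains from a package-lock.json the way npm's nested lookup does. The lockfile fragment inside it is constructed to mirror the chain reported above; the resolved host-metrics version 0.37.0 is illustrative.

```javascript
// Resolve every dependency chain from the project root to `target` in a package-lock.json
// (lockfileVersion 2/3), using npm's lookup rule: nested node_modules first, then walk up.
// Constructed lockfile fragment mirroring the chain in the report above; the resolved
// host-metrics version is illustrative, not taken from the registry.
const sampleLock = {
  packages: {
    "": { dependencies: { "@trigger.dev/sdk": "4.4.4" } },
    "node_modules/@trigger.dev/sdk": { version: "4.4.4", dependencies: { "@trigger.dev/core": "4.4.4" } },
    "node_modules/@trigger.dev/core": { version: "4.4.4", dependencies: { "@opentelemetry/host-metrics": "^0.37.0" } },
    "node_modules/@opentelemetry/host-metrics": { version: "0.37.0", dependencies: { systeminformation: "5.23.8" } },
    "node_modules/systeminformation": { version: "5.23.8" },
  },
};

// Lockfile path that `name` resolves to when required from `fromPath`, or null if not installed.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx); // hoist one level up
  }
}

// "node_modules/a/node_modules/b" -> "b@<version>"
const label = (packages, p) => `${p.split("node_modules/").pop()}@${packages[p].version}`;

// Depth-first walk over "dependencies" (optional/peer deps are ignored); each chain is
// returned as an array of name@version labels from the direct dependency down to target.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const visit = (path, trail) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || trail.includes(depPath)) continue; // not installed, or a cycle
      const next = trail.concat(depPath);
      if (dep === target) chains.push(next.map((p) => label(packages, p)));
      else visit(depPath, next);
    }
  };
  visit("", []);
  return chains;
}

// On a real project: const lock = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
for (const chain of findChains(sampleLock, "systeminformation")) console.log(chain.join(" -> "));
```

Run it before and after the bump: the last element of each chain is the resolved systeminformation version, so any chain still ending in 5.23.8 means the pin did not take effect for that path.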
Environment
- @trigger.dev/sdk@4.4.4
- @trigger.dev/build@4.4.4
- @trigger.dev/core@4.4.4
- Node 22, npm 11