Dependabot flagged io.opentelemetry:opentelemetry-api:1.41.0 (GHSA-rcgg-9c38-7xpx, medium) as a vulnerable transitive dependency.
Root cause: org.jetbrains.kotlin:swift-export-embeddable:2.3.21 (the Kotlin/Native iOS Swift export build-tool worker) declares opentelemetry-api:1.41.0 as a runtime dependency, so it lands on the shared:swiftExportClasspathResolvable configuration. Gradle's default conflict resolution picks the highest requested version, and nothing else on that configuration requests a newer one, so it stayed at 1.41.0, below the patched floor of 1.62.0. This is build-toolchain only (not on the shipped server, Android, or iOS runtime classpath), but Dependabot still flags it and the project pins all such CVEs.
Fix:
- Added opentelemetry = "1.62.0" to gradle/libs.versions.toml with a comment naming the GHSA and the transitive chain.
- Added an allprojects { configurations.configureEach { resolutionStrategy.eachDependency } } block in the root build.gradle.kts that floors the entire io.opentelemetry group to 1.62.0. The group-level rule covers both opentelemetry-api and the co-versioned opentelemetry-context, so the two cannot drift apart.

Verification:
- ./gradlew :shared:dependencyInsight --dependency opentelemetry-api --configuration swiftExportClasspathResolvable shows 1.41.0 -> 1.62.0 with the GHSA reason line (the text passed to because() in the rule).

Pattern for future transitive CVEs:
- Pin in libs.versions.toml with a comment, plus an eachDependency rule in the root build.gradle.kts. This applies regardless of whether the affected jar is on a runtime or build-tool classpath. Note that allprojects { configurations } covers project configurations only; a hit on the plugin classpath (buildscript { } or pluginManagement) needs its own rule on that classpath.
- ./gradlew :<module>:dependencies 2>&1 | grep -B 30 "<artifact>" reveals which configuration name to use (widen -B if the tree is deep and the configuration header scrolls out of the window); then ./gradlew :<module>:dependencyInsight --dependency <artifact> --configuration <name> confirms the chain and the resolved version.
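The floor rule as it would look in the root build.gradle.kts, given as an added example rather than this repository's own build script. It is written so that it only raises io.opentelemetry versions that are below the floor and never downgrades a newer one (a bare useVersion() in eachDependency would force every request, in either direction). It assumes the catalog is named libs and the version alias is opentelemetry (matching the libs.versions.toml entry above); the catalog accessor is read once at top level because generated libs.* accessors are not usable inside allprojects { } blocks. The compareVersions helper is a simplification that compares numeric dot-separated segments and ignores any pre-release suffix.

```kotlin
// Root build.gradle.kts (added example; not the project's own file).
// Assumption: version catalog "libs" with alias "opentelemetry" = "1.62.0".
val otelFloor: String = libs.versions.opentelemetry.get()
val otelAdvisory = "GHSA-rcgg-9c38-7xpx"

// Compare dot-separated numeric versions, returning <0, 0 or >0 like compareTo.
// Simplification: a pre-release suffix such as "-alpha" is ignored, so
// "1.62.0-alpha" compares equal to "1.62.0". Missing segments count as 0.
fun compareVersions(a: String, b: String): Int {
    val pa = a.split('.').map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    val pb = b.split('.').map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(pa.size, pb.size)) {
        val diff = pa.getOrElse(i) { 0 } - pb.getOrElse(i) { 0 }
        if (diff != 0) return diff
    }
    return 0
}

allprojects {
    // Every resolvable configuration in every project, including the
    // swiftExportClasspathResolvable configuration the worker lands on.
    configurations.configureEach {
        resolutionStrategy.eachDependency {
            // Group-level rule: covers opentelemetry-api and the co-versioned
            // opentelemetry-context in one place instead of two.
            if (requested.group == "io.opentelemetry") {
                val v = requested.version
                // A blank requested version means it comes from a constraint
                // or platform (BOM); there is nothing to compare, so leave it.
                if (!v.isNullOrBlank() && compareVersions(v, otelFloor) < 0) {
                    useVersion(otelFloor)
                    // Shows up as the "Selected by rule" reason in dependencyInsight.
                    because(
                        "$otelAdvisory: floor io.opentelemetry to $otelFloor " +
                            "(transitive via org.jetbrains.kotlin:swift-export-embeddable)"
                    )
                }
            }
        }
    }
}
```

After adding it, re-run the dependencyInsight command above on the affected configuration and confirm both the 1.41.0 -> 1.62.0 line and the because() text. The rule overrides the version the build-tool worker was tested against, so a full build of the iOS targets should accompany the pin; it also does not reach the plugin classpath, which would need an equivalent rule under buildscript { configurations.classpath.resolutionStrategy } if a plugin ever pulls in the same artifact.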