chore(deps): bump remaining minor/patch packages missed by Dependabot (#40)

[Copilot]

Dependabot's minor-and-patch group bump in #40 missed 6 packages that had available updates. This commit adds those to bring all dependencies fully current.

Packages updated

Dependencies

• @opentelemetry/sdk-trace-base: ^2.2.0 → ^2.6.0
• @opentelemetry/sdk-trace-node: ^2.2.0 → ^2.6.0 (sibling packages sdk-metrics/resources were already bumped to 2.6.0 in chore(deps): bump the minor-and-patch group across 1 directory with 23 updates #40)
• express: ^5.0.1 → ^5.2.1
• winston: ^3.18.3 → ^3.19.0

Dev dependencies

• @types/cors: ^2.8.17 → ^2.8.19
• @types/express: ^5.0.0 → ^5.0.6

package-lock.json updated accordingly.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 5663f9e.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

package.json

Package	Version	License	Issue Type
express	^5.2.1	Null	Unknown License
winston	^3.19.0	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
npm/@opentelemetry/context-async-hooks	2.6.0	🟢 7.2	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 41 contributing companies or organizations
npm/@opentelemetry/core	2.6.0	🟢 7.2	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 41 contributing companies or organizations
npm/@opentelemetry/resources	2.6.0	🟢 7.2	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 41 contributing companies or organizations
npm/@opentelemetry/sdk-trace-base	2.6.0	🟢 7.2	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 41 contributing companies or organizations
npm/@opentelemetry/sdk-trace-node	2.6.0	🟢 7.2	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 41 contributing companies or organizations
npm/@types/cors	^2.8.19	Unknown	Unknown
npm/@types/express	^5.0.6	Unknown	Unknown
npm/express	^5.2.1	Unknown	Unknown
npm/winston	^3.19.0	Unknown	Unknown

Scanned Files

• package-lock.json
• package.json