Bump OpenTelemetry dependencies to latest (0.219.0 / core 2.8.0)#2649
Hello delthas, my role is to assist you with the merge of this
Status report is not available.

Waiting for approval. The following approvals are needed before I can proceed with the merge:
Force-pushed from 55a78a8 to 475a8e4
LGTM
Codecov Report: all modified and coverable lines are covered by tests.

@@               Coverage Diff               @@
##           development/8.4    #2649      +/-   ##
===================================================
+ Coverage            74.27%   74.30%   +0.02%
===================================================
  Files                  229      229
  Lines                18646    18646
  Branches              3884     3884
===================================================
+ Hits                 13849    13854       +5
+ Misses                4792     4787       -5
  Partials                 5        5
sdk-node 0.219.0 pins @opentelemetry/core 2.8.0, dropping the vulnerable 2.7.1 (GHSA-8988-4f7v-96qf, unbounded memory allocation in W3C Baggage propagation) from the dependency tree. Also move @opentelemetry/api to ^1.9.1 (latest) and dedupe the lone api 1.9.0 left by prom-client, so the whole OTEL tree resolves to a single latest version.

Issue: ARSN-598
Force-pushed from 475a8e4 to d415b43
Waiting for approval. The following approvals are needed before I can proceed with the merge:
/approve
Request integration branches. Waiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the
Integration data created. I have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
You can set option
The following options are set: approve
I have successfully merged the changeset of this pull request.
The following branches have NOT changed:
This pull request did not target the following hotfix branch(es) so they
Please check the status of the associated issue ARSN-598. Goodbye delthas.
The following options are set: approve
What

Bump arsenal's OpenTelemetry dependencies to the latest published versions, in two commits:

- @opentelemetry/* dep now resolves to a single latest version (no duplicates):
  - @opentelemetry/sdk-node, @opentelemetry/exporter-trace-otlp-http: ^0.218.0 → ^0.219.0
  - @opentelemetry/resources, @opentelemetry/sdk-trace-base, @opentelemetry/context-async-hooks, @opentelemetry/core: ^2.7.1 → ^2.8.0
  - @opentelemetry/api: ^1.9.0 → ^1.9.1 (also dedupes the lone api@1.9.0 that prom-client left in the lockfile)
- 8.4.9 → 8.4.10

Why

The 0.218.0 OTEL suite transitively pins @opentelemetry/core@2.7.1, which carries GHSA-8988-4f7v-96qf (moderate — unbounded memory allocation in W3C Baggage propagation, patched in 2.8.0). sdk-node@0.219.0 pins core@2.8.0, so the vulnerable 2.7.1 is removed from the dependency tree entirely (no version skew).

This unblocks cloudserver's dependency-review CI, which fails on the transitive core@2.7.1 once arsenal is bumped (CLDSRV-928 / scality/cloudserver#6192).

Supersedes the partial dependabot bump (dependabot/npm_and_yarn/opentelemetry/core-2.8.0), which bumps only the direct core devDependency and leaves core@2.7.1 reachable through sdk-node@0.218.0.

Issue: ARSN-598
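The commit message and the Why section both rest on one observation: bumping only the direct core devDependency leaves a second, older copy of core nested under sdk-node (because sdk-node 0.218.0 pins 2.7.1 exactly), while bumping sdk-node itself collapses the tree to a single 2.8.0. The script below is an added example written for this page, not arsenal's, dependabot's or OpenTelemetry's code, that makes this check mechanical against an npm lockfile (it reads the lockfileVersion 2/3 "packages" map; whether arsenal's own lockfile is in that format is an assumption). It lists every resolved copy of a package, the dependent that forced each nested copy, and which copies are older than the version carrying the fix. The two embedded lockfile fragments are constructed to mirror the partial and full bump states described above; they are not taken from the repository. The names audit, findInstalls, semverLt, PARTIAL_BUMP_LOCK and FULL_BUMP_LOCK are this example's own.

```javascript
"use strict";
// Added example (not arsenal's or OpenTelemetry's code): audit every resolved copy of a
// package in an npm lockfile (lockfileVersion 2/3 "packages" map) and flag the copies
// older than the version that carries the fix. All names here are this example's own.

// Minimal semver parse: "major.minor.patch" (leading "v" and any suffix are ignored).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true when a < b, comparing major, then minor, then patch numerically.
function semverLt(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Every install of `name` in the lockfile. A nested path such as
// node_modules/<dependent>/node_modules/<name> is a second copy npm could not hoist
// because <dependent> pins a different version: that is the version skew a partial
// bump leaves behind and a bump of the pinning dependent removes.
function findInstalls(lock, name) {
  const suffix = `node_modules/${name}`;
  const installs = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    const nestedUnder = path === suffix ? null : path.slice(0, path.length - suffix.length - 1);
    installs.push({ path, version: entry.version, nestedUnder });
  }
  return installs;
}

// Summary: all versions present, the copies below `fixedIn`, and whether the tree is deduped.
function audit(lock, name, fixedIn) {
  const installs = findInstalls(lock, name);
  const versions = [...new Set(installs.map(i => i.version))].sort();
  const vulnerable = installs.filter(i => semverLt(i.version, fixedIn));
  return { name, fixedIn, installs, versions, vulnerable, deduped: versions.length <= 1 };
}

// Constructed lockfile fragments (not arsenal's real lockfile) mirroring the two states
// described in the PR: the partial dependabot bump and this PR's full bump.
const PARTIAL_BUMP_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@opentelemetry/core": "^2.8.0", "@opentelemetry/sdk-node": "^0.218.0" } },
    "node_modules/@opentelemetry/core": { version: "2.8.0", dev: true },
    "node_modules/@opentelemetry/sdk-node": {
      version: "0.218.0",
      dev: true,
      dependencies: { "@opentelemetry/core": "2.7.1" },
    },
    // sdk-node's exact pin is not satisfied by the hoisted 2.8.0, so npm nests a 2.7.1 copy.
    "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/core": { version: "2.7.1", dev: true },
  },
};

const FULL_BUMP_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@opentelemetry/core": "^2.8.0", "@opentelemetry/sdk-node": "^0.219.0" } },
    "node_modules/@opentelemetry/core": { version: "2.8.0", dev: true },
    "node_modules/@opentelemetry/sdk-node": {
      version: "0.219.0",
      dev: true,
      dependencies: { "@opentelemetry/core": "2.8.0" },
    },
  },
};

// Print one audit; returns the summary so callers can fail CI on `vulnerable.length > 0`.
function report(lock, label) {
  const r = audit(lock, "@opentelemetry/core", "2.8.0");
  console.log(`${label}: versions=${r.versions.join(",")} deduped=${r.deduped}`);
  for (const v of r.vulnerable) {
    console.log(`  vulnerable ${v.version} at ${v.path} (nested under ${v.nestedUnder || "root"})`);
  }
  return r;
}

report(PARTIAL_BUMP_LOCK, "partial bump (direct core only)");
report(FULL_BUMP_LOCK, "full bump (sdk-node and core)");
```

To run the same audit on a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the interactive equivalents are `npm ls @opentelemetry/core --all` for npm and `yarn why @opentelemetry/core` for yarn, which show the same nested copies. A single hoisted version with no nested path is the "no version skew" state the PR describes; any nested copy below the fixed version is what dependency-review CI keeps tripping on.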