Bump @opentelemetry/core, @opentelemetry/exporter-trace-otlp-proto, @opentelemetry/instrumentation-http and @opentelemetry/sdk-node#2

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-996dd4a79e

dependabot (Bot) commented on behalf of github on Jun 28, 2026

Bumps @opentelemetry/core to 2.8.0 and updates ancestor dependencies @opentelemetry/core, @opentelemetry/exporter-trace-otlp-proto, @opentelemetry/instrumentation-http and @opentelemetry/sdk-node. These dependencies need to be updated together.

Updates @opentelemetry/core from 2.7.1 to 2.8.0

Release notes

Sourced from @​opentelemetry/core's releases.

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @pichlermarc

Changelog

Sourced from @​opentelemetry/core's changelog.

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @pichlermarc

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Updates @opentelemetry/exporter-trace-otlp-proto from 0.215.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-trace-otlp-proto's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Updates @opentelemetry/instrumentation-http from 0.215.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/instrumentation-http's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Updates @opentelemetry/sdk-node from 0.218.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @MikeGoldsmith

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

…opentelemetry/instrumentation-http and @opentelemetry/sdk-node

Bumps [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) to 2.8.0 and updates ancestor dependencies [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/exporter-trace-otlp-proto](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/instrumentation-http](https://github.com/open-telemetry/opentelemetry-js) and [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js). These dependencies need to be updated together.


Updates `@opentelemetry/core` from 2.7.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.7.1...v2.8.0)

Updates `@opentelemetry/exporter-trace-otlp-proto` from 0.215.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.215.0...experimental/v0.219.0)

Updates `@opentelemetry/instrumentation-http` from 0.215.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.215.0...experimental/v0.219.0)

Updates `@opentelemetry/sdk-node` from 0.218.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.218.0...experimental/v0.219.0)

---
updated-dependencies:
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.8.0
  dependency-type: indirect
- dependency-name: "@opentelemetry/exporter-trace-otlp-proto"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/instrumentation-http"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.219.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot (Bot) added the labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code) on Jun 28, 2026

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @opentelemetry/instrumentation-http@0.215.0 ⏵ 0.219.0 | 76 +1 | 100 | 100 +1 | 96 | 100 |
| Updated | @opentelemetry/exporter-trace-otlp-proto@0.218.0 ⏵ 0.219.0 | 99 | 100 | 100 | 96 | 100 |
| Updated | @opentelemetry/sdk-node@0.218.0 ⏵ 0.219.0 | 98 | 100 | 100 +1 | 96 | 100 |

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | Obfuscated code: npm yargs is 90.0% likely obfuscated |

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/@opentelemetry/sdk-node@0.219.0 → npm/yargs@17.7.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
