Update dependency @opentelemetry/core to v2 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@opentelemetry/core (source)	^1.25.1 → ^2.8.0

---

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

CVE-2026-54285 / GHSA-8988-4f7v-96qf

More information

Details

Overview

W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap.

Impact

The practical availability impact for most Node.js deployments is limited. Node.js enforces a default --max-http-header-size of 16,384 bytes on the total combined size of all HTTP headers, constraining what an external attacker can deliver before the propagator is reached. Additionally, the header is already in memory (parsed by the HTTP layer) by the time it reaches the propagator - the additional allocation is the overhead of splitting into entry objects, not an unbounded read.

The risk is higher when transport-layer limits are absent - e.g., non-HTTP transports (messaging systems, custom TextMapGetter implementations) or deployments that have raised --max-http-header-size.

Remediation

Update @opentelemetry/core to version 2.8.0 or later. The fix enforces limits consistent with the W3C Baggage specification at the propagator level:

• Maximum total baggage size: 8,192 bytes
• Maximum number of entries: 180
• Maximum per-entry size: 4,096 bytes

Headers that exceed these limits are truncated at the point the limit is reached.

Workarounds

Ensure header size limits are configured at the server or gateway level. The default Node.js HTTP header limit (16 KB) mitigates external attack vectors independently of this fix. For non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.

References

• W3C Baggage Specification - Limits
• opentelemetry-java: GHSA-rcgg-9c38-7xpx
• opentelemetry-go: GHSA-mh2q-q3fh-2475

Credit

Reported by tonghuaroot.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-8988-4f7v-96qf
• https://github.com/advisories/GHSA-8988-4f7v-96qf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-js (@​opentelemetry/core)

v2.8.0

Compare Source

🚀 Features

• feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #​6690 @​mcollina
• feat(sdk-metrics): implement metric reader self-observability metrics #​6449 @​anuraaga
• feat(core): add hrTimeToSeconds #​6449 @​anuraaga

🐛 Bug Fixes

• fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

v2.7.1

Compare Source

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #​6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #​6284 @​AbhiPrasad
• test: test Node.js 26 in CI #​6671 @​cjihrig

v2.7.0

Compare Source

🚀 Features

• feat(sdk-logs): implement log creation metrics #​6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders
  #​6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #​6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #​6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #​6565 @​overbalance
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #​6593 @​mcollina

v2.6.1

Compare Source

🐛 Bug Fixes

• fix(opentelemetry-instrumentation): improve _warnOnPreloadedModules function not to show warning logs when the module is not marked as loaded #​6095 @​rlj1202
• fix(sdk-trace-base): derive internal SpanOptions from API type to prevent drift #​6478 @​overbalance
• fix(span): enforce attributePerEventCountLimit, attributePerLinkCountLimit, linkCountLimit, and attributeValueLengthLimit for event/link attributes #​6479 @​overbalance
• fix(context-zone): guard onCancelTask against terminal-state tasks to prevent infinite loop with rc-align (Ant Design) in React 16 dev mode #​6512 @​Renegade2345

🏠 Internal

• chore: enforce import type for type-only imports via ESLint #​6467 @​overbalance
• perf(sdk-trace-base): avoid Object.entries in Span.setAttributes #​6514 @​daniellockyer
• perf(sdk-trace-base): optimize Span.{addEvent,addLink} performance #​6516 @​daniellockyer
• test(bundlers): broaden bundler test coverage and assert known protobuf dynamic-require failures #​6482 @​overbalance

v2.6.0

Compare Source

💥 Breaking Changes

• fix(resources): update OTEL_RESOURCE_ATTRIBUTES parsing to match spec changes (open-telemetry/opentelemetry-specification#4856) #​6261 @​jacksonweber
  • Important: This fix is included in the "breaking changes" section because it can be breaking for some edge case usage of OTEL_RESOURCE_ATTRIBUTES:
    • export OTEL_RESOURCE_ATTRIBUTES=foo=bar,spam will now be fully ignored, because the spam entry is invalid (missing =). Per spec, any parsing error results in ignoring the entire environment variable.
    • export OTEL_RESOURCE_ATTRIBUTES='wat=" spaces "' will now result in {"wat": "\" spaces \""} with the double-quotes included in the value. Before this change the implementation included brittle double-quoting to allow leading and trailing whitespace in the value. To support leading or trailing whitespace now, you must percent-encode the whitespace. Internal whitespace still works without encoding, e.g. export OTEL_RESOURCE_ATTRIBUTES='green=eggs and ham'.

🚀 Features

• feat(sdk-trace): implement span start/end metrics #​6213 @​anuraaga

🐛 Bug Fixes

• fix(sdk-trace-base): enforce StatusCode precedence rules in setStatus per specification #​6461 @​newbee1939
• fix(sdk-trace-web): propagate optimised flag in getElementXPath recursion #​6335 @​akkupratap323

v2.5.1

Compare Source

🐛 Bug Fixes

• fix(opentelemetry-sdk-node): the custom value from env variable for service.instance.id should take priority over random uuid as backup #​6345 @​maryliag

🏠 Internal

• perf(sdk-trace-base): use Uint8Array for browser RandomIdGenerator #​6209 @​overbalance
• test(sdk-trace-base): remove obsolete TypeScript and platform workarounds #​6327 @​overbalance
• fix(example-web): update Docker config and deps for collector #​6342 @​overbalance
• perf(sdk-trace-base): optimize setAttribute performance #​6283 @​AbhiPrasad
• refactor(core): remove unnecessary closure in _export() #​6360 @​cjihrig

v2.5.0

Compare Source

🐛 Bug Fixes

• refactor(resources): use runtime check for default service name #​6257 @​overbalance

🏠 Internal

• chore(context-async-hooks): Deprecate AsyncHooksContextManager #​6298 @​trentm
• chore: fix CODEOWNERS rule ordering #​6297 @​overbalance
• fix(github): fix CODEOWNERS browser package paths #​6303 @​overbalance
• fix(build): update @​types/node to 18.19.130, remove DOM types from base tsconfig #​6280 @​overbalance

v2.4.0

Compare Source

🐛 Bug Fixes

• fix(sdk-metrics): improve PeriodicExportingMetricReader() constructor input validation #​6286 @​cjihrig
• fix(core): Avoid using DOM types for otperformance export #​6278 @​samchungy

🏠 Internal

• chore(browser): fix CODEOWNERS paths for browser-related packages
• refactor(sdk-metrics): remove Promise.allSettled() ponyfill #​6277 @​cjihrig

v2.3.0

Compare Source

🚀 Features

• feat(sdk-trace-base): implement on ending in span processor #​6024 @​majanjua-amzn
  • note: this feature is experimental and subject to change

🐛 Bug Fixes

• fix(sdk-metrics): remove setImmediate usage in ConsoleMetricExporter #​6199 @​overbalance

🏠 Internal

• refactor(bundler-tests): split webpack tests into webpack-4 and webpack-5 #​6098 @​overbalance
• refactor(sdk-metrics): remove isNotNullish() utility function #​6151 @​cjihrig
• refactor(sdk-metrics): remove FlatMap() utility function #​6154 @​cjihrig
• refactor(sdk-metrics): simplify AllowList and DenyList processors #​6159 @​cjihrig
• chore: disallow constructor parameter property syntax #​6187 @​legendecas
• refactor(sdk-metrics): use test() instead of match() in isValidName() #​6205 @​cjihrig
• refactor(core): remove TimeOriginLegacy Safari <15 fallback #​6235 @​overbalance
• chore: remove backcompat workspace #​6238 @​overbalance
• refactor(core,resources): consolidate platform-specific code #​6208 @​overbalance
• test(api): remove unnecessary conditional #​6241 @​cjihrig
• refactor(api): remove several reverse() calls #​6252 @​cjihrig
• refactor(api): remove unnecessary map() call #​6251 @​cjihrig
• chore: add zed to gitignore #​6258 @​overbalance
• chore(deps): update nx to 22.3.0 #​6233 @​overbalance

v2.2.0

Compare Source

🐛 Bug Fixes

• fix(core): avoid leaking Node.js types via unrefTimer() util #​5986 @​pichlermarc
• fix(core): avoid leaking Node.js types via otperformance #​5987 @​pichlermarc
  • important: this bug fix may be breaking for certain uses of otperformance
    • otperformance.now() and otperformance.timeOrigin are not affected.
    • the previously used type was incorrect and overly broad, leading to unexpected run-time behavior runtimes that are not Node.js.
    • these problems are now caught on compile-time: if you have been using this API and this change is breaking to you, please consider using your target platform's performance implementation instead.

🏠 Internal

• test(shim-opentracing): add comparison thresholds in flaky assertions #​5974 @​cjihrig
• test(exporter-jaeger): clean up OTEL_EXPORTER_JAEGER_AGENT_PORT between tests #​6003 @​cjihrig
• test(sdk-trace-base): ensure environment variables are cleaned up between tests #​6011 @​cjihrig
• perf(opentelemetry-core): optimize attribute serialization #​5866 @​43081j
• test: test Node.js 25 in CI #​6019 @​cjihrig

v2.1.0

Compare Source

🚀 Features

• feat(opentelemetry-resources): add schema url #​5070 @​c-ehrlich

🐛 Bug Fixes

• fix(sdk-metrics): Remove invalid default value for startTime param to ExponentialHistogramAccumulation. This only impacted the closurescript compiler. #​5763 @​trentm

🏠 Internal

• refactor(context-zone-peer-dep): remove unnecessary helper methods and use meaningful zone names#​6452 @​dyladan
• chore: enable tsconfig isolatedModules #​5697 @​legendecas

v2.0.1

Compare Source

🐛 Bug Fixes

• fix(resources): guard asynchronous resource attribute rejections from causing unhandled promise rejection #​5544 @​dyladan
• fix(resource): do not trigger Accessing resource attributes before async attributes settled warning when detecting resources #​5546 @​dyladan
  • verbose logging of detected resource removed
• fix(resource): use dynamic import over require to improve ESM compliance #​5298 @​xiaoxiangmoe
• fix(core): getNumberFromEnv should return number | undefined #​5874 @​shubham-vunet

📚 Documentation

• refactor(metrics): Updated metrics samples to no longer treat sdk.start() as async #​5617 @​JacksonWeber

🏠 Internal

• refactor(sdk-trace-base): update semconv usage to ATTR_ exports #​5669 @​trentm
• refactor(sdk-trace-web): update semconv usage to ATTR_ exports #​5672 @​trentm
• refactor(resources): update semconv usage to ATTR_ exports #​5666 @​trentm
• test(sdk-metrics): fix multiple problematic assertRejects() calls #​5611 @​cjihrig
• refactor: replace assertRejects() with assert.rejects() #​5614 @​cjihrig
• refactor(core): migrate from deprecated semconv constants #​5575 @​alumni55748
• refactor(opentelemetry-core): simplify parseKeyPairsIntoRecord() #​5610 @​cjihrig
• refactor(opentelemetry-core): simplify parsePairKeyValue() #​5885 @​sivakumarsc

v2.0.0

Compare Source

Summary

• The minimum supported Node.js has been raised to ^18.19.0 || >=20.6.0. This means that support for Node.js 14 and 16 has been dropped.
• The minimum supported TypeScript version has been raised to 5.0.4.
• The compilation target for transpiled TypeScript has been raised to ES2022 (from ES2017).
• The public interface has changed
  • for notes on migrating to 2.x / 0.200.x see the upgrade guide
• Only experimental versions 0.200.0 are compatible with this release

💥 Breaking Change

• feat(sdk-trace-base)!: Add parentSpanContext and remove parentSpanId from Span and ReadableSpan #​5450 @​JacksonWeber
  • (user-facing): the SDK's Spans parentSpanId was replaced by parentSpanContext, to migrate to the new property, please replace span.parentSpanId -> span.parentSpanContext?.spanId
• feat(sdk-metrics)!: drop deprecated type field on MetricDescriptor #​5291 @​chancancode
• feat(sdk-metrics)!: drop deprecated InstrumentDescriptor type; use MetricDescriptor instead #​5277 @​chancancode
• feat(sdk-metrics)!: bump minimum version of @opentelemetry/api peer dependency to 1.9.0 #​5254 @​chancancode
• chore(shim-opentracing): replace deprecated SpanAttributes #​4430 @​JamieDanielson
• chore(otel-core): replace deprecated SpanAttributes #​4408 @​JamieDanielson
• feat(sdk-metrics)!: remove MeterProvider.addMetricReader() in favor of constructor option #​4419 @​pichlermarc
• chore(otel-resources): replace deprecated SpanAttributes #​4428 @​JamieDanielson
• feat(sdk-metrics)!: remove MeterProvider.addMetricReader() in favor of constructor option #​4419 @​pichlermarc
• feat(sdk-metrics)!: replace attributeKeys with custom processors option #​4532 @​pichlermarc
• refactor(sdk-trace-base)!: replace SpanAttributes with Attributes #​5009 @​david-luna
• refactor(resources)!: replace ResourceAttributes with Attributes #​5016 @​david-luna
• feat(sdk-metrics)!: drop View and Aggregation in favor of ViewOptions and AggregationOption #​4931 @​pichlermarc
• refactor(sdk-trace-base)!: remove new Span constructor in favor of Tracer.startSpan API #​5048 @​david-luna
• refactor(sdk-trace-base)!: remove BasicTracerProvider.addSpanProcessor API in favor of constructor options. #​5134 @​david-luna
• refactor(sdk-trace-base)!: make resource property private in BasicTracerProvider and remove getActiveSpanProcessor API. #​5192 @​david-luna
• feat(sdk-metrics)!: extract IMetricReader interface and use it over abstract class #​5311
  • (user-facing): MeterProviderOptions now provides the more general IMetricReader type over MetricReader
  • If you accept MetricReader in your public interface, consider accepting the more general IMetricReader instead to avoid unintentional breaking changes
• feat(sdk-trace)!: remove ability to have BasicTracerProvider instantiate exporters #​5239 @​pichlermarc
  • When extending BasicTracerProvider, the class offered multiple methods to facilitate the creation of exporters and auto-pairing with SpanProcessors.
    • This functionality has been removed - users may now pass SpanProcessors to the base class constructor when extending
    • (user-facing): _registeredExporters has been removed
    • (user-facing): _getSpanExporter has been removed
    • (user-facing): _buildExporterFromEnv has been removed
• feat(core)!: remove deprecated IdGenerator and RandomIdGenerator #​5309 @​pichlermarc
• feat(core)!: remove deprecated type InstrumentationLibrary #​5308 @​pichlermarc
  • (user-facing): please use equivalent type InstrumentationScope instead
• feat(sdk-trace-base)!: replace usages fo InstrumentationLibrary with InstrumentationScope #​5308 @​pichlermarc
  • (user-facing) rename Tracer.instrumentationLibrary -> Tracer.instrumentationScope
  • (user-facing) rename ReadableSpan.instrumentationLibrary -> ReadableSpan.instrumentationScope
    • also renames the property in implementations of ReadableSpan
• feat(exporter-jaeger): use ReadableSpan.instrumentationScope over ReadableSpan.instrumentationLibrary #​5308 @​pichlermarc
• feat(exporter-zipkin): use ReadableSpan.instrumentationScope over ReadableSpan.instrumentationLibrary #​5308 @​pichlermarc
• chore!: update typescript to version 5.0.4 #​5145 @​david-luna
  • (user-facing) dropped support for typescript@<5.0.4
  • (user-facing) all packages published from this repository will from now on drop support for old versions of typescript in minor releases. We will only drop support for versions that are older than 2 years.
• feat(core)!: remove deprecated samplers #​5316 @​pichlermarc
  • (user-facing): deprecated AlwaysOnSampler has moved to @opentelemetry/sdk-trace-base
  • (user-facing): deprecated AlwaysOffSampler has moved to @opentelemetry/sdk-trace-base
  • (user-facing): deprecated ParentBasedSampler has moved to @opentelemetry/sdk-trace-base
  • (user-facing): deprecated TraceIdRatioSampler has moved to @opentelemetry/sdk-trace-base
• feat(resource): Merge sync and async resource interfaces into a single interface #​5350 @​dyladan
  • Resource constructor now takes a single argument which contains an optional attributes object
  • Detected resource attribute values may be a promise or a synchronous value
  • Resources are now merged by the order in which their detectors are configured instead of async attributes being last
  • Resource detectors now return DetectedResource plain objects instead of new Resource()
• feat(sdk-trace-base)!: drop ability to instantiate propagators beyond defaults #​5355 @​pichlermarc
  • (user-facing): only a non-env-var based default is now used on BasicTracerProvider#register().
    • propagators can now not be configured via OTEL_PROPAGATORS or window.OTEL_PROPAGATORS anymore, please pass the propagator to NodeTracerProvider#register() instead.
    • if not configured directly via code, BasicTracerProvider#register() will now fall back to defaults (tracecontext and baggage)
• feat(sdk-trace-node)!: drop ability to instantiate propagators beyond defaults #​5355 @​pichlermarc
  • (user-facing): only a non-env-var based default is now used on NodeTracerProvider#register().
    • propagators can now not be configured via OTEL_PROPAGATORS anymore, please pass the propagator to NodeTracerProvider#register() instead.
    • if not configured via code, NodeTracerProvider#register() will now fall back to the defaults (tracecontext and baggage)
    • if autoconfiguration based on environment variables is needed, please use NodeSDK from @opentelemetry/sdk-node.
• feat(sdk-trace-web)!: drop ability to instantiate propagators beyond defaults #​5355 @​pichlermarc
  • (user-facing): only a non-env-var based default is now used on WebTracerProvider#register().
    • propagators can now not be configured via window.OTEL_PROPAGATORS anymore, please pass the propagator to WebTracerProvider#register() instead.
    • if not configured via code, WebTracerProvider#register() will now fall back to defaults (tracecontext and baggage)
• feat(sdk-trace)!: drop unnecessary exports #​5405 @​pichlermarc
  • (user-facing): EXPORTER_FACTORY is not used anymore and has been removed
  • (user-facing): PROPAGATOR_FACTORY is not used anymore and has been removed
  • (user-facing): ForceFlushState was intended for internal use and has been removed
  • (user-facing): the Tracer class was unintentionally exported and has been removed
    • to obtain a Tracer, please use BasicTracerProvider#getTracer(), NodeTracerProvider#getTracer() or WebTracerProvider#getTracer()
    • to reference a Tracer, please use the Tracer type from @opentelemetry/api
• chore!: Raise the minimum supported Node.js version to ^18.19.0 || >=20.6.0. Support for Node.js 14, 16, and early minor versions of 18 and 20 have been dropped. This applies to all packages except the 'api' and 'semantic-conventions' packages. #​5395 @​trentm
• feat(core)!: remove TracesSamplerValues from exports #​5406 @​pichlermarc
  • (user-facing): TracesSamplerValues was only consumed internally and has been removed from exports without replacement
• chore(resources)!: Remove deprecated duplicate browser detector from @opentelemetry/resource in favor of @opentelemetry/opentelemetry-browser-detector #​5420
• feat(core)!: remove unused and obsolete functions and types #​5444 @​pichlermarc
  • (user-facing): VERSION was an internal constant that was unintentionally exported. It has been removed without replacement.
  • (user-facing): isWrapped has been removed in favor of isWrapped from @opentelemetry/instrumentation
  • (user-facing): ShimWrapped has been removed in favor of ShimWrapped from @opentelemetry/instrumentation
  • (user-facing): hexToBase64 was a utility function that is not used by the SDK anymore. It has been removed without replacement.
  • (user-facing): hexToBinary was a utility function that now internal to @opentelemetry/otlp-tranformer. It has been removed without replacement.
  • (user-facing): baggageUtils.getKeyParis was an internal utility function that was unintentionally exported. It has been removed without replacement.
  • (user-facing): baggageUtils.serializeKeyPairs was an internal utility function that was unintentionally exported. It has been removed without replacement.
  • (user-facing): baggageUtils.parseKeyPairsIntoRecord, has been removed in favor of parseKeyPairsIntoRecord
  • (user-facing): baggageUtils.parsePairKeyValue was an internal utility function that was unintentionally exported. It has been removed without replacement.
  • (user-facing): TimeOriginLegacy has been removed without replacement.
  • (user-facing): isAttributeKey was an internal utility function that was unintentionally exported. It has been removed without replacement.
• feat(sdk-trace-base)!: do not read environment variables from window in browsers #​5445 @​pichlermarc
  • (user-facing): all configuration previously possible via window.OTEL_* is now not supported anymore, please pass configuration options to constructors instead.
  • Note: Node.js environment variable configuration continues to work as-is.
• feat(exporter-zipkin)!: do not read environment variables from window in browsers #​5465 @​pichlermarc
  • (user-facing): all configuration previously possible via window.OTEL_* is now not supported anymore, please pass configuration options to constructors instead.
  • Note: Node.js environment variable configuration continues to work as-is.
• feat(resource)!: Remove resource class export in favor of functions and types only to aid in cross-version compatibility #​5421
  • Renames Resource class to ResourceImpl and makes it package-private
  • Renames IResource interface to Resource
  • Export function resourceFromAttributes to create a Resource from a DetectedAttributes object
  • Export function defaultResource to create a default resource #​5467 @​pichlermarc
  • Export function emptyResource to create an empty resource #​5467 @​pichlermarc
  • Only export types and functions. This aids in cross-version compatibility and makes it more easily extensible in the future.
• feat(resources)!: do not read environment variables from window in browsers #​5466 @​pichlermarc
  • (user-facing): all configuration previously possible via window.OTEL_* is now not supported anymore
    • If you have been using the envDetector in browser environments, please migrate to manually creating a resource.
    • Note: Node.js environment variable configuration continues to work as-is.
• fix(sdk-trace-base)!: use ParentBasedAlwaysOnSampler over AlwaysOnSampler when bogus data is supplied to OTEL_TRACES_SAMPLER
  • this aligns the SDK implementation with the specification
• feat(core)!: drop getEnv(), getEnvWithoutDefaults() #​5481 @​pichlermarc
  • (user-facing): getEnv() has been replaced by getStringFromEnv(), getNumberFromEnv(), getBooleanFromEnv(), getStringListFromEnv()
    • these new functions do not include defaults, please inline any defaults if necessary (example: getStringFromEnv("OTEL_FOO") ?? "my-default")
    • see the previously used defaults here
  • (user-facing): getEnvWithoutDefaults() has been replaced by getStringFromEnv(), getNumberFromEnv(), getBooleanFromEnv(), getStringListFromEnv()
  • (user-facing): DEFAULT_ENVIRONMENT has been removed, please inline any defaults from now on
    • see the previously used defaults here
  • (user-facing): ENVIRONMENT has been removed without replacement
  • (user-facing): RAW_ENVIRONMENT has been removed without replacement
  • (user-facing): parseEnvironment has been removed without replacement
• feat(sdk-trace-base): remove BasicTracerProvider#register() to improve tree-shaking #​5503 @​pichlermarc
  • (user-facing): BasicTracerProvider#register() has been removed
    • to register a global propagator, please use propagation.setGlobalPropagator() from @opentelemetry/api
    • to register a global context manager, please use context.setGlobalContextManager() from @opentelemetry/api
• feat!: set compilation target to ES2022 for all packages except @opentelemetry/api, @opentelemetry/api-logs, @opentelemetry/api-events, and @opentelemetry/semantic-conventions #​5456 @​david-luna
  • (user-facing): drops browser runtimes which do not support ES2022 features
• feat(core)! drop unused constants #​5504 @​pichlermarc
  • (user-facing): DEFAULT_ATTRIBUTE_VALUE_LENTGHT_LIMIT has been removed, please use Infinity instead
  • (user-facing): DEFAULT_ATTRIBUTE_VALUE_COUNT_LIMIT has been removed, please use 128 instead
  • (user-facing): DEFAULT_SPAN_ATTRIBUTE_PER_EVENT_COUNT_LIMIT has been removed, please use 128 instead
  • (user-facing): DEFAULT_SPAN_ATTRIBUTE_PER_LINK_COUNT_LIMIT has been removed, please use 128 instead

🚀 (Enhancement)

• feat(sdk-trace-web): do not throw when passing extra options #​5357 @​pichlermarc
  • WebTracerProvider constructor now does not throw anymore when contextManager or propagator are passed as extra options to the constructor
• feat(sdk-trace-base): add stack trace warning to debug instrumentation #​5363 @​neilfordyce
• feat(core): add more scalable replacements for getEnv(), getEnvWithoutDefaults() #​5443 @​pichlermarc
• refactor(exporter-jaeger): migrate away from getEnv() #​5464 @​pichlermarc
• feat(core): add diagLogLevelFromString utility #​5475 @​pichlermarc

🐛 (Bug Fix)

• fix(exporter-zipkin): remove usages of deprecated url.parse from node:url #​5390 @​chancancode
• fix(sdk-metrics): do not export from PeriodicExportingMetricReader when there are no metrics to export. #​5288 @​jacksonweber
• fix(sdk-trace-base): always wait on pending export in SimpleSpanProcessor. #​5303 @​anuraaga
• fix(core): avoid using util in configuration.ts for browser compatibility #​5524 @​sriraamas

🏠 (Internal)

• refactor(sdk-metrics): the internal InstrumentDescriptor type now extends MetricDescriptor; moved public InstrumentType type enum into ./src/export/MetricData.ts #​5277
• refactor(sdk-metrics): remove Gauge and MetricAdvice workaround types in favor of the upstream @opentelemetry/api types #​5254 @​chancancode
• chore: remove checks for unsupported node versions #​4341 @​dyladan
• refactor(sdk-trace-base): remove BasicTracerProvider._registeredSpanProcessors private property. #​5134 @​david-luna
• refactor(sdk-trace-base): rename BasicTracerProvider.activeSpanProcessor private property. #​5211 @​david-luna
• chore(selenium-tests): remove internal selenium-tests/ package, it wasn't being used @​trentm
• chore: update typescript module compiler option to node16. #​5347 @​david-luna
• feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation to get rid of semver package initialization overhead especially in the AWS Lambda environment during coldstart #​5305 @​serkan-ozal
• chore: unpin @opentelemetry/semantic-conventions dep to allow better de-duplication in installs #​5439 @​trentm

v1.30.1

Compare Source

1.30.1

🐛 (Bug Fix)

• fix(sdk-metrics): do not export from PeriodicExportingMetricReader when there are no metrics to export. #​5288 @​jacksonweber

🏠 (Internal)

• ci: make changelog workflow check v1.x #​5338 @​pichlermarc

v1.30.0

Compare Source

🚀 (Enhancement)

• feat(sdk-metrics): PeriodicExportingMetricReader now flushes pending tasks at shutdown #​5242

🐛 (Bug Fix)

• fix(sdk-trace-base): do not load OTEL_ env vars on module load, but when needed #​5233
• fix(instrumentation-xhr, instrumentation-fetch): content length attributes no longer get removed with ignoreNetworkEvents: true being set #​5229

v1.29.0

Compare Source

🚀 (Enhancement)

• feat(sdk-metrics): Add support for aggregation cardinality limit with a default limit of 2000. This limit can be customized via views #​5128

v1.28.0

Compare Source

🚀 (Enhancement)

• feat(sdk-metrics, sdk-trace): add mergeResourceWithDefaults flag, which allows opting-out of resources getting merged with the default resource #​4617

  • default: true (no change in behavior)
  • note: false will become the default behavior in the next major version in order to comply with specification requirements

• feat(sdk-trace-base): add spanProcessors property in TracerConfig interface. #​5138 @​david-luna

🐛 (Bug Fix)

• fix(sdk-metrics): await exports in PeriodicExportingMetricReader when async resource attributes have not yet settled #​5119 @​pichlermarc
• fix(sdk-trace): performance.now() may return the same value for consecutive calls #​5150 @​dyladan
• fix(sdk-trace-base): pass BatchSpanProcessor#forceFlush() errors on visibilitychange/pagehide to globalErrorHandler #​5143 @​pichlermarc
  • fixes a bug where switching browser tabs with a failing exporter would cause an unhandled error

v1.27.0

Compare Source

🚀 (Enhancement)

• feat: add processors for adding session.id attribute to spans and logs #​4972

🐛 (Bug Fix)

• fix(sdk-trace-base): avoid keeping non-string status.message on Span#setStatus() #​4999 @​pichlermarc

• fix(sdk-metrics): Add missing catch and handle error in promise of PeriodicExportingMetricReader #​5006 @​jj22ee

• fix(opentelemetry-core): confusing log extract of composite propagator #​5017 @​rv2673

• fix(propagator-aws-xray-*): move propagators back to contrib repository #​4966 @​pichlermarc

  • The specification prohibits hosting these packages in the core repository
  • @opentelemetry/propagator-aws-xray is now located in open-telemetry/opentelemetry-js-contrib
  • @opentelemetry/propagator-aws-xray-lambda is now located in [open-telemetry/opentelemetry-js-contrib](https://redirect.github.com/open-telemetry/opentelemetry-

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE