fix(security): bump @opentelemetry sdk-node/exporter-prometheus to 0.217.0 (with ReadableSpan migration)#702

Open
langwatch-agent wants to merge 1 commit into
mainfrom
security/scenario-otel-0.217
Open

fix(security): bump @opentelemetry sdk-node/exporter-prometheus to 0.217.0 (with ReadableSpan migration)#702
langwatch-agent wants to merge 1 commit into
mainfrom
security/scenario-otel-0.217

Conversation

@langwatch-agent

@langwatch-agent langwatch-agent commented Jun 25, 2026

Contributor

Raises the OpenTelemetry SDK in the javascript package to close the HIGH OTel advisories, and adapts the judge span code to the new SDK (path C: the bump breaks typecheck, the fix ships in the same PR).

Alerts resolved

Changes

  • Direct dep @opentelemetry/sdk-node 0.212.0 -> 0.217.0 (pulls exporter-prometheus 0.217.0). Both javascript locks regenerated; the only non-OTel addition is import-in-the-middle (OTel's instrumentation helper).
  • Migration: the newer OTel SDK replaces ReadableSpan.parentSpanId (string) with the typed parentSpanContext (SpanContext). The three getParentSpanId helpers (span-utils, judge-span-collector, judge-span-digest-formatter) now read parentSpanContext.spanId, with the flat parentSpanId kept as a fallback for older span implementations.

Verification

  • tsc --noEmit passes (it failed before the migration with Property 'parentSpanId' does not exist on type 'ReadableSpan').
  • tsup build succeeds.
  • Judge span unit suite: 150 tests / 10 files pass on the new SDK.
  • pnpm install --frozen-lockfile and npm ci both clean.

Not included

@coderabbitai

coderabbitai Bot commented Jun 25, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 901e0f3 and addd7c7.

⛔ Files ignored due to path filters (2)
  • javascript/package-lock.json is excluded by !**/package-lock.json
  • javascript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • javascript/package.json
  • javascript/src/agents/judge/judge-span-collector.ts
  • javascript/src/agents/judge/judge-span-digest-formatter.ts
  • javascript/src/agents/judge/span-utils.ts
  • javascript/src/execution/__tests__/scenario-role-attributes.test.ts
  • javascript/src/execution/__tests__/scenario-scope-attribute.test.ts
🚧 Files skipped from review as they are similar to previous changes (6)
  • javascript/package.json
  • javascript/src/agents/judge/span-utils.ts
  • javascript/src/agents/judge/judge-span-digest-formatter.ts
  • javascript/src/execution/__tests__/scenario-scope-attribute.test.ts
  • javascript/src/agents/judge/judge-span-collector.ts
  • javascript/src/execution/__tests__/scenario-role-attributes.test.ts

Walkthrough

The PR bumps @opentelemetry/sdk-node, updates judge span helpers to prefer parentSpanContext.spanId with a legacy parentSpanId fallback, and adjusts execution tests to match the provider’s expected spanProcessors type.

Changes

OpenTelemetry compatibility update

  • Dependency update (javascript/package.json): @opentelemetry/sdk-node is bumped in the JavaScript package metadata.
  • Parent span lookup (javascript/src/agents/judge/judge-span-collector.ts, javascript/src/agents/judge/judge-span-digest-formatter.ts, javascript/src/agents/judge/span-utils.ts): getParentSpanId now reads parentSpanContext.spanId first and falls back to legacy parentSpanId handling across the judge span helpers.
  • Tracer provider test setup (javascript/src/execution/__tests__/scenario-role-attributes.test.ts, javascript/src/execution/__tests__/scenario-scope-attribute.test.ts): the execution tests cast spanProcessors to the provider's expected type before creating NodeTracerProvider instances.

Poem

A rabbit hopped through OTel trails,
With span IDs tucked in newer veils.
🐇 The judge now peeks, then gently sighs,
And follows parent-shaped surprises.
Thump-thump—compatibility prevails.

🚥 Pre-merge checks (5 passed)
  • Title check: ✅ Passed. The title accurately reflects the SDK bump and ReadableSpan migration in this PR.
  • Description check: ✅ Passed. The description is detailed and clearly matches the OpenTelemetry bump and span API migration.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@langwatch-agent langwatch-agent force-pushed the security/scenario-otel-0.217 branch from 6e88c4f to 51e5472 Compare June 25, 2026 06:11
@langwatch-agent langwatch-agent changed the title fix(security): bump @opentelemetry to 0.217.0 / core 2.8.0 (with ReadableSpan migration) fix(security): bump @opentelemetry sdk-node/exporter-prometheus to 0.217.0 (with ReadableSpan migration) Jun 25, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
javascript/src/agents/judge/judge-span-collector.ts (1)

75-81: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Reuse the shared getParentSpanId helper.

This compatibility shim is now identical to javascript/src/agents/judge/span-utils.ts. Importing the shared export here instead of keeping a third copy will keep future OpenTelemetry shape changes from drifting across files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@javascript/src/agents/judge/judge-span-collector.ts` around lines 75 - 81,
The local getParentSpanId compatibility shim in judge-span-collector is
duplicating the shared logic already implemented in span-utils; replace the
inline helper with an import of the shared getParentSpanId export and update the
collector to use that shared function so OpenTelemetry shape handling stays
centralized and consistent.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 886af57 and 6e88c4f.

⛔ Files ignored due to path filters (2)
  • javascript/package-lock.json is excluded by !**/package-lock.json
  • javascript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • javascript/package.json
  • javascript/src/agents/judge/judge-span-collector.ts
  • javascript/src/agents/judge/judge-span-digest-formatter.ts
  • javascript/src/agents/judge/span-utils.ts

@langwatch-agent langwatch-agent force-pushed the security/scenario-otel-0.217 branch from 51e5472 to 46c113c Compare June 25, 2026 06:14
@langwatch-agent

Contributor Author

CI fully green. Ready for human review and merge. Resolves the HIGH @opentelemetry/sdk-node (#428) and exporter-prometheus (#427) advisories via the 0.217.0 bump, with the ReadableSpan parent-access migration (now version-agnostic: reads both parentSpanContext.spanId and the legacy parentSpanId via a cast, since the tree carries two sdk-trace-base versions). typecheck + tsup build + 150 judge tests green. The MODERATE @opentelemetry/core <2.8.0 alerts (#442/#450) are intentionally not included; see the PR description for why (old OTel 1.x subtree from the langwatch SDK dep).

@langwatch-agent langwatch-agent added the dependabot-scout Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity) label Jul 2, 2026
@langwatch-agent langwatch-agent force-pushed the security/scenario-otel-0.217 branch from 46c113c to 901e0f3 Compare July 3, 2026 06:18
@langwatch-agent

Contributor Author

Rebased onto main. Two execution tests added on main since this PR opened (scenario-role-attributes, scenario-scope-attribute) construct a NodeTracerProvider with a SimpleSpanProcessor; after the sdk-node 0.217 bump those two symbols resolve to different @opentelemetry/sdk-trace-base copies in the tree (the langwatch SDK pulls an older 1.x subtree), so tsc flagged a SpanProcessor type mismatch. Cast to the provider's expected type to keep tsc happy without disturbing the 1.x subtree. Re-dogfooded: typecheck, tsup build (incl DTS), judge slice (150) and the two edited tests all pass; frozen install clean. Mergeable again.

…217.0

Clears HIGH alerts #427 (exporter-prometheus) and #428 (sdk-node) by
bumping @opentelemetry/sdk-node to 0.217.0.

App-side changes the bump requires:
- ReadableSpan.parentSpanId became parentSpanContext in the newer SDK; the
  judge span utilities read the parent id version-agnostically (span-utils,
  judge-span-collector, judge-span-digest-formatter).
- The tree carries multiple @opentelemetry/sdk-trace-base copies (the
  langwatch SDK pulls an older 1.x subtree), so in the role/scope execution
  tests SimpleSpanProcessor and NodeTracerProvider's expected SpanProcessor
  resolve to different copies. Cast to the provider's expected type to keep
  tsc happy without touching the 1.x subtree (build and runtime are fine).

Dogfooded: typecheck, tsup build (incl DTS), judge unit slice (150), and the
edited execution tests all pass; frozen install clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@langwatch-agent langwatch-agent force-pushed the security/scenario-otel-0.217 branch from 901e0f3 to addd7c7 Compare July 3, 2026 06:21

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
javascript/src/execution/__tests__/scenario-role-attributes.test.ts (1)

57-64: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate cast block — extract into shared test helper.

The identical spanProcessors cast (with the same explanatory comment) appears twice here and again in scenario-scope-attribute.test.ts. Since this is a workaround tied to a specific dependency-tree quirk, consolidating it into a shared helper (e.g., createTestTracerProvider(exporter)) would keep all three sites in sync if the cast ever needs to change or be removed once the duplicate sdk-trace-base copies are resolved.

♻️ Suggested helper extraction

```typescript
// e.g. in a shared test-utils file (imports added here; the suggestion omitted them)
import { InMemorySpanExporter, SimpleSpanProcessor } from "@opentelemetry/sdk-trace-base";
import { NodeTracerProvider } from "@opentelemetry/sdk-trace-node";

export function createTestSpanProcessors(exporter: InMemorySpanExporter) {
  // Multiple `@opentelemetry/sdk-trace-base` copies coexist in the tree, so
  // SimpleSpanProcessor and NodeTracerProvider's expected SpanProcessor can
  // resolve to different copies. Cast to the type the provider expects.
  return [
    new SimpleSpanProcessor(exporter),
  ] as unknown as NonNullable<
    ConstructorParameters<typeof NodeTracerProvider>[0]
  >["spanProcessors"];
}
```

Also applies to: 191-198

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@javascript/src/execution/__tests__/scenario-role-attributes.test.ts` around
lines 57 - 64, The same spanProcessors cast and explanatory comment are
duplicated in this test and scenario-scope-attribute.test.ts, so extract that
workaround into a shared helper instead of repeating it. Move the
NodeTracerProvider/SimpleSpanProcessor cast logic into a reusable test utility
such as createTestTracerProvider or createTestSpanProcessors, then update both
tests to call it so any future change to the OpenTelemetry workaround stays in
one place.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 46c113c and 901e0f3.

⛔ Files ignored due to path filters (2)
  • javascript/package-lock.json is excluded by !**/package-lock.json
  • javascript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • javascript/package.json
  • javascript/src/agents/judge/judge-span-collector.ts
  • javascript/src/agents/judge/judge-span-digest-formatter.ts
  • javascript/src/agents/judge/span-utils.ts
  • javascript/src/execution/__tests__/scenario-role-attributes.test.ts
  • javascript/src/execution/__tests__/scenario-scope-attribute.test.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • javascript/src/agents/judge/judge-span-collector.ts
  • javascript/src/agents/judge/judge-span-digest-formatter.ts
  • javascript/src/agents/judge/span-utils.ts
  • javascript/package.json

@langwatch-agent

Contributor Author

CI green after the lock fix (frozen install, typecheck, tsup build, and the execution tests all pass). Ready for human review and merge (closes @opentelemetry/exporter-prometheus #427 and sdk-node #428).

@langwatch-agent langwatch-agent added the hound-checked Triaged by the pr-hound agent at the current head SHA label Jul 3, 2026
@langwatch-agent langwatch-agent assigned md3191 and unassigned md3191 Jul 3, 2026
@langwatch-agent langwatch-agent requested review from md3191 and removed request for md3191 July 3, 2026 15:21
@langwatch-agent langwatch-agent removed the request for review from md3191 July 3, 2026 15:22
@langwatch-agent

Contributor Author

🐕 PR Hound review brief — assigned reviewer @0xdeafcafe

Review mode: Targeted Review
Scariest prod risk: The OTel SDK bump flips getParentSpanId precedence to read parentSpanContext.spanId first with parentSpanId as fallback; if any live span shape returns a truthy-but-empty parentSpanContext, parent linkage in judge spans could silently break.

Inspection targets (max 3):

  • [Must Check] judge-span-collector.ts / judge-span-digest-formatter.ts / span-utils.ts getParentSpanId — confirm the three copies are identical and the parentSpanContext?.spanId ?? parentSpanId order correctly handles both new SDK spans and older flat-parentSpanId spans.
  • [Probably Fine] lockfiles — verify the only non-OTel addition is import-in-the-middle (OTel's helper) and no unrelated transitive majors moved.
  • [Ask Author] @opentelemetry/core MODERATE (chore(deps): bump actions/cache from 3.5.0 to 5.0.5 #442/fix(deps): bump fast-uri to >=3.1.2 for high severity CVEs #450) left unresolved — confirm this is a conscious deferral (blanket core >=2.8.0 breaks the 1.30.1 subtree) and tracked.

Author questions:

  • Judge span unit suite passing on the new SDK is good; is there any integration/e2e path that exercises real cross-service parent spans to confirm linkage in practice?
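A version-agnostic parent lookup of the kind the PR description and the Hound brief discuss, written here as an added example rather than code from this PR or the scenario project. The SpanLike shape, the hex span-id validity check, and the sample spans are my assumptions; the point is that a truthy-but-empty parentSpanContext falls through to the legacy field instead of breaking linkage.

```typescript
// Added example (not the project's code): a version-agnostic parent lookup
// modelled on this PR's ReadableSpan migration. The span shapes are hand-written
// structural stand-ins for @opentelemetry's ReadableSpan, so it runs offline.

// Constructed subset of SpanContext as exposed by the newer sdk-trace-base.
interface ParentSpanContext {
  traceId: string;
  spanId: string;
}

// Covers both SDK generations: newer spans carry parentSpanContext, older
// ones carry a flat parentSpanId string.
interface SpanLike {
  name: string;
  spanId: string;
  parentSpanContext?: ParentSpanContext;
  parentSpanId?: string; // legacy field
}

// OTel span ids are 16 lowercase hex chars; the all-zero id means "no parent".
const SPAN_ID_RE = /^[0-9a-f]{16}$/;
const INVALID_SPAN_ID = "0000000000000000";
function isValidSpanId(id: unknown): id is string {
  return typeof id === "string" && SPAN_ID_RE.test(id) && id !== INVALID_SPAN_ID;
}

// Reads the parent id from whichever shape the span carries. Unlike a bare
// `parentSpanContext?.spanId ?? parentSpanId`, an empty or invalid id in the
// new field does not short-circuit the lookup: the legacy field is still
// consulted, and true roots yield undefined rather than "".
function getParentSpanId(span: SpanLike): string | undefined {
  const fromContext = span.parentSpanContext?.spanId;
  if (isValidSpanId(fromContext)) return fromContext;
  if (isValidSpanId(span.parentSpanId)) return span.parentSpanId;
  return undefined;
}

// Groups span names by parent id so a digest can walk the tree; roots key "".
function groupByParent(spans: SpanLike[]): Map<string, string[]> {
  const children = new Map<string, string[]>();
  for (const s of spans) {
    const key = getParentSpanId(s) ?? "";
    children.set(key, [...(children.get(key) ?? []), s.name]);
  }
  return children;
}

// Constructed sample spans (ids are made up) in every shape the helper handles.
const SAMPLE_SPANS: SpanLike[] = [
  { name: "root", spanId: "aaaaaaaaaaaaaaaa" },
  { name: "new-sdk-child", spanId: "bbbbbbbbbbbbbbbb",
    parentSpanContext: { traceId: "1".repeat(32), spanId: "aaaaaaaaaaaaaaaa" } },
  { name: "legacy-child", spanId: "cccccccccccccccc", parentSpanId: "aaaaaaaaaaaaaaaa" },
  // truthy-but-empty context: falls through to the legacy id instead of ""
  { name: "empty-context", spanId: "dddddddddddddddd",
    parentSpanContext: { traceId: "1".repeat(32), spanId: "" }, parentSpanId: "bbbbbbbbbbbbbbbb" },
];
```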

@langwatch-agent langwatch-agent added the review: targeted PR Hound review mode label Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR's diff could not be evaluated automatically: Diff too large for automated evaluation (100243 chars exceeds 100000-char limit). Manual review required.

This PR requires a manual review before merging.
