Skip to content

chore(deps): bump @opentelemetry/core, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node#10

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-e0b938d69d
Open

chore(deps): bump @opentelemetry/core, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-e0b938d69d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown

Bumps @opentelemetry/core to 2.8.0 and updates ancestor dependencies @opentelemetry/core, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node. These dependencies need to be updated together.

Updates @opentelemetry/core from 2.7.1 to 2.8.0

Release notes

Sourced from @​opentelemetry/core's releases.

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc
Changelog

Sourced from @​opentelemetry/core's changelog.

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc
Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Updates @opentelemetry/auto-instrumentations-node from 0.76.0 to 0.77.0

Release notes

Sourced from @​opentelemetry/auto-instrumentations-node's releases.

auto-instrumentations-node: v0.77.0

0.77.0 (2026-06-11)

Features

  • add @​opentelemetry/instrumentation-host-metrics and integrate into auto-instrumentations-node (#3492) (16bee31)
  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​opentelemetry/instrumentation-amqplib bumped from ^0.65.0 to ^0.66.0
      • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.70.0 to ^0.71.0
      • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.73.0 to ^0.74.0
      • @​opentelemetry/instrumentation-bunyan bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-connect bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-cucumber bumped from ^0.34.0 to ^0.35.0
      • @​opentelemetry/instrumentation-dataloader bumped from ^0.35.0 to ^0.36.0
      • @​opentelemetry/instrumentation-dns bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-express bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-fs bumped from ^0.37.0 to ^0.38.0
      • @​opentelemetry/instrumentation-generic-pool bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-graphql bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-hapi bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-host-metrics bumped from ^0.1.0 to ^0.2.0
      • @​opentelemetry/instrumentation-ioredis bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-kafkajs bumped from ^0.27.0 to ^0.28.0
      • @​opentelemetry/instrumentation-knex bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-koa bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-memcached bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-mongodb bumped from ^0.71.0 to ^0.72.0
      • @​opentelemetry/instrumentation-mongoose bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-mysql bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-mysql2 bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-net bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-openai bumped from ^0.16.0 to ^0.17.0
      • @​opentelemetry/instrumentation-oracledb bumped from ^0.43.0 to ^0.44.0
      • @​opentelemetry/instrumentation-pg bumped from ^0.70.0 to ^0.71.0
      • @​opentelemetry/instrumentation-pino bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-redis bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-restify bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-router bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-runtime-node bumped from ^0.31.0 to ^0.32.0
      • @​opentelemetry/instrumentation-socket.io bumped from ^0.65.0 to ^0.66.0

... (truncated)

Changelog

Sourced from @​opentelemetry/auto-instrumentations-node's changelog.

0.77.0 (2026-06-11)

Features

  • add @​opentelemetry/instrumentation-host-metrics and integrate into auto-instrumentations-node (#3492) (16bee31)
  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​opentelemetry/instrumentation-amqplib bumped from ^0.65.0 to ^0.66.0
      • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.70.0 to ^0.71.0
      • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.73.0 to ^0.74.0
      • @​opentelemetry/instrumentation-bunyan bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-connect bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-cucumber bumped from ^0.34.0 to ^0.35.0
      • @​opentelemetry/instrumentation-dataloader bumped from ^0.35.0 to ^0.36.0
      • @​opentelemetry/instrumentation-dns bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-express bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-fs bumped from ^0.37.0 to ^0.38.0
      • @​opentelemetry/instrumentation-generic-pool bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-graphql bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-hapi bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-host-metrics bumped from ^0.1.0 to ^0.2.0
      • @​opentelemetry/instrumentation-ioredis bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-kafkajs bumped from ^0.27.0 to ^0.28.0
      • @​opentelemetry/instrumentation-knex bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-koa bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-memcached bumped from ^0.61.0 to ^0.62.0
      • @​opentelemetry/instrumentation-mongodb bumped from ^0.71.0 to ^0.72.0
      • @​opentelemetry/instrumentation-mongoose bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-mysql bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-mysql2 bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-net bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-openai bumped from ^0.16.0 to ^0.17.0
      • @​opentelemetry/instrumentation-oracledb bumped from ^0.43.0 to ^0.44.0
      • @​opentelemetry/instrumentation-pg bumped from ^0.70.0 to ^0.71.0
      • @​opentelemetry/instrumentation-pino bumped from ^0.64.0 to ^0.65.0
      • @​opentelemetry/instrumentation-redis bumped from ^0.66.0 to ^0.67.0
      • @​opentelemetry/instrumentation-restify bumped from ^0.63.0 to ^0.64.0
      • @​opentelemetry/instrumentation-router bumped from ^0.62.0 to ^0.63.0
      • @​opentelemetry/instrumentation-runtime-node bumped from ^0.31.0 to ^0.32.0
      • @​opentelemetry/instrumentation-socket.io bumped from ^0.65.0 to ^0.66.0
      • @​opentelemetry/instrumentation-tedious bumped from ^0.37.0 to ^0.38.0

... (truncated)

Commits
  • 4e52a90 chore: release main (#3524)
  • bd569b5 feat(deps): update deps matching '@opentelemetry/*' (#3567)
  • 16bee31 feat: add @​opentelemetry/instrumentation-host-metrics and integrate into auto...
  • See full diff in compare view

Updates @opentelemetry/exporter-trace-otlp-http from 0.218.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-trace-otlp-http's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith
Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Updates @opentelemetry/sdk-node from 0.218.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith
Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…ations-node, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node

Bumps [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) to 2.8.0 and updates ancestor dependencies [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/auto-instrumentations-node](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/auto-instrumentations-node), [@opentelemetry/exporter-trace-otlp-http](https://github.com/open-telemetry/opentelemetry-js) and [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js). These dependencies need to be updated together.


Updates `@opentelemetry/core` from 2.7.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.7.1...v2.8.0)

Updates `@opentelemetry/auto-instrumentations-node` from 0.76.0 to 0.77.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/auto-instrumentations-node/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/auto-instrumentations-node-v0.77.0/packages/auto-instrumentations-node)

Updates `@opentelemetry/exporter-trace-otlp-http` from 0.218.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.218.0...experimental/v0.219.0)

Updates `@opentelemetry/sdk-node` from 0.218.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.218.0...experimental/v0.219.0)

---
updated-dependencies:
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.8.0
  dependency-type: indirect
- dependency-name: "@opentelemetry/auto-instrumentations-node"
  dependency-version: 0.77.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/exporter-trace-otlp-http"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.219.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​@​opentelemetry/​exporter-trace-otlp-http@​0.218.0 ⏵ 0.219.07210010097100
Updatednpm/​@​opentelemetry/​auto-instrumentations-node@​0.76.0 ⏵ 0.77.097100100 +198100
Updatednpm/​@​opentelemetry/​sdk-node@​0.218.0 ⏵ 0.219.098100100 +197100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm rimraf is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@opentelemetry/auto-instrumentations-node@0.77.0npm/rimraf@5.0.10

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rimraf@5.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants