
fix(telemetry): pin @opentelemetry/* deps and group renovate updates #4773

Merged: mcollina merged 5 commits into main from fix/telemetry-otel-dedupe, May 8, 2026

Conversation


@mcollina mcollina commented May 8, 2026

Summary

  • @platformatic/telemetry declared most @opentelemetry/* deps with caret ranges (e.g. ^2.0.1) while @opentelemetry/sdk-node pins its sub-deps to exact versions. With resolutionMode: highest, the carets resolved to the highest 2.x while sdk-node still demanded its pinned 2.0.x — producing two parallel copies of @opentelemetry/core, /resources, /sdk-trace-base, and /exporter-zipkin inside @platformatic/telemetry's installed tree. End users npm install-ing this package got the same duplication, which can break OTel context/instrumentation wiring (instrumentations create spans against one copy of sdk-trace-base while the SDK exports from another).
  • Pin every @opentelemetry/* dep (and the express/pg dev-dep instrumentations) to exact versions matching the latest aligned sdk-node@0.217.0 line. This dedupes the whole subtree to a single copy of each package.
  • Add a Renovate group for @opentelemetry/** so every OTel update bumps the entire set in one PR — pinning prevents drift today, the group prevents future drift from a partial bump.

Verification

pnpm why for every @opentelemetry/* package now reports Found 1 version within the telemetry tree:

api                       Found 1 version of @opentelemetry/api
core                      Found 1 version of @opentelemetry/core
resources                 Found 1 version of @opentelemetry/resources
sdk-trace-base            Found 1 version of @opentelemetry/sdk-trace-base
exporter-zipkin           Found 1 version of @opentelemetry/exporter-zipkin
sdk-node                  Found 1 version of @opentelemetry/sdk-node
instrumentation           Found 1 version of @opentelemetry/instrumentation
instrumentation-http      Found 1 version of @opentelemetry/instrumentation-http
instrumentation-undici    Found 1 version of @opentelemetry/instrumentation-undici
instrumentation-express   Found 1 version of @opentelemetry/instrumentation-express
instrumentation-pg        Found 1 version of @opentelemetry/instrumentation-pg
... (all single-version)

Test plan

  • CI green
  • pnpm test in packages/telemetry passes locally
  • Confirm no other workspace package's tree pulls a now-missing pre-0.217 OTel package

Assisted-by: claude-code:claude-opus-4-7

mcollina added 3 commits May 8, 2026 10:48

The package.json declared most @opentelemetry/* deps with caret ranges
while @opentelemetry/sdk-node pins its sub-deps to exact versions. With
resolutionMode: highest, the carets resolved to the highest 2.x while
sdk-node still demanded its pinned 2.0.x, producing two parallel copies
of @opentelemetry/core, /resources, /sdk-trace-base, and /exporter-zipkin
in @platformatic/telemetry's installed tree. End users got the same
duplication.

Pin every @opentelemetry/* dep (and the express/pg dev-dep
instrumentations) to exact versions matching the latest aligned
sdk-node@0.217.0 line so the whole subtree dedupes to a single copy.

Add a Renovate group for @opentelemetry/** so all OTel packages bump
together in a single PR, preventing this drift from recurring.

Verified with `pnpm why` — single version of every @opentelemetry/*
package within the telemetry tree.

Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Matteo Collina <hello@matteocollina.com>
Three follow-up changes to fully dedupe OpenTelemetry across the
workspace:

- Bump @platformatic/telemetry's @opentelemetry/api pin from 1.9.0 to
  1.9.1. Other workspace packages declared `^1.9.0` and pnpm
  (resolutionMode: highest) resolved them to 1.9.1, so telemetry's
  exact-1.9.0 pin caused a duplicate copy of the OTel API at the
  workspace root. The OTel API holds global state (tracer/context
  managers), so duplicates here are the most consequential — they cause
  silent loss of context across instrumentation boundaries.

- Bump @platformatic/runtime's pino-opentelemetry-transport from ^2.0.0
  to ^3.0.0. v3 uses otlp-logger@^2.0.0 (newer OTel chain than v2's
  otlp-logger@^1.x), narrowing the duplication coming through this
  transitive path. Full alignment requires otlp-logger@2.1.0, which
  pins ^0.217.0 — outside our control, will resolve through Renovate
  once it clears the workspace's minimumReleaseAge gate.

- Add test/no-duplicate-otel.test.js. The test walks the resolved
  dependency graph from @platformatic/telemetry's package.json (using
  Node's actual module resolution from the test directory, which
  matches what an end user installing telemetry would see) and asserts
  every @opentelemetry/* package appears at exactly one version. This
  guards against future regressions where a caret range or a sub-dep
  pin pulls a second copy.

Verified:
- `pnpm why @opentelemetry/api` reports 1 version workspace-wide
- The new test passes against telemetry's tree
- The remaining 0.212/2.5.1 lockfile entries are confined to
  otlp-logger's own subtree (acceptable per upstream constraints)

Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Matteo Collina <hello@matteocollina.com>
@opentelemetry/exporter-trace-otlp-proto@0.217.0 normalizes the
configured endpoint URL by appending a trailing slash. Update the two
assertions in telemetry.test.js to match.

Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Matteo Collina <hello@matteocollina.com>

@mcollina mcollina requested review from ShogunPanda and marcopiraccini and removed request for ShogunPanda May 8, 2026 10:36

@opentelemetry/instrumentation-pg@0.69.0 captures the migration's
INFORMATION_SCHEMA queries with the same span name format as the
route's SELECT * FROM users, so the existing find-by-name picked the
migration span first and the assertion compared the wrong statement.

Match by attributes['db.statement'] instead — uniquely identifies the
route's query regardless of how many other queries the migrator runs.

Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Matteo Collina <hello@matteocollina.com>

socket-security Bot commented May 8, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

@stylistic/quotes prefers single quotes unless the string contains an
apostrophe. The pre-commit autofix converted the message to single
quotes and escaped "telemetry's" as \'s, which then trips the rule on
CI's no-fix lint pass. Reword to avoid the apostrophe.

Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Matteo Collina <hello@matteocollina.com>

@mcollina mcollina merged commit 258d7a4 into main May 8, 2026
154 of 155 checks passed
@mcollina mcollina deleted the fix/telemetry-otel-dedupe branch May 8, 2026 15:43