deps(pubsub): bump @opentelemetry/core to ^2.0.0 #8766
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request updates the @opentelemetry/core dependency in handwritten/pubsub/package.json from ^1.30.1 to ^2.0.0. The review feedback correctly points out that mixing major versions of OpenTelemetry packages (upgrading core to v2.x while keeping API and semantic conventions on v1.x) can lead to duplicate package installations and runtime issues like context propagation loss. It is recommended to coordinate major version upgrades across all OpenTelemetry dependencies to maintain compatibility.
…tests

Bumps the `@opentelemetry/sdk-trace-base` devDependency to `^2.0.0` so the test tree no longer pulls in `@opentelemetry/core@1.x` alongside the `core@2.x` bump, removing the duplicate-core install flagged in review.

Adapts the tests for the `sdk-trace-base` v2 breaking changes:
- `BasicTracerProvider` takes `spanProcessors` via constructor; `register()` removed (use `trace.setGlobalTracerProvider`).
- `ReadableSpan.parentSpanId` -> `parentSpanContext?.spanId`.
- The publish RPC span back-link must be created while the parent span is still open (`addLink` on an ended span is a no-op in v2); reorder the test to match the real publish flow.
Motivation

`@google-cloud/pubsub` depends on `@opentelemetry/core@^1.30.1`, which is affected by GHSA-8988-4f7v-96qf (moderate) — Unbounded memory allocation in W3C Baggage propagation. The 2.x line is not affected. This surfaces as a Dependabot / `npm audit` advisory for downstream consumers.

Change

- `@opentelemetry/core` from `^1.30.1` to `^2.0.0` (dependency) — the actual security fix.
- `@opentelemetry/sdk-trace-base` from `^1.17.0` to `^2.0.0` (devDependency) so the test tree no longer pulls `@opentelemetry/core@1.x` in alongside the `core@2.x` bump (addresses the duplicate-`core` concern raised in review). This does not affect consumers. `sdk-trace-base` v2 breaking changes (see below).

Compatibility

- Production source is unchanged. The only symbol pubsub imports from `@opentelemetry/core` is `W3CTraceContextPropagator` (`src/telemetry-tracing.ts`); its public API is unchanged between v1 and v2.
- `@opentelemetry/core@2.x` declares the peer dependency `@opentelemetry/api: ">=1.0.0 <1.10.0"`, satisfied by pubsub's existing `@opentelemetry/api@~1.9.0`.
- `@opentelemetry/api` and `@opentelemetry/semantic-conventions` are versioned independently of the SDK and are intentionally kept on 1.x — the context registry / propagation machinery lives in `@opentelemetry/api`, of which there is a single instance, so there is no duplicate-instance or `instanceof` hazard for consumers.

Test adaptations for `@opentelemetry/sdk-trace-base@2`

- `BasicTracerProvider` now takes span processors via its constructor and no longer exposes `register()` — use `trace.setGlobalTracerProvider()` (`test/tracing.ts`).
- `ReadableSpan.parentSpanId` was replaced by `parentSpanContext` (`test/subscriber.ts`, `test/telemetry-tracing.ts`).
- `addLink()` on an already-ended span is now a no-op. One test ended the parent span before the publish RPC span (which adds a back-link onto it) was created; reordered to create the RPC span while the parent is still open, matching the real publish flow in `Queue._publish` (`test/telemetry-tracing.ts`).
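As an added example (not code from the PR or the pubsub project): a small check for the duplicate-install concern raised in review and closed by the `sdk-trace-base` bump. It walks the JSON that `npm ls --all --json` prints and reports any package under a prefix that is installed at more than one version; the tree below is constructed to mirror the flagged state rather than taken from a real checkout.

```javascript
// Added example, not part of the PR: detect a package installed at more than
// one version by walking the JSON that `npm ls --all --json` prints. Assumes
// the standard npm ls shape: { name, version, dependencies: { <name>: node } }.

// Constructed sample tree: the state the review flagged, where the production
// dependency is core@2 but a 1.x sdk-trace-base still nests its own core@1.x.
const SAMPLE_TREE = {
  name: '@google-cloud/pubsub',
  version: '0.0.0-sample',
  dependencies: {
    '@opentelemetry/api': { version: '1.9.0' },
    '@opentelemetry/core': { version: '2.0.0' },
    '@opentelemetry/sdk-trace-base': {
      version: '1.17.0',
      dependencies: {
        '@opentelemetry/core': { version: '1.30.1' },
      },
    },
  },
};

// Recursively record every (name, version) pair and the tree path it sits at.
// Returns Map<name, Map<version, string[] of paths>>.
function collectVersions(tree, path = [], out = new Map()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (!out.has(name)) out.set(name, new Map());
    const byVersion = out.get(name);
    if (!byVersion.has(node.version)) byVersion.set(node.version, []);
    byVersion.get(node.version).push(here.join(' > '));
    collectVersions(node, here, out);
  }
  return out;
}

// Packages under `prefix` that resolve to more than one version. Each entry
// maps version -> paths, so the nested copy's origin is visible at a glance.
function findDuplicates(tree, prefix = '') {
  const dupes = [];
  for (const [name, byVersion] of collectVersions(tree)) {
    if (name.startsWith(prefix) && byVersion.size > 1) {
      dupes.push({ name, versions: Object.fromEntries(byVersion) });
    }
  }
  return dupes;
}

// In CI, replace SAMPLE_TREE with JSON.parse(fs.readFileSync(0)) to read stdin.
console.log(JSON.stringify(findDuplicates(SAMPLE_TREE, '@opentelemetry/'), null, 2));
```

An empty result after the bump is the condition the PR description claims for the test tree; a non-empty one names the nested path that still drags the old major in.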