fix(pubsub): upgrade @opentelemetry/core to address vulnerability#8783
fix(pubsub): upgrade @opentelemetry/core to address vulnerability#8783Gribesh wants to merge 1 commit into
Conversation
Upgrades @opentelemetry/core and @opentelemetry/sdk-trace-base to version ^2.8.0 to address GHSA-8988-4f7v-96qf. Updates tracing tests initialization and span parent reference properties to comply with the OpenTelemetry 2.x API changes.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request upgrades OpenTelemetry dependencies to version 2.8.0 and updates the test suite to align with the new API, such as using parentSpanContext?.spanId. However, in handwritten/pubsub/test/tracing.ts, the BasicTracerProvider constructor does not accept spanProcessors in its configuration object, which will cause the span processor to be ignored and tests to fail. It is recommended to revert to using provider.addSpanProcessor() as suggested.
| export const provider: BasicTracerProvider = new BasicTracerProvider({ | ||
| spanProcessors: [new SimpleSpanProcessor(exporter)], | ||
| }); |
There was a problem hiding this comment.
The BasicTracerProvider constructor in @opentelemetry/sdk-trace-base does not accept spanProcessors in its configuration object. Passing it here will result in the span processor being ignored, which will cause the tracing tests to fail because no spans will be exported to the InMemorySpanExporter. Instead, use provider.addSpanProcessor() to register the span processor.
export const provider: BasicTracerProvider = new BasicTracerProvider();
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));There was a problem hiding this comment.
In the 2.x SDK release, addSpanProcessor() method was removed
Instead, registering span processors is now constructor-only option in 2.x. Details in OpenTelemetry JS 2.x Upgrade Guide.
|
@gemini-code-assist review this PR against the OpenTelemetry 2.x Migration Guide. also a comprehensive audit of the pubsub layer flag any deviation from the migration spec, deprecated API surface, or compat shims masking incompleteness. Do not defer to legacy code patterns; push back on any pragmatic workarounds that defer the full migration. Document breaking changes and require explicit remediation rather than backwards-compatibility theater. |
There was a problem hiding this comment.
Code Review
This pull request updates the OpenTelemetry dependencies (@opentelemetry/core and @opentelemetry/sdk-trace-base) to version ^2.8.0. It also formats several logging statements, updates the test assertions to access parentSpanContext?.spanId instead of the deprecated parentSpanId, and adjusts the global tracer provider registration in the test suite. There are no review comments, so I have no feedback to provide.
1 participant
Upgrades @opentelemetry/core and @opentelemetry/sdk-trace-base to version ^2.8.0 to address GHSA-8988-4f7v-96qf.
Updates tracing tests initialization and span parent reference properties to comply with the OpenTelemetry 2.x API changes. (refered to the OpenTelemetry 2.x Migration Guide).
Rest are autogenerated protos and formatting.