feat(deps): Bump OpenTelemetry dependencies #20786
JPeer264 left a comment:
I have just 3 comments which are all the same.
| // In OTEL we store the sample rand on the trace state because we cannot access scopes for NonRecordingSpans | ||
| // The Sentry OTEL SpanSampler takes care of writing the sample rand on the root span | ||
| traceState?.get('sentry.sample_rand') ?? | ||
| traceState?.get('sentry-sample_rand') ?? |
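Review bot: The new `traceState?.get('sentry-sample_rand')` lookup hard-codes the key as a string literal, while the comment above it says a separate SpanSampler writes the value. If the two spellings drift, `get()` returns undefined and the `??` chain falls through without any error. Consider a shared constant for the key on both the read and the write side, as is done with `SENTRY_TRACE_STATE_URL` elsewhere in this PR.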
q: Shouldn't it be sentry-dsc-sample_rand? The prefix seems to be sentry-dsc-
No, that's different from the DSC.
Basically what we mapped to was `sentry.` -> `sentry-` and `sentry.dsc` was split into `sentry-dsc-*` entries.
| // This is so that the downstream traces/services can use parentSampleRate in their `tracesSampler` to make consistent sampling decisions across the entire trace. | ||
| const rootSpanSampleRate = | ||
| traceState?.get('sentry.sample_rate') ?? | ||
| traceState?.get('sentry-sample_rate') ?? |
q: Shouldn't it be sentry-dsc-sample_rand? The prefix seems to be sentry-dsc-
| expect(actual.traceState?.get('sentry.sampled_not_recording')).toBe('1'); | ||
| expect(actual.traceState?.get('sentry.sample_rand')).toEqual(expect.any(String)); | ||
| expect(actual.traceState?.get('sentry-sampled_not_recording')).toBe('1'); | ||
| expect(actual.traceState?.get('sentry-sample_rand')).toEqual(expect.any(String)); |
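Review bot: `toEqual(expect.any(String))` on the `sentry-sample_rand` assertion passes for any string, including an empty or percent-encoded one, so it would not catch a value mangled by the encode/decode step this PR introduces. Consider asserting that the stored value parses as a finite number.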
q: Also here, sentry-dsc- prefix?
- Bump @opentelemetry/core from 2.6.1 to 2.7.1
- Bump @opentelemetry/exporter-trace-otlp-http from 0.214.0 to 0.217.0
- Bump @opentelemetry/instrumentation from 0.214.0 to 0.217.0
- Bump @opentelemetry/instrumentation-amqplib from 0.61.0 to 0.64.0
- Bump @opentelemetry/instrumentation-aws-sdk from 0.69.0 to 0.72.0
- Bump @opentelemetry/instrumentation-connect from 0.57.0 to 0.60.0
- Bump @opentelemetry/instrumentation-dataloader from 0.31.0 to 0.34.0
- Bump @opentelemetry/instrumentation-fs from 0.33.0 to 0.36.0
- Bump @opentelemetry/instrumentation-generic-pool from 0.57.0 to 0.60.0
- Bump @opentelemetry/instrumentation-graphql from 0.62.0 to 0.65.0
- Bump @opentelemetry/instrumentation-hapi from 0.60.0 to 0.63.0
- Bump @opentelemetry/instrumentation-http from 0.214.0 to 0.217.0
- Bump @opentelemetry/instrumentation-kafkajs from 0.23.0 to 0.26.0
- Bump @opentelemetry/instrumentation-knex from 0.58.0 to 0.61.0
- Bump @opentelemetry/instrumentation-koa from 0.62.0 to 0.65.0
- Bump @opentelemetry/instrumentation-lru-memoizer from 0.58.0 to 0.61.0
- Bump @opentelemetry/instrumentation-mongodb from 0.67.0 to 0.70.0
- Bump @opentelemetry/instrumentation-mongoose from 0.60.0 to 0.63.0
- Bump @opentelemetry/instrumentation-mysql from 0.60.0 to 0.63.0
- Bump @opentelemetry/instrumentation-mysql2 from 0.60.0 to 0.63.0
- Bump @opentelemetry/instrumentation-nestjs-core from 0.60.0 to 0.63.0
- Bump @opentelemetry/instrumentation-pg from 0.66.0 to 0.69.0
- Bump @opentelemetry/instrumentation-tedious from 0.33.0 to 0.36.0
- Bump @opentelemetry/instrumentation-undici from 0.24.0 to 0.27.0
- Bump @opentelemetry/resources from 2.6.1 to 2.7.1
- Bump @opentelemetry/sdk-node from 0.214.0 to 0.217.0
- Bump @opentelemetry/sdk-trace-base from 2.6.1 to 2.7.1
- Bump @opentelemetry/sdk-trace-node from 2.6.1 to 2.7.1
- Bump @prisma/instrumentation from 7.6.0 to 7.8.0
- Bump @fastify/otel from 0.18.0 to 0.18.1
`@opentelemetry/core` 2.7.1 added strict W3C validation to `TraceState.set()`, rejecting invalid keys with dots and values with `,`, `=` or exceeding 256 characters.

This affects the keys we used previously (e.g. `sentry.dsc` contains a dot) and the DSC was stored as a single serialized baggage string containing commas and equals. They also exceed the 256-char limit for typical production payloads.

We considered pinning `@opentelemetry/core` to 2.7.0, this however means we can't update any instrumentations until our next major v11 because many instrumentations use exact versions of `@opentelemetry/core`. This also locks us out of supporting newer versions of libraries, e.g. amqplib > 1.0 is only supported on newer version of `@opentelemetry/instrumentation-amqplib`.

Instead, we are updating our keys and values to be W3C compliant. These are only used in-memory and do not get serialized and exported as a `tracestate` header so it should be a transparent change.

* We renamed keys from dots to hyphens (e.g. `sentry.sample_rate` becomes `sentry-sample_rate`)
* We split DSC into individual tracestate entries (e.g. `sentry-dsc-environment=production`) instead of one serialized string to avoid the 256-char limit and invalid character usage
* We encode/decode individual values for fields that may contain invalid characters (e.g. transaction names with `=`)
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 4674f00.
| const url = spanAttributes[SEMATTRS_HTTP_URL] || spanAttributes[ATTR_URL_FULL]; | ||
| if (url && typeof url === 'string') { | ||
| traceState = traceState.set(SENTRY_TRACE_STATE_URL, url); | ||
| traceState = traceState.set(SENTRY_TRACE_STATE_URL, encodeURIComponent(url)); |
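Review bot: On the `traceState.set(SENTRY_TRACE_STATE_URL, encodeURIComponent(url))` line, `url` comes straight from span attributes, and `encodeURIComponent` throws a `URIError` on a string containing a lone surrogate, so a malformed URL attribute would raise an exception at this call. Guard the encode and skip the entry on failure. Also make sure every reader of `SENTRY_TRACE_STATE_URL` applies the matching `decodeURIComponent`, since this hunk shows only the write side.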
Over-aggressive URL encoding may silently exceed TraceState limit
Medium Severity
encodeURIComponent encodes characters like /, :, ?, @ that are already valid in W3C tracestate values (which only forbid , and =). This unnecessary expansion can push URLs and DSC transaction values past the 256-char tracestate value limit, causing TraceState.set() in OTel 2.7.1 to silently return the same instance (no-op). For unsampled spans where the URL is only available via trace state, this silently breaks tracePropagationTargets filtering. A more targeted encoding escaping only , and = would avoid this.


Updates OpenTelemetry dependencies to their latest. Even though we are decoupling from OTel in the future we should keep up to date until then so users get all benefits, e.g. support for amqplib v1.
TraceState changes
`@opentelemetry/core` 2.7.1 added strict W3C validation to `TraceState.set()`, rejecting invalid keys with dots and values with `,`, `=` or exceeding 256 characters.

This affects the keys we used previously (e.g. `sentry.dsc` contains a dot) and the DSC was stored as a single serialized baggage string containing commas and equals. They also exceed the 256-char limit for typical production payloads.

We considered pinning `@opentelemetry/core` to 2.7.0, this however means we can't update any instrumentations until our next major v11 because many instrumentations use exact versions of `@opentelemetry/core`. This also locks us out of supporting newer versions of libraries, e.g. amqplib > 1.0 is only supported on newer version of `@opentelemetry/instrumentation-amqplib`.

Instead, we are updating our keys and values to be W3C compliant. These are only used in-memory and do not get serialized and exported as a `tracestate` header so it should be a transparent change with baggage being reconstructed down the line.

* We renamed keys from dots to hyphens (e.g. `sentry.sample_rate` becomes `sentry-sample_rate`)
* We split DSC into individual tracestate entries (e.g. `sentry-dsc-environment=production`) instead of one serialized string to avoid the 256-char limit and invalid character usage
* We encode/decode individual values for fields that may contain invalid characters (e.g. transaction names with `=`)

The caveat is a small increase of about 100~600 bytes in bundle size across packages.
Bump log
Bumps: 9a2ab78
TraceState changes: 4674f00
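
The key and value rules described under "TraceState changes", combined with the targeted escaping the Bugbot comment suggests, as an added example (not code from this PR or the Sentry SDK). The validation regexes are written from the W3C tracestate grammar rather than copied from `@opentelemetry/core`, and all function names and sample values are hypothetical.

```javascript
// Added example. All names here are hypothetical; this is not Sentry SDK or OTel code.
const KEY_RE = /^[a-z][a-z0-9_\-*\/]{0,255}$/;       // W3C simple key: no dots allowed
const VALUE_RE = /^[\x20-\x7e]{0,255}[\x21-\x7e]$/;  // <=256 printable ASCII, no trailing space
const DSC_PREFIX = 'sentry-dsc-';
const utf8 = new TextEncoder();

// Escape only what a tracestate value cannot carry: ',' and '=', the escape
// character '%', spaces, and anything outside printable ASCII. TextEncoder maps
// a lone surrogate to U+FFFD instead of throwing like encodeURIComponent does.
function encodeTraceStateValue(raw) {
  return raw.replace(/[^\x21-\x7e]|[,=%]/gu, (ch) =>
    Array.from(utf8.encode(ch), (b) => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join(''));
}

// Every '%' in an encoded value starts an escape, so the standard decoder reverses it.
function decodeTraceStateValue(encoded) {
  return decodeURIComponent(encoded);
}

function isValidEntry(key, value) {
  return KEY_RE.test(key) && VALUE_RE.test(value) && !/[,=]/.test(value);
}

// One entry per DSC field. Rejected keys are returned so a dropped field is
// visible to the caller rather than disappearing silently.
function dscToEntries(dsc) {
  const entries = new Map();
  const rejected = [];
  for (const [field, raw] of Object.entries(dsc)) {
    const key = DSC_PREFIX + field;
    const value = encodeTraceStateValue(String(raw));
    if (isValidEntry(key, value)) entries.set(key, value);
    else rejected.push(key);
  }
  return { entries, rejected };
}

function entriesToDsc(entries) {
  const dsc = {};
  for (const [key, value] of entries) {
    if (key.startsWith(DSC_PREFIX)) dsc[key.slice(DSC_PREFIX.length)] = decodeTraceStateValue(value);
  }
  return dsc;
}

// Constructed sample data, not taken from the PR.
const sampleDsc = { environment: 'production', transaction: 'GET /search?q=a,b', sample_rate: '0.25' };
const sampleUrl = 'https://example.com/api/items?id=1&tags=a,b';
```

On `sampleUrl` the targeted encoder escapes three characters where `encodeURIComponent` escapes ten, which is the headroom that matters near the 256-character value limit.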