
chore(deps): bump @opentelemetry/core, @opentelemetry/sdk-trace-base, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/instrumentation-http, @opentelemetry/instrumentation-undici, @opentelemetry/resources, @opentelemetry/sdk-metrics and @opentelemetry/sdk-trace-node in /runtimes/langgraph-ts #405

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-a5db54527f

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Bumps @opentelemetry/core to 2.8.0 and updates ancestor dependencies @opentelemetry/core, @opentelemetry/sdk-trace-base, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/instrumentation-http, @opentelemetry/instrumentation-undici, @opentelemetry/resources, @opentelemetry/sdk-metrics and @opentelemetry/sdk-trace-node. These dependencies need to be updated together.

Updates @opentelemetry/core from 1.27.0 to 2.8.0

Release notes

Sourced from @​opentelemetry/core's releases.

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

v2.7.1

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the whole trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

v2.7.0

2.7.0

🚀 Features

  • feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
  • feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
  • feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

... (truncated)

Changelog

Sourced from @​opentelemetry/core's changelog.

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the whole trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

2.7.0

🚀 Features

  • feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
  • feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
  • feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

2.6.1

🐛 Bug Fixes

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/core since your current version.


Updates @opentelemetry/sdk-trace-base from 1.30.1 to 2.8.0

Release notes

Sourced from @​opentelemetry/sdk-trace-base's releases.

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

v2.7.1

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the whole trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

v2.7.0

2.7.0

🚀 Features

  • feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
  • feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
  • feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

... (truncated)

Changelog

Sourced from @​opentelemetry/sdk-trace-base's changelog.

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the whole trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

2.7.0

🚀 Features

  • feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
  • feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
  • feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

2.6.1

🐛 Bug Fixes

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/sdk-trace-base since your current version.


Updates @opentelemetry/exporter-metrics-otlp-http from 0.54.2 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-metrics-otlp-http's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/exporter-metrics-otlp-http since your current version.


Updates @opentelemetry/exporter-trace-otlp-http from 0.54.2 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-trace-otlp-http's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/exporter-trace-otlp-http since your current version.


Updates @opentelemetry/instrumentation-http from 0.54.2 to 0.219.0

Release notes

Sourced from @​opentelemetry/instrumentation-http's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

  • fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
    • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
  • fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
  • feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
  • fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

🐛 Bug Fixes

  • fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
  • fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
  • fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
  • fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
  • fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
  • fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
  • fix(browser-detector): user agent resource attribute always #6754 @​david-luna
  • fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
  • fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
  • fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

  • docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

  • refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

... (truncated)

Commits
  • 13a035b chore: prepare next release (#6756)
  • 4b13587 Merge commit from fork
  • 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
  • 555fca6 Update renovate.json to use matchManagers (#6141)
  • b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
  • da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
  • 002267b chore: complete the move to the smaller SPDX license header (#6791)
  • 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
  • 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
  • bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/instrumentation-http since your current version.


Updates @opentelemetry/instrumentation-undici from 0.7.1 to 0.29.0

Release notes

Sourced from @​opentelemetry/instrumentation-undici's releases.

instrumentation-undici: v0.29.0

0.29.0 (2026-06-11)

Features

  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

instrumentation-typeorm: v0.19.0

0.19.0 (2026-06-11)

Features

  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​opentelemetry/contrib-test-utils bumped from ^0.65.0 to ^0.66.0

instrumentation-sequelize: v0.12.0

0.12.0 (2026-06-11)

Features

  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

Dependencies

  • The following workspace dependencies were updated
    • devDependencies
      • @​opentelemetry/contrib-test-utils bumped from ^0.65.0 to ^0.66.0

instrumentation-kafkajs: v0.28.0

0.28.0 (2026-06-11)

Features

  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

Dependencies

  • The following workspace dependencies were updated

... (truncated)

Changelog

Sourced from @​opentelemetry/instrumentation-undici's changelog.

0.29.0 (2026-06-11)

Features

  • deps: update deps matching '@opentelemetry/*' (#3567) (bd569b5)

0.28.0 (2026-05-13)

Features

  • deps: update deps matching '@opentelemetry/*' (#3523) (e26a90a)

0.27.0 (2026-05-06)

Features

  • deps: update deps matching '@opentelemetry/*' (#3507) (e1ef3d1)

Bug Fixes

  • instrumentation-undici: do not record aborted requests as errors (#3488) (cdaefde)

0.26.0 (2026-04-29)

Features

  • deps: update deps matching '@opentelemetry/*' (#3497) (a91133a)

0.25.0 (2026-04-17)

Features

  • deps: update deps matching '@opentelemetry/*' (#3479) (8891261)

0.24.0 (2026-03-25)

Features

  • deps: update deps matching '@opentelemetry/*' (#3450) (c8df394)

0.23.0 (2026-03-04)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/instrumentation-undici since your current version.


Updates @opentelemetry/resources from 1.30.1 to 2.8.0

Release notes

Sourced from @​opentelemetry/resources's releases.

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

v2.7.1

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the whole trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

v2.7.0

2.7.0

🚀 Features

  • feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
  • feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
  • feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

... (truncated)

Changelog

Sourced from @​opentelemetry/resources's changelog.

2.8.0

🚀 Features

  • feat(sdk-trace-ba...

    Description has been truncated

… @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/instrumentation-http, @opentelemetry/instrumentation-undici, @opentelemetry/resources, @opentelemetry/sdk-metrics and @opentelemetry/sdk-trace-node

Bumps [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) to 2.8.0 and updates ancestor dependencies [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/sdk-trace-base](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/exporter-metrics-otlp-http](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/exporter-trace-otlp-http](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/instrumentation-http](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/instrumentation-undici](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-undici), [@opentelemetry/resources](https://github.com/open-telemetry/opentelemetry-js), [@opentelemetry/sdk-metrics](https://github.com/open-telemetry/opentelemetry-js) and [@opentelemetry/sdk-trace-node](https://github.com/open-telemetry/opentelemetry-js). These dependencies need to be updated together.


Updates `@opentelemetry/core` from 1.27.0 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v1.27.0...v2.8.0)

Updates `@opentelemetry/sdk-trace-base` from 1.30.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v1.30.1...v2.8.0)

Updates `@opentelemetry/exporter-metrics-otlp-http` from 0.54.2 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.54.2...experimental/v0.219.0)

Updates `@opentelemetry/exporter-trace-otlp-http` from 0.54.2 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.54.2...experimental/v0.219.0)

Updates `@opentelemetry/instrumentation-http` from 0.54.2 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.54.2...experimental/v0.219.0)

Updates `@opentelemetry/instrumentation-undici` from 0.7.1 to 0.29.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/instrumentation-undici/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/host-metrics-v0.29.0/packages/instrumentation-undici)

Updates `@opentelemetry/resources` from 1.30.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v1.30.1...v2.8.0)

Updates `@opentelemetry/sdk-metrics` from 1.30.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v1.30.1...v2.8.0)

Updates `@opentelemetry/sdk-trace-node` from 1.30.1 to 2.8.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v1.30.1...v2.8.0)

---
updated-dependencies:
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.8.0
  dependency-type: indirect
- dependency-name: "@opentelemetry/sdk-trace-base"
  dependency-version: 2.8.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/exporter-metrics-otlp-http"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/exporter-trace-otlp-http"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/instrumentation-http"
  dependency-version: 0.219.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/instrumentation-undici"
  dependency-version: 0.29.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/resources"
  dependency-version: 2.8.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/sdk-metrics"
  dependency-version: 2.8.0
  dependency-type: direct:production
- dependency-name: "@opentelemetry/sdk-trace-node"
  dependency-version: 2.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Jun 17, 2026
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@opentelemetry/api-logs 0.219.0 🟢 7
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 9Found 16/17 approved changesets -- score normalized to 9
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Fuzzing⚠️ 0project is not fuzzed
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Vulnerabilities⚠️ 038 existing vulnerabilities detected
CI-Tests🟢 1029 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 40 contributing companies or organizations
npm/@opentelemetry/context-async-hooks 2.8.0 🟢 7
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 9Found 16/17 approved changesets -- score normalized to 9
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Fuzzing⚠️ 0project is not fuzzed
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Vulnerabilities⚠️ 038 existing vulnerabilities detected
CI-Tests🟢 1029 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 40 contributing companies or organizations
npm/@opentelemetry/core 2.8.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/exporter-metrics-otlp-http 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/exporter-trace-otlp-http 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/instrumentation 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/instrumentation-http 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/instrumentation-undici 0.29.0 🟢 7.8
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Code-Review | 🟢 10 | all changesets reviewed
Maintained | 🟢 10 | 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Packaging | ⚠️ -1 | packaging workflow not detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | 🟢 9 | dependency not pinned by hash detected -- score normalized to 9
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Signed-Releases | ⚠️ -1 | no releases found
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 9 | SAST tool detected but not run on all commits
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 93 existing vulnerabilities detected
License | 🟢 10 | license file detected
CI-Tests | 🟢 10 | 30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/otlp-exporter-base 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/otlp-transformer 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/resources 2.8.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-logs 0.219.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-metrics 2.8.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-trace-base 2.8.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-trace-node 2.8.0 🟢 7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 9 | Found 16/17 approved changesets -- score normalized to 9
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 10 | SAST tool is run on all commits
License | 🟢 10 | license file detected
Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches
Security-Policy | 🟢 10 | security policy file detected
Vulnerabilities | ⚠️ 0 | 38 existing vulnerabilities detected
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 40 contributing companies or organizations
npm/@types/node 22.19.17 🟢 6.5
Details
Check | Score | Reason
Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 8 | Found 25/28 approved changesets -- score normalized to 8
Packaging | ⚠️ -1 | packaging workflow not detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Security-Policy | 🟢 10 | security policy file detected
License | 🟢 9 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Fuzzing | ⚠️ 0 | project is not fuzzed
npm/cjs-module-lexer 2.2.0 Unknown Unknown
npm/import-in-the-middle 3.0.2 Unknown Unknown
npm/require-in-the-middle 8.0.1 Unknown Unknown
npm/undici-types 6.21.0 🟢 7.7
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Code-Review | 🟢 6 | Found 17/27 approved changesets -- score normalized to 6
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Binary-Artifacts | 🟢 8 | binaries present in source code
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ -1 | no releases found
SAST | 🟢 9 | SAST tool detected but not run on all commits
License | 🟢 10 | license file detected
Vulnerabilities | 🟢 5 | 5 existing vulnerabilities detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing | 🟢 10 | project is fuzzed
Packaging | 🟢 10 | packaging workflow detected
CI-Tests | 🟢 10 | 22 out of 22 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 75 contributing companies or organizations

Scanned Files

  • runtimes/langgraph-ts/package-lock.json

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code