Skip to content

v5.103.0 proposal#8436

Merged
rochdev merged 93 commits into
v5.xfrom
v5.103.0-proposal
May 13, 2026
Merged

v5.103.0 proposal#8436
rochdev merged 93 commits into
v5.xfrom
v5.103.0-proposal

Conversation

@dd-octo-sts

@dd-octo-sts dd-octo-sts Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor
  • [03ac52a9a1] - (SEMVER-PATCH) bump native-metrics to 3.1.2 (Roch Devost) #8473
  • [65ca8204f9] - (SEMVER-PATCH) fix(lint): validate config names against both index.d.ts and index.d.v5.ts (Roch Devost) #8465
  • [ba39be2a3f] - (SEMVER-PATCH) ci(llmobs): parallelize openai job by Node version (Roch Devost) #8471
  • [2b8834f73a] - (SEMVER-PATCH) ci: route high-volume CI API calls through dd-octo-sts (Roch Devost) #8391
  • [dc3e2ec89e] - (SEMVER-PATCH) feat(electron): add initial support (Roch Devost) #7002
  • [56b6048e0b] - (SEMVER-PATCH) [test optimization] stabilize web app server lifecycle (Juan Antonio Fernández de Alba) #8444
  • [ae0e0c8872] - (SEMVER-PATCH) [test optimization] Fix playwright v5 tests (Juan Antonio Fernández de Alba) #8458
  • [3325f9eed8] - (SEMVER-PATCH) ci(serverless): use tags for serverless-tools ci (Olivier Nzia) #8213
  • [07cf95645a] - (SEMVER-PATCH) fix(config): keep v5 IAST programmatic aliases working (Ruben Bridgewater) #8457
  • [991d15c649] - (SEMVER-PATCH) refactor(config): route env reads through the config singleton (Ruben Bridgewater) #8241
  • [423ac93b66] - (SEMVER-PATCH) chore(aiguard): Fix ai guard flaky test (Ugaitz Urien) #8454
  • [afdaeed5c2] - (SEMVER-PATCH) chore(deps): bump oxc-parser from 0.128.0 to 0.129.0 in the runtime-minor-and-patch-dependencies group across 1 directory (dependabot[bot]) #8446
  • [0e26510523] - (SEMVER-PATCH) chore(deps-dev): bump sinon from 21.1.2 to 22.0.0 (dependabot[bot]) #8447
  • [0284dcf408] - (SEMVER-PATCH) chore(deps-dev): bump eslint-plugin-n from 17.24.0 to 18.0.1 (dependabot[bot]) #8448
  • [39a17c01e2] - (SEMVER-PATCH) fix(mocha): report test_suite_end for files with no describe wrapper (Sebastián Kay) #8437
  • [b06d144553] - (SEMVER-PATCH) fix: pin specific @datadog/openfeature-node-server version (Ugaitz Urien) #8456
  • [935054053e] - (SEMVER-PATCH) chore(deps): bump the gh-actions-packages group across 2 directories with 1 update (dependabot[bot]) #8449
  • [f3b4edc644] - (SEMVER-PATCH) chore(deps-dev): bump the dev-minor-and-patch-dependencies group across 1 directory with 6 updates (dependabot[bot]) #8445
  • [9e5e475c35] - (SEMVER-PATCH) Revert "ci: replace CodeQL workflow with default setup configuration (ci: remove CodeQL workflow #8380)" (Roch Devost) #8443
  • [aaf5e60a0a] - (SEMVER-PATCH) ci: add dd-octo-sts policies for upcoming workflow rate-limit changes (Roch Devost) #8392
  • [4c42d937ee] - (SEMVER-PATCH) ci: update playwright-tools image to 1.54.1-5 (Roch Devost) #8440
  • [4774cc13ac] - (SEMVER-PATCH) perf(graphql): memoize the apollo signature pipeline (Ruben Bridgewater) #8308
  • [f8e5148693] - (SEMVER-PATCH) test(ci-visibility): wait for cypress child exit before next test (Ruben Bridgewater) #8418
  • [0402d979d8] - (SEMVER-PATCH) fix(kafkajs): read clusterId from existing metadata (Ruben Bridgewater) #8389
  • [6bc8c6cccf] - (SEMVER-PATCH) test(ci-visibility): gather payloads until child exits (Ruben Bridgewater) #8419
  • [e78a6c1e4f] - (SEMVER-PATCH) fix(ci): prevent Buildkite non-PR builds from being tagged as PRs (Juan Antonio Fernández de Alba) #8435
  • [6f1d63ccbc] - (SEMVER-PATCH) fix(pg): stop accumulating DBM comments on reused query objects (Ruben Bridgewater) #8400
  • [89df4e6258] - (SEMVER-PATCH) refactor: drop JSDoc @param defaults (Ruben Bridgewater) #8350
  • [abf97b0011] - (SEMVER-PATCH) implement ai guard telemetry metrics (Ilyas Shabi) #8093
  • [4ab60e2551] - (SEMVER-PATCH) refactor(config): gate experimental.appsec, plugins, ingestion shapes (Ruben Bridgewater) #8318
  • [626ce462f1] - (SEMVER-PATCH) [test optimization] propagate DD_CUSTOM_PARENT_ID for Jenkins (Daniel Fernández) #8433
  • [31899bd0b8] - (SEMVER-PATCH) refactor(config): gate experimental b3, profiling, and b3 single header (Ruben Bridgewater) #8316
  • [3ada9255d9] - (SEMVER-PATCH) bench: fix benchmarks running unsupported Node.js 26 (Ruben Bridgewater) #8430
  • [eeeccd65ce] - (SEMVER-PATCH) fix(kafka): stop mutating caller-owned message.headers (Ruben Bridgewater) #8388
  • [b2f62ef205] - (SEMVER-PATCH) test(setup): isolate getInstrumentation from production addHook (Ruben Bridgewater) #8396
  • [1b83d35bbb] - (SEMVER-PATCH) refactor(lambda): collapse runtime/ritm.js into index.js (Ruben Bridgewater) #8397
  • [7ffc20933c] - (SEMVER-PATCH) ci(benchmarks): fail sirun job when individual variants crash (Fayssal DEFAA) #8292
  • [a78d2d57d7] - (SEMVER-PATCH) perf(couchbase): cache the per-operation channel bag (Ruben Bridgewater) #8373
  • [fc09317297] - (SEMVER-PATCH) docs: fix legacyBaggageEnabled default value and MIGRATING.md (Ruben Bridgewater) #8317
  • [242bdf9f90] - (SEMVER-PATCH) fix(llmobs): avoid malformed x-datadog-tags when carrier header is unset (Grace Williams) #8366
  • [89ae70d027] - (SEMVER-PATCH) perf(graphql): trim per-resolver allocations (Ruben Bridgewater) #8309
  • [6da7add04d] - (SEMVER-PATCH) refactor(config): gate experimental.iast aliases off in v6 (Ruben Bridgewater) #8320
  • [973a882bd3] - (SEMVER-PATCH) test(pg): pin prepared-statement reuse under DBM full mode (Ruben Bridgewater) #8398
  • [c8d56550fd] - (SEMVER-PATCH) chore: support re-runs in the community PR CI script (Ruben Bridgewater) #8385
  • [af652f0ad2] - (SEMVER-PATCH) perf(pg): assign the injectable text directly when configurable (Ruben Bridgewater) #8372
  • [cd377ffa8d] - (SEMVER-PATCH) fix(fetch): rename globalThis.fetch wrapper from "value" to "fetch" (Ruben Bridgewater) #8406
  • [e55e65b7f8] - (SEMVER-PATCH) perf(redis): tighten per-command instrumentation (Ruben Bridgewater) #8310
  • [985b1d0322] - (SEMVER-PATCH) test(http): cover server-side request hook resource.name override (Ruben Bridgewater) #8399
  • [ff25b95aa9] - (SEMVER-PATCH) chore(ci) update one-pipeline (gh-worker-campaigns-3e9aa4[bot]) #8424
  • [5f6e1bb9be] - (SEMVER-PATCH) chore(benchmark): drop Node 18 from sirun matrix and add Node 26 (Ruben Bridgewater) #8423
  • [81e10d12de] - (SEMVER-PATCH) perf(encode): emit span fields and event attributes as compact msgpack ints (Ruben Bridgewater) #8229
  • [f73d984145] - (SEMVER-PATCH) ci: activate codecov coverage minimum for PRs (Ruben Bridgewater) #8209
  • [e8c394c014] - (SEMVER-PATCH) fix(llmobs): bound Bedrock token-headers cache (Ruben Bridgewater) #8161
  • [6b370862a5] - (SEMVER-MINOR) docs(appsec): drop deprecated extended-headers and rasp.bodyCollection types in v6 (Ruben Bridgewater) #8322
  • [2b48b7991f] - (SEMVER-PATCH) fix(benchmark): restore five crashing sirun bench groups (Ruben Bridgewater) #8307
  • [60cfa5c013] - (SEMVER-PATCH) [test optimization] Mitigate vitest flakiness (Juan Antonio Fernández de Alba) #8417
  • [841b085491] - (SEMVER-PATCH) [test optimization] Restore retries to test optimization tests (Juan Antonio Fernández de Alba) #8414
  • [47d6ffedc1] - (SEMVER-PATCH) [test optimization] Mitigate jest flakiness (Juan Antonio Fernández de Alba) #8415
  • [084086b666] - (SEMVER-PATCH) test(ci-visibility): disable real net access in git_metadata (Ruben Bridgewater) #8416
  • [e9eca7962d] - (SEMVER-MINOR) Send hidden tags under _dd.ci.library_configuration_error in every event of a test session (Sebastián Kay) #8274
  • [e276b97573] - (SEMVER-PATCH) [test optimization] bump cypress latest version (Juan Antonio Fernández de Alba) #8365
  • [9fad4a59bd] - (SEMVER-PATCH) [test optimization] bump vitest latest version (Juan Antonio Fernández de Alba) #8383
  • [1407421603] - (SEMVER-PATCH) chore: key the cache on DD_TRACE_GIT_METADATA_ENABLED (Ruben Bridgewater) #8395
  • [b92bdc19fa] - (SEMVER-PATCH) [test optimization] Use duration buckets for cypress EFD retries (Juan Antonio Fernández de Alba) #8290
  • [914484dd16] - (SEMVER-PATCH) docs(iast): drop deprecated securityControls type (Ruben Bridgewater) #8315
  • [0b494e8792] - (SEMVER-PATCH) chore(deps): bump the test-versions group across 1 directory with 2 updates (dependabot[bot]) #8410
  • [807fceb14d] - (SEMVER-PATCH) chore(deps): bump openai (dependabot[bot]) #8360
  • [f5ee7b20de] - (SEMVER-PATCH) fix(tracing): fix TypeError in ritm.js when requiring node:-prefixed built-in modules (Yuichi Uchida) #8304
  • [057685610b] - (SEMVER-PATCH) fix(stacktrace): filter dd-trace instrumentation frames for any repo directory name (Roch Devost) #8301
  • [a39c44ed42] - (SEMVER-PATCH) test(ws): refactor lifecycle hooks to use dynamic ports and separate afterEach (Roch Devost) #8367
  • [e3a718bae7] - (SEMVER-PATCH) chore(deps-dev): bump nock from 13.5.6 to 14.0.14 (dependabot[bot]) #8280
  • [a3bb4cd3af] - (SEMVER-PATCH) ci: replace CodeQL workflow with default setup configuration (Roch Devost) #8380
  • [47591c3fde] - (SEMVER-PATCH) perf(aws-sdk): trim per-response allocations (Ruben Bridgewater) #8328
  • [c05e122cbe] - (SEMVER-PATCH) perf(mongodb): cache the per-connection topology shape (Ruben Bridgewater) #8370
  • [fc437471cc] - (SEMVER-PATCH) perf(database): cache the DBM SQL injection comment per connection (Ruben Bridgewater) #8371
  • [8d6b8824d2] - (SEMVER-PATCH) perf(grpc): cache method metadata, drop banned for-in walks (Ruben Bridgewater) #8377
  • [5c2656c36b] - (SEMVER-PATCH) chore(deps): bump dc-polyfill from 0.1.10 to 0.1.11 (Brian Marks) #8369
  • [e05e6c6784] - (SEMVER-PATCH) perf(pubsub): trim per-message allocations in publish hot path (Ruben Bridgewater) #8374
  • [9fb4d152b2] - (SEMVER-PATCH) perf(mongodb): fold limit-depth and bigint sanitisation into one pass (Ruben Bridgewater) #8375
  • [c610358953] - (SEMVER-PATCH) fix(grpc): require a colon and a strictly numeric tail before tagging… (Ruben Bridgewater) #8378
  • [a46860bc55] - (SEMVER-PATCH) refactor(azure-metadata): parse WEBSITE_OWNER_NAME without regex (Ruben Bridgewater) #8348
  • [8e9d38b0d3] - (SEMVER-PATCH) docs(plugins): drop deprecated whitelist/blacklist plugin types from v6 surface (Ruben Bridgewater) #8321
  • [43de16c356] - (SEMVER-PATCH) chore(couchbase): drop SDK 2.x instrumentation hook (Ruben Bridgewater) #8362
  • [b893e3165d] - (SEMVER-PATCH) test: add a few database tests to cover recent reports better (Ruben Bridgewater) #7534
  • [26f3793cd9] - (SEMVER-PATCH) fix(aws-sdk): global crypto error (Pablo Erhard) #8368
  • [5802bcb274] - (SEMVER-PATCH) fix(plugin-mysql): destructure CLIENT_PORT_KEY from the constants module (Ruben Bridgewater) #8303
  • [5e54f8226f] - (SEMVER-PATCH) [test optimization] Bump playwright support to 1.59 (Juan Antonio Fernández de Alba) #8363
  • [b3c20f8cf1] - (SEMVER-PATCH) [test optimization] Bump cucumber latest version (Juan Antonio Fernández de Alba) #8364
  • [a5834a8f30] - (SEMVER-PATCH) [test optimization] Support Jest 30.4.1 (Juan Antonio Fernández de Alba) #8361
  • [aa3c020225] - (SEMVER-PATCH) fix(config): disable OTLP only when protocolVersion is explicitly set (Ruben Bridgewater) #8335
  • [0b803f55de] - (SEMVER-PATCH) [test-optimization] Propagate ITR skipping enabled tag to suites and tests (Andrey Marchenko) #8332
  • [7350d99b0f] - (SEMVER-PATCH) [test optimization] Use duration buckets for playwright EFD retries (Juan Antonio Fernández de Alba) #8289

juan-fernandez and others added 30 commits May 12, 2026 14:12
…#8335)

* fix(config): disable OTLP only when protocolVersion is explicitly set

The OTLP-disable rule fires on `protocolVersion !== '0.4'`, which proxies
"user typed something" as a value comparison because '0.4' is both the
default and the universally-deployed value. That proxy breaks the moment
the default changes: any user enabling OTLP would have it silently
disabled even though they never touched the protocol version.

Observable behavior change: explicitly setting
`DD_TRACE_AGENT_PROTOCOL_VERSION=0.4` while OTLP is enabled now disables
OTLP. Previously the value-equal-to-default special case slipped through.

---------

Co-authored-by: Brian Marks <bm1549@users.noreply.github.com>
…ule (#8303)

The plugin imported the whole `constants` module as `CLIENT_PORT_KEY`,
so `[CLIENT_PORT_KEY]: ctx.conf.port` coerced the module to its string
form and tagged every mysql / mysql2 span with a literal
`[object Object]: <port>` metric instead of `network.destination.port`.
Peer-service computation, downstream filters, and any product feature
keyed off `network.destination.port` had no port to read on this plugin
since v0.
The database plugin tests had three coverage gaps:

1. mongodb-core, mysql, and pg only exercised dbmPropagationMode
   through plugin config, so the tracer-level wiring through
   plugin_manager._getSharedConfig was never pinned. One case per
   plugin now sets the option through the tracer-config slot
   (third agent.load arg).

2. Prisma's adapter-aware client routing in read-replica setups
   was not covered. The new prisma case spins up two clients on
   different hosts and asserts each db_query span carries the
   active adapter's host/port metadata.

3. Prisma v7 over OTel had no integration-tests entrypoint.
   server-ts-v7-otel.mjs exercises that wiring end-to-end.

Drive-by fix:

* Extract createEngineDbQuerySpan() in the prisma spec to avoid
  re-rolling the same span literal per case.
Couchbase Node.js SDK 2.6.x supports Node 6/8/10 only (`couchnode`
predates N-API), but the tracer's `engines` requires Node >=18, so
the `^2.6.12` hook cannot be reached on any supported runtime. The
CI matrix entry was already commented out and the `<3.0.0` unit-test
block already `describe.skip`ped, both pointing at the same bug.

The plugin's `apm:couchbase:{bucket,cluster}:maybeInvoke:*` binds and
`apm:couchbase:{append,prepend}` command subs have no publisher once
the 2.x hook is gone and are removed with it; the 3.x / 4.x hooks
still cover the surviving paths.

Drive-by fix:

* Tighten the `scripts/install_plugin_modules.js` ARM64-exclusion
  comment to `< 3.2.2` so it matches the remaining `lib/`-style hooks.

Refs: #6400
…v6 surface (#8321)

The runtime keeps accepting the legacy names through the v5 line; the v6 TypeScript surface stops advertising them so users autocomplete only the canonical `allowlist` / `blocklist`.
The greedy `/.+\+(.+)-.+webspace(-Linux)?/` shape made the engine
backtrack through three open-ended `.+` quantifiers to find the right
`-` before `<region>webspace`. Plain string ops (`indexOf('+')` then
`endsWith('webspace')` then `lastIndexOf('-')`) read directly off the
documented format and stop on the first match, with no backtracking
needed.
#8378)

`finish` parsed the peer string with `peer.split(':') + parts.at(-1)`
and tagged `network.destination.port` whenever the last segment
matched the unanchored `/^\d+/`. Two malformed-peer shapes slipped
through:

1. Partially-numeric tails — e.g. `'1.2.3.4:80abc'` matched the
   leading `80` and tagged a mangled `port='80abc'`.
2. Pure-digit peers without a colon — e.g. `'8080'` tagged
   `ip='', port='8080'`, leaking an empty ip into peer-service
   resolution.

Use `peer.lastIndexOf(':')` plus an anchored `/^\d+$/` on the tail;
both shapes now fall through to the catch-all branch that tags the
raw peer as `network.destination.ip`. The hot path also stops
allocating an intermediate `parts` array per call.

Bench (Node 24.13 / V8 13.6, n=200 k+ x 7 trials, drop best+worst):
  split + slice + at(-1)               360.06 ns/op
  lastIndexOf + slice                  166.78 ns/op   speedup: 2.16x
…#8375)

`getQuery` did two full walks per command — `limitDepth` cloned the
filter into a parallel "?-or-object" tree, then `sanitizeBigInt` ran
`JSON.stringify` over the clone — so big `$or` arrays and deep
`$lookup` pipelines paid the per-key allocation twice. Fold both into
one `JSON.stringify` replacer; the native `toJSON` dispatch handles
`ObjectId` / `Decimal128` / `Long` / `Date` / `Timestamp`, the
replacer suppresses `Buffer` / `Binary` toJSON output, and an
ancestor stack tracks depth without a separate clone.

Three behaviour drifts vs `limitDepth`, none covered by existing
specs:

1. Inherited enumerable keys are no longer walked.
2. Shallow cycles render as `{"self":"?"}` instead of a ten-deep
   nested fallback.
3. Arrays of `Buffer` / function are sanitised instead of falling
   through.

Drive-by fix:

* `truncate` short-circuits when the resource already fits under 10
  KB.
Three per-message allocations that compound on a typical batch:

1. `bindStart` called `String(messageCount)` and
   `String(Math.floor(batchSpan._startTime))` on every iteration
   despite both being loop-invariant — on a 100-message batch
   that's 200 redundant string allocations per send. Hoist both
   above the loop.
2. The per-message `Object.assign({...})` over seven attribute
   fields rebuilt a fresh object every iteration. Assign per-key so
   V8 keeps `msg.attributes` on its existing hidden class.
3. The parent-from-message-0 span-link extraction
   (`messages.slice(1).map(...).filter(Boolean)`) allocated three
   intermediate arrays per call. Replace with a single `for` loop.
Co-authored-by: Ruben Bridgewater <ruben@bridgewater.de>
Three coordinated pieces:

1. `getMethodMetadata` re-parsed the path on every call. Cache the
   `{name, service, package}` triple by path in a module-scope `Map`;
   size is bounded by the app's distinct gRPC methods.
2. `addMetadataTags` cloned metadata via `metadata.getMap()` even
   when no filter was configured. Export the `getEmptyObject`
   sentinel and short-circuit on identity before the clone.
3. The remaining `for-in` walks (filter-return iteration in
   `addMetadataTags`, the client `inject` carrier) become `for-of
   Object.keys`.

Bench (Node 24.13 / V8 13.6, n=200 k+ x 7 trials, drop best+worst):
  getMethodMetadata parse on every call    74.50 ns/op
  getMethodMetadata cache hit               5.84 ns/op   speedup: 12.76x
…8371)

`#createDBMPropagationCommentService` rebuilt the same six-segment
comment on every query. Three fields (`dde`, `ddps`, `ddpv`) are
immutable per process; the other three (`dddb`, `dddbs`, `ddh`) are
stable per connection in any real workload.

Three coordinated pieces:

1. `configure()` bakes `dde`, `ddps`, `ddpv` into pre-templated
   fragments; reconfiguring clears them so a new env / version takes
   effect on the next call.
2. A per-`DatabasePlugin` `LRUCache(max=256)` keyed by
   `${db}\0${host}\0${dbmService}` stores the per-connection prefix.
   The cap bounds high-cardinality `db.name` workloads (notably
   MongoDB's `${database}.${collection}`); steady-state working sets
   fit well below it and a missed lookup costs a few hundred ns.
3. `encode` short-circuits names matching `[A-Za-z0-9-_.~]*` —
   exactly what `encodeURIComponent` leaves unchanged.

Bench (worker numbers, steady-state cache hit rate):
  before                                 6.85 Mops/s
  after                                 10.68 Mops/s   speedup: 1.56x

Refs: #8325 (comment)
`wrapConnectionCommand` (mongodb >= 4) rebuilt the same five objects
from `this.address` on every command. The Connection's address is
immutable for its lifetime, so the work lands once on the first
command and reuses a per-Connection envelope thereafter.

The cache lives in a module-scope `WeakMap` instead of a Symbol-keyed
property: the Connection is a foreign object, and an own-key (even a
Symbol) shows up to `Reflect.ownKeys` / `Object.getOwnPropertySymbols`,
forces a hidden-class transition on first hit, and can collide with
another tracer's instrumentation walking the same connection. The
extra `WeakMap.get` is single-digit nanoseconds and the foreign object
stays untouched.

The address parser tightens the previous `length === 2` split to
"exactly one `:`, non-empty parts on both sides" so non-standard
addresses (random UUIDs, IPv6 forms, empty port / host halves) all
collapse to the empty-options topology. `synthesizeTopology` is
exported so the parser is unit-tested directly rather than through the
mongodb integration suite.

Bench (Node 24.15 / V8 13.6, n=500 k x 7 trials, drop best+worst,
warm cache, hit-only):
  per-command rebuild              19.30 ns/op
  cached envelope (WeakMap)         8.32 ns/op   speedup: 2.32x
A win on the AWS SDK response hot path:

addResponseTags: drop the temporary tags object, the empty
{} produced by extraTags = generateTags(...) || {}, and the
redundant 'span.kind': 'client' re-tag. Service-level
generateTags early-returns undefined instead of {}; SQS's
'span.kind': 'consumer'/'producer' override still flows through
addTags unchanged.

Node v24.13.0 V8 13.6.233.17-node.37 (n=200 k+ × 7 trials, drop best+worst)

aws-sdk addResponseTags: per-response tag allocation (no extra tags)
before (alloc tags + addTags)        385.90 ns/op
after  (setTag direct)               178.90 ns/op   speedup: 2.16x
Replaced by GitHub's CodeQL default setup configured in repository
settings.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [nock](https://github.com/nock/nock) from 13.5.6 to 14.0.14.
- [Release notes](https://github.com/nock/nock/releases)
- [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md)
- [Commits](nock/nock@v13.5.6...v14.0.14)

---
updated-dependencies:
- dependency-name: nock
  dependency-version: 14.0.14
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ruben Bridgewater <ruben@bridgewater.de>
…afterEach (#8367)

- Replace hardcoded ports (6015, 16015) with port 0 so the kernel
  assigns an available port, eliminating inter-run port conflicts
- Move regression-test resource cleanup (server, socket) from test
  bodies into dedicated afterEach hooks
- Split combined afterEach callbacks into one hook per concern so a
  failure in one cleanup step doesn't skip the others
- Load/close the agent in beforeEach/afterEach instead of before/after
  so each test gets a clean agent state
- Move channel declaration to top of file

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…built-in modules (#8304)

* fix(tracing): use moduleId as cache key in ritm.js

When a built-in module is required with the `node:` prefix (e.g.
`node:fs`), `moduleId` is normalized (prefix stripped) but `filename`
retains the original value. The cache is keyed by `moduleId`, so
accessing `cache[filename]` results in `undefined`, causing a TypeError:

  TypeError: undefined is not an object (evaluating 'cache[filename].original')

This was missed in commit e92e7f0 which refactored cache keys from
`filename` to `moduleId`. One occurrence on line 104 was not updated.

Reproduces when dd-trace instruments modules that transitively require
node-prefixed built-ins (e.g. @aws-sdk/credential-provider-ini).

* test(tracing): add regression test for node:-prefixed cache key in ritm.js

---------

Co-authored-by: uchida <uchida@nulab.com>
Bumps the test-versions group with 1 update in the /integration-tests/esbuild directory: [openai](https://github.com/openai/openai-node).


Updates `openai` from 6.35.0 to 6.36.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.35.0...v6.36.0)

---
updated-dependencies:
- dependency-name: openai
  dependency-version: 6.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ruben Bridgewater <ruben@bridgewater.de>
…pdates (#8410)

Bumps the test-versions group with 2 updates in the /integration-tests/esbuild directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) and [openai](https://github.com/openai/openai-node).


Updates `@apollo/server` from 5.5.0 to 5.5.1
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.1/packages/server)

Updates `openai` from 6.36.0 to 6.37.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.36.0...v6.37.0)

---
updated-dependencies:
- dependency-name: "@apollo/server"
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-versions
- dependency-name: openai
  dependency-version: 6.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Types + migration note for the existing v6 env-only IAST security-controls gating.
A single \`let cached\` slot pinned the first call's result for the
lifetime of the process. Once a fresh \`Config\` (different
\`DD_GIT_*\` env, different \`DD_GIT_PROPERTIES_FILE\`, different
\`DD_TRACE_GIT_METADATA_ENABLED\` flip at runtime) reached
\`getGitMetadata\`, it received the previous instance's metadata and
the new options went unread. Two slots — one for the enabled
branch's resolved metadata, one for the disabled branch's empty
result — match the only flag whose runtime value picks a different
resolution path and stay O(1).
rochdev and others added 5 commits May 13, 2026 21:45
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…v5.ts (#8465)

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@dd-octo-sts dd-octo-sts Bot force-pushed the v5.103.0-proposal branch from b4d74fe to 1a33416 Compare May 13, 2026 21:45
@rochdev rochdev marked this pull request as ready for review May 13, 2026 21:58
@rochdev rochdev requested review from a team as code owners May 13, 2026 21:58
@rochdev rochdev requested review from BridgeAR, greghuels, lym953 and typotter and removed request for a team May 13, 2026 21:58
@rochdev rochdev merged commit eb856ae into v5.x May 13, 2026
897 checks passed
@rochdev rochdev deleted the v5.103.0-proposal branch May 13, 2026 22:00

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a334168ab

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

return ch.tracePromise(() => listener.call(this, event, ...args), ctx)
}

const mapping = mappings[channel] || new WeakMap()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Store IPC listener wrappers before registering callbacks

createWrapAddListener builds mapping from mappings[channel] || new WeakMap() but never writes it back to mappings[channel], so createWrapRemoveListener cannot recover the wrapped callback and falls back to removing the original listener function. In Electron apps that call off/removeListener, wrapped IPC listeners stay registered, which causes leaks and duplicate handler execution after re-registration.

Useful? React with 👍 / 👎.

Comment on lines +67 to +68
for (const header in ctx.req._urlLoaderOptions?.headers || {}) {
reqHeaders[header.name] = header.value

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Iterate Electron header collections by value

asyncStart iterates _urlLoaderOptions.headers and rawHeaders with for...in but then treats the loop variable as a header object (header.name/header.value). With for...in, header is the property key/index string, so both maps are populated with undefined keys/values and request/response headers are effectively lost from span processing.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.