build(deps): bump @opentelemetry/exporter-prometheus, @opentelemetry/auto-instrumentations-node and @opentelemetry/sdk-node

[dependabot]

Bumps @opentelemetry/exporter-prometheus to 0.217.0 and updates ancestor dependencies @opentelemetry/exporter-prometheus, @opentelemetry/auto-instrumentations-node and @opentelemetry/sdk-node. These dependencies need to be updated together.

Updates @opentelemetry/exporter-prometheus from 0.214.0 to 0.217.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

experimental/v0.215.0

0.215.0

💥 Breaking Changes

... (truncated)

Commits

• 74cde1b chore: prepare next release (#6675)
• e8f439a fix: handle malformed URLs in Prometheus exporter request handler (#6674)
• ab3a2e2 feat(sdk-node, configuration): diag log handling updates for startNodeSDK(), ...
• d5b7d1e fix(deps): update dependency axios to v1.15.2 [security] (#6670)
• c163618 chore(deps): update github/codeql-action digest to e46ed2c (#6661)
• ec2bfbe chore(configuration): move config generation scripts into the configuration p...
• acc9ecd chore(configuration): cosmetic changes to generated types.ts (#6663)
• 8f008ec chore: Move inactive members to emeritus (#6649)
• 435431e fix(configuration): improve the technique for removing '| null' on types due ...
• 4222024 fix(configuration): improve handling of enums in generated types (#6659)
• Additional commits viewable in compare view

Updates @opentelemetry/auto-instrumentations-node from 0.72.0 to 0.75.0

Changelog

Sourced from @​opentelemetry/auto-instrumentations-node's changelog.

0.75.0 (2026-05-06)

Features

• deps: update deps matching '@opentelemetry/*' (#3507) (e1ef3d1)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.68.0 to ^0.69.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.71.0 to ^0.72.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.32.0 to ^0.33.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.33.0 to ^0.34.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-express bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.35.0 to ^0.36.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.25.0 to ^0.26.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-net bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.14.0 to ^0.15.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.41.0 to ^0.42.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.68.0 to ^0.69.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-router bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.29.0 to ^0.30.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.35.0 to ^0.36.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.26.0 to ^0.27.0
    • @​opentelemetry/instrumentation-winston bumped from ^0.60.0 to ^0.61.0

... (truncated)

Commits

• See full diff in compare view

Updates @opentelemetry/sdk-node from 0.215.0 to 0.217.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

Commits

• 74cde1b chore: prepare next release (#6675)
• e8f439a fix: handle malformed URLs in Prometheus exporter request handler (#6674)
• ab3a2e2 feat(sdk-node, configuration): diag log handling updates for startNodeSDK(), ...
• d5b7d1e fix(deps): update dependency axios to v1.15.2 [security] (#6670)
• c163618 chore(deps): update github/codeql-action digest to e46ed2c (#6661)
• ec2bfbe chore(configuration): move config generation scripts into the configuration p...
• acc9ecd chore(configuration): cosmetic changes to generated types.ts (#6663)
• 8f008ec chore: Move inactive members to emeritus (#6649)
• 435431e fix(configuration): improve the technique for removing '| null' on types due ...
• 4222024 fix(configuration): improve handling of enums in generated types (#6659)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[aegis-gh-agent]

👁️ Argus Review — Changes Requested

Gate Failures

❌ Gate #9 — PR targets main
This PR targets main directly. All dependency PRs must target develop. Please rebase/retarget to develop.

❌ Gate #3 — CI failing

• test (ubuntu-latest, 20) — FAILURE
• test (ubuntu-latest, 22) — FAILURE
• Trivy SCA (root) — FAILURE

Tier Classification

OTel minor/patch bumps (0.214→0.217, 0.72→0.75, 0.215→0.217) → would be Tier 1 (auto-merge if CI green) if targeting develop.

Action Required

1. Retarget this PR to develop (or close and let Dependabot reopen against develop)
2. Fix CI failures after retargeting
3. Once CI green on develop, I will auto-approve (Tier 1)

[OneStepAt4time]

Closing: fast-uri and hono audit findings are false positives (verified by Themis — overrides pin fast-uri@3.1.2, hono@4.12.18). This dependabot PR bumps OTel deps but the lockfile audit noise makes it confusing. Let dependabot regenerate cleanly or Hephaestus will create a manual deps PR.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.