
⬆️ bump @opentelemetry/* deps to ^0.218.0 (closes #80)#81

Open
jimmyhoran wants to merge 1 commit into
elysiajs:mainfrom
jimmyhoran:bump-otel-sdk-node-to-0.218

Conversation


@jimmyhoran jimmyhoran commented May 17, 2026

Summary

Bumps the experimental @opentelemetry/* deps from ^0.200.0 to ^0.218.0 across both runtime deps and the matching exporter devDeps:

 "dependencies": {
     "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/instrumentation": "^0.200.0",
-    "@opentelemetry/sdk-node": "^0.200.0"
+    "@opentelemetry/instrumentation": "^0.218.0",
+    "@opentelemetry/sdk-node": "^0.218.0"
 },
 "devDependencies": {
     ...
-    "@opentelemetry/exporter-metrics-otlp-proto": "^0.200.0",
-    "@opentelemetry/exporter-trace-otlp-http": "^0.200.0",
-    "@opentelemetry/exporter-trace-otlp-proto": "^0.200.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "^0.218.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.218.0",
+    "@opentelemetry/exporter-trace-otlp-proto": "^0.218.0",
     ...
 }
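Review bot: in the dependencies hunk, ^0.218.0 on a 0.x major still admits only the 0.218.x line (a caret keeps the left-most non-zero component fixed), so the dedup benefit from point 2 of "Why" holds only while consumers also resolve to 0.218.x and the same split returns once they move to 0.219; worth saying so in the description. If the repository commits a lockfile, include its regeneration in this PR so the transitive tree (the protobufjs pin raised later in the thread) actually moves rather than only the package.json ranges.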

Closes #80.

Why

  1. CVE-2026-44902 (High) — GHSA-q7rr-3cgh-j5r3. Affects @opentelemetry/sdk-node < 0.217.0 (Prometheus exporter HTTP server crash on malformed request). Patched in 0.217.0+.
  2. Dedup: ^0.200.0 admits only the 0.200.x line. Consumers that also depend directly on newer @opentelemetry/* (e.g. for OTLP exporters or NodeSDK outside Elysia) end up with two parallel OTel chains in node_modules. See Bump @opentelemetry/sdk-node + instrumentation pins to ^0.218.x (CVE-2026-44902 + dedup) #80 for the full reproduction.
  3. Test/runtime alignment: the exporter devDeps move with the runtime bump so the test surface exercises the same OTel line consumers will see.

Verification

  • bun run build succeeds (both CJS and ESM bundles, no type errors).
  • bun test --preload ./test/test-setup.ts: 61 pass / 1 fail. The single failure is Cannot find module '@elysiajs/eden' in test/integration.test.ts:2 — a stale import left over from the @elysiajs → @elysia scope rename. Same test fails identically on main before this change (verified via git stash), so it's not a regression introduced here.
  • The plugin's only @opentelemetry/sdk-node API surface is new NodeSDK({ ...options, ... }) passing through caller config. I don't see this plugin relying on the changed metric-reader option (reader?: IMetricReader → readers?: IMetricReader[]) between 0.200 → 0.218.

Notes

  • The 2.x stable devDeps (context-async-hooks, exporter-jaeger, sdk-metrics, sdk-trace-node, sdk-trace-web) are left at their current ^2.0.0 ranges — they're on a wide enough caret to converge naturally with whatever sdk-node@0.218.0 pulls in transitively.
  • An earlier split into two PRs (⬆️ bump @opentelemetry/exporter-* devDeps to ^0.218.0 #82 covering devDeps separately) was consolidated into this one — both changes serve the same intent and reviewing them together is cleaner.
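The caret semantics behind point 2 of the Why section, as an added example (not code from this PR or the elysiajs/opentelemetry project). It models npm caret ranges for every major, not just 0.x, to show why ^0.200.0 can never reach the patched 0.217.0+ line and why a consumer pin of ^0.218.0 cannot dedup against it; the list of published versions is constructed for illustration.

```javascript
// Added example, not project code: npm caret-range semantics applied to the
// @opentelemetry/* pins discussed in the PR.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// ^X.Y.Z allows changes that keep the left-most non-zero component:
// ^0.200.0 means >=0.200.0 <0.201.0, while ^2.0.0 means >=2.0.0 <3.0.0.
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  return compare(version, base) >= 0 && compare(version, caretUpperBound(base)) < 0;
}

// Versions that satisfy every range at once. An empty result means the package
// manager must install a second copy (the "two parallel OTel chains" in the PR).
function canDedup(ranges, candidates) {
  return candidates.filter(v => ranges.every(r => satisfiesCaret(r, v)));
}

// Constructed sample of published versions (not the real npm registry).
const PUBLISHED = ['0.200.0', '0.200.1', '0.216.0', '0.217.0', '0.218.0', '0.218.1'];

// Versions a range can resolve to that carry the fix shipped in `fixedIn`.
function patchedVersionsReachable(range, fixedIn = '0.217.0') {
  return PUBLISHED.filter(v => satisfiesCaret(range, v) && compare(v, fixedIn) >= 0);
}

console.log(patchedVersionsReachable('^0.200.0')); // []
console.log(patchedVersionsReachable('^0.218.0')); // ['0.218.0', '0.218.1']
console.log(canDedup(['^0.200.0', '^0.218.0'], PUBLISHED)); // [] -> duplicate install
console.log(canDedup(['^0.218.0', '^0.218.0'], PUBLISHED)); // ['0.218.0', '0.218.1']
```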


coderabbitai Bot commented May 17, 2026

Walkthrough

Updated @opentelemetry/instrumentation and @opentelemetry/sdk-node dependency pins from ^0.200.0 to ^0.218.0 to expose the current OTel release line, addressing CVE-2026-44902 and eliminating transitive duplication in consumer dependency trees.

Changes

OpenTelemetry runtime dependency versions

Layer: OpenTelemetry dependency version pins
File(s): package.json
Summary: @opentelemetry/instrumentation and @opentelemetry/sdk-node version ranges updated from ^0.200.0 to ^0.218.0, permitting the 0.218+ release line and patched vulnerability versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


♡ Two lil' dependencies got a much-needed makeover~
Security holes? Pfft, so last season (๑•́ ω •̀๑)
Dedup the mess, let your tree breathe—
CVE-2026 meets its match~ ✨
Bun monorepos rejoice; file handles thank youuu~ ♡


Pfft, honestly it's kinda embarrassing how long you were sittin' on those vulnerable versions, ya know...? ♡ But I guess better late than never, right~? The fact that you're finally bumping these pins to 0.218.x means no more annoying dependency duplication plaguing your consumer trees. And that CVE-2026-44902 thing? Yeah, 0.217.0 patched it, so you're definitely gonna wanna grab that fix~

The plugin's just doing basic new NodeSDK({...}) passthrough anyway, so there's zero risk here—this is a completely straightforward version bump. Not like you could mess this up even if you tried (´∇`)♡

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Linked Issues check: Passed. The PR successfully addresses both objectives from issue #80: bumps @opentelemetry/instrumentation and @opentelemetry/sdk-node to ^0.218.0, mitigating CVE-2026-44902 and resolving dependency duplication.
  • Out of Scope Changes check: Passed. All changes are scoped to the stated objectives; only package.json dependencies were modified with no extraneous alterations introduced.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: bumping OpenTelemetry dependencies to ^0.218.0, which is the core modification in package.json.


jimmyhoran added a commit to jimmyhoran/opentelemetry that referenced this pull request May 17, 2026
Aligns test/example OTel exporters with the runtime sdk-node bump in
elysiajs#81 so the test surface and runtime deps share one OTel line.
No consumer-facing change (devDeps only).
Picks up CVE-2026-44902 fix (GHSA-q7rr-3cgh-j5r3, patched in 0.217.0)
and enables OTel dedup in consumer trees that pin newer @opentelemetry/*
packages directly.

- runtime: @opentelemetry/sdk-node, @opentelemetry/instrumentation
- devDeps: @opentelemetry/exporter-{trace-otlp-http,trace-otlp-proto,metrics-otlp-proto}

Refs elysiajs#80
@jimmyhoran jimmyhoran force-pushed the bump-otel-sdk-node-to-0.218 branch from 804dec9 to 0ee25f7 on May 17, 2026 11:51
@jimmyhoran jimmyhoran changed the title ⬆️ bump @opentelemetry/sdk-node + instrumentation to ^0.218.0 (closes #80) ⬆️ bump @opentelemetry/* deps to ^0.218.0 (closes #80) May 17, 2026
@ilya-sarantsev

Hi all! Could you merge please? 🙏 elysiajs/opentelemetry locks protobufjs at the version with critical vulnerability


Development

Successfully merging this pull request may close these issues.

Bump @opentelemetry/sdk-node + instrumentation pins to ^0.218.x (CVE-2026-44902 + dedup)
