
Commit 7c73024

chore(deps): update dependency @opentelemetry/sdk-node to v0.217.0 [security] (#1375)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`0.49.1` → `0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.49.1/0.217.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-node/0.217.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-node/0.49.1/0.217.0?slim=true) |

---

### Prometheus exporter process crash via malformed HTTP request

[CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) / [GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

<details>
<summary>More information</summary>

#### Details

##### Summary

A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process.

**You are affected by this vulnerability if either of the following applies to your application:**

* you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server.
* your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND**
  * you use `@opentelemetry/sdk-node`
  * you use `@opentelemetry/auto-instrumentations-node` via `--require @opentelemetry/auto-instrumentations-node/register`/`--import @opentelemetry/auto-instrumentations-node/register`

##### Impact

**Denial of service.** Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.

##### Remediation

##### Update to the fixed version

Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later.

This release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process.

```
npm install @opentelemetry/exporter-prometheus@latest
```

##### Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT]
> The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution.

If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:

* **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces
* **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts
* **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter

##### Details

In `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `"http://"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port.

##### Proof of Concept

Start any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet:

```
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
```

The process crashes immediately with:

```
TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)
```

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3)
- [https://github.com/open-telemetry/opentelemetry-js](https://redirect.github.com/open-telemetry/opentelemetry-js)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q7rr-3cgh-j5r3) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/sdk-node)</summary>

### [`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

### [`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

### [`v0.215.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/7e74509a4d848e94b2970bb5262dd3e8efeed0a2...a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/7e74509a4d848e94b2970bb5262dd3e8efeed0a2...a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8)

### [`v0.214.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/541e1b4ad83ad2093459794a18283228fe58d199...7e74509a4d848e94b2970bb5262dd3e8efeed0a2)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/541e1b4ad83ad2093459794a18283228fe58d199...7e74509a4d848e94b2970bb5262dd3e8efeed0a2)

### [`v0.213.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ad92be4c2c1094745a85b0b7eeff1444a11b1b4a...541e1b4ad83ad2093459794a18283228fe58d199)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ad92be4c2c1094745a85b0b7eeff1444a11b1b4a...541e1b4ad83ad2093459794a18283228fe58d199)

### [`v0.212.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a)

### [`v0.211.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5e6504d2a3a7ce3aaa211d9e2a5b002a0e4d7da1...38924cbff2a6e924ce8a2a227d3a72de52fbcd35)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5e6504d2a3a7ce3aaa211d9e2a5b002a0e4d7da1...38924cbff2a6e924ce8a2a227d3a72de52fbcd35)

### [`v0.210.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/228cb920bbededf4f3fd6355e88409e84bfd87b6...5e6504d2a3a7ce3aaa211d9e2a5b002a0e4d7da1)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/228cb920bbededf4f3fd6355e88409e84bfd87b6...5e6504d2a3a7ce3aaa211d9e2a5b002a0e4d7da1)

### [`v0.209.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5eaa869bf08e6a16eec37eac44084257e8e21209...228cb920bbededf4f3fd6355e88409e84bfd87b6)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5eaa869bf08e6a16eec37eac44084257e8e21209...228cb920bbededf4f3fd6355e88409e84bfd87b6)

### [`v0.208.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/fb6476d8243ac8dcaaea74130b9c50c43938275c...5eaa869bf08e6a16eec37eac44084257e8e21209)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/fb6476d8243ac8dcaaea74130b9c50c43938275c...5eaa869bf08e6a16eec37eac44084257e8e21209)

### [`v0.207.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/8e9b8bb2a7a2d81ae0b5171efdf1644210697fa2...fb6476d8243ac8dcaaea74130b9c50c43938275c)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/8e9b8bb2a7a2d81ae0b5171efdf1644210697fa2...fb6476d8243ac8dcaaea74130b9c50c43938275c)

### [`v0.206.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2d3760898cdc4f0e68f9f956603cc5df279eb3a8...8e9b8bb2a7a2d81ae0b5171efdf1644210697fa2)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2d3760898cdc4f0e68f9f956603cc5df279eb3a8...8e9b8bb2a7a2d81ae0b5171efdf1644210697fa2)

### [`v0.205.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/98f9d720af84bc38074dfd4ab7760ae83a3e9826...2d3760898cdc4f0e68f9f956603cc5df279eb3a8)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/98f9d720af84bc38074dfd4ab7760ae83a3e9826...2d3760898cdc4f0e68f9f956603cc5df279eb3a8)

### [`v0.204.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/93187f022457da152becc03dd00db8b2500702db...98f9d720af84bc38074dfd4ab7760ae83a3e9826)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/93187f022457da152becc03dd00db8b2500702db...98f9d720af84bc38074dfd4ab7760ae83a3e9826)

### [`v0.203.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/55f8c20b19777602f993328fe07f523cf465dea3...93187f022457da152becc03dd00db8b2500702db)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/55f8c20b19777602f993328fe07f523cf465dea3...93187f022457da152becc03dd00db8b2500702db)

### [`v0.202.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/9dbd1e446be0ecc7c22b00051c5cfb2612d9b0f2...55f8c20b19777602f993328fe07f523cf465dea3)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/9dbd1e446be0ecc7c22b00051c5cfb2612d9b0f2...55f8c20b19777602f993328fe07f523cf465dea3)

### [`v0.201.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/4ce5bd165195870f292fa95e312cffe05eb9e09d...9dbd1e446be0ecc7c22b00051c5cfb2612d9b0f2)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/4ce5bd165195870f292fa95e312cffe05eb9e09d...9dbd1e446be0ecc7c22b00051c5cfb2612d9b0f2)

### [`v0.201.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/7fde94081ed141c7d61db269b77d5765887a9665...4ce5bd165195870f292fa95e312cffe05eb9e09d)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/7fde94081ed141c7d61db269b77d5765887a9665...4ce5bd165195870f292fa95e312cffe05eb9e09d)

### [`v0.200.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ac8641a5dbb5df1169bd5ed25a6667a6a6f730ca...7fde94081ed141c7d61db269b77d5765887a9665)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ac8641a5dbb5df1169bd5ed25a6667a6a6f730ca...7fde94081ed141c7d61db269b77d5765887a9665)

### [`v0.57.2`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/cbc912d67bda462ca00449d7ce7b80052c20a4fc...ac8641a5dbb5df1169bd5ed25a6667a6a6f730ca)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/cbc912d67bda462ca00449d7ce7b80052c20a4fc...ac8641a5dbb5df1169bd5ed25a6667a6a6f730ca)

### [`v0.57.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/616d27a0a111c9b813d14c56d8d8f1ffbd7d7156...cbc912d67bda462ca00449d7ce7b80052c20a4fc)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/616d27a0a111c9b813d14c56d8d8f1ffbd7d7156...cbc912d67bda462ca00449d7ce7b80052c20a4fc)

### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/85dcbc7c55f002837f1bf1bf01145dbb34a55b40...616d27a0a111c9b813d14c56d8d8f1ffbd7d7156)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/85dcbc7c55f002837f1bf1bf01145dbb34a55b40...616d27a0a111c9b813d14c56d8d8f1ffbd7d7156)

### [`v0.56.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/4b1ad3fda0cde58907e30fab25c3c767546708e5...85dcbc7c55f002837f1bf1bf01145dbb34a55b40)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/4b1ad3fda0cde58907e30fab25c3c767546708e5...85dcbc7c55f002837f1bf1bf01145dbb34a55b40)

### [`v0.55.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/72c9af91983e4b7aade98c901bd45c6cefee0da4...4b1ad3fda0cde58907e30fab25c3c767546708e5)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/72c9af91983e4b7aade98c901bd45c6cefee0da4...4b1ad3fda0cde58907e30fab25c3c767546708e5)

### [`v0.54.2`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/6f4f3fcefd8e453f0516ba15fe0c2580442dd06a...72c9af91983e4b7aade98c901bd45c6cefee0da4)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/6f4f3fcefd8e453f0516ba15fe0c2580442dd06a...72c9af91983e4b7aade98c901bd45c6cefee0da4)

### [`v0.54.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/eb3ca4fb07ee31c62093f5fcec56575573c902ce...6f4f3fcefd8e453f0516ba15fe0c2580442dd06a)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/eb3ca4fb07ee31c62093f5fcec56575573c902ce...6f4f3fcefd8e453f0516ba15fe0c2580442dd06a)

### [`v0.54.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/720bc8c70d47029cb6b41a34ffdc3d25cbaa2f80...eb3ca4fb07ee31c62093f5fcec56575573c902ce)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/720bc8c70d47029cb6b41a34ffdc3d25cbaa2f80...eb3ca4fb07ee31c62093f5fcec56575573c902ce)

### [`v0.53.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/0608f405573901e54db01e44c533009cf28be262...720bc8c70d47029cb6b41a34ffdc3d25cbaa2f80)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/0608f405573901e54db01e44c533009cf28be262...720bc8c70d47029cb6b41a34ffdc3d25cbaa2f80)

### [`v0.52.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/c4d3351b6b3f5593c8d7cbfec97b45cea9fe1511...0608f405573901e54db01e44c533009cf28be262)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/c4d3351b6b3f5593c8d7cbfec97b45cea9fe1511...0608f405573901e54db01e44c533009cf28be262)

### [`v0.52.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/41c2626fe0ed03e2e83bd79ee43c9bdf0ffd80d8...c4d3351b6b3f5593c8d7cbfec97b45cea9fe1511)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/41c2626fe0ed03e2e83bd79ee43c9bdf0ffd80d8...c4d3351b6b3f5593c8d7cbfec97b45cea9fe1511)

### [`v0.51.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/3ab4f765d8d696327b7d139ae6a45e7bd7edd924...41c2626fe0ed03e2e83bd79ee43c9bdf0ffd80d8)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/3ab4f765d8d696327b7d139ae6a45e7bd7edd924...41c2626fe0ed03e2e83bd79ee43c9bdf0ffd80d8)

### [`v0.51.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5231aa255047fbc6ee3d6a299f4423ab2f8a5fbc...3ab4f765d8d696327b7d139ae6a45e7bd7edd924)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/5231aa255047fbc6ee3d6a299f4423ab2f8a5fbc...3ab4f765d8d696327b7d139ae6a45e7bd7edd924)

### [`v0.50.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/3920b158d08daa776280bde68a79e44bafa4e8ea...5231aa255047fbc6ee3d6a299f4423ab2f8a5fbc)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/3920b158d08daa776280bde68a79e44bafa4e8ea...5231aa255047fbc6ee3d6a299f4423ab2f8a5fbc)

</details>

---

### Configuration

📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/launchdarkly/js-core).

---

> [!NOTE]
> **Medium Risk**
> Large OpenTelemetry version bumps can change SDK/runtime behavior and may subtly affect tracing initialization or test expectations, though the code changes are limited to dev/test configuration.
>
> **Overview**
> Updates OpenTelemetry dev dependencies in `@launchdarkly/node-server-sdk-otel` (`@opentelemetry/sdk-node` to `0.217.0` and `@opentelemetry/sdk-trace-node` to `2.7.1`).
>
> Adjusts `TracingHook.test.ts` to disable `NodeSDK` resource auto-detection (`autoDetectResources: false`) so spans are exported synchronously under the newer `SimpleSpanProcessor` behavior.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 10fa937. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Steven Zhang <szhang@launchdarkly.com>
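The handler shape described in the advisory above, as an added example that is not code from opentelemetry-js or from this repository: `routeUnsafe` mirrors the unguarded `new URL(request.url, baseUrl)` call, `routeSafe` the fixed behaviour (HTTP 400 on parse failure), and `classify` runs both over sample request-targets including the absolute-form `http://` the advisory names. The base URL, the `/metrics` path constant and all function names are assumptions.

```javascript
// Added example (not code from opentelemetry-js or this repository): models the
// exporter's request-handler URL parsing before and after the fix. BASE_URL and
// METRICS_PATH are assumed values standing in for the exporter's configuration.
const BASE_URL = 'http://127.0.0.1:9464/';
const METRICS_PATH = '/metrics';

// Vulnerable shape: new URL() runs with no guard. An absolute-form request-target
// with no host, such as "http://", is rejected by the WHATWG parser (the base is
// ignored once a scheme is present); in a real server the TypeError ends the process.
function routeUnsafe(requestTarget) {
  const url = new URL(requestTarget, BASE_URL);
  return url.pathname === METRICS_PATH ? 200 : 404;
}

// Hardened shape: a parse failure is a client error answered with 400; anything
// that is not a URL parse failure is still allowed to propagate.
function routeSafe(requestTarget) {
  let url;
  try {
    url = new URL(requestTarget, BASE_URL);
  } catch (err) {
    if (err instanceof TypeError) return 400;
    throw err;
  }
  return url.pathname === METRICS_PATH ? 200 : 404;
}

// Handler in the shape of http.createServer's callback; usable with a real server
// or, as in demo(), driven with a stub response object.
function metricsRequestHandler(request, response) {
  const status = routeSafe(request.url);
  response.writeHead(status, { 'content-type': 'text/plain; charset=utf-8' });
  response.end(status === 200 ? '# metrics would be rendered here\n' : `${status}\n`);
  return status;
}

// Runs both routers over request-targets and records whether the unguarded
// version would have thrown, so the difference is visible per input.
function classify(requestTargets) {
  return requestTargets.map((target) => {
    let unsafe;
    try {
      unsafe = routeUnsafe(target);
    } catch (err) {
      unsafe = `uncaught ${err.name}`;
    }
    return { target, unsafe, safe: routeSafe(target) };
  });
}

// Constructed sample request-targets: normal scrape, wrong path, legal absolute
// form (proxy style), and the malformed absolute form from the advisory.
const SAMPLE_TARGETS = ['/metrics', '/healthz', 'http://127.0.0.1:9464/metrics', 'http://'];
function demo() {
  return {
    table: classify(SAMPLE_TARGETS),
    malformedStatus: metricsRequestHandler({ url: 'http://' }, { writeHead() {}, end() {} }),
  };
}
```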
1 parent b11586e commit 7c73024

2 files changed

Lines changed: 7 additions & 2 deletions

File tree

packages/telemetry/node-server-sdk-otel/__tests__/TracingHook.test.ts

Lines changed: 5 additions & 0 deletions
@@ -10,6 +10,11 @@ const spanExporter = new InMemorySpanExporter();
1010
const sdk = new NodeSDK({
1111
serviceName: 'ryan-test',
1212
spanProcessors: [new SimpleSpanProcessor(spanExporter)],
13+
// Skip async resource detection (host/process/env detectors). The new
14+
// SimpleSpanProcessor awaits Resource.waitForAsyncAttributes() before
15+
// calling the exporter, which makes the first span land after the test
16+
// reads getFinishedSpans() synchronously.
17+
autoDetectResources: false,
1318
});
1419
sdk.start();
1520
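Review bot: `autoDetectResources: false` on line 17 makes the test pass by avoiding the asynchronous path rather than by synchronising with it. The comment itself says the new `SimpleSpanProcessor` awaits `Resource.waitForAsyncAttributes()` before calling the exporter, so any future change that brings async resource attributes back (or a detector a consumer turns on) would again make the synchronous `getFinishedSpans()` read race the export. Prefer awaiting a flush on the processor before reading the exporter, e.g. `await spanProcessor.forceFlush();` with the `SimpleSpanProcessor` instance kept in a variable, and keep `autoDetectResources: false` only as a speed-up with the comment saying so. The comment block would also be easier to act on later if its first line named the symptom being worked around ("Without this, the first span lands after getFinishedSpans() is read").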

packages/telemetry/node-server-sdk-otel/package.json

Lines changed: 2 additions & 2 deletions
@@ -34,8 +34,8 @@
3434
"devDependencies": {
3535
"@launchdarkly/node-server-sdk": "9.11.0",
3636
"@opentelemetry/api": ">=1.3.0",
37-
"@opentelemetry/sdk-node": "0.49.1",
38-
"@opentelemetry/sdk-trace-node": "1.22.0",
37+
"@opentelemetry/sdk-node": "0.217.0",
38+
"@opentelemetry/sdk-trace-node": "2.7.1",
3939
"@testing-library/dom": "^9.3.1",
4040
"@testing-library/jest-dom": "^5.16.5",
4141
"@types/jest": "^29.5.3",

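Review bot: Both pins cross a major line (`@opentelemetry/sdk-trace-node` `1.22.0` → `2.7.1`, `@opentelemetry/sdk-node` `0.49.1` → `0.217.0`) while `@opentelemetry/api` on line 36 keeps the open-ended `">=1.3.0"`; the 2.x SDK packages declare their own peer range on the API package, so confirm in the lockfile that a single `@opentelemetry/api` version is resolved and that the package's own `peerDependencies` (outside this hunk) still match what the tests now install. The 2.x SDK line also dropped support for older Node.js releases, so check that the CI matrix and the package's `engines` field still overlap. Because these are `devDependencies`, the advisory in the commit title is fixed only for the test toolchain, not for what consumers of `@launchdarkly/node-server-sdk-otel` install; a sentence saying so in the commit message would prevent this being read as a fix in the published package.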