fix(deps): bump OpenTelemetry experimental packages to ^0.219.0 (consumer-facing vuln)#1014

Merged
doronkopit5 merged 1 commit into
mainfrom
dk/fix-dependabot-vulns
Jun 17, 2026
Conversation

@doronkopit5 doronkopit5 commented Jun 2, 2026

Member

Solves #1013

Summary

Addresses Dependabot critical/high alerts with a focus on consumer safety — ensuring nobody who npm installs the published @traceloop/* packages inherits a vulnerable dependency. Refreshed from a fresh sweep on 2026-06-15 (branch is current with main).

The key finding

Of the 5 critical + 60 high open alerts, only one has ever reached consumers in an unfixed state: @opentelemetry/sdk-node (high — Prometheus exporter crash), declared ^0.203.0 on main (patch is 0.217.0, out of range). This PR moves it — and the rest of the OTel experimental set — to the latest line, 0.219.0.

Everything else is either:

  • Auto-fixed on fresh install — an in-range patch already exists, so a consumer's npm install resolves to a fixed version (e.g. protobufjs via google-gax, langsmith via @langchain/core). Only this repo's (unpublished) lockfile showed the old versions.
  • Dev/build-only or private — the criticals (handlebars, convict, fast-xml-parser) and remaining highs (axios, undici, tar, rollup, langsmith in sample-app, …) arrive solely through test SDKs, build/release tooling, or the private sample-app. They are never in any published package's production closure.

Why so few matter: the lockfile isn't published and pnpm.overrides only affect this repo — consumer safety is governed solely by the declared dependency ranges in published package.json files.

Changes

  • Coordinated OpenTelemetry experimental bump ^0.203.0 -> ^0.219.0 (latest) for @opentelemetry/sdk-node, @opentelemetry/instrumentation, and @opentelemetry/exporter-trace-otlp-proto across all packages. The coordination prevents two copies of @opentelemetry/instrumentation in a consumer's tree. (Note: ^0.217.0 would have cleared the vuln, but for 0.x ranges caret caps at <0.218.0; pinning the latest line keeps consumers current.)
  • esbuild devDependency bump ^0.25.7 -> ^0.28.1 (traceloop-sdk) — clears a newly-filed high advisory (Deno binary integrity bypass, patched 0.28.1). Build-only, not in any consumer's production closure, so zero consumer-runtime impact; bumped to keep the dashboard clean.
  • Production dependency floors at patched versions: lodash ^4.18.1 (instrumentation-llamaindex), uuid ^11.1.1 (traceloop-sdk).
  • instrumentation-vertexai type fix: @opentelemetry/instrumentation tightened the typing of _wrap's wrapper argument, which conflicted with vertexai's explicitly-typed wrapperMethod. Simplified its signature to function method(this: any, ...args: any[]) and dropped the now-unused google-gax type import. Runtime behavior is unchanged (type-only adjustment); re-confirmed at 0.219.0.

Verification

  • pnpm nx run-many -t build — all 17 projects build (confirms the vertexai type fix still holds at 0.219.0).
  • pnpm nx run-many -t test — all suites pass except instrumentation-qdrant, which fails locally only with ECONNREFUSED 127.0.0.1:6333 (its tests require a live Qdrant server, provided by the CI service container — pre-existing/environmental, unchanged by this PR).
  • @opentelemetry/{sdk-node,instrumentation,exporter-trace-otlp-proto} resolve to a single 0.219.0; esbuild resolves to 0.28.1; lodash/uuid resolve to patched.

Out of scope (intentionally)

Dev/build-only and auto-fixable lockfile alerts (other than the trivial esbuild floor) were not chased — they don't reach consumers, and clearing them would mean either pnpm.overrides churn or a full lockfile regeneration for no consumer benefit.

Summary by CodeRabbit

  • Chores
    • Upgraded OpenTelemetry dependencies across instrumentation modules and the sample app for improved compatibility and stability.
    • Updated related tracing/exporter and runtime dependencies (including a patch-level UUID update).
    • Refreshed the VertexAI prediction instrumentation internals to better handle method arguments and reduce fragility.
    • Minor dependency adjustments included in specific integrations (e.g., lodash) to stay aligned with the updated ecosystem.
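The consumer-safety argument in the description (a consumer's install re-resolves declared ranges, and for 0.x a caret caps at the next minor) can be checked mechanically. The following is an added example, not code from the traceloop PR or repository: it classifies a declared caret range against an advisory's first patched version and audits a manifest's shipped ranges. The BEFORE manifest and the lodash floor ^4.17.0 are constructed for illustration.

```javascript
// Added example, not code from the traceloop PR. Audit declared ranges in a
// published package.json against advisory patch versions using npm's caret
// rule: for 0.x.y a caret caps at the next minor (^0.217.0 => <0.218.0),
// for major >= 1 at the next major (^4.18.1 => <5.0.0).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// [lowInclusive, highExclusive] for a caret range such as "^0.203.0".
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const low = parseVersion(range.slice(1));
  const [major, minor, patch] = low;
  const high = major > 0 ? [major + 1, 0, 0]
    : minor > 0 ? [0, minor + 1, 0]
    : [0, 0, patch + 1];
  return [low, high];
}

// 'fixed':      floor already >= patch, every resolvable version is patched
// 'auto-fixed': patch lies inside the range, a fresh install resolves to it
// 'exposed':    range cannot reach the patch, consumers inherit the vuln
function classify(range, patchedVersion) {
  const [low, high] = caretBounds(range);
  const patched = parseVersion(patchedVersion);
  if (cmp(low, patched) >= 0) return 'fixed';
  return cmp(patched, high) < 0 ? 'auto-fixed' : 'exposed';
}

// Only dependencies and peerDependencies ship to consumers; devDependencies
// never enter a published package's production closure.
function auditManifest(manifest, advisories) {
  const declared = { ...(manifest.dependencies || {}), ...(manifest.peerDependencies || {}) };
  return Object.entries(advisories)
    .filter(([name]) => name in declared)
    .map(([name, patched]) => ({ name, range: declared[name], status: classify(declared[name], patched) }))
    .filter((r) => r.status === 'exposed');
}

// Constructed manifest: sdk-node as declared on main before the PR; the
// lodash floor ^4.17.0 is a made-up pre-patch value for illustration.
const BEFORE = { dependencies: { '@opentelemetry/sdk-node': '^0.203.0', lodash: '^4.17.0' } };
const ADVISORIES = { '@opentelemetry/sdk-node': '0.217.0', lodash: '4.18.1' };
```

Running `auditManifest(BEFORE, ADVISORIES)` reports only @opentelemetry/sdk-node as exposed, matching the PR's finding; the constructed lodash range is auto-fixed because 4.18.1 lies inside ^4.17.0.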

coderabbitai Bot commented Jun 2, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b52a58c-ca4e-460c-b704-220a33bae438

📥 Commits

Reviewing files that changed from the base of the PR and between 2574de6 and e30216d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (16)
  • packages/instrumentation-anthropic/package.json
  • packages/instrumentation-bedrock/package.json
  • packages/instrumentation-chromadb/package.json
  • packages/instrumentation-cohere/package.json
  • packages/instrumentation-google-generativeai/package.json
  • packages/instrumentation-langchain/package.json
  • packages/instrumentation-llamaindex/package.json
  • packages/instrumentation-mcp/package.json
  • packages/instrumentation-openai/package.json
  • packages/instrumentation-pinecone/package.json
  • packages/instrumentation-qdrant/package.json
  • packages/instrumentation-together/package.json
  • packages/instrumentation-vertexai/package.json
  • packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts
  • packages/sample-app/package.json
  • packages/traceloop-sdk/package.json
✅ Files skipped from review due to trivial changes (2)
  • packages/instrumentation-bedrock/package.json
  • packages/instrumentation-pinecone/package.json
🚧 Files skipped from review as they are similar to previous changes (11)
  • packages/instrumentation-llamaindex/package.json
  • packages/instrumentation-together/package.json
  • packages/instrumentation-langchain/package.json
  • packages/instrumentation-cohere/package.json
  • packages/sample-app/package.json
  • packages/instrumentation-mcp/package.json
  • packages/instrumentation-openai/package.json
  • packages/instrumentation-qdrant/package.json
  • packages/instrumentation-google-generativeai/package.json
  • packages/instrumentation-anthropic/package.json
  • packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts

Walkthrough

This PR updates OpenTelemetry instrumentation dependencies from ^0.203.0 to ^0.219.0 across all instrumentation packages, core SDK, and sample app. Additionally, lodash is bumped in llamaindex, uuid and esbuild are updated in traceloop-sdk, and unused type imports are removed from VertexAI instrumentation with simplified type signatures.

Changes

OpenTelemetry Instrumentation Package Version Alignment

Layer: Instrumentation packages OTel dependency updates
Files: packages/instrumentation-anthropic/package.json, packages/instrumentation-bedrock/package.json, packages/instrumentation-chromadb/package.json, packages/instrumentation-cohere/package.json, packages/instrumentation-google-generativeai/package.json, packages/instrumentation-langchain/package.json, packages/instrumentation-llamaindex/package.json, packages/instrumentation-mcp/package.json, packages/instrumentation-openai/package.json, packages/instrumentation-pinecone/package.json, packages/instrumentation-qdrant/package.json, packages/instrumentation-together/package.json, packages/instrumentation-vertexai/package.json
Summary: Updates @opentelemetry/instrumentation from ^0.203.0 to ^0.219.0 across all instrumentation packages; also bumps lodash to ^4.18.1 in llamaindex.

Layer: VertexAI wrapper type signature simplification
Files: packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts
Summary: Removes unused google-gax type-only imports (CallOptions, Callback) and simplifies the returned predict wrapper signature to function method(this: any, ...args: any[]).

Layer: Core SDK and sample app OpenTelemetry version alignment
Files: packages/sample-app/package.json, packages/traceloop-sdk/package.json
Summary: Updates traceloop-sdk peerDependencies and dependencies to ^0.219.0 for OpenTelemetry exporter/instrumentation/SDK packages, bumps uuid to ^11.1.1, and updates esbuild to ^0.28.1 in devDependencies. Updates sample-app OTel dependency ranges to ^0.219.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop along, the versions align,
From point-oh-two-oh-three to point-two-one-nine shine,
Old types removed with a gentle paw,
The SDK now follows nature's law,
Tracing futures, gleaming and bright! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: bumping OpenTelemetry packages to address consumer-facing vulnerabilities.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts`:
- Line 105: The wrapper functions declare their rest parameter incorrectly as
`...args: any`; update the signatures to `...args: any[]` so the rest parameter
is typed as an array/tuple; specifically change the wrapper signature `function
method(this: any, ...args: any)` in the aiplatform instrumentation (and the
analogous wrapper `method` signatures in the qdrant, cohere, and bedrock
instrumentation files) to `function method(this: any, ...args: any[])`, keeping
all other logic unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79b4e005-4967-49e1-bbe0-f40bb8eed703

📥 Commits

Reviewing files that changed from the base of the PR and between 28c4a7a and 47fe042.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (16)
  • packages/instrumentation-anthropic/package.json
  • packages/instrumentation-bedrock/package.json
  • packages/instrumentation-chromadb/package.json
  • packages/instrumentation-cohere/package.json
  • packages/instrumentation-google-generativeai/package.json
  • packages/instrumentation-langchain/package.json
  • packages/instrumentation-llamaindex/package.json
  • packages/instrumentation-mcp/package.json
  • packages/instrumentation-openai/package.json
  • packages/instrumentation-pinecone/package.json
  • packages/instrumentation-qdrant/package.json
  • packages/instrumentation-together/package.json
  • packages/instrumentation-vertexai/package.json
  • packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts
  • packages/sample-app/package.json
  • packages/traceloop-sdk/package.json

Comment thread packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts Outdated
@doronkopit5 doronkopit5 force-pushed the dk/fix-dependabot-vulns branch from 47fe042 to 2574de6 Compare June 2, 2026 10:21
@doronkopit5 doronkopit5 linked an issue Jun 2, 2026 that may be closed by this pull request
Addresses the high-severity advisory in @opentelemetry/sdk-node
(<0.217.0, Prometheus exporter crash) — the only Dependabot critical/high
that reaches consumers of the published packages, since the lockfile is
not published and consumer installs re-resolve declared ranges. Pinned to
the latest experimental line (0.219.0) rather than the minimum patch
(0.217.0) so consumers stay current.

- Bump @opentelemetry/{sdk-node,instrumentation,exporter-trace-otlp-proto}
  from ^0.203.0 to ^0.219.0 across all packages, coordinated to avoid two
  copies of @opentelemetry/instrumentation in a consumer's tree.
- Bump esbuild ^0.25.7 -> ^0.28.1 (traceloop-sdk devDependency) to clear a
  new high advisory (Deno binary integrity bypass, patched in 0.28.1).
  Build-only; not in any published package's production closure.
- Raise production dependency floors to patched versions: lodash ^4.18.1
  (instrumentation-llamaindex) and uuid ^11.1.1 (traceloop-sdk).
- vertexai: simplify wrapperMethod arg typing to `...args: any[]` (it
  previously over-specified the predict overload union) because
  @opentelemetry/instrumentation tightened _wrap's wrapper types;
  runtime behavior is unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@doronkopit5 doronkopit5 force-pushed the dk/fix-dependabot-vulns branch from 2574de6 to e30216d Compare June 15, 2026 05:56
@doronkopit5 doronkopit5 changed the title fix(deps): bump OpenTelemetry experimental packages to ^0.217.0 (consumer-facing vuln) fix(deps): bump OpenTelemetry experimental packages to ^0.219.0 (consumer-facing vuln) Jun 15, 2026
@doronkopit5 doronkopit5 merged commit 9f2159e into main Jun 17, 2026
8 of 9 checks passed
@doronkopit5 doronkopit5 deleted the dk/fix-dependabot-vulns branch June 17, 2026 05:06
Development

Successfully merging this pull request may close these issues.

Update @opentelemetry dependencies with security vulnerabilities

2 participants