chore(otlp-proto-exporter-base): update protobufjs to 7.1.2 #3433
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## main #3433 +/- ##
==========================================
+ Coverage 93.28% 93.29% +0.01%
==========================================
Files 247 247
Lines 7352 7352
Branches 1512 1512
==========================================
+ Hits 6858 6859 +1
+ Misses 494 493 -1
@@ -65,7 +65,7 @@ | |||
"dependencies": { | |||
"@opentelemetry/core": "1.8.0", | |||
"@opentelemetry/otlp-exporter-base": "0.34.0", | |||
"protobufjs": "7.1.1" | |||
"protobufjs": "^7.1.2" |
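Review bot: The new "protobufjs": "^7.1.2" entry is the only caret range in this dependencies block, sitting next to the exact pins "@opentelemetry/core": "1.8.0" and "@opentelemetry/otlp-exporter-base": "0.34.0", and the title "update protobufjs to 7.1.2" does not mention that the pin is being relaxed. With this line, an install without a lockfile takes whichever 7.x release at or above 7.1.2 is newest at that moment, so the tested version and the installed version can differ. Suggest saying in the title or changelog entry that the range changed from an exact pin to a caret range, and recording why this third-party dependency is treated differently from the two pinned entries above it.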
Dependabot will just open a PR to pin this if you don't change the config. Also, it was an intentional choice to pin dependencies so that our users can effectively pin.
Currently installing @opentelemetry/exporter-trace-otlp-grpc and @opentelemetry/exporter-trace-otlp-proto side by side brings in 2 different protobufjs versions: 7.1.1 and 7.1.2.
Seems like the problem here is that we cannot effectively pin indirect dependencies like @grpc/grpc-js -> @grpc/proto-loader -> protobufjs ^7.0.0.
I noticed that the dependencies on @grpc/grpc-js are declared as a caret range, e.g. https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/packages/exporter-trace-otlp-grpc/package.json#L71. So I'd find it should be fine for us to apply a caret range for protobufjs too.
Usually we pin only dev-dependencies and the otel dependencies which are from the same lerna project (and therefore released together).
E.g. @opentelemetry/exporter-jaeger depends on "jaeger-client": "^3.15.0", @opentelemetry/instrumentation depends on "require-in-the-middle": "^5.0.3", "semver": "^7.3.2" and "shimmer": "^1.2.1".
@@ -65,7 +65,7 @@ | |||
"dependencies": { | |||
"@opentelemetry/core": "1.8.0", | |||
"@opentelemetry/otlp-exporter-base": "0.34.0", | |||
"protobufjs": "7.1.1" | |||
"protobufjs": "^7.1.2" |
OK sounds good
Relax protobufjs versioning and update it to the latest version. This avoids pulling in potentially duplicate protobufjs packages.
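The version split discussed in this thread, as an added example that is not part of the PR or the project's code: it counts how many protobufjs copies result when the exporter's own range meets the transitive `^7.0.0` range from @grpc/proto-loader. It assumes each requester independently receives the newest published version inside its range, which matches the outcome reported above; the function names and the `7.9.9` release are constructed for illustration.

```javascript
// Added example, not code from the PR. Requester names are labels only.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Handles only the two forms used in this PR: exact pins ("7.1.1") and
// caret ranges with a non-zero major ("^7.0.0").
function satisfies(version, range) {
  if (!range.startsWith('^')) return cmp(version, range) === 0;
  const floor = range.slice(1);
  return parse(version)[0] === parse(floor)[0] && cmp(version, floor) >= 0;
}

// Assumed model: each requester independently gets the newest published
// version inside its range. Returns { requester: version | null }.
function resolve(requests, published) {
  const newestFirst = [...published].sort(cmp).reverse();
  const out = {};
  for (const [who, range] of Object.entries(requests)) {
    out[who] = newestFirst.find((v) => satisfies(v, range)) ?? null;
  }
  return out;
}

// Number of distinct protobufjs copies that end up installed.
const copies = (resolution) => new Set(Object.values(resolution)).size;

// Versions named in the thread, plus a constructed later 7.x release.
const PUBLISHED = ['7.1.1', '7.1.2'];
const LATER = [...PUBLISHED, '7.9.9']; // 7.9.9 is hypothetical

// Copies installed when the exporter declares `ownRange` next to the
// transitive ^7.0.0 range quoted in the thread.
const scenario = (ownRange, published) =>
  copies(resolve({
    'otlp-proto-exporter-base': ownRange,
    '@grpc/proto-loader': '^7.0.0',
  }, published));

console.log('pin 7.1.1, today      :', scenario('7.1.1', PUBLISHED));
console.log('pin 7.1.2, after 7.9.9:', scenario('7.1.2', LATER));
console.log('^7.1.2, today         :', scenario('^7.1.2', PUBLISHED));
console.log('^7.1.2, after 7.9.9   :', scenario('^7.1.2', LATER));
```

Under this model, bumping the exact pin to 7.1.2 removes the duplicate only until the next 7.x release, while the caret range keeps both requesters on one version.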