fix(deps): bump OpenTelemetry experimental packages to ^0.217.0 (consumer-facing vuln)

[doronkopit5]

Solves #1013

Summary

Addresses Dependabot critical/high alerts with a focus on consumer safety — ensuring nobody who npm installs the published @traceloop/* packages inherits a vulnerable dependency.

The key finding

Of the 5 critical + 54 high open alerts, only one actually reaches consumers in an unfixed state: @opentelemetry/sdk-node (high — Prometheus exporter crash), declared ^0.203.0 in traceloop-sdk (patch is 0.217.0, out of range).

Everything else is either:

• Auto-fixed on fresh install — an in-range patch already exists, so a consumer's npm install resolves to a fixed version (e.g. protobufjs via google-gax ^7.3.2 → 7.5.x, langsmith via @langchain/core → 0.7.x). Only this repo's (unpublished) lockfile showed the old versions.
• Dev/build-only — the other criticals (handlebars, convict, fast-xml-parser) and remaining highs (axios, undici, tar, rollup, minimatch, hono, …) arrive solely through test SDKs and build/release tooling (cohere-ai, @aws-sdk/*, @qdrant/js-client-rest, lerna, nx, rollup, eslint, mocha). They are never in any published package's production closure.

Why so few matter: the lockfile isn't published and pnpm.overrides only affect this repo — consumer safety is governed solely by the declared dependencies ranges in published package.json files.

Changes

• Coordinated OpenTelemetry experimental bump ^0.203.0 → ^0.217.0 for @opentelemetry/sdk-node, @opentelemetry/instrumentation, and @opentelemetry/exporter-trace-otlp-proto across all packages. The coordination prevents two copies of @opentelemetry/instrumentation (0.203 vs 0.217) in a consumer's tree.
• Production dependency floors raised to patched versions: lodash ^4.18.1 (instrumentation-llamaindex), uuid ^11.1.1 (traceloop-sdk) — guarantees consumers get the patched version of these directly-declared prod deps.
• instrumentation-vertexai type fix: @opentelemetry/instrumentation@0.217 tightened the typing of _wrap's wrapper argument, which conflicted with vertexai's explicitly-typed wrapperMethod (it spelled out the predict overload union). Simplified its signature to function method(this: any, ...args: any[]) and dropped the now-unused google-gax type import. Runtime behavior is unchanged (type-only adjustment).

⚠️ Note on breaking-change risk: the OTel bump was assessed low-risk and confirmed so — no InstrumentationBase / registerInstrumentations API changes, no forced stable-package bumps, and @google-cloud/opentelemetry-cloud-trace-exporter@^3 stays compatible. The only fallout was the vertexai type-level mismatch above, fixed with a one-spot change.

Verification

• ✅ pnpm nx run-many -t build — all 17 projects build.
• ✅ pnpm nx run-many -t test — all suites pass except instrumentation-qdrant, which fails locally only with ECONNREFUSED 127.0.0.1:6333 (its tests require a live Qdrant server, provided by the CI service container — pre-existing/environmental, unchanged by this PR).
• ✅ @opentelemetry/{sdk-node,instrumentation,exporter-trace-otlp-proto} resolve to a single 0.217.0; lodash/uuid resolve to patched.

Out of scope (intentionally)

Dev/build-only and auto-fixable lockfile alerts were not chased — they don't reach consumers, and clearing them would mean either pnpm.overrides churn or a full lockfile regeneration for no consumer benefit.

Summary by CodeRabbit

• Chores
  • Upgraded OpenTelemetry packages across instrumentation and sample modules for improved compatibility and stability.
  • Updated related tracing/exporter and runtime dependencies (including a minor UUID patch) to align with the latest OpenTelemetry ecosystem.
  • Performed small internal cleanup (removed deprecated type imports and streamlined wrapper code) to reduce fragility.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates OpenTelemetry instrumentation dependencies from ^0.203.0 to ^0.217.0 across all instrumentation packages, core SDK, and sample app. Additionally, lodash is bumped in the llamaindex package, uuid is bumped in the main SDK, and unused type imports are removed from VertexAI instrumentation with simplified type signatures.

Changes

OpenTelemetry Instrumentation Package Version Alignment

Layer / File(s)	Summary
Instrumentation packages OTel dependency updates packages/instrumentation-anthropic/package.json, packages/instrumentation-bedrock/package.json, packages/instrumentation-chromadb/package.json, packages/instrumentation-cohere/package.json, packages/instrumentation-google-generativeai/package.json, packages/instrumentation-langchain/package.json, packages/instrumentation-llamaindex/package.json, packages/instrumentation-mcp/package.json, packages/instrumentation-openai/package.json, packages/instrumentation-pinecone/package.json, packages/instrumentation-qdrant/package.json, packages/instrumentation-together/package.json, packages/instrumentation-vertexai/package.json	Updates @opentelemetry/instrumentation from ^0.203.0 to ^0.217.0 across listed instrumentation packages; also bumps lodash to ^4.18.1 in llamaindex.
Core SDK and sample app OpenTelemetry dependencies packages/sample-app/package.json, packages/traceloop-sdk/package.json	Updates traceloop-sdk peerDependencies and dependencies to ^0.217.0 for OpenTelemetry exporter/instrumentation/SDK packages and bumps uuid to ^11.1.1. Updates sample-app OTel dependency ranges to ^0.217.0.
VertexAI wrapper type signature simplification packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts	Removes google-gax type-only imports (CallOptions, Callback) and simplifies the returned predict wrapper signature to function method(this: any, ...args: any[]).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

• Update @opentelemetry dependencies with security vulnerabilities #1013: The dependency version bumps from ^0.203.0 to ^0.217.0 for @opentelemetry packages address the same vulnerable dependency version family referenced in this issue.

Poem

🐰 Hop along, the packages align,
From point-oh-two-oh-three to point-two-one-seven fine,
Old types removed with a gentle paw,
The SDK now follows nature's law,
Tracing futures, gleaming and bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: bumping OpenTelemetry experimental packages from ^0.203.0 to ^0.217.0 to address consumer-facing vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dk/fix-dependabot-vulns

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts`:
- Line 105: The wrapper functions declare their rest parameter incorrectly as
`...args: any`; update the signatures to `...args: any[]` so the rest parameter
is typed as an array/tuple; specifically change the wrapper signature `function
method(this: any, ...args: any)` in the aiplatform instrumentation (and the
analogous wrapper `method` signatures in the qdrant, cohere, and bedrock
instrumentation files) to `function method(this: any, ...args: any[])`, keeping
all other logic unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79b4e005-4967-49e1-bbe0-f40bb8eed703

📥 Commits

Reviewing files that changed from the base of the PR and between 28c4a7a and 47fe042.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (16)

• packages/instrumentation-anthropic/package.json
• packages/instrumentation-bedrock/package.json
• packages/instrumentation-chromadb/package.json
• packages/instrumentation-cohere/package.json
• packages/instrumentation-google-generativeai/package.json
• packages/instrumentation-langchain/package.json
• packages/instrumentation-llamaindex/package.json
• packages/instrumentation-mcp/package.json
• packages/instrumentation-openai/package.json
• packages/instrumentation-pinecone/package.json
• packages/instrumentation-qdrant/package.json
• packages/instrumentation-together/package.json
• packages/instrumentation-vertexai/package.json
• packages/instrumentation-vertexai/src/aiplatform-instrumentation.ts
• packages/sample-app/package.json
• packages/traceloop-sdk/package.json