chore(deps): bump the patch-and-minor group with 18 updates

[dependabot]

Bumps the patch-and-minor group with 18 updates:

Package	From	To
@ai-sdk/google	3.0.55	3.0.79
@anthropic-ai/sdk	0.78.0	0.98.0
@fastify/static	9.1.1	9.1.3
@modelcontextprotocol/sdk	1.28.0	1.29.0
@opentelemetry/auto-instrumentations-node	0.75.0	0.76.0
@opentelemetry/exporter-trace-otlp-http	0.214.0	0.218.0
@opentelemetry/resources	2.6.1	2.7.1
@opentelemetry/sdk-node	0.217.0	0.218.0
@opentelemetry/semantic-conventions	1.40.0	1.41.1
canvas	3.2.2	3.2.3
ora	9.3.0	9.4.0
zod	4.3.6	4.4.3
@biomejs/biome	2.4.9	2.4.15
@vitest/coverage-v8	4.1.2	4.1.7
jsdom	29.0.1	29.1.1
msw	2.12.14	2.14.6
typedoc	0.28.18	0.28.19
vitest	4.1.2	4.1.7

Updates @ai-sdk/google from 3.0.55 to 3.0.79

Release notes

Sourced from @​ai-sdk/google's releases.

@​ai-sdk/google@​3.0.79

Patch Changes

• cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

@​ai-sdk/google@​3.0.78

Patch Changes

• cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

  The previous implementation read serviceTier from the x-gemini-service-tier response header, which is only populated on non-streaming responses. Gemini streaming includes the value in usageMetadata.serviceTier on every chunk, so providerMetadata.google.serviceTier was always null for streams. Read from usageMetadata for both paths instead.

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.79

Patch Changes

• cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

• cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

  The previous implementation read serviceTier from the x-gemini-service-tier response header, which is only populated on non-streaming responses. Gemini streaming includes the value in usageMetadata.serviceTier on every chunk, so providerMetadata.google.serviceTier was always null for streams. Read from usageMetadata for both paths instead.

3.0.77

Patch Changes

• 0f9f9bf: feat(google): read serviceTier from x-gemini-service-tier response header in Gemini API and use PayGo for Vertex

3.0.76

Patch Changes

• f259bd1: fix(google): fix streaming tool call args
• 756fec1: feat(provider/google): add gemini-3.5-flash

3.0.75

Patch Changes

• ab15576: feat(google): update Interactions API implementation to cater for upstream breaking changes coming May 26

3.0.74

Patch Changes

• 3ca0daa: fix(provider/google): support functionCall.id when returned by Gemini API and provide matching functionResponse.id

3.0.73

Patch Changes

• bb1eb98: feat(google): add fileData support to embedding model

3.0.72

... (truncated)

Commits

• fc83fa3 Version Packages (#15532)
• cfa0cb2 Backport: feat(provider/google): support Google search grounding when using `...
• 93ad540 Version Packages (#15489)
• cf63828 Backport: fix(google): read serviceTier from usageMetadata in stream + genera...
• a15eda9 Version Packages (#15473)
• 0f9f9bf Backport: fix(google): read serviceTier from x-gemini-service-tier response h...
• b9241af Backport: feat(provider/google): add support for managed agents in the Intera...
• e33b836 Version Packages (#15440)
• f259bd1 Backport: fix(google): fix streaming tool call args (#15442)
• 756fec1 Backport: feat(provider/google): add gemini-3.5-flash (#15436)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/google since your current version.

Updates @anthropic-ai/sdk from 0.78.0 to 0.98.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.98.0

0.98.0 (2026-05-21)

Full Changelog: sdk-v0.97.1...sdk-v0.98.0

Features

• api: Add support for thinking-token-count beta for estimated tokens in thinking block deltas when streaming (0528d47)

sdk: v0.97.1

0.97.1 (2026-05-19)

Full Changelog: sdk-v0.97.0...sdk-v0.97.1

Bug Fixes

• runner: skip tool calls SessionToolRunner does not own (9987379)

sdk: v0.97.0

0.97.0 (2026-05-19)

Full Changelog: sdk-v0.96.0...sdk-v0.97.0

Features

• client: Add support for self-hosted sandboxes in CMA with sandbox helpers (659a343)

Bug Fixes

• typescript: upgrade tsc-multi so that it works with Node 26 (623f71c)

Chores

• tests: remove redundant File import (cf821fc)

sdk: v0.96.0

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.98.0 (2026-05-21)

Full Changelog: sdk-v0.97.1...sdk-v0.98.0

Features

• api: Add support for thinking-token-count beta for estimated tokens in thinking block deltas when streaming (0528d47)

0.97.1 (2026-05-19)

Full Changelog: sdk-v0.97.0...sdk-v0.97.1

Bug Fixes

• runner: skip tool calls SessionToolRunner does not own (9987379)

0.97.0 (2026-05-19)

Full Changelog: sdk-v0.96.0...sdk-v0.97.0

Features

• client: Add support for self-hosted sandboxes in CMA with sandbox helpers (659a343)

Bug Fixes

• typescript: upgrade tsc-multi so that it works with Node 26 (623f71c)

Chores

• tests: remove redundant File import (cf821fc)

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

• zod: ensure only zod/v4 types are used (#992) (9e08bcc)

Chores

... (truncated)

Commits

• 32ce8c0 chore: release main
• 1873a96 feat(api): Add support for thinking-token-count beta for estimated tokens in ...
• ac9ece3 chore: release main
• 1987147 fix(runner): skip tool calls SessionToolRunner does not own
• 409ff0e chore: release main (#1052)
• a53f60d chore: release main
• d1b8d04 feat(api): Add support for cache diagnostics beta
• 8e43bf8 chore(api): spec updates
• 697e4d5 codegen metadata
• cd5801c feat(api): Add BetaManagedAgentsSearchResultBlock types
• Additional commits viewable in compare view

Updates @fastify/static from 9.1.1 to 9.1.3

Release notes

Sourced from @​fastify/static's releases.

v9.1.3

What's Changed

• fix: support wildcard prefixes with route params by @​mcollina in fastify/fastify-static#576

Full Changelog: fastify/fastify-static@v9.1.2...v9.1.3

v9.1.2

What's Changed

• fix: resolve wildcard paths in encapsulated contexts by @​mcollina in fastify/fastify-static#574

Full Changelog: fastify/fastify-static@v9.1.1...v9.1.2

Commits

• 880c1a6 Bumped v9.1.3
• 7f92da5 fix: support wildcard prefixes with route params (#576)
• b0a66d5 Bumped v9.1.2
• 32af863 fix: resolve wildcard paths in encapsulated contexts (#574)
• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.28.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• See full diff in compare view

Updates @opentelemetry/auto-instrumentations-node from 0.75.0 to 0.76.0

Release notes

Sourced from @​opentelemetry/auto-instrumentations-node's releases.

auto-instrumentations-node: v0.76.0

0.76.0 (2026-05-13)

Features

• deps: update deps matching '@opentelemetry/*' (#3523) (e26a90a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.72.0 to ^0.73.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.33.0 to ^0.34.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-express bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.26.0 to ^0.27.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-net bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.15.0 to ^0.16.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.42.0 to ^0.43.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-router bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.30.0 to ^0.31.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.27.0 to ^0.28.0

... (truncated)

Changelog

Sourced from @​opentelemetry/auto-instrumentations-node's changelog.

0.76.0 (2026-05-13)

Features

• deps: update deps matching '@opentelemetry/*' (#3523) (e26a90a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.72.0 to ^0.73.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.33.0 to ^0.34.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-express bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.26.0 to ^0.27.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-net bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.15.0 to ^0.16.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.42.0 to ^0.43.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-router bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.30.0 to ^0.31.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.27.0 to ^0.28.0
    • @​opentelemetry/instrumentation-winston bumped from ^0.61.0 to ^0.62.0

... (truncated)

Commits

• 15ef750 chore: release main (#3508)
• e26a90a feat(deps): update deps matching '@opentelemetry/*' (#3523)
• See full diff in compare view

Updates @opentelemetry/exporter-trace-otlp-http from 0.214.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-trace-otlp-http's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates @opentelemetry/resources from 2.6.1 to 2.7.1

Release notes

Sourced from @​opentelemetry/resources's releases.

v2.7.1

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

v2.7.0

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance

Changelog

Sourced from @​opentelemetry/resources's changelog.

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad
• test: test Node.js 26 in CI #6671 @​cjihrig

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-node from 0.217.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates @opentelemetry/semantic-conventions from 1.40.0 to 1.41.1

Release notes

Sourced from @​opentelemetry/semantic-conventions's releases.

semconv/v1.41.1

1.41.1

🚀 Features

Note: Semantic Conventions v1.41.0 included an issue that prevented publishing a "1.41.0" version of this package.

• feat: update semantic conventions to v1.41.1 #6695 @​trentm
  • Semantic Conventions v1.41.1: changelog v1.41.0 | changelog v1.41.1 | latest docs
  • @opentelemetry/semantic-conventions (stable) changes: 8 added exports
  • @opentelemetry/semantic-conventions/incubating (unstable) changes: 2 exported values changed, 4 newly deprecated exports, 80 added exports

Stable changes in v1.41.1

ATTR_DEPLOYMENT_ENVIRONMENT_NAME              // deployment.environment.name
  DEPLOYMENT_ENVIRONMENT_NAME_VALUE_DEVELOPMENT // "development"
  DEPLOYMENT_ENVIRONMENT_NAME_VALUE_PRODUCTION  // "production"
  DEPLOYMENT_ENVIRONMENT_NAME_VALUE_STAGING     // "staging"
  DEPLOYMENT_ENVIRONMENT_NAME_VALUE_TEST        // "test"
ATTR_OTEL_EVENT_NAME                          // otel.event.name
ATTR_TELEMETRY_DISTRO_NAME                    // telemetry.distro.name
ATTR_TELEMETRY_DISTRO_VERSION                 // telemetry.distro.version

Unstable changes in v1.41.1

METRIC_K8S_CONTAINER_CPU_LIMIT_UTILIZATION   // k8s.container.cpu.limit_utilization -> k8s.container.cpu.limit.utilization
METRIC_K8S_CONTAINER_CPU_REQUEST_UTILIZATION // k8s.container.cpu.request_utilization -> k8s.container.cpu.request.utilization

METRIC_K8S_CONTAINER_CPU_LIMIT      // k8s.container.cpu.limit: Replaced by `k8s.container.cpu.limit.desired`.
METRIC_K8S_CONTAINER_CPU_REQUEST    // k8s.container.cpu.request: Replaced by `k8s.container.cpu.request.desired`.
</tr></table> 

... (truncated)

Commits

• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• 0893288 chore(sdk-node): restore skipped test cases (#6685)
• 3b5bfbd feat(configuration): show all config validation errors, if there are multiple...
• Additional commits viewable in compare view

Updates canvas from 3.2.2 to 3.2.3

Release notes

Sourced from canvas's releases.

v3.2.3

Fixed

• Fix building with gcc (#2559)

Changelog

Sourced from canvas's changelog.

3.2.3

Fixed

• Fix building with gcc (#2559)

Commits

• f91598e v3.2.3
• 1541544 PAGE_SIZE shouldn't be unsigned
• See full diff in compare view

Updates ora from 9.3.0 to 9.4.0

Release notes

Sourced from ora's releases.

v9.4.0

• Add successSymbol and failSymbol options to oraPromise 3d2e0a9

---

sindresorhus/ora@v9.3.0...v9.4.0

Commits

• 46a6703 9.4.0
• 3d2e0a9 Add successSymbol and failSymbolDescription has been truncated

[coderabbitai]

Warning

Review limit reached

@dependabot[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b9c082ce-e73a-4e62-967e-cf23bb838d64

📥 Commits

Reviewing files that changed from the base of the PR and between 0e1168d and a6b08a0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/patch-and-minor-ffaecdb717

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​anthropic-ai/​sdk@​0.98.0
	jsdom@​29.1.1
	@​ai-sdk/​google@​3.0.79
	@​opentelemetry/​exporter-trace-otlp-http@​0.218.0
	vitest@​4.1.7
	@​vitest/​coverage-v8@​4.1.7
	ora@​9.4.0
	canvas@​3.2.3
	typedoc@​0.28.19
	@​opentelemetry/​semantic-conventions@​1.41.1
	@​fastify/​static@​9.1.3
	msw@​2.14.6
	@​modelcontextprotocol/​sdk@​1.29.0
	zod@​4.4.3
	@​opentelemetry/​sdk-node@​0.218.0
	@​biomejs/​biome@​2.4.15

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @mswjs/interceptors is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/msw@2.14.6 → npm/@mswjs/interceptors@0.41.9 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mswjs/interceptors@0.41.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm jsdom is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/jsdom@29.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jsdom@29.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm jsdom is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/jsdom@29.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jsdom@29.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/typedoc@0.28.19 → npm/markdown-it@14.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

👻 Specter Analysis

Metric	Value
Health Score	0/100 🔴
PR Risk	Low 🟢
Files Changed	-
Est. Review Time	~5 min

---

Generated by Specter - Give your codebase a voice

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!