chore(deps): bump @opentelemetry/instrumentation from 0.203.0 to 0.204.0

[dependabot]

Bumps @opentelemetry/instrumentation from 0.203.0 to 0.204.0.

Release notes

Sourced from @​opentelemetry/instrumentation's releases.

experimental/v0.204.0

0.204.0

💥 Breaking Changes

• feat(api-logs)!: Marked private methods as "conventionally private". #5789
• feat(exporter-otlp-*): support custom HTTP agents #5719 @​raphael-theriault-swi
  • OtlpHttpConfiguration.agentOptions has been removed and functionality has been rolled into OtlpHttpConfiguration.agentFactory
    • (old) { agentOptions: myOptions }
    • (new) { agentFactory: httpAgentFactoryFromOptions(myOptions) }

🚀 Features

• feat(otlp-exporter-base): Add fetch transport for fetch-only environments like service workers. #5807
  • when using headers, the Browser exporter now prefers fetch over XMLHttpRequest if present. Sending via XMLHttpRequest will be removed in a future release.
• feat(opentelemetry-configuration): creation of basic ConfigProvider #5809 @​maryliag
• feat(opentelemetry-configuration): creation of basic FileConfigProvider #5863 @​maryliag
• feat(sdk-node): Add support for multiple metric readers via the new metricReaders option in NodeSDK configuration. Users can now register multiple metric readers (e.g., Console, Prometheus) directly through the NodeSDK constructor. The old metricReader (singular) option is now deprecated and will show a warning if used, but remains supported for backward compatibility. Comprehensive tests and documentation have been added. #5760

  • Migration:

    • Before:

      const sdk = new NodeSDK({ metricReader: myMetricReader });

    • After:

      const sdk = new NodeSDK({ metricReaders: [myMetricReader] });

  • Users should migrate to the new metricReaders array option for future compatibility. The old option will be removed in an upcoming experimental version.

• feat(instrumentation-http): Added support for redacting specific url query string values and url credentials #5743 @​rads-1996

🐛 Bug Fixes

• fix(otlp-exporter-base): prioritize esnext export condition as it is more specific #5458
• fix(otlp-exporter-base): consider relative urls as valid in browser environments #5807
• fix(instrumentation-fetch): Use ESM version of semconv instead of CJS. Users expecting mixed ESM and CJS modules will now only get ESM modules. #5878 @​overbalance

🏠 Internal

• refactor(otlp-exporter-base): use getStringFromEnv instead of process.env #5594 @​weyert
• chore(sdk-logs): refactored imports #5801 @​svetlanabrennan
• refactor(instrumentation-grpc): updated path to semconv #5884 @​overbalance

Commits

• 98f9d72 chore: prepare next release (#5903)
• 4636de6 chore(deps): update dependency markdownlint-cli2 to v0.18.1 (#5891)
• ea83923 Add subscript to issue templates (#5831)
• daa4d39 chore(deps): lock file maintenance (#5904)
• af5c2fd chore: prepare next release (#5901)
• 747da91 feat(semantic-conventions): update semantic conventions to v1.37.0 (#5879)
• f2b0d2a chore(config): migrate renovate config (#5900)
• 52ffa04 chore: group packages that need to be updated together (#5896)
• 16c786c chore(deps): lock file maintenance (#5781)
• a171a5c chore(deps): update dependency mocha to v11.7.2 (#5850)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
@opentelemetry/instrumentation	[>= 0.200.a, < 0.201]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@opentelemetry/api-logs	0.204.0	🟢 7.5	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(v1.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
npm/@opentelemetry/instrumentation	0.204.0	🟢 7.5	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(v1.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
npm/@opentelemetry/instrumentation	0.204.0	🟢 7.5	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(v1.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations

Scanned Files

• package-lock.json
• package.json

[github-actions]

Performance results

CDP Performance Tests

	Number of Requests	Size of Requests	Script Duration	Task Duration	Heap Used Size
Requests	+3 requests	+29.16 KB
Page Loaded			+16.71 ms	+6.94 ms	+0.88 MB
Generate 100 fetch requests			+16.96 ms	+66.02 ms	+0.82 MB
Generate 100 XHR requests			+44.43 ms	+114.03 ms	+1.63 MB
Click 100 buttons and generate 100 logs			+28.43 ms	+33.27 ms	+1.98 MB
Throw a 100 exceptions			+1.76 ms	+8.48 ms	+2.01 MB
End Session			+7.70 ms	+15.38 ms	+2.70 MB
Total	+3 requests	+29.16 KB	+116.00 ms	+244.12 ms	+10.00 MB

Lighthouse Startup Performance Tests

	Difference	Description
Total Blocking Time	0 ms	Difference in Total Blocking Time: Sum of all time periods between FCP and Time to Interactive, when task length exceeded 50ms, expressed in milliseconds. Learn more about the Total Blocking Time metric.
Main Thread Time	+66.71 ms	Difference in Main Thread Time: Consider reducing the time spent parsing, compiling and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to minimize main-thread work
Script Evaluation Time	+97.70 ms	Difference in Script Evaluation Time: Consider reducing the time spent parsing, compiling, and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to reduce Javascript execution time.

[github-actions]

build results

vite-7 Platform Tests

	Total Uncompressed Size	Total Gzip Size
vite-7 - esnext	+155.02 KB	+43.84 KB
vite-7 - es2015	+160.28 KB	+45.33 KB

vite-otel-latest Platform Tests

	Total Uncompressed Size	Total Gzip Size
vite-otel-latest - esnext	+154.17 KB	+45.74 KB
vite-otel-latest - es2015	+159.29 KB	+47.05 KB

webpack-5 Platform Tests

	Total Uncompressed Size	Total Gzip Size
webpack-5 - esnext	+146.84 KB	+51.07 KB
webpack-5 - es2015	+155.61 KB	+54.11 KB

[dependabot]

Superseded by #775.