open-telemetry / opentelemetry-lambda

Create your own Lambda Layer in each OTel language using this starter code. Add the Lambda Layer to your Lambda Function to get tracing with OpenTelemetry.
https://opentelemetry.io
Apache License 2.0

Dependabot not updating dependencies for OpenTelemetry Lambda JS #1421

Open vasireddy99 opened 2 months ago

vasireddy99 commented 2 months ago

Describe the bug

It appears that Dependabot is not updating the dependencies for the Node.js release. Dependencies that are not updated.

Lambda Nodejs Layer 0.7.0 claims to be at version otel js 1.24.1, but the dependencies are not updated in the corresponding release.

tylerbenson commented 2 months ago

1.24.1 was the version reported by the build: https://github.com/open-telemetry/opentelemetry-lambda/actions/runs/9355724499 (component-version=1.24.1) (which invokes version.js). Maybe that is reporting the version incorrectly or it's being transitively updated?

rapphil commented 2 months ago

We are using caret in the version of the dependencies: https://github.com/npm/node-semver?tab=readme-ov-file#caret-ranges-123-025-004

This makes the dependency be resolved at build time.

We could use a package-lock.json or explicitly set the version instead of using caret. Since this is somewhat a library I would prefer to make it explicit in package.json.
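The caret behaviour discussed in this thread can be checked mechanically. The following is an added example, not part of the thread or the project's code: it flags dependency specs that are not exact versions and computes the upper bound a caret range lets the build resolve to. The manifest contents and function names are constructed for illustration, and only plain `x.y.z` versions (no prerelease tags) are handled.

```javascript
// Constructed sample manifest; version numbers are illustrative,
// not taken from the repository's package.json.
const samplePackageJson = {
  dependencies: {
    "@opentelemetry/sdk-trace-base": "^1.24.1",
    "@opentelemetry/instrumentation": "^0.51.1",
    "@opentelemetry/api": "1.8.0",
  },
};

const parse = (v) => v.split(".").map(Number);

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret range per node-semver: the leftmost
// non-zero component must not change
// (^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4).
function caretUpperBound(base) {
  const [maj, min, pat] = parse(base);
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Would a build that resolves `range` be allowed to install `candidate`?
function caretAllows(range, candidate) {
  const base = range.slice(1);
  const c = parse(candidate);
  return cmp(c, parse(base)) >= 0 && cmp(c, caretUpperBound(base)) < 0;
}

// Report every dependency whose spec is not an exact x.y.z version.
function findFloating(pkg) {
  const out = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(spec)) out.push({ name, spec });
    }
  }
  return out;
}

for (const { name, spec } of findFloating(samplePackageJson)) {
  const bound = spec.startsWith("^") ? caretUpperBound(spec.slice(1)).join(".") : "?";
  console.log(`${name}: ${spec} floats, build may resolve anything < ${bound}`);
}
```

Without a lockfile, two builds of the same commit can ship different dependency versions inside the range, so the released artifact is not reproducible from package.json alone.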