fix(deps): update dependency dd-trace to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dd-trace	^1.0.0 -> ^5.0.0

---

Release Notes

DataDog/dd-trace-js (dd-trace)

v5.5.0

Compare Source

Improvements

• profiling: Use new intake format for profiles (#​4082)

Bug fixes

• opentracing: Fix tracestate decision maker (#​4086)
• ci-visibility: Fix cypress open when passing experimentalInteractiveRunEvents: true (#​4083)
• ci-visibility: Fix intelligent test runner when using jest with a custom test sequencer (#​4088)
• amqplib: Fix typeerror due to missing header properties for amqplib when dsm is enabled (#​4096)
• ci-visibility: Disable telemetry if within a jest worker (#​4098)

Features

• aws-sdk: create DSM checkpoint for each message in batch sends (#​4087)
• ci-visibility: Allow using after:run directly in cypress (#​4090)

v5.4.0

Compare Source

Improvements

• serverless: Benchmark on AWS Lambda (#​4033)
• ci-visibility: Early flake detection for mocha (#​4060)
• ci-visibility: Cypress: do not lose all the trace if testSuiteSpan can't be created (#​4072)
• asm: Enable telemetry logs (#​4079)

Bug Fixes

• core: Fixing the eu endpoint for agentless telemetry (#​4067)
• asm: Avoid Max call stack size exceeded on vulnerability format (#​4068)

Features

• core: Add APM_TRACING_ENABLED capability for remote config (#​4065)
• asm: Support graphql resolver arguments as vulnerability source (#​3835)
• asm: Iast kafka consumer support (#​3977)

v5.3.0

Compare Source

Improvements

• ci-visibility: Attempt to use repository root to find CODEOWNERS file (#​4021)
• ci-visibility: Use gzip for skippable endpoint if it's available (#​4016)
• ci-visibility: Add support for evp_proxy/v4 (gzip compatible) (#​3998)
• ci-visibility: Work around jest's --forceExit (#​4049)
• asm: Supports form data for nextjs request body (#​4008)
• core: allow metrics UDP fallback in case of network errors (#​4042)
• request: Allow accepting gzip (#​3992)
• core: add dsm to rabbitmq integrations (amqplib/rhea) (#​3987)

Bug Fixes

• ci-visibility: Fix test source file to be relative to the repository root (#​4030)
• ci-visibility: Fix DD_TAGS (#​4044)
• ci-visibility: Add browser name as test configuration in playwright (#​4048)
  • Important: This means all playwright tests will now appear as "new tests" since their configuration has changed. This means Flaky Test tracking and failure rates will reset, any monitors or dashboards you had for these specific tests will reset, and long-term performance tracking will be reset.
• asm: Fix location in mysql vulnerability (#​4006)
• asm: Fix rewriter Error.prepareStackTrace overrides (#​4028)
• asm: Fix mongoose exec with callback (#​4045)
• core: grab resolved remote peer in GRPC >=1.1.4 (#​4013)
• core: Fix error due to undefined options (#​4029)

Features

• asm: Shell execution integration (#​3608)
• asm: Api security enabled by default and configurable by non experimental environment variable (#​4005)
• asm: Support API Security rules via RC (#​3981)
• asm: Support schema extraction in express response objects (#​3976)
• core: APM uninstrumentation (#​4014)
• core: allow unix URLs for datastreams (#​4041)
• core: Implement Span Links (#​3924)
• core: add datadog trace context extraction to aws kinesis (#​3874)

v5.2.0: 5.2.0

Compare Source

Security Fixes

lodash: Remove reliance on vulnerable lodash.pick dependency (#​3999), thanks @​Nico385412 for the original PR and for notifying us

Bug Fixes

asm: fix mquery vulnerability location (#​3797)

Features

dsm: add support for sqs/sns/kinesis in aws-sdk (#​3864)

v5.1.0

Compare Source

Bug Fixes

• core: fixed empty strings being kept as valid values in config (#​3952)
• appsec: fixed reuse of requestOptions object (#​3959)

Improvements

• appsec: Appsec reporter now collects the x-amzn-trace-id header (#​3984)
• iast: Added support for weak randomness vulnerability (#​3960)
• iast: Ignore header vulnerabilities in cors headers (#​3962)
• profiler: Added timelines env var, disabled timelines and CPU profiler on Windows (#​3969)
• profiler: Disabled OOM monitoring by default on Windows (#​3974)

v5.0.0

Compare Source

Breaking Changes

More information about the breaking changes from this release can be found in
the migration guide.

• core: drop support for Node 16 (#​3905)
• core: fix TypeScript errors (#​3912)

Features

• profiling: Add experimental CPU profiler (#​3895)

Improvements

• profiling: GA Code hotspots and endpoint collection (#​3940)

Bug Fixes

• core: Handle google-cloud-pubsub subscription closing (#​2716)

v4.29.0

Compare Source

Improvements

• profiling: Use new intake format for profiles (#​4082)

Bug fixes

• opentracing: Fix tracestate decision maker (#​4086)
• ci-visibility: Fix cypress open when passing experimentalInteractiveRunEvents: true (#​4083)
• ci-visibility: Fix intelligent test runner when using jest with a custom test sequencer (#​4088)
• amqplib: Fix typeerror due to missing header properties for amqplib when dsm is enabled (#​4096)
• ci-visibility: Disable telemetry if within a jest worker (#​4098)

Features

• aws-sdk: create DSM checkpoint for each message in batch sends (#​4087)
• ci-visibility: Allow using after:run directly in cypress (#​4090)

v4.28.0

Compare Source

Improvements

• serverless: Benchmark on AWS Lambda (#​4033)
• ci-visibility: Early flake detection for mocha (#​4060)
• ci-visibility: Cypress: do not lose all the trace if testSuiteSpan can't be created (#​4072)
• asm: Enable telemetry logs (#​4079)

Bug Fixes

• core: Fixing the eu endpoint for agentless telemetry (#​4067)
• asm: Avoid Max call stack size exceeded on vulnerability format (#​4068)

Features

• core: Add APM_TRACING_ENABLED capability for remote config (#​4065)
• asm: Support graphql resolver arguments as vulnerability source (#​3835)
• asm: Iast kafka consumer support (#​3977)

v4.27.0

Compare Source

Improvements

• ci-visibility: Attempt to use repository root to find CODEOWNERS file (#​4021)
• ci-visibility: Use gzip for skippable endpoint if it's available (#​4016)
• ci-visibility: Add support for evp_proxy/v4 (gzip compatible) (#​3998)
• ci-visibility: Work around jest's --forceExit (#​4049)
• asm: Supports form data for nextjs request body (#​4008)
• core: allow metrics UDP fallback in case of network errors (#​4042)
• request: Allow accepting gzip (#​3992)
• core: add dsm to rabbitmq integrations (amqplib/rhea) (#​3987)

Bug Fixes

• ci-visibility: Fix test source file to be relative to the repository root (#​4030)
• ci-visibility: Fix DD_TAGS (#​4044)
• ci-visibility: Add browser name as test configuration in playwright (#​4048)
  • Important: This means all playwright tests will now appear as "new tests" since their configuration has changed. This means Flaky Test tracking and failure rates will reset, any monitors or dashboards you had for these specific tests will reset, and long-term performance tracking will be reset.
• asm: Fix location in mysql vulnerability (#​4006)
• asm: Fix rewriter Error.prepareStackTrace overrides (#​4028)
• asm: Fix mongoose exec with callback (#​4045)
• core: grab resolved remote peer in GRPC >=1.1.4 (#​4013)
• core: Fix error due to undefined options (#​4029)

Features

• asm: Shell execution integration (#​3608)
• asm: Api security enabled by default and configurable by non experimental environment variable (#​4005)
• asm: Support API Security rules via RC (#​3981)
• asm: Support schema extraction in express response objects (#​3976)
• core: APM uninstrumentation (#​4014)
• core: allow unix URLs for datastreams (#​4041)
• core: Implement Span Links (#​3924)
• core: add datadog trace context extraction to aws kinesis (#​3874)

v4.26.0: 4.26.0

Compare Source

Security Fixes

lodash: Remove reliance on vulnerable lodash.pick dependency (#​3999), thanks @​Nico385412 for the original PR and for notifying us

Bug Fixes

asm: fix mquery vulnerability location (#​3797)

Features

dsm: add support for sqs/sns/kinesis in aws-sdk (#​3864)

v4.25.0

Compare Source

v4.24.0

Compare Source

Features

• profiling: Add experimental CPU profiler (#​3895)

Improvements

• profiling: GA Code hotspots and endpoint collection (#​3940)

Bug Fixes

• core: Handle google-cloud-pubsub subscription closing (#​2716)

v4.23.0

Compare Source

Features

• core: Add remote config support for custom tags (#​3875)
• profiling: Add a process_id that contains process pid to profiles (#​3911)
• core: Implement extended sampling (#​3904)

Improvements

• core: Add instrumentation support for node:* specifiers (#​3893)
• core: Fix instrumentation support for Fastify versions >= 4.23.0 (#​3893)

Bug Fixes

• profiling: Fix compatibility with node < 14.18 (#​3908)

v4.22.0

Compare Source

Bug Fixes

• pino: ignore pino error tests when node version is 21 (#​3878)
• rhea: fix rhea memory leak concerning inFlightDeliveries (#​3833)
• profiling: Fix recording times (#​3891)
• core: fix memory leak of req and res objects due to setTimeout wrapping repeatedly (#​3896)

Improvements

• appsec: Upgrade iast rewriter version to 2.2.2 (#​3883)
• civisibility: Update repository url validation (#​3876)
• core: flush custom metrics before process exit (#​3842)
• nextjs: Default Error Tagging for Pages in Next.js (#​3892)
• profiling: Add thread id labels to heap and wall profiles (#​3888)

Features

• appsec: GraphQL Blocking (3819)
• appsec: API security sample rate via RC (#​3868)
• appsec: Pass resolver address as ephemeral type (#​3897)
• core: add support for configuring tracing client using remote configuration (#​3395)

v4.21.0

Compare Source

Bug Fixes

• profiling: add source code integration tags to profiles (#​3821)
• core: do not report HTTP requests over 5 seconds as errors on Node 20 (#​3853)
• core: update protobuf for security reasons (#​3851)
• core: resolve the 0th argument of the restify controller promise (#​3818)

Improvements

• core: collapse Next.js static resources to reduce cardinality (#​3809)
• civisibility: waits for git to upload and re-request settings when require_git field is true (#​3790)
• civisibiity: do not report total code. coverage if itr is enabled (#​3828)
• profiling: Add DNS events to timeline (#​3822)
• core: add a new http service configuration option enablePropagationWithAmazonHeaders (#​3836)
• appsec: use existing response header instrumentation to detect Header Injection vulnerability when a unsafe string is written in a header (#​3813)
• profiling: Add Net events to timeline (#​3832)
• core: Partially upgrade instrumentation telemetry from v1 to v2 (#​3827)
• civisibility: Speed up git unshallow (#​3839)
• core: add a new environment variable to enable span leak detection at either logging or logging + manual gc modes (#​3849)
• core: add a GitHub security policy via SECURITY.md (#​3863)
• appsec: Apply new rules for header injection detection to prevent false positives (#​3867)
• dsm: Add Kafka offset lag to metrics sent by datastreams monitoring (#​3761)
• profiling: reduce overhead by removing lane logic from profiler library (#​3880)

Features

• appsec: add support for schema extraction when calling the waf (#​3685)
• core: add automatic instrumentation support for Aerospike v3.16.2 - v3.16.7, v4, v5 (#​3830, #​3804)

v4.20.0

Compare Source

Bug Fixes

• core: always propagate tracestate when tracecontext is configured (#​3810)
• profiling: fix enabling of timeline profiler: (#​3807)

Improvements

• profiling: emit wall sample timestamps even when code hotspots aren't used (#​3808)
• profiling: memoize web tags in all ancestors (#​3792)
• appsec: load appsec rules in appsec/rule_manager.js (#​3805)

v4.19.0

Compare Source

Bug Fixes

• core: modified telemetry.enabled to comply with instrumentation telemetry specs (#​3765)
• appsec: use exact version for @datadog/native-appsec (#​3778)
• ci-visibility: update git metadata extraction (#​3771)
• profiling: only consider the active span and its ancestors when looking for web tags (#​3780)
• core: restify: emit on DC channels w/ async handlers, fixes bug where path names repeat (#​3782)

Improvements

• core: use dc-polyfill instead of diagnostics_channel directly (#​3722)
• appsec: update AppSec rules to 1.9.0 (#​3772)
• ci-visibility: add flags to force code coverage reporting and test skipping (#​3767)
• profiling: restore eager release of tags, adapt endpoint profiling code (#​3759)
• profiling: cache web span lookup, so we only perform it once per span, release eagerly (#​3779 / #​3781)
• core: enable arm builds for single-step (#​3791)
• appsec: obfuscate secret tokens (#​3786)
• appsec: update collected request headers (#​3795)
• profiling: gc events profiler (#​3770)
• core: add DSM pathway hash to kafka spans, payload size for kafka stats (#​3763 / #​3734)
• appsec: update native-iast-taint-tracking to v1.6.4 (#​3787)

Features

• core: enable 128-bit ids by default (#​3656 / #​3800)
• core: otel span name translator (#​3766)

v4.18.0

Compare Source

Bug Fixes

• core: fix next.js build errors by refactoring config (#​3748)
• core: fix error in http plugin when it was enabled after request start (#​3740)
• appsec: Check only query and body parameters in nosql injections (#​3725)
• appsec: Fix knex nested queries (#​3730)
• appsec: Handle headers with array values (#​3751)
• profiling: Call the right method to unsubscribe from a channel (#​3756)

Improvements

• core: report tested integrations and their tested versions (#​3669)
• core: Support for node 21 (#​3729)
• core: Next.js: Don't Trace Middleware (#​3702)
• core: Make telemetry metrics true by default (#​3747)
• core: NextJS error handling (#​3715)
• profiling: Emit thread names in wall profiles (#​3726)
• ci-visibility: Add custom tags capability to playwright tests (#​3741)
• ci-visibility: Instrument suite parsing errors as failed suites (#​3735)
• ci-visibility: Better logs for intelligent test runner (#​3742)
• ci-visibility: Remove user credentials from DD_GIT_REPOSITORY_URL (#​3744)
• ci-visibility: Improve test status in test sessions for jest and mocha (#​3736)
• appsec: Add configurable IAST redaction pattern (#​3720)
• appsec: Generic telemetry logs (#​3647)

Features

• appsec: Hardcoded secret detection (#​3687)

v4.17.0

Compare Source

Bug Fixes

• appsec: Fix SQLi location when using knex (#​3607)
• appsec: Enable appsec telemetry before waf init (#​3693)
• Fixed a problem with release scripts (#​3697, #​3723)

Improvements

• core: Disable memcached.command by default (#​3627)
• appsec: Include the extra services found in spans in the remote config client request payloads (#​3635)
• telemetry: Removed old fields from Instrumentation Telemetry Metrics (#​3367)
• appsec: Change source origin for URL tainted sources from HTTP_REQUEST_PATH to HTTP_REQUEST_URI (#​3644)
• release: dd-trace is now published with NPM provenance statements (#​3645)
• profiler: Emit sample timestamps in wall profiles (#​3651)
• profiler: Code Hotspots and Endpoint Profiling can now be enabled with non-experimental env vars (#​3659)
• ci-visibility: Unskippable tests by ITR: #​3684, #​3681, #​3661 and #​3649
• ci-visibility: Add support for AWS Codepipeline #​3692

Features

• appsec: Support threat detection in nextjs (#​3641)
• appsec Mongodb nosqli detection (#​3483)

v4.16.0

Compare Source

Bug Fixes

• core: fix errors from object shape of pg query being altered (#​3603)
• ci-visibility: Fix playwright latest release (#​3646)
• core: fix Next.js appdir resource name and new version issue (#​3648)
• core: Fix DBM service (#​3634)
• core: esbuild: ensure aws-sdk can be built (#​3591)

Improvements

• core: format peerServiceMapping of config object before emitting telemetry configuration payload (#​3566)
• core: Add _dd.base_service tag (#​3557)
• appsec: Update waf bindings 4.0.0 (libddwaf 1.14.0) & add the ASM_TRUSTED_IPS capability (#​3620)
• core: make Next.js Tracing More In-line with OTel Tracing (#​3632)
• core: fix: add openai to plugins type (#​3633)
• ci-visibility: Remove usage of application key for intelligent test runner (#​3660)

Features

• appsec: Add instrumentation for cookie-parser and send the cookies to the WAF to block potential attacks (#​3346)
• core: add support for graphql-yoga v3 executor (#​3610)

v4.15.0

Compare Source

Bug Fixes

• appsec: Fix LDAPi vulnerability location (#​3593)
• appsec: Fix location for SQLi when using mysql Pool (#​3495)
• core: Fix dogstatsd tag documentation (#​3611)
• core: Only call activeSpan.finish() if there's an activeSpan (#​3617)

Improvements

• appsec: Report appsec metrics via telemetry (#​3519)

Features

• appsec: Graphql threat monitoring (#​3470)

v4.14.0

Compare Source

Bug Fixes

• ci-visibility: Do not modify mocha config if CI visibility fails to init (#​3586)
• ci-visibility: Fix cypress if ci vis init fails (#​3587)
• core: ensure custom/runtime metrics configured similarly (#​3590)

Improvements

• asm-iast: Modify vulnerability location using js file sourcemap (#​3304)
• appsec: Update AppSec rules to 1.7.2 (#​3592)

Features

• profiling: Report occurrence of v8 bug through telemetry (#​3579)

v4.13.1

Compare Source

Bug Fixes

• core: fix esm tracing for kafkajs and add esm integration test (#​3571)
• core: mongodb-core: fix serialization of BigInt values in query (#​3575)
• appsec: Fix evidence redaction with empty sensitive ranges (#​3520)
• appsec: Add vulnerabilities loaded before starting recollect (#​3531)
• core: Send instrumentation telemetry app-heartbeat events in uniform intervals (#​3553)

Improvements

• core: enable lib injection images on v3 release line (#​3573)

v4.13.0

Compare Source

Bug Fixes

• core: add webpack5 for nextjs v9.5 (#​3572)
• core: fix google-cloud-pubsub and startup test (#​3561)
• core: add logging to esm integration tests (#​3559)
• esbuild: early bailout when loading app local modules (#​3551)
• core: fix socketPath for Named Pipe UDS cases (#​3501)
• core: limiting library range (#​3552)
• core: remove wrapObjectProperty wrapper for Next.js (#​3558)

Improvements

• profiling: update pprof version (#​3560)

Features

• core: adding support for Next.js >=13.4.13 (#​3538)
• core: drop v2.x support (#​3544)

v4.12.0

Compare Source

Bug Fixes

• core: fix grpc tests (#​3522)
• esbuild: honor the .external build setting (#​3492)
• iast: fix vulnerability location with pg.Pool (#​3308)
• core: fix duplicate next spans and incorrect req/res in hooks (#​3494)
• core: fix Resource Name Not Bubbling to Web Span in Next.js (#​3537)
• ci-visibility: fix jest parameters being modified (#​3526)
• iast: fix taint object method (#​3505)

Improvements

• iast: enable iast telemetry metrics if iast is enabled (#​3482)
• core: add esm integration test for hapi (#​3509)
• core: esm now should be supported for node 20, so no need for esmTestSkipper (#​3506)
• core: remove hardcoded string literals for tags, use predefined constants instead (#​3503)
• ci-visibility: send suites and tests skipped by ITR (#​3497)
• core: add esm integration tests for many plugins (#​3436)
• core: add Testing To Ensure Support for Next.js Standalone (#​3493)

Features

• core: add custom metrics support (#​3518)
• iast: length based evidence redaction (#​3423)

v4.11.1

Compare Source

Bug Fixes

• update import-in-the-middle to 1.4.2 (#​3511)

v4.11.0

Compare Source

Bug Fixes

• core: fix flush interval in serverless environments other than aws lambda (#​3462)
• http2: fix error in http2 plugin when instrumented mid-request (#​3488), fixes #​3451

Improvements

• pg: add option to truncate query (#​3487)

Features

• core: add support for configuring tracing client using remote configuration (#​3395)

v4.10.0

Compare Source

Features

• Use naming schema for http, http2, next, fetch, couchbase

v4.9.0: 4.9.0

Compare Source

Bug Fixes

• appsec: fix blank usr.id field being reported (#​3442)
• appsec: fix DD_TRACE_CLIENT_IP_ENABLED option having no effect (#​3442)
• core: fix broken distributed tracing when uninstrumented services use w3c propagation (#​3463)
• esbuild: fix instrumentation of internal modules in supported packages (#​3448)
• fetch: fix disable option not having any effect (#​3460)
• fetch: fix distributed tracing when existing headers are set (#​3449), fixes #​3443
• jest: fix broken shard option when skipping tests (#​3452)
• mongodb: fix support for queries containing objects that can be stringified (#​3417), thanks @​ghost91-!

Improvements

• iast: add exclusions for weak hash vulnerabilities (#​3424)
• serverless: add support for azure environments using the consumption plan (#​3200)

v4.8.1

Compare Source

Features

None, this is a patch release

Enhancements

None, this is a patch release

Bug fixes

• serverless: feat: add the lib/core file which each client lib imports directly, s… (#​3434)
• apm: fix fetch integration leaking its async context (#​3438)
• ci-visibility: Fix cache issues with jest and CI Visibility (#​3445)
• tracing: fix incorrect value for fetch method tag (#​3447)

v4.8.0

Compare Source

Features

• profiling: Associate tracing span IDs with samples in the wall profiler (#​3371)
• iast: Taint request URI (#​3302)
• iast: Detect missing header vulnerabilities (#​3269)
• graphql: implement naming schema for graphql plugin (#​3279)

Enhancements

• openai: be defensive about response object shape (#​3408)
• tracing: Ensure OTel span name is copied to resource.name (#​3412)
• config: Fix service representation config (#​3419)
• couchbase: Re-enable Couchbase testing (#​3265)
• ci: Add BITBUCKET_GIT_HTTP_ORIGIN env variable (#​3401)

Bug fixes

• serverless: Handle case where Lambda handler is using callbacks instead of promises (#​3404)
• ci-visibility: Do not modify how jest reports timeouts (#​3399)
• profiling: Allow https datadog agent url in continuous profiling (#​3190)
• tracing: Fix distributed tracing issue caused by single span ingestion changes (#​3413)
• tracing: Make datadog distributed tracing header take priority over tracecontext (#​3414)
• tracing: Exclude empty telemetry metrics (#​3421)
• openai: make services entirely optional when initializing (#​3420)

v4.7.0

Compare Source

Features

• profiling: Adapt to new pprof-nodejs API (#​3368)
• iast: Report IAST metrics via telemetry (#​2805)
• ci-visibility: Change test.type in browser tests (#​3358)

Bug Fixes

• ci-visibility: Intelligent test runner: only report skipped flag if tests were actually skipped (#​3369)
• tracer: add dc store binding polyfill and migrate http2 (#​3284)
• tracer: grpc: Convert grpc to use tracing channel (#​3366)
• ci-visibility: validate CI tags before sending them (#​3310)
• tracer: express: recognize regex with flags (#​3301)

v4.6.0

Compare Source

Improvements

• core/redis: peer service extract host and port (#​3345)
• core/kafka: extract bootstrap servers from producers and use for peer.service (#​3344)
• build: update CI parametric tests (#​3342)

Bug Fixes

• core/openai: do not crash when dogstatsd not configured (#​3361)
• build: increase log benchmark iterations 10x

v4.5.0

Compare Source

Features

• core/kafka: add support for data stream monitoring for kafkajs (#​3092)

Improvements

• build: update docker compose mssql (#​3324)
• core/mongodb: expose peer.service (#​3303)
• core/rdbms: add precursors and test for peer.service calculation (#​3299)
• core/grpc: add peer.service precursor for gprc client (#​3297)
• core/elasticsearch+opensearch: extract connection host for peer.service (#​3309)
• core/cassandra: extract contact points and use for peer.service (#​3326)
• core: use env var to provide consistent service names in naming schema v0 (#​3305)
• core: extract peer service from aws sdk (#​3338)
• core/grpc: service representation naming (#​3327)
• profiling: add support for standard profiling env variables (#​3291)
• ci-visibility: dogfood CI Visibility with integration tests (#​3321)
• ci-visibility: add validation for git metadata env vars (#​3325)
• ci-visibility: improve git unshallow process (#​3335)
• core: add distributions to instrumentation telemetry (#​3341)

Bug Fixes

• core: support latest aws-sdk (#​3336)
• core/openai: make request body parsing more defensive (#​3339)
• core/database: no longer use _tracerConfig (#​3340)

v4.4.0

Compare Source

Features

• core: add instrumentation for the openai package (#​3155)
• waf: automated user events (#​3205)
• ci-visibility: support CI Visibility's manual API (#​3202)
• core: telemetry metrics for OTel (#​3259)

Improvements

• core/service naming: peer service computation (#​3177)
• core/service naming: apply service naming workflow to databases (#​3256)
• core/service naming: make http server plugins ServerPlugins (#​3261)
• core/service naming: moleculer - service naming (#​3281)
• core/service naming: move next plugin to ServerPlugin (#​3287)
• iast: taint express route parameters (#​3187)
• profiling: enable by default export of a last heap profile when Node.js runs out of heap memory (#​3292)
• ci-visibility: more verbose logging for git upload (#​3251)

Bug Fixes

• pg: retain prototype when injecting DBM comment (#​3307)
• build: fix s3 package upload (#​3218)
• pg: update error string comparison in test (#​3295)

v4.3.0

Compare Source

Features

• iast: Unvalidated redirect analyzer (#​3204)
• tracer: Tedious - service naming (#​3061)
• tracer: MySQL databases - service naming (#​3057)
• iast: Taint cookies and headers (#​3232)
• iast: No HttpOnly vulnerability detection (#​3228)
• iast: No SameSite cookie vulnerability detection (#​3246)
• tracer: add external log writer (#​3201)
• tracer: Auto-instrument @​opentelemetry/sdk-trace-node (#​3248)
• tracer: add support for global fetch (#​3258)

Improvements

• tracer: make tracer config available to plugins (#​3235)
• iast: Add _dd.iast.enabled=1 metric out of request vulnerabilities tags (#​3231)
• ci-visibility: Better git commands (#​3236)
• tracer: Add test in shimmer wrap to preserve function name (#​3237)
• tracer: add environment variable to disable instrumentations completely (#​3234)
• profiling: Add debug log listing found source maps (#​3242)

Bug Fixes

• ci-visibility: Fix agentless exporter test (#​3241)
• ci-visibility: Fix windows tracing test (#​3243)
• tracer: fix grpc custom errors not being reported (#​3230)
• tracer: Disable metrics.spec.js tests for windows (#​3250)
• ci-visibility: Use correct repository URL for git metadata upload (#​3253)
• ci-visibility: Fix random cypress integration tests timeouts (#​3255)
• iast: Check store has value before use it (#​3257)
• tracer: Fix setup in integration tests (#​3254)

v4.2.0

Compare Source

Features

• tracer: OTel SDK (#​2498) (#​3233)
• iast: Add exclusions for weak hash vulnerabilities (#​3223)

Fixes

• ci-visibility: [ci-visibility] Fix after and afterEach hooks in Cypress (#​3214)

v4.1.1

Compare Source

Bug Fixes

• pg: do not throw when query contains getter (#​3212)
• esbuild: graceful continue when bundling dead code (#​3215)

Improvemen

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.