chore(deps): remediate various cves (#863)

Author: galkleinman

package.json

@@ -32,7 +32,8 @@
     "eslint-plugin-prettier": "^5.5.3",
     "globals": "^16.3.0",
     "husky": "^9.1.7",
-    "lerna": "^8.2.3",
+    "js-yaml": "^4.1.1",
+    "lerna": "^9.0.3",
     "nx": "^21.3.0",
     "prettier": "^3.6.2",
     "rollup": "^4.45.1",
@@ -43,5 +44,21 @@
     "commitizen": {
       "path": "./node_modules/cz-conventional-changelog"
     }
+  },
+  "pnpm": {
+    "overrides": {
+      "zod": "^3.25.76",
+      "form-data": "^4.0.4",
+      "glob": "^10.5.0",
+      "jws": "^4.0.1",
+      "undici": "^7.18.2",
+      "diff": "^8.0.3",
+      "cookie": "^0.7.0",
+      "qs": "^6.14.1",
+      "body-parser": "^2.2.1",
+      "tmp": "^0.2.4",
+      "playwright": "^1.55.1",
+      "@smithy/config-resolver": "^4.4.0"
+    }
   }
 }

packages/instrumentation-anthropic/package.json

@@ -54,6 +54,7 @@
     "@pollyjs/core": "^6.0.6",
     "@pollyjs/persister-fs": "^6.0.6",
     "@types/mocha": "^10.0.10",
+    "qs": "^6.14.1",
     "ts-mocha": "^11.1.0"
   },
   "homepage": "https://github.com/traceloop/openllmetry-js/tree/main/packages/instrumentation-anthropic"

packages/instrumentation-bedrock/package.json

@@ -46,7 +46,7 @@
     "tslib": "^2.8.1"
   },
   "devDependencies": {
-    "@aws-sdk/client-bedrock-runtime": "^3.848.0",
+    "@aws-sdk/client-bedrock-runtime": "^3.969.0",
     "@opentelemetry/context-async-hooks": "^2.0.1",
     "@opentelemetry/sdk-trace-node": "^2.0.1",
     "@pollyjs/adapter-fetch": "^6.0.6",

packages/instrumentation-bedrock/tests/meta.test.ts

@@ -207,86 +207,70 @@ describe("Test Meta with AWS Bedrock Instrumentation", () => {
 
     const command = new bedrock.InvokeModelWithResponseStreamCommand(input);
     const response = await bedrockRuntimeClient.send(command);
+
+    // Collect all chunks and find the final one with metrics
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let finalParsedResponse: any = null;
     if (response.body) {
       for await (const value of response.body!) {
         const jsonString = new TextDecoder().decode(value.chunk?.bytes);
         const parsedResponse = JSON.parse(jsonString);
-
-        const spans = memoryExporter.getFinishedSpans();
-
-        const attributes = spans[0].attributes;
-
-        assert.strictEqual(attributes[ATTR_GEN_AI_SYSTEM], "AWS");
-        assert.strictEqual(
-          attributes[SpanAttributes.LLM_REQUEST_TYPE],
-          "completion",
-        );
-        assert.strictEqual(attributes[ATTR_GEN_AI_REQUEST_MODEL], model);
-        assert.strictEqual(attributes[ATTR_GEN_AI_REQUEST_TOP_P], params.top_p);
-        assert.strictEqual(
-          attributes[ATTR_GEN_AI_REQUEST_TEMPERATURE],
-          params.temperature,
-        );
-        assert.strictEqual(
-          attributes[ATTR_GEN_AI_REQUEST_MAX_TOKENS],
-          params.max_gen_len,
-        );
-        assert.strictEqual(attributes[`${ATTR_GEN_AI_PROMPT}.0.role`], "user");
-        assert.strictEqual(
-          attributes[`${ATTR_GEN_AI_PROMPT}.0.content`],
-          prompt,
-        );
-        assert.strictEqual(attributes[ATTR_GEN_AI_REQUEST_MODEL], model);
-        assert.strictEqual(
-          attributes[`${ATTR_GEN_AI_COMPLETION}.0.role`],
-          "assistant",
-        );
-        assert.strictEqual(
-          attributes[ATTR_GEN_AI_USAGE_PROMPT_TOKENS],
-          parsedResponse["prompt_token_count"],
-        );
-        assert.strictEqual(
-          attributes[ATTR_GEN_AI_USAGE_COMPLETION_TOKENS],
-          parsedResponse["generation_token_count"],
-        );
-        assert.strictEqual(
-          attributes[SpanAttributes.LLM_USAGE_TOTAL_TOKENS],
-          parsedResponse["prompt_token_count"] +
-            parsedResponse["generation_token_count"],
-        );
-        assert.strictEqual(
-          attributes[`${ATTR_GEN_AI_COMPLETION}.0.finish_reason`],
-          parsedResponse["stop_reason"],
-        );
-        assert.strictEqual(
-          attributes[`${ATTR_GEN_AI_COMPLETION}.0.content`],
-          parsedResponse["generation"],
-        );
-
+        // The final chunk contains amazon-bedrock-invocationMetrics
         if ("amazon-bedrock-invocationMetrics" in parsedResponse) {
-          assert.strictEqual(
-            attributes[ATTR_GEN_AI_USAGE_PROMPT_TOKENS],
-            parsedResponse["amazon-bedrock-invocationMetrics"][
-              "inputTokenCount"
-            ],
-          );
-          assert.strictEqual(
-            attributes[ATTR_GEN_AI_USAGE_COMPLETION_TOKENS],
-            parsedResponse["amazon-bedrock-invocationMetrics"][
-              "outputTokenCount"
-            ],
-          );
-          assert.strictEqual(
-            attributes[SpanAttributes.LLM_USAGE_TOTAL_TOKENS],
-            parsedResponse["amazon-bedrock-invocationMetrics"][
-              "inputTokenCount"
-            ] +
-              parsedResponse["amazon-bedrock-invocationMetrics"][
-                "outputTokenCount"
-              ],
-          );
+          finalParsedResponse = parsedResponse;
         }
       }
     }
+
+    // Run assertions only after all chunks have been processed
+    const spans = memoryExporter.getFinishedSpans();
+    const attributes = spans[0].attributes;
+
+    assert.strictEqual(attributes[ATTR_GEN_AI_SYSTEM], "AWS");
+    assert.strictEqual(
+      attributes[SpanAttributes.LLM_REQUEST_TYPE],
+      "completion",
+    );
+    assert.strictEqual(attributes[ATTR_GEN_AI_REQUEST_MODEL], model);
+    assert.strictEqual(attributes[ATTR_GEN_AI_REQUEST_TOP_P], params.top_p);
+    assert.strictEqual(
+      attributes[ATTR_GEN_AI_REQUEST_TEMPERATURE],
+      params.temperature,
+    );
+    assert.strictEqual(
+      attributes[ATTR_GEN_AI_REQUEST_MAX_TOKENS],
+      params.max_gen_len,
+    );
+    assert.strictEqual(attributes[`${ATTR_GEN_AI_PROMPT}.0.role`], "user");
+    assert.strictEqual(attributes[`${ATTR_GEN_AI_PROMPT}.0.content`], prompt);
+    assert.strictEqual(
+      attributes[`${ATTR_GEN_AI_COMPLETION}.0.role`],
+      "assistant",
+    );
+
+    // Token counts should match the final invocation metrics
+    if (finalParsedResponse) {
+      assert.strictEqual(
+        attributes[ATTR_GEN_AI_USAGE_PROMPT_TOKENS],
+        finalParsedResponse["amazon-bedrock-invocationMetrics"][
+          "inputTokenCount"
+        ],
+      );
+      assert.strictEqual(
+        attributes[ATTR_GEN_AI_USAGE_COMPLETION_TOKENS],
+        finalParsedResponse["amazon-bedrock-invocationMetrics"][
+          "outputTokenCount"
+        ],
+      );
+      assert.strictEqual(
+        attributes[SpanAttributes.LLM_USAGE_TOTAL_TOKENS],
+        finalParsedResponse["amazon-bedrock-invocationMetrics"][
+          "inputTokenCount"
+        ] +
+          finalParsedResponse["amazon-bedrock-invocationMetrics"][
+            "outputTokenCount"
+          ],
+      );
+    }
   });
 });

packages/instrumentation-cohere/package.json

@@ -51,8 +51,10 @@
     "@pollyjs/adapter-node-http": "^6.0.6",
     "@pollyjs/core": "^6.0.6",
     "@pollyjs/persister-fs": "^6.0.6",
+    "@smithy/config-resolver": "^4.4.0",
     "@types/mocha": "^10.0.10",
     "cohere-ai": "^7.17.1",
+    "qs": "^6.14.1",
     "ts-mocha": "^11.1.0"
   },
   "homepage": "https://github.com/traceloop/openllmetry-js/tree/main/packages/instrumentation-openai",

packages/instrumentation-langchain/package.json

@@ -38,7 +38,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@langchain/core": "^0.3.70",
+    "@langchain/core": "^0.3.80",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/core": "^2.0.1",
     "@opentelemetry/instrumentation": "^0.203.0",
@@ -47,7 +47,7 @@
     "tslib": "^2.8.1"
   },
   "devDependencies": {
-    "@langchain/community": "^0.3.50",
+    "@langchain/community": "^0.3.59",
     "@langchain/openai": "^0.6.2",
     "@opentelemetry/context-async-hooks": "^2.0.1",
     "@opentelemetry/sdk-trace-node": "^2.0.1",
@@ -58,7 +58,7 @@
     "@traceloop/instrumentation-bedrock": "workspace:*",
     "@types/mocha": "^10.0.10",
     "@types/node": "^24.0.15",
-    "langchain": "^0.3.30",
+    "langchain": "^0.3.37",
     "mocha": "^11.7.1",
     "ts-mocha": "^11.1.0"
   },

packages/instrumentation-llamaindex/package.json

@@ -54,7 +54,7 @@
     "@pollyjs/persister-fs": "^6.0.6",
     "@types/lodash": "^4.14.0",
     "@types/mocha": "^10.0.10",
-    "llamaindex": "^0.11.19",
+    "llamaindex": "^0.12.1",
     "ts-mocha": "^11.1.0"
   },
   "homepage": "https://github.com/traceloop/openllmetry-js/tree/main/packages/instrumentation-llamaindex",

packages/instrumentation-mcp/package.json

@@ -46,7 +46,7 @@
     "tslib": "^2.8.1"
   },
   "devDependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.4",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "@opentelemetry/context-async-hooks": "^2.0.1",
     "@opentelemetry/sdk-trace-node": "^2.0.1",
     "@pollyjs/adapter-fetch": "^6.0.7",

packages/instrumentation-qdrant/package.json

@@ -51,7 +51,7 @@
     "@pollyjs/adapter-node-http": "^6.0.6",
     "@pollyjs/core": "^6.0.6",
     "@pollyjs/persister-fs": "^6.0.6",
-    "@qdrant/js-client-rest": "^1.15.0",
+    "@qdrant/js-client-rest": "^1.16.2",
     "@types/mocha": "^10.0.10",
     "ts-mocha": "^11.1.0",
     "uuid": "^11.1.0"

packages/sample-app/package.json

@@ -55,34 +55,34 @@
     "node": ">=14"
   },
   "dependencies": {
-    "@ai-sdk/openai": "^1.3.23",
+    "@ai-sdk/openai": "^2.0.19",
     "@anthropic-ai/sdk": "^0.56.0",
-    "@aws-sdk/client-bedrock-runtime": "^3.848.0",
+    "@aws-sdk/client-bedrock-runtime": "^3.969.0",
     "@azure/identity": "^4.4.1",
     "@google-cloud/aiplatform": "^4.4.0",
     "@google-cloud/vertexai": "^1.10.0",
     "@langchain/aws": "^0.1.13",
-    "@langchain/community": "^0.3.50",
-    "@langchain/core": "^0.3.70",
+    "@langchain/community": "^0.3.59",
+    "@langchain/core": "^0.3.80",
     "@langchain/openai": "^0.6.2",
     "@llamaindex/openai": "^0.4.10",
-    "@modelcontextprotocol/sdk": "^1.22.0",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-node": "^0.203.0",
     "@opentelemetry/sdk-trace-base": "^2.0.1",
     "@pinecone-database/pinecone": "^6.1.1",
     "@traceloop/node-server-sdk": "workspace:*",
     "@traceloop/instrumentation-langchain": "workspace:*",
     "@types/jimp": "^0.2.28",
-    "ai": "^4.3.19",
-    "cheerio": "^1.1.0",
+    "ai": "^5.0.52",
+    "cheerio": "^1.1.2",
     "chromadb": "^3.0.9",
     "cohere-ai": "^7.17.1",
     "dotenv": "^17.2.1",
     "hnswlib-node": "^3.0.0",
     "jimp": "^1.6.0",
-    "langchain": "^0.3.30",
-    "llamaindex": "^0.11.19",
+    "langchain": "^0.3.37",
+    "llamaindex": "^0.12.1",
     "openai": "^5.12.2",
     "eventsource": "^3.0.2",
     "zod": "^3.25.76"