fix(build): use local deps from workspace during build

[galkleinman]

Important

Switches several package dependencies to use local workspace references for development consistency.

• Dependencies:
  • Change @traceloop/ai-semantic-conventions to workspace:* in instrumentation-anthropic/package.json, instrumentation-bedrock/package.json, and instrumentation-chromadb/package.json.
  • Change @traceloop/node-server-sdk to workspace:* in sample-app/package.json.
  • Change all @traceloop/instrumentation-* packages to workspace:* in traceloop-sdk/package.json.

^{This description was created by for 1af5b44. You can customize this summary. It will automatically update as commits are pushed.}

Summary by CodeRabbit

• Chores
  • Updated dependency resolution for several packages to use local workspace references instead of fixed or wildcard versions. This change ensures that the latest local versions are used during development. No user-facing features or functionality are affected.

[coderabbitai]

Walkthrough

The version specifications for several internal @traceloop package dependencies were updated from fixed or wildcard versions to the workspace protocol "workspace:*" in multiple package.json files. This change ensures that these dependencies are resolved from the local workspace rather than from external registries.

Changes

Cohort / File(s)	Change Summary
Instrumentation Packages: ai-semantic-conventions dependency packages/instrumentation-anthropic/package.json, packages/instrumentation-bedrock/package.json, packages/instrumentation-chromadb/package.json, packages/instrumentation-cohere/package.json, packages/instrumentation-langchain/package.json, packages/instrumentation-llamaindex/package.json, packages/instrumentation-openai/package.json, packages/instrumentation-pinecone/package.json, packages/instrumentation-qdrant/package.json, packages/instrumentation-together/package.json, packages/instrumentation-vertexai/package.json	Changed @traceloop/ai-semantic-conventions dependency version from "^0.14.0" to "workspace:*".
Sample App: node-server-sdk dependency packages/sample-app/package.json	Changed @traceloop/node-server-sdk dependency version from "*" to "workspace:*".
traceloop-sdk: all internal dependencies packages/traceloop-sdk/package.json	Updated all @traceloop/* dependencies from fixed versions to "workspace:*".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• doronkopit5

Poem

🐇
In the warren of workspaces, we hop with delight,
Linking our packages, keeping versions tight.
No more wildcards or numbers to chase—
Just "workspace:*" in every place!
A hop, a skip, dependencies align,
The code is more local, and that suits us fine.
—Rabbit 🥕

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch gk/fix-local-deps

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 1af5b44 in 1 minute and 7 seconds. Click for details.

• Reviewed 191 lines of code in 13 files
• Skipped 1 files when reviewing.
• Skipped posting 3 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. packages/instrumentation-anthropic/package.json:45

• Draft comment:
  Good change – using 'workspace:*' ensures the local version of @traceloop/ai-semantic-conventions is used. Make sure your workspace tooling (e.g. Yarn or pnpm) supports this syntax.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

2. packages/sample-app/package.json:55

• Draft comment:
  Updated @traceloop/node-server-sdk to use 'workspace:*', ensuring the sample app builds against the local SDK. Confirm that build pipelines support workspace dependency resolution.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

3. packages/traceloop-sdk/package.json:47

• Draft comment:
  Internal dependencies now reference local workspaces (using 'workspace:*') consistently. This improves dev workflow in the monorepo – just ensure your package manager is configured for workspaces.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_PhaSMYyL3MwXq1mF

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (8)

packages/instrumentation-qdrant/package.json (1)

43-45: Same publish-time concern as noted for instrumentation-llamaindex

Make sure workspace:* is converted to a concrete version during the release process, otherwise publishing this package will fail.

packages/instrumentation-openai/package.json (1)

43-45: Same publish-time concern as previously mentioned

Ensure that workspace:* is replaced by the real version of @traceloop/ai-semantic-conventions when the package is packed/published.

packages/instrumentation-vertexai/package.json (1)

43-45: Same publish-time concern as previously mentioned

npm publish will reject workspace:*; confirm that your release workflow rewrites this entry before publishing.

packages/instrumentation-chromadb/package.json (1)

43-45: Same publish-time concern as previously mentioned

Verify that the build/release pipeline swaps out workspace:* for the actual semver to avoid publish failures.

packages/instrumentation-pinecone/package.json (1)

45-46: Same workspace:* publish-time caveat applies – see earlier comment for @traceloop/instrumentation-cohere.

packages/instrumentation-together/package.json (1)

44-46: Duplicate of the workspace:* publish caution raised for the Cohere package.

packages/instrumentation-anthropic/package.json (1)

45-46: Duplicate of the workspace:* publish caution raised for the Cohere package.

packages/instrumentation-bedrock/package.json (1)

45-46: Duplicate of the workspace:* publish caution raised for the Cohere package.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e12228 and 1af5b44.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (13)

• packages/instrumentation-anthropic/package.json (1 hunks)
• packages/instrumentation-bedrock/package.json (1 hunks)
• packages/instrumentation-chromadb/package.json (1 hunks)
• packages/instrumentation-cohere/package.json (1 hunks)
• packages/instrumentation-langchain/package.json (1 hunks)
• packages/instrumentation-llamaindex/package.json (1 hunks)
• packages/instrumentation-openai/package.json (1 hunks)
• packages/instrumentation-pinecone/package.json (1 hunks)
• packages/instrumentation-qdrant/package.json (1 hunks)
• packages/instrumentation-together/package.json (1 hunks)
• packages/instrumentation-vertexai/package.json (1 hunks)
• packages/sample-app/package.json (1 hunks)
• packages/traceloop-sdk/package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and test

🔇 Additional comments (4)

packages/instrumentation-cohere/package.json (1)

45-46: Ensure your publish pipeline understands the workspace:* protocol

npm publish executed with plain npm ≤9 will error on unknown protocols, while Yarn Berry/Lerna will rewrite the range to the real version.
Please double-check the CI/publish job uses a toolchain that auto-resolves workspace:* before packing, otherwise consumers will receive an invalid package.json.

No change required here, just a sanity check.

packages/sample-app/package.json (1)

55-55: Switching to workspace:* for the SDK makes sense here.

sample-app is marked "private": true, so resolving the internal SDK from the local workspace is the right approach and avoids pulling a published tarball during CI builds. No concerns on this change.

packages/instrumentation-langchain/package.json (1)

46-46: Confirm publish pipeline rewrites workspace:* to a real semver.

@traceloop/instrumentation-langchain is a public package. When publishing with pnpm (pnpm publish) or Yarn Berry (yarn npm publish), the workspace protocol is automatically replaced with the current version of @traceloop/ai-semantic-conventions.
If your release process ever falls back to plain npm publish, this substitution will not happen and the publish will fail. Double-check the CI release step to be safe.

packages/traceloop-sdk/package.json (1)

47-58: Large-scale swap to workspace:* – verify release tooling.

All internal instrumentation packages are now referenced via the workspace protocol. This is great for local builds but requires that the publish step for @traceloop/node-server-sdk continues to use a toolchain (pnpm / Yarn Berry) that converts workspace:* to the concrete versions at packing time.

Failure to do so will either (a) publish an invalid manifest or (b) abort the publish entirely. Please confirm that the release workflow invokes pnpm publish (or equivalent) rather than plain npm publish.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Publishing will fail unless workspace:* is stripped out first

npm publish (and pnpm publish) reject manifests that still contain the workspace:* protocol.
Double-check that the release pipeline (e.g. a Changesets bump, or a pre-pack script) rewrites this placeholder to the real semver of @traceloop/ai-semantic-conventions before packing the tarball; otherwise the publish step will error out.

---

🏁 Script executed:

#!/bin/bash
# Search the repo for a script/hook that rewrites workspace versions before publish
rg --line-number --context 2 -e 'workspace:\s*\*' package.json
rg --line-number --context 2 -e 'prepack|prepare|changeset' -tjson

Length of output: 133

---

🏁 Script executed:

#!/bin/bash
# Search all package.json files for workspace:* dependencies
fd --type f --name package.json --exec rg -n "workspace:\*" {} +

# Search all package.json files for publish-related lifecycle scripts
fd --type f --name package.json --exec rg -n '"prepack"' {} +
fd --type f --name package.json --exec rg -n '"prepare"' {} +
fd --type f --name package.json --exec rg -n '"prepublishOnly"' {} +

# Look for any Changesets configuration or hooks across the repo
rg --line-number --context 2 -e 'changeset' 

Length of output: 1321

---

🏁 Script executed:

#!/bin/bash
# Find any workspace:* usage in all package.json files
find . -type f -name "package.json" -exec grep -Hn 'workspace:\*' {} +

# Find publish-related lifecycle scripts in package.json files
find . -type f -name "package.json" -exec grep -Hn '"prepack"' {} +
find . -type f -name "package.json" -exec grep -Hn '"prepare"' {} +
find . -type f -name "package.json" -exec grep -Hn '"prepublishOnly"' {} +

# Search for any Changesets configuration or hooks
grep -R --exclude-dir=node_modules -n 'changeset' .

Length of output: 2808

---

Ensure workspace:* Dependencies Are Stripped Before Publish

Publishing will fail if any package.json still contains workspace:*. We didn’t find any prepack/prepare/prepublishOnly hooks or Changesets-based versioning scripts that rewrite these placeholders. Please add or verify a release step that replaces all workspace:* entries with the actual semver before packing the tarball.

Affected files (examples – repeat for each instrumentation package):

• packages/instrumentation-llamaindex/package.json (line 44)
• packages/traceloop-sdk/package.json (lines 47–58)

Suggested fixes:

• Add a prepack (or prepublishOnly) script in your root or each package:

  "scripts": {
    "prepack": "changeset version && npm install"
  }

• Or integrate a Changesets GitHub Action in CI to bump versions and replace workspace:*.
• Verify your release pipeline actually runs this step before npm publish.

🤖 Prompt for AI Agents

In packages/instrumentation-llamaindex/package.json around lines 43 to 45, the
dependency "@traceloop/ai-semantic-conventions" uses the "workspace:*" version
specifier, which must be replaced with an actual semver before publishing to
avoid failure. To fix this, add a "prepack" or "prepublishOnly" script in the
package.json or root package.json that runs "changeset version && npm install"
to replace all "workspace:*" entries with proper versions before packing. Also,
ensure your release pipeline executes this step before running "npm publish" to
prevent publishing errors.

[galkleinman]

You're wrong. Lerna should replace it on publish command.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if Lerna is configured in this repository
find . -name "lerna.json" -o -name ".lernarc" -o -name ".lernarc.json" | head -5

# Check for Lerna in package.json dependencies or scripts
fd --type f --name package.json --exec grep -Hn "lerna" {} +

# Look for pnpm workspace configuration
find . -name "pnpm-workspace.yaml" -o -name "pnpm-lock.yaml" | head -5

# Check root package.json for workspace configuration
cat package.json 2>/dev/null | jq '.workspaces // empty'

# Look for any publish-related scripts that might use Lerna
fd --type f --name package.json --exec grep -A2 -B2 '"publish"' {} +

Length of output: 882

---

🏁 Script executed:

#!/bin/bash
# Check Lerna configuration
cat lerna.json

# Check for Lerna in package.json files using correct fd syntax
fd package.json --exec grep -Hn "lerna" {} +

# Check pnpm workspace configuration
cat pnpm-workspace.yaml

# Check root package.json for workspace and publish configurations
cat package.json | jq '.scripts // {}'

# Look for publish-related scripts using correct fd syntax
fd package.json --exec grep -A2 -B2 '"publish"' {} +

Length of output: 1582

---

🏁 Script executed:

#!/bin/bash
# Fix the fd command syntax issue - use proper format
find . -name package.json -exec grep -Hn "lerna" {} \;

# Look for publish-related scripts in all package.json files
find . -name package.json -exec grep -A2 -B2 '"publish"' {} \;

# Check if there are any GitHub Actions or CI scripts that handle publishing
find . -name "*.yml" -o -name "*.yaml" | grep -E "(workflow|action|ci)" | head -5

# Look for any release or publish related scripts
rg -n "lerna publish|lerna version" --type yaml --type json --type js --type ts

Length of output: 391

---

🏁 Script executed:

#!/bin/bash
# Check the GitHub release workflow to understand the publishing process
cat .github/workflows/release.yml

# Look for any documentation about workspace:* handling in Lerna
rg -A3 -B3 "workspace" .github/workflows/release.yml

# Check if there are any references to workspace protocol handling
rg -n "workspace:\*" --type yaml --type json

Length of output: 5628

---

@galkleinman You're absolutely right, and I apologize for the incorrect analysis.

Looking at the repository structure, I can see that:

1. This project uses Lerna v8.2.3 (from root package.json)
2. The release workflow shows pnpm lerna publish --no-private from-git --yes
3. Lerna automatically handles converting workspace:* dependencies to actual published versions during the publish process

Lerna's publish command indeed replaces workspace:* with the appropriate semantic versions before creating the npm packages, so there's no issue with the current setup. Thank you for the correction!

---

✏️ Learnings added

Learnt from: galkleinman
PR: traceloop/openllmetry-js#620
File: packages/instrumentation-llamaindex/package.json:43-45
Timestamp: 2025-07-28T14:30:21.983Z
Learning: Lerna automatically converts `workspace:*` dependencies to actual published versions during the `lerna publish` command, so `workspace:*` in package.json files is safe and expected in Lerna-managed monorepos.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.