The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
| package | version | tier | decision | date | deciders | adr | filter-results | verification-commands | accepted-cves |
|---|---|---|---|---|---|---|---|---|---|
| @opentelemetry/instrumentation-undici | ^0.10.0 | core | approved | 2026-05-14 | | adr-017 | | | |
Filter: license
`npm view @opentelemetry/instrumentation-undici license` returns Apache-2.0. Apache-2.0 is on the allowlist.
Filter: types
@opentelemetry/instrumentation-undici is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.
Filter: maintenance
Actively maintained by the OpenTelemetry community. The 0.10.x line is current and tracks the OTel SDK release cycle. Undici is the HTTP client used by Node.js fetch and Next.js server-side requests.
Filter: boundary-fit
ADR-017 §11 explicitly enables undici auto-instrumentation in initOtelServerNode. Undici is the underlying client for Node.js fetch() calls including Next.js server components and API route fetch calls. Restricted to core-shared/instrumentation/otel/ init paths.
Filter: shadow-check
@opentelemetry/instrumentation-undici is the standard OTel undici auto-instrumentation. No competing undici span emitter is present in the workspace. It complements instrumentation-http (Node.js http module) for full outbound request coverage.
Filter: eu-residency
@opentelemetry/instrumentation-undici is a pure instrumentation plugin with no independent data transmission. Spans are routed through the configured OTel exporter. EU residency is governed by the exporter configuration.
Filter: cve-scan
`pnpm audit --audit-level=moderate` reports no advisories against @opentelemetry/instrumentation-undici at the time of this trace.
Filter: named-consumer
packages/core-shared/src/instrumentation/otel/init-otel-server-node.ts registers UndiciInstrumentation (ADR-017 §11). This captures outbound fetch calls from Next.js server components and API routes without manual span wrapping.
Prompt: replaces
Manual span wrapping around fetch() and undici request() calls. In Node.js 18+, fetch is built on undici, so instrumentation-http alone would miss fetch-based outbound calls. This plugin fills the gap.
Prompt: migration-cost-out
Low. UndiciInstrumentation is registered in one init file. Removing it means disabling the plugin; outbound fetch calls would lose automatic spans but no code outside the init file would change.
Prompt: alternatives-considered
- `instrumentation-http` alone — Sufficient for direct `http.request()` calls but misses `fetch()`/undici calls in Next.js server components. Rejected as incomplete coverage.
- Manual fetch wrapper — Wrapping every `fetch` call with span creation. Rejected: Next.js makes fetch calls internally (e.g., during RSC rendering), making exhaustive wrapping impractical.
See ADR-017 for the full decision rationale.