fraqtal/agentic-dev
Template
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
main
agentic-dev/docs/library-decisions/2026-05-14-@opentelemetry/sdk-trace-base.md
Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces 
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00

3.4 KiB
Raw Permalink Blame History

package, version, tier, decision, date, deciders, adr, filter-results, verification-commands, accepted-cves
package version tier decision date deciders adr filter-results verification-commands accepted-cves
@opentelemetry/sdk-trace-base ^1.27.0 core approved 2026-05-14
Danijel Martinek
adr-017
license types maintenance boundary-fit shadow-check eu-residency cve-scan named-consumer socketRisk
Apache-2.0 native active pass pass n/a clean pass clean
npm view @opentelemetry/sdk-trace-base license
npm view @opentelemetry/sdk-trace-base version
pnpm audit --audit-level=moderate

Filter: license

npm view @opentelemetry/sdk-trace-base license returns Apache-2.0. Apache-2.0 is on the allowlist.

Filter: types

@opentelemetry/sdk-trace-base is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.

Filter: maintenance

Actively maintained by the OpenTelemetry community on the stable 1.x track. The 1.27.x line is current; the tracing specification is stable within CNCF.

Filter: boundary-fit

ADR-017 §8 restricts @opentelemetry/sdk-trace-base to **/instrumentation/otel/** and app init paths. SpanProcessor and ReadableSpan types from this package are used to implement PiiScrubSpanProcessor in core-shared. packages/core-audit also uses ReadableSpan for span context in audit records.

Filter: shadow-check

@opentelemetry/sdk-trace-base is the OTel trace SDK foundation. No competing trace SDK is present in the workspace.

Filter: eu-residency

@opentelemetry/sdk-trace-base is the tracing SDK infrastructure with no independent data transmission. Spans are forwarded through configured processors and exporters. EU residency is governed by the exporter DSN configuration.

Filter: cve-scan

pnpm audit --audit-level=moderate reports no advisories against @opentelemetry/sdk-trace-base at the time of this trace.

Filter: named-consumer

packages/core-shared/src/instrumentation/otel/pii-scrub-span-processor.ts implements SpanProcessor from @opentelemetry/sdk-trace-base to scrub PII attributes before spans reach the Sentry exporter (ADR-017 §7). packages/core-audit uses ReadableSpan for audit record correlation.

Prompt: replaces

The former SentryTracer which called Sentry SDK span methods directly. @opentelemetry/sdk-trace-base provides the SpanProcessor extension point that enables the PiiScrubSpanProcessor — a vendor-neutral, pre-export PII scrubbing layer.

Prompt: migration-cost-out

Hard. @opentelemetry/sdk-trace-base types (SpanProcessor, ReadableSpan) are used in both core-shared PII scrub implementation and core-audit. Replacing it means adopting a different span processing abstraction and rewriting both the processor and audit span-context integration.

Prompt: alternatives-considered

  1. Sentry beforeSendTransaction hook — Sentry-native PII scrubbing hook. Rejected in ADR-017 §7: runs inside Sentry after OTel conversion; the OTel processor layer runs earlier and is vendor-agnostic, so any future exporter also sees clean data.
  2. No span processor, rely on Sentry scrubbing rules — Rejected: Sentry-specific configuration; future exporter additions would need their own scrubbing configured separately.

See ADR-017 for the full decision rationale.