Danijel Martinek
14762d4ba0
The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
3.5 KiB
package, version, tier, decision, date, deciders, adr, filter-results, verification-commands, accepted-cves
| package | version | tier | decision | date | deciders | adr | filter-results | verification-commands | accepted-cves | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @opentelemetry/sdk-logs | ^0.55.0 | core | approved | 2026-05-14 |
|
adr-017 |
|
|
Filter: license
npm view @opentelemetry/sdk-logs license returns Apache-2.0. Apache-2.0 is on the allowlist.
Filter: types
@opentelemetry/sdk-logs is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.
Filter: maintenance
Actively maintained by the OpenTelemetry community. The 0.55.x line is current and tracks the OTel JS SDK release cycle. The Logs signal is in active specification development within CNCF.
Filter: boundary-fit
ADR-017 §8 restricts @opentelemetry/sdk-logs to **/instrumentation/otel/** and app init paths. LoggerProvider and SimpleLogRecordProcessor / BatchLogRecordProcessor are configured exclusively in core-shared/instrumentation/otel/init-otel-server-node.ts. Feature packages use only @opentelemetry/api-logs (the stable API), never the SDK directly.
Filter: shadow-check
@opentelemetry/sdk-logs is the OTel Logs SDK implementation. No competing log pipeline SDK is present in the workspace.
Filter: eu-residency
@opentelemetry/sdk-logs is the log pipeline infrastructure with no independent data transmission. All log records it processes are forwarded through the configured exporter (Sentry via @sentry/opentelemetry). EU residency is governed by the exporter's DSN configuration.
Filter: cve-scan
pnpm audit --audit-level=moderate reports no advisories against @opentelemetry/sdk-logs at the time of this trace.
Filter: named-consumer
packages/core-shared/src/instrumentation/otel/init-otel-server-node.ts instantiates LoggerProvider and registers PiiScrubLogRecordProcessor followed by SentryLogRecordProcessor from @sentry/opentelemetry. The PII scrub processor runs before the Sentry exporter (ADR-017 §7).
Prompt: replaces
The former SentryLogger which called Sentry SDK's captureException and breadcrumb APIs directly. @opentelemetry/sdk-logs provides the pipeline infrastructure that decouples log emission from the backend exporter.
Prompt: migration-cost-out
Hard. @opentelemetry/sdk-logs is the log pipeline backbone. Removing it requires replacing the entire log processing chain — provider, processors, and exporter wiring — in core-shared. The ILogger boundary (ADR-014) isolates feature packages, but the core log pipeline is non-trivially coupled to the OTel SDK.
Prompt: alternatives-considered
- Winston + transport — A well-established Node.js logger with pluggable transports. Rejected in ADR-017: separate pipeline from traces means no automatic span-log correlation; correlation requires manual trace ID injection into every log message.
- Pino — High-performance JSON logger. Same rejection reason as Winston: separate pipeline, no automatic context propagation from OTel spans.
See ADR-017 for the full decision rationale.