feat(opentelemetry) add @temporalio/interceptors-opentelemetry-v2

[chris-olszewski]

What was changed

Add a package to provide interceptors that support OpenTelemetry v2.

First commit is a straight copy of the v1 with package bumps and the necessary changes the came along with those bumps.

Note: Histories created with the @temporalio/interceptors-opentelemetry will not be compatible with @temporalio/interceptors-opentelemetry and vice-versa. The crux of the issue is that OpenTelemetry changed their usage of Math.random(). The random number generator was shared by OpenTelemetry for generating span ids as well as the uuid function which is used for generating child workflow ids. This can cause NDE. To prevent future breakages from changes to Math.random usage, we now provide an IdGenerator to OpenTelemetry that uses its own random number generator. This doesn't offer a huge amount of value as we are still vulnerable to changes to the amount of calls to Math.random outside of id creation, but it does offer protection if the number of ids created changes.

Due to histories already being incompatible, I removed the yield point injections from the interceptors to have a cleaner starting point.

Why?

This was done in a separate package to allow us to support both v1 and v2 without forcing users to upgrade.

Checklist

1. Closes [Feature Request] Add support for opentelemetry v2 #1658

2. How was this tested:
   Copied over relevant tests and added an additional test to verify that replaying workflow history that has uuid call doesn't trigger NDE in the future.

3. Any docs updates needed?

[grant0417]

Since you are making a breaking v2 version, could you also align the spanProcessor with how it works in the @opentelemetry/sdk-node package.

The spanProcessor arg is deprecated in favor of spanProcessors which is an array of processors. This would allow using the same arg to both the temporal OpenTelemetryPlugin and NodeSDK.

Example:

const resource = resourceFromAttributes({ [ATTR_SERVICE_NAME]: "temporal-worker" });
const spanProcessors = [new SpanProcessor1(), new SpanProcessor2()];

// exact same args
const sdk = new NodeSDK({ resource, spanProcessors });
const plugin = OpenTelemetryPlugin({ resource, spanProcessors });

[mjameswh]

We need to add nexus interceptors

[mjameswh]

You can get rid of that legacy thing.

[mjameswh]

Are we not injecting bundler options?

Btw, we now have a preloadedModules bundler option, which may help reduce the overhead associated with per-workflow loading of the OpenTelemetry library.

[mjameswh]

Use the new random streams api once it has landed.

[mjameswh]

Use the new Random Streams API, once it has landed.

[semgrep-managed-scans]

High severity vulnerability may affect your project—review required:
Line 637 lists a dependency (@opentelemetry/sdk-node) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-prometheus, and @opentelemetry/sdk-node are vulnerable to Improper Handling of Exceptional Conditions. An attacker on any network that can reach the OpenTelemetry Prometheus exporter metrics port (default 0.0.0.0:9464) can crash the Node.js process by sending a single malformed HTTP request: the exporter's request handler calls new URL(request.url, baseUrl) without a try/catch, so an "Invalid URL" TypeError propagates out of the request callback and terminates the process — an unauthenticated remote denial of service. The vulnerable HTTP server starts either when the application directly constructs PrometheusExporter from @opentelemetry/exporter-prometheus, or when it runs @opentelemetry/sdk-node / @opentelemetry/auto-instrumentations-node/register with the OTEL_METRICS_EXPORTER environment variable set to include prometheus, in which case the SDK instantiates PrometheusExporter internally on the user's behalf.

References: GHSA

To resolve this comment:
Check if you set the OTEL_METRICS_EXPORTER environment variable to include prometheus when relying on auto-configuration via @opentelemetry/sdk-node or @opentelemetry/auto-instrumentations-node/register.

• If you're affected, upgrade this dependency to at least version 0.217.0 at pnpm-lock.yaml.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-managed-scans]

High severity vulnerability may affect your project—review required:
Line 289 lists a dependency (@opentelemetry/sdk-node) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-prometheus, and @opentelemetry/sdk-node are vulnerable to Improper Handling of Exceptional Conditions. An attacker on any network that can reach the OpenTelemetry Prometheus exporter metrics port (default 0.0.0.0:9464) can crash the Node.js process by sending a single malformed HTTP request: the exporter's request handler calls new URL(request.url, baseUrl) without a try/catch, so an "Invalid URL" TypeError propagates out of the request callback and terminates the process — an unauthenticated remote denial of service. The vulnerable HTTP server starts either when the application directly constructs PrometheusExporter from @opentelemetry/exporter-prometheus, or when it runs @opentelemetry/sdk-node / @opentelemetry/auto-instrumentations-node/register with the OTEL_METRICS_EXPORTER environment variable set to include prometheus, in which case the SDK instantiates PrometheusExporter internally on the user's behalf.

References: GHSA

To resolve this comment:
Check if you set the OTEL_METRICS_EXPORTER environment variable to include prometheus when relying on auto-configuration via @opentelemetry/sdk-node or @opentelemetry/auto-instrumentations-node/register.

• If you're affected, upgrade this dependency to at least version 0.217.0 at pnpm-lock.yaml.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-managed-scans]

High severity vulnerability may affect your project—review required:
Line 135 lists a dependency (@opentelemetry/sdk-node) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-prometheus, and @opentelemetry/sdk-node are vulnerable to Improper Handling of Exceptional Conditions. An attacker on any network that can reach the OpenTelemetry Prometheus exporter metrics port (default 0.0.0.0:9464) can crash the Node.js process by sending a single malformed HTTP request: the exporter's request handler calls new URL(request.url, baseUrl) without a try/catch, so an "Invalid URL" TypeError propagates out of the request callback and terminates the process — an unauthenticated remote denial of service. The vulnerable HTTP server starts either when the application directly constructs PrometheusExporter from @opentelemetry/exporter-prometheus, or when it runs @opentelemetry/sdk-node / @opentelemetry/auto-instrumentations-node/register with the OTEL_METRICS_EXPORTER environment variable set to include prometheus, in which case the SDK instantiates PrometheusExporter internally on the user's behalf.

References: GHSA

To resolve this comment:
Check if you set the OTEL_METRICS_EXPORTER environment variable to include prometheus when relying on auto-configuration via @opentelemetry/sdk-node or @opentelemetry/auto-instrumentations-node/register.

• If you're affected, upgrade this dependency to at least version 0.217.0 at pnpm-lock.yaml.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}