Opentelemetry api npm peer dep broken with strict pnpm

[vchernin]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Self-hosted/on-premise

Which SDK are you using?

@sentry/node

SDK Version

8.22.0

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

No response

Steps to Reproduce

.npmrc (despite this originally being for npm, pnpm stores its own config options in this file):

strict-peer-dependencies=true

package.json:

{
  "name": "my-local-package",
  "dependencies": {
    "@sentry/node": "8.22.0"
  }
}

pnpm install

Tested with pnpm 9.6.0.

Expected Result

Correct peer deps versions and successful installation with the strict-peer-dependencies setting enabled.

Perhaps the @opentelemetry/api version from @sentry/node should be downgraded, or maybe the @opentelemetry/instrumentation-mongodb can be upgraded.

The pnpm setting strict-peer-dependencies is not enabled by default and I could set it to false. But it seems like a bug to have potential version mismatch.

Actual Result

Result:

Scope: all 12 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 117, reused 0, downloaded 0, added 0
Progress: resolved 472, reused 0, downloaded 0, added 0
Progress: resolved 869, reused 0, downloaded 0, added 0
Progress: resolved 1104, reused 0, downloaded 0, added 0
Progress: resolved 1124, reused 0, downloaded 0, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

my-local-package
└─┬ @sentry/node 8.22.0
  └─┬ @opentelemetry/instrumentation-mongodb 0.46.0
    └─┬ @opentelemetry/sdk-metrics 1.24.1
      ├── ✕ unmet peer @opentelemetry/api@">=1.3.0 <1.9.0": found 1.9.0 in @sentry/node
      ├─┬ @opentelemetry/core 1.24.1
      │ └── ✕ unmet peer @opentelemetry/api@">=1.0.0 <1.9.0": found 1.9.0 in @sentry/node
      └─┬ @opentelemetry/resources 1.24.1
        └── ✕ unmet peer @opentelemetry/api@">=1.0.0 <1.9.0": found 1.9.0 in @sentry/node

hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.

[mydea]

Hey, this is weird, because the mongodb instrumentation has this depednency: "@opentelemetry/sdk-metrics" "^1.9.1", which should resolve to the latest current version (1.25.1)of@opentelemetry/sdk-metrics`, which in turn allows 1.9.0 of the API package. Why is it pulling in 1.24.1 of sdk-metrics? Can you try clearing your cache?

[vchernin]

I could not consistently reproduce following my instructions as I had expected. The only workaround I could find was to delete the pnpm-lock.yaml file and reinstall all the dependencies. (I also happend to purge the node_modules directories and pnpm store just in case).

In any case this is a bug in pnpm and not sentry.

[lenovouser]

I am also experiencing this. With version 8.29.0.

[vchernin]

I am also seeing this with version 8.29.0. This time deleting pnpm-lock.yaml and purging node_modules and the pnpm store does not workaround this. The dependency chain is also a bit simpler.

my-local-package
└─┬ @sentry/node 8.29.0
  └─┬ @sentry/opentelemetry 8.29.0
    └── ✕ unmet peer @opentelemetry/instrumentation@^0.52.1: found 0.53.0

This seems like a problem here since @sentry/node provides 0.53.0 while @sentry/opentelemetry depends on 0.52.1 of @opentelelemtry/instrumentation.

sentry-javascript/packages/node/package.json

Line 71 in 49d95ca

"@opentelemetry/instrumentation": "^0.53.0",

sentry-javascript/packages/opentelemetry/package.json

Line 49 in 49d95ca

"@opentelemetry/instrumentation": "^0.52.1",

The peer dep is specified allowing semver minor ranges, except since this is a 0.x.x version any minor change could be a breaking change according to semver, so pnpm is correct to complain here so I am reopening.

[billyjanitsch]

Seems like an oversight in #13587.

[andreiborza]

Sorry about that, we'll get this resolved as quickly as we can. I opened a PR for it #13640

[AbhiPrasad]

Fix released with https://github.com/getsentry/sentry-javascript/releases/tag/8.30.0 - thanks for your patience

[lenovouser]

I am also experiencing this. With version 8.29.0.

This has happened again with version 8.37.0 (current release, not fixed). Is there a way where a test or something can be added in order to not create releases with this issue again? We can't even prevent this on our side unless we go for pinning minor versions, which we ideally do not want.

[andreiborza]

@lenovouser sorry about that. We used Dependabot and bumped deps here #14174 but alas it didn't catch everything.

I pushed a fix for this and we'll release a patch.

We're thinking of a way to catch these in e2e tests.

[andreiborza]

The fix has been released with 8.37.1, please upgrade. Sorry for the inconvenience again.