v4.50.0 proposal #4887
base: v4.x
…" (#4867)

- this reverts commit 1d2543c.
- reverts a change that would automatically inject tracing headers into AWS requests
- this appears to break S3 requests (and DynamoDB?) when using AWS SDK v2
- we don't have any reports of other services or of AWS SDK v3 breaking
- for follow up work we need to make this a configurable environment variable instead of just an init setting
- this is because folks using the lambda layer need to configure the tracer via env vars
- alternatively we only block s3 and dynamo? however there could be other services that fail...
- alternatively we only block aws sdk v2? however it seems that a bunch of the services are fine...
- internal stuff: APMS-13694, APMS-13713
- more discussion in #4717
* Add exclusions for header injection vulnerability
* Rewrite fn to get a partial value from accept-encoding header to reflect it in transfer/content-encoding
* Fix linting problems

* Fix integration by preventing unsafe access to properties.

---------

Co-authored-by: William Conti <william.conti@datadoghq.com>
Co-authored-by: William Conti <58711692+wconti27@users.noreply.github.com>

* Add support for inferred spans to be created for proxies. Initially supports AWS API Gateway and creates a span when the required headers are attached on the received request.

---------

Co-authored-by: wantsui <wan.tsui@datadoghq.com>

* add tracer version to top-level payload
* fix dd-trace.version to be ddtrace.version tag
Overall package size

Self size: 7.99 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.2.2 | 29.27 MB | 29.27 MB |
| @datadog/native-appsec | 8.2.1 | 19.18 MB | 19.19 MB |
| @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB |
| @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB |
| protobufjs | 7.2.5 | 2.77 MB | 7.01 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Benchmarks

Benchmark execution time: 2024-11-15 15:41:58

Comparing candidate commit a296c29 in PR branch

Found 3 performance improvements and 0 performance regressions! Performance is the same for 772 metrics, 23 unstable metrics.

scenario:plugin-graphql-with-depth-and-collapse-on-16
scenario:plugin-graphql-with-depth-off-16
scenario:plugin-graphql-with-depth-on-max-16
could you include #4863? It fixes a customer issue
…o v4.50.0-proposal
* Template injection vulnerability detection in handlebars
* template injection vulnerability detection in pug
* fix lint and naming issues
* create separate job for template injection
* add support to registerPartial function
* add tests for pug render function
DD_INJECTION_ENABLED: 'true' | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: actions/setup-node@v3 |
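Review bot: the two `uses:` lines under `steps:` reference `actions/checkout@v4` and `actions/setup-node@v3` by mutable major-version tag, so the job runs whatever those tags point to at run time. Pin each action to a full commit SHA with the version in a trailing comment, and bring `setup-node` to the same major version as `checkout` unless v3 is deliberate. A short comment on why this job sets `DD_INJECTION_ENABLED: 'true'` would also help the next reader.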
* [`25ae8e737e`] - (SEMVER-PATCH) Ignore elasticsearch 8.16.0 from esm tests (Ugaitz Urien) #4892
* [`985cb1db96`] - (SEMVER-MINOR) Template injection vulnerability detection in handlebars and pug (ishabi) #4827
* [`59e9a2a75f`] - (SEMVER-PATCH) [test optimization] Fix active span being null in cypress (Juan Antonio Fernández de Alba) #4863
* [`9146f26c93`] - (SEMVER-PATCH) Remove `x-forwarded` from ipHeaderList (simon-id) #4882
* [`83e11a3e13`] - (SEMVER-PATCH) add namespace support for async storage (Roch Devost) #4775
* [`1ce47d2ba0`] - (SEMVER-PATCH) chore(llmobs): tracer version tagging (Sam Brenner) #4885
* [`7addced607`] - (SEMVER-MINOR) add crashtracking with libdatadog native binding (Roch Devost) #4692
* [`36903cc982`] - (SEMVER-PATCH) skip warning if propagator is baggage (Ida Liu) #4866
* [`9794630aa0`] - (SEMVER-PATCH) add more node version test to unsupported guardrails matrix (Roch Devost) #4879
* [`1e1a2a1014`] - (SEMVER-PATCH) add guardrail to completely bail out in very old versions (Roch Devost) #4878
* [`29ff735a64`] - (SEMVER-MINOR) feat(tracing): AWS API Gateway Inferred Span Support (William Conti) #4837
* [`b81d9d84bf`] - (SEMVER-MINOR) Prevent errors in Express 5.x applications (wantsui) #4872
* [`0a44e6e4dc`] - (SEMVER-PATCH) Have one version tag in metrics (Attila Szegedi) #4857
* [`0a411ee6e1`] - (SEMVER-PATCH) add release proposal script for use locally (Roch Devost) #4853
* [`70e99bd56b`] - (SEMVER-MINOR) Add exclusions for header injection vulnerability (Carles Capell) #4841
* [`367bd2d65c`] - (SEMVER-PATCH) Discard non-web traces when searching for a vulnerability not being present (Carles Capell) #4871
* [`1ee8000111`] - (SEMVER-PATCH) Revert "always enable tracing header injection for AWS requests (#4717)" (Thomas Hunter II) #4867