@jkomyno jkomyno commented Jan 2, 2026

This PR:

  • closes PLEN-974
  • fixes the TypeScript SDK telemetry batch delivery by making the batch processor awaitable.
  • makes BatchProcessor’s processBatchCallback always async and track in-flight sends.
  • adds BatchProcessor.flush() and exposes TelemetryTransport.flush() to drain pending telemetry on Node.js-incompatible runtimes (e.g., Cloudflare Workers). We might revise this after Cloudflare Workers support is improved (PLEN-1039)
  • extends tests related to async batching and error handling

I've also tested the changes manually with a custom Bun server, replacing const TELEMETRY_URL = 'https://telemetry.composio.dev/v1' with a local one. I didn't add this part to the e2e test suite in @composio/core for simplicity, and to not violate the single responsibility principle.

I'll manually test this implementation on Datadog in PLEN-1057.

github-actions bot commented Jan 2, 2026

⚠️ Security Audit Warning

The pnpm audit --prod check found security vulnerabilities in production dependencies.

Please review and fix the vulnerabilities. You can try running:

pnpm audit --fix --prod
Audit output
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Next.js is vulnerable to RCE in React flight protocol  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ next                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=16.0.0-canary.0 <16.0.7                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=16.0.7                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__llamaindex>@llamaindex/                  │
│                     │ workflow>@llamaindex/workflow-core>next                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9qr9-h5gf-34mp      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Next Vulnerable to Denial of Service with Server       │
│                     │ Components                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ next                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=16.0.0-beta.0 <16.0.9                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=16.0.9                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__llamaindex>@llamaindex/                  │
│                     │ workflow>@llamaindex/workflow-core>next                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mwv6-3258-q52c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ LangChain serialization injection vulnerability        │
│                     │ enables secret extraction                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ langchain                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.0.0 <1.2.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>langchain                      │
│                     │                                                        │
│                     │ ts__examples__tool-router>langchain                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r399-636x-v7f6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ LangChain serialization injection vulnerability        │
│                     │ enables secret extraction                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @langchain/core                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.0.0 <1.1.8                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.1.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>@langchain/core                │
│                     │                                                        │
│                     │ ts__examples__tool-router>@langchain/                  │
│                     │ anthropic>@langchain/core                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r399-636x-v7f6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ qs's arrayLimit bypass in its bracket notation allows  │
│                     │ DoS via memory exhaustion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ qs                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.14.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.14.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ fern>supergateway>@modelcontextprotocol/sdk>express>qs │
│                     │                                                        │
│                     │ fern>supergateway>body-parser>qs                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6rw7-vpxm-498p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Anthropic's MCP TypeScript SDK has a ReDoS             │
│                     │ vulnerability                                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @modelcontextprotocol/sdk                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.25.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ fern>supergateway>@modelcontextprotocol/sdk            │
│                     │                                                        │
│                     │ ts__examples__google>@modelcontextprotocol/sdk         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-8r9q-7v3j-jr4g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Next Server Actions Source Code Exposure               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ next                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=16.0.0-beta.0 <16.0.9                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=16.0.9                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__llamaindex>@llamaindex/                  │
│                     │ workflow>@llamaindex/workflow-core>next                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w37m-7fhw-fmv9      │
└─────────────────────┴────────────────────────────────────────────────────────┘
11 vulnerabilities found
Severity: 1 moderate | 9 high | 1 critical

@jkomyno jkomyno marked this pull request as ready for review January 2, 2026 15:20
@jkomyno jkomyno requested a review from haxzie as a code owner January 2, 2026 15:20
…ent promises, add Node.js-specific auto-flush, with Cloudflare Workers escape hatch

vercel bot commented Jan 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
fumadocs Error Error Jan 7, 2026 6:18am

.finally(() => {
// Re-emit the signal to allow normal process termination
process.removeListener(signal as NodeJS.Signals, () => signalHandler(signal));
process.kill(process.pid, signal);

Signal handler causes infinite loop on process termination

High Severity

The process.removeListener call on line 315 creates a new arrow function () => signalHandler(signal) which is a different reference than the one registered on lines 320-321 (() => signalHandler('SIGINT')). Since function references don't match, the listener isn't removed. When process.kill(process.pid, signal) re-emits the signal, the original listener catches it again, causing an infinite loop that prevents the process from ever terminating on SIGINT or SIGTERM.
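
The listener-identity problem described in the comment above, shown in plain JavaScript as an added example that is not code from the PR or from the review. `installBuggy`, `installFixed` and `deliveries` are hypothetical names, and the re-raise (`process.kill(process.pid, signal)` in the PR) is simulated by invoking the still-registered listener directly, so no real signal is sent.

```javascript
// Buggy shape: the listener passed to process.on() and the one passed to
// process.removeListener() are two different closures.
function installBuggy(signal, onShutdown) {
  const signalHandler = (sig) => {
    onShutdown(sig);
    // Fresh arrow function: it was never registered, so this call is a no-op.
    process.removeListener(sig, () => signalHandler(sig));
  };
  // Kept in a variable only so the demo can clean up afterwards.
  const registered = () => signalHandler(signal);
  process.on(signal, registered);
  return registered;
}

// Fixed shape: remove the exact reference that was registered.
// (process.once(signal, listener) gives the same one-shot behaviour.)
function installFixed(signal, onShutdown) {
  const registered = () => {
    process.removeListener(signal, registered);
    onShutdown(signal);
  };
  process.on(signal, registered);
  return registered;
}

// Counts how many times the shutdown path runs when the signal keeps being
// re-raised. `cap` bounds the loop that would otherwise never end.
function deliveries(install, signal = 'SIGTERM', cap = 5) {
  let count = 0;
  const registered = install(signal, () => { count += 1; });
  for (let i = 0; i < cap && process.listeners(signal).includes(registered); i += 1) {
    registered(); // stands in for one re-raised signal reaching the process
  }
  process.removeListener(signal, registered); // demo cleanup
  return count;
}

console.log('buggy handler runs:', deliveries(installBuggy));
console.log('fixed handler runs:', deliveries(installFixed));
```

With the buggy shape the handler runs on every re-raise until the cap stops it; with the fixed shape it runs once and the default signal disposition can then terminate the process.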
