chore(deps): bump the test-versions group across 1 directory with 36 updates

[dependabot]

Bumps the test-versions group with 36 updates in the /packages/dd-trace/test/plugins/versions directory:

Package	From	To
@apollo/gateway	2.14.0	2.14.1
@apollo/subgraph	2.14.0	2.14.1
@babel/core	7.29.0	7.29.7
@babel/preset-typescript	7.28.5	7.29.7
@confluentinc/kafka-javascript	1.9.0	1.9.1
@datadog/openfeature-node-server	1.2.1	2.0.0
@elastic/elasticsearch	9.4.0	9.4.2
@elastic/transport	9.3.5	9.3.7
@electron/packager	20.0.0	20.0.1
@google-cloud/pubsub	5.3.0	5.3.1
@grpc/grpc-js	1.14.3	1.14.4
@hono/node-server	2.0.3	2.0.4
@koa/router	15.5.0	15.6.0
@types/node	25.9.0	25.9.3
aerospike	6.7.0	6.7.1
axios	1.16.1	1.17.0
bullmq	5.76.10	5.78.0
cypress	15.16.0	15.17.0
ejs	5.0.2	6.0.1
electron	42.1.0	42.4.0
esbuild	0.28.0	0.28.1
graphql	16.14.0	16.14.2
graphql-yoga	5.21.0	5.21.2
hono	4.12.19	4.12.25
koa	3.2.0	3.2.1
mariadb	3.4.5	3.5.3
next	16.2.6	16.2.9
npm	11.14.1	11.17.0
oracledb	6.10.0	7.0.0
pnpm	11.1.3	11.6.0
protobufjs	8.4.0	8.6.3
react	19.2.6	19.2.7
react-dom	19.2.6	19.2.7
stripe	22.1.1	22.2.0
undici	8.3.0	8.4.1
ws	8.20.1	8.21.0

Updates @apollo/gateway from 2.14.0 to 2.14.1

Release notes

Sourced from @​apollo/gateway's releases.

@​apollo/gateway@​2.14.1

Patch Changes

• Pass instrumentation scope version as a separate argument when creating the OpenTelemetry meter for telemetry. Fixes #3436. (#3439)

• Updated dependencies [278eb0fc2bc0ef13ba371407df04cfe50fa2887d, 8bb88f9c7b90addd5ef29f9e4a3f9c027e6cf690, 621568719382df6592749168893e0e533a648ba5]:

  • @​apollo/federation-internals@​2.14.1
  • @​apollo/composition@​2.14.1
  • @​apollo/query-planner@​2.14.1

Changelog

Sourced from @​apollo/gateway's changelog.

2.14.1

Patch Changes

• Pass instrumentation scope version as a separate argument when creating the OpenTelemetry meter for telemetry. Fixes #3436. (#3439)

• Updated dependencies [278eb0fc2bc0ef13ba371407df04cfe50fa2887d, 8bb88f9c7b90addd5ef29f9e4a3f9c027e6cf690, 621568719382df6592749168893e0e533a648ba5]:

  • @​apollo/federation-internals@​2.14.1
  • @​apollo/composition@​2.14.1
  • @​apollo/query-planner@​2.14.1

Commits

• 582d2d2 release: on branch main (#3443)
• cdc1810 Update gateway tracing name to match ingestion side expectations (#3446)
• d9c721c Pass scope version as a separate argument in telemetry instantiation (#3439)
• See full diff in compare view

Updates @apollo/subgraph from 2.14.0 to 2.14.1

Release notes

Sourced from @​apollo/subgraph's releases.

@​apollo/subgraph@​2.14.1

Patch Changes

• Updated dependencies [278eb0fc2bc0ef13ba371407df04cfe50fa2887d, 8bb88f9c7b90addd5ef29f9e4a3f9c027e6cf690]:
  • @​apollo/federation-internals@​2.14.1

Changelog

Sourced from @​apollo/subgraph's changelog.

2.14.1

Patch Changes

• Updated dependencies [278eb0fc2bc0ef13ba371407df04cfe50fa2887d, 8bb88f9c7b90addd5ef29f9e4a3f9c027e6cf690]:
  • @​apollo/federation-internals@​2.14.1

Commits

• 582d2d2 release: on branch main (#3443)
• See full diff in compare view

Updates @babel/core from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/core's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• 04ea6b2 v7.29.6
• 99f498a [7.x packport]Improve input source map handling (#18001)
• feba0a3 Preserve original identifier names from input sourcemaps (#17992) (#17998)
• See full diff in compare view

Updates @babel/preset-typescript from 7.28.5 to 7.29.7

Release notes

Sourced from @​babel/preset-typescript's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• f3a2226 [babel 7] Delete Babel 8 fixtures (#17729)
• See full diff in compare view

Updates @confluentinc/kafka-javascript from 1.9.0 to 1.9.1

Release notes

Sourced from @​confluentinc/kafka-javascript's releases.

v1.9.1 is a maintenance release. It is supported for all usage.

Enhancements

1. References librdkafka v2.14.2. Refer to the librdkafka v2.14.2 release notes for more information.

Fixes

1. Handle anyOf/allOf in JSON transforms (#479)
2. Preserve custom subjectNameStrategy in serde constructors (#482)
3. Correct the TypeScript return type of admin.fetchTopicMetadata to Promise<Array<ITopicMetadata>> (#367)
4. Correct the TypeScript MemberDescription shape returned by admin.describeGroups so assignment/targetAssignment wrap a topicPartitions array and memberAssignment/memberMetadata are nullable (#487)
5. Correct the TypeScript FetchOffsetsPartition.error type returned by admin.fetchOffsets to LibrdKafkaError | null, matching the runtime which always populates the field. It never returnes undefined. (#489)
6. Correct broken "types" path so TS consumers get types (#484)
7. Resolve IHeaders import for installed clients (#492)
8. Fix error callback passing and object to the logger instead of a string (#483)
9. Fix security vulnerabilities in dependencies (#478)
10. Handle missing Protobuf message index bytes in ProtobufDeserializer (#481)

v1.9.1-rc1 is a maintenance release candidate. It is not supported.

Enhancements

1. References librdkafka v2.14.2-RC3. Refer to the librdkafka v2.14.2-RC3 release notes for more information.

Fixes

1. Handle anyOf/allOf in JSON transforms (#479)
2. Preserve custom subjectNameStrategy in serde constructors (#482)
3. Correct the TypeScript return type of admin.fetchTopicMetadata to Promise<Array<ITopicMetadata>> (#367)
4. Correct the TypeScript MemberDescription shape returned by admin.describeGroups so assignment/targetAssignment wrap a topicPartitions array and memberAssignment/memberMetadata are nullable (#487)
5. Correct the TypeScript FetchOffsetsPartition.error type returned by admin.fetchOffsets to LibrdKafkaError | null, matching the runtime which always populates the field. It never returns undefined. (#489)
6. Correct broken "types" path so TS consumers get types (#484)
7. Resolve IHeaders import for installed clients (#492)
8. Fix error callback passing and object to the logger instead of a string (#483)
9. Fix security vulnerabilities in dependencies (#478)
10. Handle missing Protobuf message index bytes in ProtobufDeserializer (#481)

Changelog

Sourced from @​confluentinc/kafka-javascript's changelog.

confluent-kafka-javascript 1.9.1

v1.9.1 is a maintenance release. It is supported for all usage.

Enhancements

1. References librdkafka v2.14.2. Refer to the librdkafka v2.14.2 release notes for more information.

Fixes

1. Handle anyOf/allOf in JSON transforms (#479)
2. Preserve custom subjectNameStrategy in serde constructors (#482)
3. Correct the TypeScript return type of admin.fetchTopicMetadata to Promise<Array<ITopicMetadata>> (#367)
4. Correct the TypeScript MemberDescription shape returned by admin.describeGroups so assignment/targetAssignment wrap a topicPartitions array and memberAssignment/memberMetadata are nullable (#487)
5. Correct the TypeScript FetchOffsetsPartition.error type returned by admin.fetchOffsets to LibrdKafkaError | null, matching the runtime which always populates the field. It never returnes undefined. (#489)
6. Correct broken "types" path so TS consumers get types (#484)
7. Resolve IHeaders import for installed clients (#492)
8. Fix error callback passing and object to the logger instead of a string (#483)
9. Fix security vulnerabilities in dependencies (#478)
10. Handle missing Protobuf message index bytes in ProtobufDeserializer (#481)

Commits

• cf4cf8f v1.9.1 (#494)
• 1c06ed0 v1.9.1-rc1 (#493)
• eacb098 [fix] pass string as first arg to user logger on error events (#483)
• 9357d60 NONJAVACLI-4353: bump axios and pin transitive deps for CVE fixes (#478)
• ce56a23 Resolve IHeaders import for installed clients (#492)
• 59e3251 fix(package.json): correct broken "types" path (#484)
• f92eace [Typescript] Fix FetchOffsetsPartition.error type from || undefined to `|...
• 2e82d00 Fix the typescript return type for admin.describeGroups() per #487. (#488)
• 685bdb2 Correct the TypeScript return type of admin.fetchTopicMetadata (#486)
• 6ef5fd2 DGS-24227 Preserve custom subjectNameStrategy in serde constructors (#482)
• Additional commits viewable in compare view

Updates @datadog/openfeature-node-server from 1.2.1 to 2.0.0

Release notes

Sourced from @​datadog/openfeature-node-server's releases.

@​datadog/openfeature-node-server@​2.0.0

What's Changed

• ci: add npm compatibility smoke test by @​sameerank in DataDog/openfeature-js-client#282
• chore: pin exact versions for internal dependencies by @​sameerank in DataDog/openfeature-js-client#283
• chore: switch to lerna independent versioning by @​sameerank in DataDog/openfeature-js-client#288

Full Changelog: https://github.com/DataDog/openfeature-js-client/compare/v1.2.1...@​datadog/openfeature-node-server@2.0.0

Changelog

Sourced from @​datadog/openfeature-node-server's changelog.

@​datadog/openfeature-browser@​1.2.2, @​datadog/openfeature-node-server@​2.0.0

Bug Fixes:

• fix: pin @​datadog/flagging-core to exact version to prevent version skew [BROWSER] [NODE-SERVER]

Internal Changes:

• chore: switch to lerna independent versioning (#288)
• chore: pin exact versions for internal dependencies (#283)
• ci: add npm compatibility smoke test (#282)

Note: This is the first stable release with the serialId feature. v1.2.0 had yarn syntax issues, v1.2.1 had loose dependency issues. node-server is bumped to 2.0.0 to prevent automatic upgrades by older dd-trace versions with unpinned dependencies.

v1.2.0

Internal Changes:

• feat(node): expose serial ID in flagMetadata for span enrichment (#269) [NODE-SERVER]
• 👷 ci(deps): Bump dependabot/fetch-metadata (#267)

v1.1.2

Internal Changes:

• 👷 ci(deps)(deps): Bump actions/setup-node in the github-actions group (#222)
• 👷 chore(deps)(deps): Bump follow-redirects from 1.15.11 to 1.16.0 (#245)
• 👷 chore(deps)(deps): Bump tmp from 0.2.3 to 0.2.5 (#228)
• 👷 chore(deps-dev)(deps-dev): Bump glob from 11.1.0 to 13.0.6 (#216)
• 👷 chore(deps): Bump axios from 1.13.4 to 1.15.0 (#244)
• update missed touchpoints on v1.1.1 release
• fix: replace Map<string, string> constraint with CacheDelegate to avoid MapIterator in declarations (#263) [BROWSER] [NODE-SERVER]
• Executing automated changes (#252)
• fix(browser): bump @​datadog/browser-core to ^6.33.0 (#261) [BROWSER] [NODE-SERVER]
• Executing automated changes (#254) [BROWSER] [NODE-SERVER]
• Executing automated changes (#253) [NODE-SERVER]
• chore(browser): move @​types/chrome from dependencies to devDependencies (#250) [BROWSER]
• fix(node): mark open @​openfeature/server-sdk as non-optional (#248) [NODE-SERVER]
• Remove nested attributes from setContext example (#234) [BROWSER]
• chore: Harden npm supply chain with @​lavamoat/allow-scripts (#233)

v1.1.1

*_ Bug Fixes_

• fix: allow null targeting key for static and rule-only flags (#232)

v1.1.0

Behavior Changes:

... (truncated)

Commits

• 208293e Publish
• d81d422 fix: pin @​datadog/flagging-core to exact version
• See full diff in compare view

Updates @elastic/elasticsearch from 9.4.0 to 9.4.2

Release notes

Sourced from @​elastic/elasticsearch's releases.

v9.4.2

Changelog

v9.4.1

Changelog

Commits

• 436cd88 bump 9.4.2 (#3309)
• 6cd7358 fix: bulk operations check too strict [backport] (#3311)
• cabdb66 fix: backport globby removal and junit CI fixes to 9.4 (#3303)
• 47ca4ab Auto-generated API code (#3300)
• 78a4391 [9.4] chore: update ESM patching for apache-arrow (#3294) (#3295)
• b88dca6 Auto-generated API code (#3290)
• bd7b2af 9.4.1 changelog (#3284) (#3285)
• 4ff8dce bump to 9.4.1 (#3283)
• 588c55a [9.4] fix: throw errors properly when bulk helper uses a stream (#3281) (#3282)
• See full diff in compare view

Updates @elastic/transport from 9.3.5 to 9.3.7

Release notes

Sourced from @​elastic/transport's releases.

v9.3.7

Fixes

• mark timed-out nodes dead when retryOnTimeout is false by @​JoshMock in elastic/elastic-transport-js#382

Full Changelog: elastic/elastic-transport-js@v9.3.6...v9.3.7

v9.3.6

Bug fixes

• use Buffer.concat for UTF-8 response body to prevent multi-byte character corruption by @​joecwu in elastic/elastic-transport-js#364
• Prevent false NoLivingConnectionsError in WeightedConnectionPool by @​JoshMock in elastic/elastic-transport-js#369
• prevent ConnectionError with empty message by @​JoshMock in elastic/elastic-transport-js#370
• ensure Error.cause propagates by @​JoshMock in elastic/elastic-transport-js#371
• use correct content-type on empty requests by @​JoshMock in elastic/elastic-transport-js#372

New Contributors

• @​joecwu made their first contribution in elastic/elastic-transport-js#364

Full Changelog: elastic/elastic-transport-js@v9.3.5...v9.3.6

Commits

• 65a2585 fix: mark timed-out nodes dead when retryOnTimeout is false (#382)
• 68389ba chore(deps): pin actions/github-script action to f28e40c (#379)
• a657bd6 chore(deps): update node.js to 8530f76 (#380)
• 668d805 ci: add AI backport resolver (gh-aw prompt + issue_comment trigger) (#377)
• 4fe6d59 ci: point to clients-team-automations instead of devtools (#378)
• eaca5eb fix: remove non-ASCII characters causing workflow parse failure (#375)
• ca6bf3f ci: replace thin caller with full AI backport resolver workflow (#374)
• 5ef792a fix: use correct content-type on empty requests (#372)
• d619d0d fix: ensure Error.cause propagates (#371)
• 5f1eab1 fix: prevent ConnectionError with empty message (#370)
• Additional commits viewable in compare view

Updates @electron/packager from 20.0.0 to 20.0.1

Release notes

Sourced from @​electron/packager's releases.

v20.0.1

20.0.1 (2026-06-04)

Bug Fixes

• swap extract-zip with @electron-internal/extract-zip (#1917) (0ff6c2a)

Commits

• 0ff6c2a fix: swap extract-zip with @electron-internal/extract-zip (#1917)
• 0076a36 chore: bump vitest from 3.2.4 to 4.1.0 (#1916)
• b0413a0 chore: bump brace-expansion from 5.0.5 to 5.0.6 (#1915)
• eed530c ci: add a GitHub Actions Completed job (#1914)
• b0eb94d build(dev-deps): drop tsx (#1908)
• 56f519f build: remove parse-author dependency (#1912)
• 23cb235 chore: bump ip-address from 10.0.1 to 10.1.1 (#1913)
• feb3114 chore: bump the non-major-version-updates group with 4 updates (#1911)
• 5557153 chore: bump postcss from 8.5.6 to 8.5.10 (#1910)
• d71c96b chore: bump @​xmldom/xmldom from 0.8.12 to 0.8.13 (#1909)
• See full diff in compare view

Updates @google-cloud/pubsub from 5.3.0 to 5.3.1

Release notes

Sourced from @​google-cloud/pubsub's releases.

pubsub: v5.3.1

5.3.1 (2026-05-11)

Bug Fixes

• Bump all node submodules (#8178) (9fd76ef)
• pubsub: Remove messages from leasing on nackWithResponse (#7817) (841f0ca)

Changelog

Sourced from @​google-cloud/pubsub's changelog.

5.3.1 (2026-05-11)

Bug Fixes

• Bump all node submodules (#8178) (9fd76ef)
• pubsub: Remove messages from leasing on nackWithResponse (#7817) (841f0ca)

Commits

• See full diff in compare view

Updates @grpc/grpc-js from 1.14.3 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

Commits

• a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
• 5b8d37b Merge commit from fork
• 6a97456 Merge commit from fork
• e5e0b1d grpc-js: Bump version to 1.14.4
• 5029a26 Make compression error a static string
• 2fe55fd Fix crashes when receiving malformed compressed data
• 234f917 Fix server crash when handling invalid requests
• acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
• 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
• See full diff in compare view

Updates @hono/node-server from 2.0.3 to 2.0.4

Release notes

Sourced from @​hono/node-server's releases.

v2.0.4

What's Changed

• fix: stub ws types to prevent them leaking in public types by @​BlankParticle in honojs/node-server#359

Full Changelog: honojs/node-server@v2.0.3...v2.0.4

Commits

• 9e1cdee 2.0.4
• b4ca622 fix: stub ws types to prevent them leaking in public types (#359)
• See full diff in compare view

Updates @koa/router from 15.5.0 to 15.6.0

Release notes

Sourced from @​koa/router's releases.

v15.6.0

• ci: drop node v20 from ci pipeline b5f9b6c
• chore: update *.md docs files d586f45
• chore: add more tests + bump deps 7148fd1
• fix: hide internal rest param from prefixed middleware 99a6ae6

---

koajs/router@v15.5.0...v15.6.0

Commits

• 5b989fe v15.6.0
• b5f9b6c ci: drop node v20 from ci pipeline
• d586f45 chore: update *.md docs files
• 7148fd1 chore: add more tests + bump deps
• 99a6ae6 fix: hide internal rest param from prefixed middleware
• See full diff in compare view

Updates @types/node from 25.9.0 to 25.9.3

Commits

• See full diff in compare view

Updates aerospike from 6.7.0 to 6.7.1

Release notes

Sourced from aerospike's releases.

[6.7.1]

Release Date: May 26, 2026

Security

• Address node.js client vulnerabilities reported by Dependabot. [CLIENT-4732]
  • Bump minimatch...
    • as a development dependency from 9.0.5 to 9.0.9.
    • as a runtime dependency from 3.1.2 to 3.1.5.
    • This addresses:
      • CVE-2026-27904
      • CVE-2026-27903
      • CVE-2026-26996
  • Bump runtime dependency tar from 7.5.7 to 7.5.15. This addresses:
    • CVE-2026-29786
    • CVE-2026-31802
  • Bump runtime dependency picomatch from 4.0.3 to 4.0.4. This addresses CVE-2026-33671.
  • Bump protobufjs from 7.5.4 to 7.5.8. This addresses the following vulnerabilities where protobufjs...
    • is a runtime dependency:
      • CVE-2026-41242
    • is a development dependency:
      • CVE-2026-44291
      • CVE-2026-44290
      • CVE-2026-44293
      • CVE-2026-44289
  • Bump development dependency flatted from 3.3.3 to 3.4.2. This addresses:
    • CVE-2026-33228
    • CVE-2026-32141

Full Changelog: aerospike/aerospike-client-nodejs@v6.7.0...v6.7.1

Commits

• e64dca8 Forgot to update the rest of the jobs in the stage tests to convert the runne...
• e7e1fdf Fix syntax. TODO should add actionlint
• c906787 Use shared workflow from aerospike/aerospike-client-python from dev commit no...
• 35145f2 Fix syntax error
• 6486f50 Use the same syntax in aerospike-client-python to pass encoded json output to...
• ff05b8c Rename SMA2 self hosted macos runner to the default labels used
• affd51c Bump version to 6.7.1
• c12499b Revert "Bump version to 6.7.1"
• 6b6da3a Fix bug where artifacts for release bundles are built for the wrong revision ...
• 242ad5b Fix usage of promote-and-optionally-tag-release-bundle.yml in stage workflow.
• Additional commits viewable in compare view

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911,

[dd-octo-sts]

Overall package size

Self size: 6.2 MB
Deduped: 7.24 MB
No deduping: 7.24 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.2 | 85.93 kB | 825.11 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | dc-polyfill | 0.1.11 | 25.74 kB | 25.74 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[datadog-datadog-prod-us1]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Serverless | google-cloud-pubsub     

APM Integrations | mariadb     

All Green | all-green     

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 6973ac2 | Docs | Datadog PR Page | Give us feedback!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6973ac2bd1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate supported integration metadata

Updating this cap changes the source of truth used by scripts/generate-supported-integrations.js (buildRows() reads versions[dependency] as max_tracer_supported), but the generated artifacts are still at the old maxima; for example, supported_versions_table.csv:92 still lists oracledb max 6.10.0. A run of npm run verify:supported-integrations after this bump will report drift, and the published support metadata will stay stale until those files are regenerated.

Useful? React with 👍 / 👎.

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-06-15 01:17:09

Comparing candidate commit 6973ac2 in PR branch dependabot/npm_and_yarn/packages/dd-trace/test/plugins/versions/test-versions-6fcb3304ab with baseline commit 00e74e4 in branch master.

📊 Benchmarking dashboard

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1445 metrics, 22 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

• 🟩 = significantly better candidate vs. baseline
• 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

Unstable benchmarks

These benchmarks have a confidence interval too wide to call a change; treat them as noise rather than signal.

scenario:debugger-line-probe-with-snapshot-minimal-20

• unstable cpu_user_time [-141.442ms; +427.677ms] or [-2.823%; +8.535%]
• unstable execution_time [-199.664ms; +597.741ms] or [-3.159%; +9.456%]
• unstable max_rss_usage [-4.895MB; +12.135MB] or [-2.977%; +7.381%]

scenario:log-skip-log-24

• unstable cpu_user_time [-3074.029µs; +1796.829µs] or [-6.441%; +3.765%]

scenario:log-skip-log-26

• unstable cpu_user_time [-2081.272µs; +3022.572µs] or [-4.575%; +6.645%]

scenario:log-without-log-20

• unstable cpu_user_time [-3929.964µs; +2003.164µs] or [-7.197%; +3.668%]

scenario:log-without-log-24

• unstable cpu_user_time [-3079.279µs; +4153.579µs] or [-6.573%; +8.866%]

scenario:plugin-graphql-long-with-depth-and-collapse-off-24

• unstable cpu_user_time [-309162.694µs; +309070.894µs] or [-7.150%; +7.148%]
• unstable execution_time [-335.056ms; +322.673ms] or [-7.286%; +7.017%]
• unstable max_rss_usage [-35470.799KB; +33747.999KB] or [-6.828%; +6.496%]

scenario:plugin-graphql-long-with-depth-off-20

• unstable max_rss_usage [-8074.708KB; +9246.708KB] or [-5.875%; +6.728%]

scenario:spans-finish-later-20

• unstable cpu_user_time [-18.545ms; +1588.204ms] or [-0.360%; +30.833%]
• unstable execution_time [+0.001s; +2.121s] or [+0.017%; +35.251%]
• unstable instructions [+0.2G instructions; +4.3G instructions] or [+0.879%; +19.763%]
• unstable max_rss_usage [-5.379MB; +14.772MB] or [-2.796%; +7.678%]

scenario:spans-finish-later-24

• unstable cpu_user_time [-716.538ms; +1200.239ms] or [-29.841%; +49.985%]
• unstable execution_time [-731.983ms; +1219.077ms] or [-28.949%; +48.212%]
• unstable instructions [-1205.1M instructions; +2179.8M instructions] or [-7.973%; +14.423%]
• unstable max_rss_usage [-38.663MB; +17.438MB] or [-12.195%; +5.500%]

scenario:spans-finish-later-26

• unstable cpu_user_time [-184.995ms; +102.112ms] or [-9.850%; +5.437%]
• unstable execution_time [-193.378ms; +99.851ms] or [-9.922%; +5.123%]
• unstable max_rss_usage [-18.230MB; +5.661MB] or [-9.049%; +2.810%]

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.20%. Comparing base (00e74e4) to head (6973ac2).

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #8907       +/-   ##
===========================================
- Coverage   93.29%   42.20%   -51.09%     
===========================================
  Files         862      268      -594     
  Lines       49641    16456    -33185     
  Branches     9407     3812     -5595     
===========================================
- Hits        46311     6945    -39366     
- Misses       3330     9511     +6181     

Flag	Coverage Δ
aiguard-integration-active	?
aiguard-integration-latest	?
aiguard-integration-maintenance	?
aiguard-macos	?
aiguard-ubuntu	?
aiguard-windows	?
apm-capabilities-tracing-macos	?
apm-capabilities-tracing-ubuntu-active	?
apm-capabilities-tracing-ubuntu-latest	?
apm-capabilities-tracing-ubuntu-maintenance	?
apm-capabilities-tracing-ubuntu-oldest	?
apm-capabilities-tracing-windows	?
apm-integrations-aerospike-18-gte.5.2.0	?
apm-integrations-aerospike-20-gte.5.5.0	?
apm-integrations-aerospike-22-gte.5.12.1	?
apm-integrations-aerospike-22-gte.6.0.0	?
apm-integrations-aerospike-eol-	?
apm-integrations-child-process	?
apm-integrations-confluentinc-kafka-javascript-18	?
apm-integrations-confluentinc-kafka-javascript-20	?
apm-integrations-confluentinc-kafka-javascript-22	?
apm-integrations-confluentinc-kafka-javascript-24	?
apm-integrations-couchbase-18	?
apm-integrations-couchbase-eol	?
apm-integrations-dns	?
apm-integrations-elasticsearch	?
apm-integrations-http-latest	?
apm-integrations-http-maintenance	?
apm-integrations-http-oldest	?
apm-integrations-http2	?
apm-integrations-kafkajs-latest	?
apm-integrations-kafkajs-oldest	?
apm-integrations-net	?
apm-integrations-next-11.1.4	?
apm-integrations-next-12.3.7	?
apm-integrations-next-13.0.0	?
apm-integrations-next-13.2.0	?
apm-integrations-next-13.5.11	?
apm-integrations-next-14.0.0	?
apm-integrations-next-14.2.35	?
apm-integrations-next-14.2.6	?
apm-integrations-next-14.2.7	?
apm-integrations-next-15.0.0	?
apm-integrations-next-15.4.0	?
apm-integrations-next-latest	?
apm-integrations-oracledb	?
apm-integrations-prisma-18-gte.6.16.0.and.lt.7.0.0	?
apm-integrations-prisma-latest-all	?
apm-integrations-restify	?
apm-integrations-sharedb	?
apm-integrations-tedious	?
appsec-express	?
appsec-fastify	?
appsec-graphql	?
appsec-integration-active	?
appsec-integration-latest	?
appsec-integration-maintenance	?
appsec-integration-oldest	?
appsec-kafka	?
appsec-ldapjs	?
appsec-lodash	?
appsec-macos	?
appsec-mongodb-core	?
appsec-mongoose	?
appsec-mysql	?
appsec-next-latest-11.1.4	?
appsec-next-latest-12.3.7	?
appsec-next-latest-13.0.0	?
appsec-next-latest-13.2.0	?
appsec-next-latest-13.5.11	?
appsec-next-latest-14.0.0	?
appsec-next-latest-14.2.35	?
appsec-next-latest-14.2.6	?
appsec-next-latest-14.2.7	?
appsec-next-latest-15.0.0	?
appsec-next-latest-latest	?
appsec-next-oldest-11.1.4	?
appsec-next-oldest-12.3.7	?
appsec-next-oldest-13.0.0	?
appsec-next-oldest-13.2.0	?
appsec-next-oldest-13.5.11	?
appsec-next-oldest-14.0.0	?
appsec-next-oldest-14.2.35	?
appsec-next-oldest-14.2.6	?
appsec-next-oldest-14.2.7	?
appsec-next-oldest-15.0.0	?
appsec-next-oldest-latest	?
appsec-node-serialize	?
appsec-passport	?
appsec-postgres	?
appsec-sourcing	?
appsec-stripe	?
appsec-template	?
appsec-ubuntu	?
appsec-windows	?
debugger-ubuntu-active	?
debugger-ubuntu-latest	?
debugger-ubuntu-maintenance	?
debugger-ubuntu-oldest	?
instrumentations-instrumentation-ai	?
instrumentations-instrumentation-aws-sdk	?
instrumentations-instrumentation-bluebird	?
instrumentations-instrumentation-body-parser	?
instrumentations-instrumentation-child_process	?
instrumentations-instrumentation-cookie-parser	?
instrumentations-instrumentation-couchbase-18	?
instrumentations-instrumentation-couchbase-eol	?
instrumentations-instrumentation-crypto	?
instrumentations-instrumentation-express	?
instrumentations-instrumentation-express-mongo-sanitize	?
instrumentations-instrumentation-express-multi-version	?
instrumentations-instrumentation-express-session	?
instrumentations-instrumentation-fastify	?
instrumentations-instrumentation-fetch	?
instrumentations-instrumentation-fs	?
instrumentations-instrumentation-generic-pool	?
instrumentations-instrumentation-hono	?
instrumentations-instrumentation-http	?
instrumentations-instrumentation-http-client-options	?
instrumentations-instrumentation-kafkajs	?
instrumentations-instrumentation-knex	?
instrumentations-instrumentation-light-my-request	?
instrumentations-instrumentation-mongoose	?
instrumentations-instrumentation-multer	?
instrumentations-instrumentation-mysql2	?
instrumentations-instrumentation-openai-aiguard	?
instrumentations-instrumentation-otel-sdk-trace	?
instrumentations-instrumentation-passport	?
instrumentations-instrumentation-passport-http	?
instrumentations-instrumentation-passport-local	?
instrumentations-instrumentation-pg	?
instrumentations-instrumentation-promise	?
instrumentations-instrumentation-promise-js	?
instrumentations-instrumentation-q	?
instrumentations-instrumentation-router	?
instrumentations-instrumentation-stripe	?
instrumentations-instrumentation-url	?
instrumentations-instrumentation-when	?
instrumentations-instrumentation-zlib	?
instrumentations-integration-esbuild-0.16.12-latest	?
instrumentations-integration-esbuild-0.16.12-maintenance	?
instrumentations-integration-esbuild-0.16.12-oldest	?
instrumentations-integration-esbuild-latest-active	?
instrumentations-integration-esbuild-latest-latest	?
instrumentations-integration-esbuild-latest-maintenance	?
instrumentations-integration-esbuild-latest-oldest	?
llmobs-ai	?
llmobs-anthropic	?
llmobs-bedrock	?
llmobs-google-genai	?
llmobs-langchain	?
llmobs-openai-latest	?
llmobs-openai-oldest	?
llmobs-sdk-active	?
llmobs-sdk-latest	?
llmobs-sdk-maintenance	?
llmobs-sdk-oldest	?
llmobs-vertex-ai	?
master-coverage	42.20% <ø> (?)
openfeature-macos	?
openfeature-ubuntu	?
openfeature-unit-active	?
openfeature-unit-latest	?
openfeature-unit-maintenance	?
openfeature-unit-oldest	?
openfeature-windows	?
platform-core	?
platform-esbuild	?
platform-instrumentations-misc	?
platform-integration-active	?
platform-integration-latest	?
platform-integration-maintenance	?
platform-integration-oldest	?
platform-shimmer	?
platform-unit-guardrails	?
platform-webpack	?
plugins-axios	?
plugins-azure-cosmos	?
plugins-azure-event-hubs	?
plugins-azure-service-bus	?
plugins-body-parser	?
plugins-bullmq	?
plugins-cassandra	?
plugins-cookie	?
plugins-cookie-parser	?
plugins-crypto	?
plugins-dd-trace-api	?
plugins-express-mongo-sanitize	?
plugins-express-session	?
plugins-fastify	?
plugins-fetch	?
plugins-fs	?
plugins-generic-pool	?
plugins-google-cloud-pubsub	?
plugins-grpc	?
plugins-handlebars	?
plugins-hapi	?
plugins-hono	?
plugins-ioredis	?
plugins-jest	?
plugins-knex	?
plugins-langgraph	?
plugins-ldapjs	?
plugins-light-my-request	?
plugins-limitd-client	?
plugins-lodash	?
plugins-mariadb	?
plugins-memcached	?
plugins-microgateway-core	?
plugins-modelcontextprotocol-sdk	?
plugins-moleculer	?
plugins-mongodb	?
plugins-mongodb-core	?
plugins-mongoose	?
plugins-multer	?
plugins-mysql	?
plugins-nats	?
plugins-node-serialize	?
plugins-opensearch	?
plugins-passport-http	?
plugins-pino	?
plugins-postgres	?
plugins-process	?
plugins-pug	?
plugins-redis	?
plugins-router	?
plugins-sequelize	?
plugins-test-and-upstream-amqp10	?
plugins-test-and-upstream-amqplib	?
plugins-test-and-upstream-apollo	?
plugins-test-and-upstream-avsc	?
plugins-test-and-upstream-connect	?
plugins-test-and-upstream-graphql	?
plugins-test-and-upstream-koa	?
plugins-test-and-upstream-protobufjs	?
plugins-test-and-upstream-rhea	?
plugins-undici	?
plugins-url	?
plugins-valkey	?
plugins-vm	?
plugins-winston	?
plugins-ws	?
profiling-macos	?
profiling-ubuntu	?
profiling-windows	?
serverless-aws-sdk-latest-aws-sdk	?
serverless-aws-sdk-latest-bedrockruntime	?
serverless-aws-sdk-latest-client	?
serverless-aws-sdk-latest-dynamodb	?
serverless-aws-sdk-latest-eventbridge	?
serverless-aws-sdk-latest-kinesis	?
serverless-aws-sdk-latest-lambda	?
serverless-aws-sdk-latest-s3	?
serverless-aws-sdk-latest-serverless-peer-service	?
serverless-aws-sdk-latest-sns	?
serverless-aws-sdk-latest-sqs	?
serverless-aws-sdk-latest-stepfunctions	?
serverless-aws-sdk-latest-util	?
serverless-aws-sdk-oldest-aws-sdk	?
serverless-aws-sdk-oldest-bedrockruntime	?
serverless-aws-sdk-oldest-client	?
serverless-aws-sdk-oldest-dynamodb	?
serverless-aws-sdk-oldest-eventbridge	?
serverless-aws-sdk-oldest-kinesis	?
serverless-aws-sdk-oldest-lambda	?
serverless-aws-sdk-oldest-s3	?
serverless-aws-sdk-oldest-serverless-peer-service	?
serverless-aws-sdk-oldest-sns	?
serverless-aws-sdk-oldest-sqs	?
serverless-aws-sdk-oldest-stepfunctions	?
serverless-aws-sdk-oldest-util	?
serverless-azure-durable-functions	?
serverless-azure-functions-eventhubs	?
serverless-azure-functions-servicebus	?
serverless-lambda	?
test-optimization-cucumber-latest-7.0.0	?
test-optimization-cucumber-latest-latest	?
test-optimization-cucumber-oldest-7.0.0	?
test-optimization-cypress-latest-12.0.0-commonJS	?
test-optimization-cypress-latest-12.0.0-esm	?
test-optimization-cypress-latest-14.5.4-commonJS	?
test-optimization-cypress-latest-14.5.4-esm	?
test-optimization-cypress-latest-latest-commonJS	?
test-optimization-cypress-latest-latest-esm	?
test-optimization-cypress-oldest-12.0.0-commonJS	?
test-optimization-cypress-oldest-12.0.0-esm	?
test-optimization-cypress-oldest-14.5.4-commonJS	?
test-optimization-cypress-oldest-14.5.4-esm	42.20% <ø> (-7.03%)	⬇️
test-optimization-jest-latest-latest	?
test-optimization-jest-latest-oldest	?
test-optimization-jest-oldest-latest	?
test-optimization-jest-oldest-oldest	?
test-optimization-mocha-latest-latest	?
test-optimization-mocha-latest-oldest	?
test-optimization-mocha-oldest-latest	?
test-optimization-mocha-oldest-oldest	?
test-optimization-playwright-latest-latest-playwright-active-test-span	?
test-optimization-playwright-latest-latest-playwright-atr	?
test-optimization-playwright-latest-latest-playwright-efd	?
test-optimization-playwright-latest-latest-playwright-final-status	?
test-optimization-playwright-latest-latest-playwright-impacted-tests	?
test-optimization-playwright-latest-latest-playwright-reporting	?
test-optimization-playwright-latest-latest-playwright-test-management	?
test-optimization-playwright-latest-oldest-playwright-active-test-span	?
test-optimization-playwright-latest-oldest-playwright-atr	?
test-optimization-playwright-latest-oldest-playwright-efd	?
test-optimization-playwright-latest-oldest-playwright-final-status	?
test-optimization-playwright-latest-oldest-playwright-impacted-tests	?
test-optimization-playwright-latest-oldest-playwright-reporting	?
test-optimization-playwright-latest-oldest-playwright-test-management	?
test-optimization-playwright-oldest-latest-playwright-active-test-span	?
test-optimization-playwright-oldest-latest-playwright-atr	?
test-optimization-playwright-oldest-latest-playwright-efd	?
test-optimization-playwright-oldest-latest-playwright-final-status	?
test-optimization-playwright-oldest-latest-playwright-impacted-tests	?
test-optimization-playwright-oldest-latest-playwright-reporting	?
test-optimization-playwright-oldest-latest-playwright-test-management	?
test-optimization-playwright-oldest-oldest-playwright-active-test-span	?
test-optimization-playwright-oldest-oldest-playwright-atr	?
test-optimization-playwright-oldest-oldest-playwright-efd	?
test-optimization-playwright-oldest-oldest-playwright-final-status	?
test-optimization-playwright-oldest-oldest-playwright-impacted-tests	?
test-optimization-selenium-latest	?
test-optimization-selenium-oldest	?
test-optimization-testopt-active	?
test-optimization-testopt-latest	?
test-optimization-testopt-maintenance	?
test-optimization-testopt-oldest	?
test-optimization-vitest-latest	?
test-optimization-vitest-oldest	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.