Skip to content

Bump spdlog to 1.15.3#4852

Merged
Kielek merged 8 commits intoopen-telemetry:mainfrom
Kielek:spdlog-1.15.2
Feb 19, 2026
Merged

Bump spdlog to 1.15.3#4852
Kielek merged 8 commits intoopen-telemetry:mainfrom
Kielek:spdlog-1.15.2

Conversation

@Kielek
Copy link
Member

@Kielek Kielek commented Feb 16, 2026

Why

https://nvd.nist.gov/vuln/detail/CVE-2025-6140

What

Bump spdlog to 1.15.3
utf-8 support needs to be enabled on Windows.

Further updates (1.16.0/1.17.0) leads to

     ROOT\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation.Native\lib\spdlog\include\spdlog\fmt\bundled\format.h(2525,32): warning C4244: 'argument': conversion from 'unsigned __int64' to 'size_t', possible loss of data [C:\dev\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation.Native\OpenTelemetry.AutoInstrumentation.Native.vcxproj]

Tests

CI

Checklist

  • [ ] CHANGELOG.md is updated.
  • Documentation is updated.
  • New features are covered by tests.

@Kielek Kielek requested a review from a team as a code owner February 16, 2026 13:23
@Kielek
Copy link
Member Author

Kielek commented Feb 16, 2026

validate-documentation should be fixed by #4851

Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request upgrades spdlog from version 1.14.1 to 1.15.3 to address CVE-2025-6140 (a security vulnerability). The upgrade includes enabling UTF-8 support on Windows by adding the /utf-8 compiler flag to all build configurations. The PR does not upgrade to versions 1.16.0 or 1.17.0 due to compilation warnings.

Changes:

  • Updated spdlog version from 1.14.1 to 1.15.3
  • Added /utf-8 compiler flag to all Windows build configurations (Debug/Release, x86/x64) for both static library and DLL projects, as well as test projects
  • Updated bundled fmt library to match spdlog 1.15.3 requirements

Reviewed changes

Copilot reviewed 53 out of 56 changed files in this pull request and generated no comments.

Show a summary per file
File Description
docs/internal/native-dependencies.md Updated documentation to reflect spdlog version 1.15.3
src/OpenTelemetry.AutoInstrumentation.Native/lib/spdlog/include/spdlog/version.h Bumped version constants to 1.15.3
src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.vcxproj Added /utf-8 compiler flag to all build configurations for static library
src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.DLL.vcxproj Added /utf-8 compiler flag to all build configurations for DLL
test/OpenTelemetry.AutoInstrumentation.Native.Tests/OpenTelemetry.AutoInstrumentation.Native.Tests.vcxproj Added /utf-8 compiler flag to all build configurations for tests
src/OpenTelemetry.AutoInstrumentation.Native/lib/spdlog/include/spdlog/* Updated spdlog library headers to version 1.15.3 including async logger flush behavior, registry API, and OS utilities
src/OpenTelemetry.AutoInstrumentation.Native/lib/spdlog/include/spdlog/fmt/bundled/* Updated bundled fmt library to match spdlog 1.15.3 requirements

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Kielek Kielek enabled auto-merge (squash) February 19, 2026 07:19
@Kielek Kielek merged commit 9698779 into open-telemetry:main Feb 19, 2026
51 checks passed
@Kielek Kielek deleted the spdlog-1.15.2 branch February 19, 2026 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants

Comments