Bump the npm-minor-and-patch-updates group across 2 directories with 18 updates

[dependabot]

Bumps the npm-minor-and-patch-updates group with 18 updates in the / directory:

Package	From	To
@opentelemetry/auto-instrumentations-node	0.72.0	0.74.0
@opentelemetry/instrumentation-express	0.62.0	0.64.0
@opentelemetry/instrumentation-http	0.214.0	0.216.0
@opentelemetry/sdk-metrics	2.6.1	2.7.1
@opentelemetry/sdk-node	0.214.0	0.216.0
@opentelemetry/sdk-trace-node	2.6.1	2.7.1
ace-linters	2.1.2	2.1.4
dotenv	17.4.1	17.4.2
express-rate-limit	8.3.2	8.5.0
hmrc-frontend	7.7.0	7.12.0
mongoose	9.4.1	9.6.1
openai	6.33.0	6.36.0
@types/express-session	1.18.2	1.19.0
eslint	10.2.0	10.3.0
eslint-plugin-perfectionist	5.8.0	5.9.0
mongodb-memory-server	11.0.1	11.1.0
prettier	3.8.1	3.8.3
typescript-eslint	8.58.0	8.59.2

Bumps the npm-minor-and-patch-updates group with 3 updates in the /data/zip-download directory: express-rate-limit, hmrc-frontend and @types/express-session.

Updates @opentelemetry/auto-instrumentations-node from 0.72.0 to 0.74.0

Release notes

Sourced from @​opentelemetry/auto-instrumentations-node's releases.

auto-instrumentations-node: v0.74.0

0.74.0 (2026-04-29)

Features

• deps: update deps matching '@opentelemetry/*' (#3497) (a91133a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.67.0 to ^0.68.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.31.0 to ^0.32.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.32.0 to ^0.33.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-express bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.24.0 to ^0.25.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.68.0 to ^0.69.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-net bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.13.0 to ^0.14.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.40.0 to ^0.41.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.67.0 to ^0.68.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-router bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.28.0 to ^0.29.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.25.0 to ^0.26.0

... (truncated)

Changelog

Sourced from @​opentelemetry/auto-instrumentations-node's changelog.

0.74.0 (2026-04-29)

Features

• deps: update deps matching '@opentelemetry/*' (#3497) (a91133a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.67.0 to ^0.68.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.31.0 to ^0.32.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.32.0 to ^0.33.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-express bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.24.0 to ^0.25.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.58.0 to ^0.59.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.68.0 to ^0.69.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-net bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.13.0 to ^0.14.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.40.0 to ^0.41.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.67.0 to ^0.68.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-router bumped from ^0.59.0 to ^0.60.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.28.0 to ^0.29.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.25.0 to ^0.26.0
    • @​opentelemetry/instrumentation-winston bumped from ^0.59.0 to ^0.60.0

... (truncated)

Commits

• 03ed3a3 chore: release main (#3481)
• a91133a feat(deps): update deps matching '@opentelemetry/*' (#3497)
• bd017c8 chore: release main (#3451)
• 8891261 feat(deps): update deps matching '@opentelemetry/*' (#3479)
• 36a030c chore: switch to short license header (#3476)
• See full diff in compare view

Updates @opentelemetry/instrumentation-express from 0.62.0 to 0.64.0

Release notes

Sourced from @​opentelemetry/instrumentation-express's releases.

instrumentation-redis: v0.64.0

0.64.0 (2026-04-29)

Features

• deps: update deps matching '@opentelemetry/*' (#3497) (a91133a)

Dependencies

• The following workspace dependencies were updated
  • devDependencies
    • @​opentelemetry/contrib-test-utils bumped from ^0.62.0 to ^0.63.0

Changelog

Sourced from @​opentelemetry/instrumentation-express's changelog.

0.64.0 (2026-04-29)

Features

• deps: update deps matching '@opentelemetry/*' (#3497) (a91133a)

Dependencies

• The following workspace dependencies were updated
  • devDependencies
    • @​opentelemetry/contrib-test-utils bumped from ^0.62.0 to ^0.63.0

0.63.0 (2026-04-17)

Features

• deps: update deps matching '@opentelemetry/*' (#3479) (8891261)

Bug Fixes

• instrumentation-express: end span on close event rather than finish (#3462) (fb1f127)

Dependencies

• The following workspace dependencies were updated
  • devDependencies
    • @​opentelemetry/contrib-test-utils bumped from ^0.61.0 to ^0.62.0

Commits

• c7f4e6c chore: release main (#3107)
• 13c58e9 fix: force new release-please PR (#3098)
• 0994142 chore: release main (#3091)
• 4e49448 chore: lint CHANGELOG.md files a little more loosely (#3086)
• 53e7669 chore: add missing coverage flags (#3042)
• f54a1ba chore: release main (#3033)
• bee0a66 feat(deps): update deps matching '@opentelemetry/*' (#3034)
• 0a45ac1 chore: release main (#3011)
• fd9e262 feat(deps): update otel deps (#3027)
• See full diff in compare view

Updates @opentelemetry/instrumentation-http from 0.214.0 to 0.216.0

Release notes

Sourced from @​opentelemetry/instrumentation-http's releases.

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

experimental/v0.215.0

0.215.0

💥 Breaking Changes

• feat(sdk-logs)!: add required forceFlush() to LogRecordExporter interface #6356 @​pichlermarc
  • (user-facing): LogRecordExporter interface now requires a forceFlush() method to be implemented. Custom exporters will need to implement this method to continue working with the Logs SDK.
• feat(api-logs, sdk-logs)!: add Logger#enabled() #6371 @​david-luna

🚀 Features

• feat(otlp-transformer): add custom protobuf logs serializer #6228 @​pichlermarc
• feat(otlp-transformer): add custom protobuf logs export response deserializer #6530 @​pichlermarc

🐛 Bug Fixes

• fix(instrumentation-fetch): preserve init overrides when input is a Request object #6421 @​akandic47
• fix(otlp-exporter-base): limit Node.js HTTP transport response body to 4 MiB #6552 @​kartikgola
• fix(instrumentation-fetch): avoid unwrapping fetch API when disabling #6575 @​david-luna
• fix(web-common): add check for possible unsafe json parse #6589 @​maryliag
• fix(otlp-transformer): add check for possible unsafe json parse #6588 @​maryliag

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-metrics from 2.6.1 to 2.7.1

Release notes

Sourced from @​opentelemetry/sdk-metrics's releases.

v2.7.1

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

v2.7.0

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance

Changelog

Sourced from @​opentelemetry/sdk-metrics's changelog.

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-node from 0.214.0 to 0.216.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

experimental/v0.215.0

0.215.0

💥 Breaking Changes

• feat(sdk-logs)!: add required forceFlush() to LogRecordExporter interface #6356 @​pichlermarc
  • (user-facing): LogRecordExporter interface now requires a forceFlush() method to be implemented. Custom exporters will need to implement this method to continue working with the Logs SDK.
• feat(api-logs, sdk-logs)!: add Logger#enabled() #6371 @​david-luna

🚀 Features

• feat(otlp-transformer): add custom protobuf logs serializer #6228 @​pichlermarc
• feat(otlp-transformer): add custom protobuf logs export response deserializer #6530 @​pichlermarc

🐛 Bug Fixes

• fix(instrumentation-fetch): preserve init overrides when input is a Request object #6421 @​akandic47
• fix(otlp-exporter-base): limit Node.js HTTP transport response body to 4 MiB #6552 @​kartikgola
• fix(instrumentation-fetch): avoid unwrapping fetch API when disabling #6575 @​david-luna
• fix(web-common): add check for possible unsafe json parse #6589 @​maryliag
• fix(otlp-transformer): add check for possible unsafe json parse #6588 @​maryliag

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-trace-node from 2.6.1 to 2.7.1

Release notes

Sourced from @​opentelemetry/sdk-trace-node's releases.

v2.7.1

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

v2.7.0

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance

Changelog

Sourced from @​opentelemetry/sdk-trace-node's changelog.

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad

2.7.0

🚀 Features

• feat(sdk-logs): implement log creation metrics #6433 @​anuraaga
• feat(sdk-metrics): add the cardinalitySelector argument to PeriodicExportingMetricReaders #6460 @​starzlocker
• feat(opentelemetry-core): add extra checks on internal merge function for safety #6587 @​maryliag

🐛 Bug Fixes

• fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

🏠 Internal

• test(exporter-zipkin): fix broken browser test assertions and add missing coverage #6566 @​overbalance
• fix(sdk-metrics): repair ExponentialHistogram tests #6565 @​overbalance
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates ace-linters from 2.1.2 to 2.1.4

Commits

• See full diff in compare view

Updates dotenv from 17.4.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates express-rate-limit from 8.3.2 to 8.5.0

Release notes

Sourced from express-rate-limit's releases.

v8.5.0

You can view the changelog here.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

Commits

• 807e383 8.5.0
• b844137 v8.5.0 changelog
• ceaffab feat: async store init (#621)
• 69568d4 8.4.1
• c686acd v8.4.1 changelog
• ba71353 test: bump timeout in flakey skipFailedRequests test (#618)
• dd4c894 feat: allow usage of custom logger (#616)
• 2bb343c resolve Jest timeout for server-based tests (#617)
• See full diff in compare view

Updates hmrc-frontend from 7.7.0 to 7.12.0

Release notes

Sourced from hmrc-frontend's releases.

7.12.0

Release : hmrc-frontend 7.12.0

Last commit sha : 0a4fbc6ef1110cc4cb2ce49e17d3e59d61d62558 Last commit author : TimothyFothergill Last commit time : 2026-04-27T08:32:09Z

NOJIRA npm audit fix, update exclusions (#538)

7.11.0

Release : hmrc-frontend 7.11.0

Last commit sha : b7e9228e0ae27789e58bed9e0dc87aa3b0a31143 Last commit author : Joanna Pinto Paul Last commit time : 2026-04-21T08:17:37Z

NOJIRA: Updated npm audit exclusions (#537)

7.10.0

Release : hmrc-frontend 7.10.0

Last commit sha : b4dbda1d245cbe5076dbccceb29cc791e8381615 Last commit author : Timothy Bryan Last commit time : 2026-04-20T09:39:47Z

Updated user research banner heading content (#536)

• updated research banner content

• updating backstop images and new version info

7.9.0

Release : hmrc-frontend 7.9.0

Last commit sha : 5ce26a071a6f94cf6adf80ffcaf0fffc7eb7c906 Last commit author : TimothyFothergill Last commit time : 2026-04-13T14:17:15Z

Nojira npm audit fix and nsprc changes (#535)

NOJIRA audit fixes

7.8.0

Release : hmrc-frontend 7.8.0

... (truncated)

Changelog

Sourced from hmrc-frontend's changelog.

[7.12.0] - 2026-04-27

Changed

• Updated npm audit exclusions

[7.11.0] - 2026-04-20

Changed

• Updated npm audit exclusions

[7.10.0] - 2026-04-20

Changed

• Updated the content of the User Research Banner

[7.9.0] - 2026-04-13

Changed

• Updated npm audit exclusions

[7.8.0] - 2026-04-07

Changed

• Updated npm audit exclusions

Commits

• 0a4fbc6 NOJIRA npm audit fix, update exclusions (#538)
• b7e9228 NOJIRA: Updated npm audit exclusions (#537)
• b4dbda1 Updated user research banner heading content (#536)
• 5ce26a0 Nojira npm audit fix and nsprc changes (#535)
• 7ae7e18 NOJIRA: Updated npm audit exclusions (#534)
• See full diff in compare view

Updates mongoose from 9.4.1 to 9.6.1

Release notes

Sourced from mongoose's releases.

9.6.1 / 2026-04-29

• types(objectid): fix _id getter helper on ObjectId #16251 noseworthy

9.6.0 / 2026-04-28

• feat: upgrade mongodb node driver to 7.2 #16245
• feat(schematype): support allowNull option to disallow null values even if not required #16237 #15905
• types(query): make QueryFilter respect string unions and enums #16242 #16240
• types: export Projector and ArrayProjectionOperators #16243 #16235

9.5.0 / 2026-04-20

• feat(debug): add timestamp option to debug output #16216 rejunp
<...

Description has been truncated