Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation #5305

Open
wants to merge 8 commits into
base: main
Choose a base branch
from

Conversation

serkan-ozal
Copy link
Contributor

@serkan-ozal serkan-ozal commented Jan 8, 2025

Which problem is this PR solving?

I am one of the OTEL FAAS SIG members and working on reducing coldstart overhead of the OTEL Lambda Node.js layer.

During my analysis, I have noticed that semver package has some initialization overhead (~15 ms) and most of it is caused by the semver internal initialization here (You can see that there are many RegExp compiles there) .

So I have been looking for way to reduce it and I believe that getting rid of semver dependency and providing an internal and simpler semantic versioning check implementation makes more sense.

Short description of the changes

This PR removes semver package dependency and replaces its usages with internal semantic versioning implementation.

Some parts of the internal semver implenentation is borrowed from actual semver package code base.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • experimental/packages/opentelemetry-instrumentation/test/common/semver.test.ts

Checklist:

  • Followed the style guidelines of this project
  • Unit tests have been added
  • Documentation has been updated

@serkan-ozal serkan-ozal requested a review from a team as a code owner January 8, 2025 17:33
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from d683ca8 to 5a35b91 Compare January 8, 2025 17:56
Comment on lines +1 to +15
/*
* Copyright The OpenTelemetry Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the correct Licence notice? The original one from semver says you have to mention theirs as well.

The ISC License

Copyright (c) Isaac Z. Schlueter and Contributors

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Same for the other copied and modified files.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I am not very familiar these license stuff. Shoıld I just append semver License header to the OTEL header? Is there anything I should do?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately I don't know either. And a google search didn't give me an answer.
I just wanted to highlight that there is maybe something to do, to mitigate the risk of a license issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per https://github.com/open-telemetry/community/blob/main/guides/contributor/processes.md#copyright-notices

If you make substantial changes to the third-party code, prepend the contributed third party file with OpenTelemetry's copyright notice.

Here is an example:
https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/plugins/node/opentelemetry-instrumentation-aws-sdk/src/propwrap.ts

However, the same community repo link above also says:

Any contributed third-party code must originally be Apache 2.0-Licensed or must carry a permissive software license that is compatible when combining with Apache 2.0 License. At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible.

Unfortunately this is neither BSD or MIT.
ISC is an OSI approved license (https://opensource.org/license/isc-license-txt) and https://en.wikipedia.org/wiki/ISC_license suggests it is "It is functionally equivalent to the simplified BSD and MIT licenses, but without language deemed unnecessary following the Berne Convention."

Options I see:

  • Ask the OTel TC and/or GC for advice here on whether the ISC license could reasonably be added to that list of licenses "known to be compatible". @mx-psi Do you have any experience here with this kind of license question?
  • Publish this separate simple semver-satisfies as a separate package to npm and add a dependency on it. I don't know if you'd be willing to do that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm Just pinged @mx-psi in the CNCF Slack about this. Let's see whether this is problematic and if so, how we can handle it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, thanks for the ping. I'll preface this by saying that I am just stating my personal opinion and I am not giving legal advice nor representing the GC here.

AIUI this is not contributed code, but rather code you are using as a dependency of some sort. For that case, you can look into the CNCF third party license guidelines. ISC is listed there: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy as an "Approved [License] for Allowlist". If you are able to fulfill the rest of the criteria mentioned in that document (e.g. by "storing [the code] unmodified in a designated third-party folder") and checking that (3) is satisfied, then I think you should be good.

There's also some dependencies that are specifically approved (see here), I don't think this is one of them, but feel free to check it as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm As pointed here, I have added license headers and info for the imported codes.

Could you please check that.

Copy link

codecov bot commented Jan 8, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.58%. Comparing base (fc0edd8) to head (235efeb).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5305   +/-   ##
=======================================
  Coverage   94.58%   94.58%           
=======================================
  Files         318      318           
  Lines        8069     8069           
  Branches     1701     1701           
=======================================
  Hits         7632     7632           
  Misses        437      437           

Copy link
Contributor

@trentm trentm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm supportive of this.

  1. There is the license/copyright Q to sort out.
  2. I'd love to have some details on the semver.ts implementation to know if I should more closely review it.

Other comments are nits.

@@ -59,13 +59,11 @@
"@protobuf-ts/runtime-rpc": "2.9.4",
"@types/mocha": "10.0.10",
"@types/node": "18.6.5",
"@types/semver": "7.5.8",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you were doing this too. I noticed that some other packages had now-unused deps on semver and opened #5306
I should have read your patch first. :)

Copy link
Contributor Author

@serkan-ozal serkan-ozal Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, there were some unused semver deps and some of them are only used by tests and can easily be replaced.

* See the License for the specific language governing permissions and
* limitations under the License.
*/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As being discussed in a separate thread (on the test file), we will need to decide on the license/copyright.

Is this implementation significantly copied from node-semver?
That's relevant both for license/copyright and for helping review this. I'm not sure how carefully I should review this (it is a fair amount of code). Passing all the semver.satisfies tests is very nice.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm
The following methods have been copied with very minor modifications:

  • replaceTilde
  • replaceCaret
  • replaceXRange
  • replaceHyphen
  • regexp definitions used by them

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm

I have also another custom semver implementation (without any code part is imported from actual semver package, but some parts of it is a little bit hacky) and all semver.satisfies tests are also passing with it too. But the problem is that there are many specific rules by semver package and some of them are not explicitly mentioned in the README and hidden in their code.

So, even though semver.satisfies all tests are passing, I am not very confident about how my other custom semver implementation is compatible with actual semver package if there are cases which are not tested.

}
);
});
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

* See the License for the specific language governing permissions and
* limitations under the License.
*/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A comment that this is meant to mirror https://github.com/npm/node-semver/blob/main/test/functions/satisfies.js would be helpful.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from c1bd858 to 08168bc Compare January 9, 2025 08:33
@serkan-ozal serkan-ozal changed the title Replace semver package with internal semantic versioning check implementation feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation Jan 9, 2025
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from cae5bee to 7cb6dd7 Compare January 9, 2025 10:21
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch 3 times, most recently from 512d92b to 098d5cd Compare January 10, 2025 16:39
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from 098d5cd to 678edf6 Compare January 10, 2025 16:54
@serkan-ozal
Copy link
Contributor Author

Hi all, any update on this PR? Are we OK with the licensing question?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants