feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation #5305
base: main
Conversation
d683ca8 to 5a35b91
/* | ||
* Copyright The OpenTelemetry Authors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ |
Is this the correct Licence notice? The original one from semver says you have to mention theirs as well.
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Same for the other copied and modified files.
Hmm, I am not very familiar with this license stuff. Should I just append the semver license header to the OTEL header? Is there anything I should do?
Unfortunately I don't know either. And a google search didn't give me an answer.
I just wanted to highlight that there is maybe something to do, to mitigate the risk of a license issue.
If you make substantial changes to the third-party code, prepend the contributed third party file with OpenTelemetry's copyright notice.
Here is an example:
https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/plugins/node/opentelemetry-instrumentation-aws-sdk/src/propwrap.ts
However, the same community repo link above also says:
Any contributed third-party code must originally be Apache 2.0-Licensed or must carry a permissive software license that is compatible when combining with Apache 2.0 License. At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible.
Unfortunately this is neither BSD nor MIT.
ISC is an OSI approved license (https://opensource.org/license/isc-license-txt) and https://en.wikipedia.org/wiki/ISC_license says that "It is functionally equivalent to the simplified BSD and MIT licenses, but without language deemed unnecessary following the Berne Convention."
Options I see:
- Ask the OTel TC and/or GC for advice here on whether the ISC license could reasonably be added to that list of licenses "known to be compatible". @mx-psi Do you have any experience here with this kind of license question?
- Publish this separate simple semver-satisfies as a separate package to npm and add a dependency on it. I don't know if you'd be willing to do that.
Hey, thanks for the ping. I'll preface this by saying that I am just stating my personal opinion and I am not giving legal advice nor representing the GC here.
AIUI this is not contributed code, but rather code you are using as a dependency of some sort. For that case, you can look into the CNCF third party license guidelines. ISC is listed there: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy as an "Approved [License] for Allowlist". If you are able to fulfill the rest of the criteria mentioned in that document (e.g. by "storing [the code] unmodified in a designated third-party folder") and checking that (3) is satisfied, then I think you should be good.
There's also some dependencies that are specifically approved (see here), I don't think this is one of them, but feel free to check it as well.
Codecov Report: All modified and coverable lines are covered by tests ✅
Coverage Diff (main vs #5305):
            main     #5305    +/-
Coverage    94.58%   94.58%
Files       318      318
Lines       8069     8069
Branches    1701     1701
Hits        7632     7632
Misses      437      437
I'm supportive of this.
- There is the license/copyright Q to sort out.
- I'd love to have some details on the semver.ts implementation to know if I should more closely review it.
Other comments are nits.
@@ -59,13 +59,11 @@ | |||
"@protobuf-ts/runtime-rpc": "2.9.4", | |||
"@types/mocha": "10.0.10", | |||
"@types/node": "18.6.5", | |||
"@types/semver": "7.5.8", |
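Review bot: the hunk header (-59,13 +59,11) says two lines are dropped from this devDependencies block, but only the "@types/semver": "7.5.8" removal is visible here; confirm the runtime semver entry is removed in the same hunk and that the lockfile is regenerated alongside it, otherwise the package keeps resolving and installing a dependency it no longer imports and the cold-start saving the description targets is not realised.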
Ah, you were doing this too. I noticed that some other packages had now-unused deps on semver and opened #5306
I should have read your patch first. :)
Yep, there were some unused semver deps and some of them are only used by tests and can easily be replaced.
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
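Review bot: this file header carries only the Apache notice, yet replaceTilde, replaceCaret, replaceXRange, replaceHyphen and the regexp definitions they use are stated below to be copied from node-semver, whose ISC licence (quoted earlier in the thread) requires that its copyright and permission notice appear in all copies; add the ISC notice beneath the Apache header with a pointer to the node-semver source file, or keep the copied part unmodified in a designated third-party folder as the CNCF allowlist policy linked in the thread describes, so that the licensing question does not block the review of the implementation itself.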
As being discussed in a separate thread (on the test file), we will need to decide on the license/copyright.
Is this implementation significantly copied from node-semver?
That's relevant both for license/copyright and for helping review this. I'm not sure how carefully I should review this (it is a fair amount of code). Passing all the semver.satisfies tests is very nice.
@trentm The following methods have been copied with very minor modifications:
- replaceTilde
- replaceCaret
- replaceXRange
- replaceHyphen
- regexp definitions used by them
I also have another custom semver implementation (without any code imported from the actual semver package, but some parts of it are a little bit hacky) and all semver.satisfies tests are passing with it too. But the problem is that there are many specific rules in the semver package and some of them are not explicitly mentioned in the README and are hidden in their code. So, even though all semver.satisfies tests are passing, I am not very confident about how compatible my other custom semver implementation is with the actual semver package if there are cases which are not tested.
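As an added illustration of the desugaring strategy the thread refers to (replaceTilde/replaceCaret/replaceXRange/replaceHyphen), here is a small TypeScript `satisfies` that is neither the PR's semver.ts nor node-semver's code; the function names parseVer, parts, desugar, hyphen, holds and satisfies are my own, and it assumes no prerelease tags and that explicit operators are followed by a full x.y.z version.

```typescript
// Added example (not the PR's semver.ts, not node-semver): desugar tilde, caret, x-range and hyphen
// ranges into >=/< comparators, as node-semver's replace* helpers do, then evaluate them.
// Assumptions: no prerelease tags; explicit operators (>=, <, ...) are followed by a full x.y.z.
type Ver = [number, number, number];
function parseVer(s: string): Ver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`invalid version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function parts(s: string): (number | undefined)[] {             // x, * and absent parts -> undefined
  return s.replace(/^v/, '').split('.').map(p => (/^\d+$/.test(p) ? Number(p) : undefined));
}
// One token ("^1.2", "~1.2.3", "1.x", ">=1.0.0") -> list of "op M.m.p" comparator strings.
function desugar(tok: string): string[] {
  const m = /^(\^|~|>=|<=|>|<|=)?(.*)$/.exec(tok)!, op = m[1] ?? '', [M, mn, p] = parts(m[2]);
  if (M === undefined) return [];                                 // "*", "x" or "": matches anything
  const lo = `>=${M}.${mn ?? 0}.${p ?? 0}`;
  if (op === '^') {                                               // caret: leftmost non-zero part is fixed
    if (M > 0 || mn === undefined) return [lo, `<${M + 1}.0.0`];
    if (mn > 0 || p === undefined) return [lo, `<0.${mn + 1}.0`];
    return [lo, `<0.0.${p + 1}`];
  }
  if (op === '~' || op === '') {                                  // tilde, or x-range / partial version
    if (mn === undefined) return [lo, `<${M + 1}.0.0`];
    if (op === '~' || p === undefined) return [lo, `<${M}.${mn + 1}.0`];
    return [`=${M}.${mn}.${p}`];
  }
  if (mn === undefined || p === undefined) throw new Error(`unsupported range: ${tok}`);
  return [`${op}${M}.${mn}.${p}`];
}
// "1.2.3 - 2.3" -> ">=1.2.3 <2.4.0": an absent part in the upper version widens the bound.
function hyphen(from: string, to: string): string[] {
  const [a, b, c] = parts(from), [M, mn, p] = parts(to), lo = `>=${a ?? 0}.${b ?? 0}.${c ?? 0}`;
  if (M === undefined) return [lo];
  if (mn === undefined) return [lo, `<${M + 1}.0.0`];
  return p === undefined ? [lo, `<${M}.${mn + 1}.0`] : [lo, `<=${M}.${mn}.${p}`];
}
function holds(comp: string, v: Ver): boolean {                  // does v satisfy one comparator?
  const m = /^(>=|<=|>|<|=)(.*)$/.exec(comp)!, w = parseVer(m[2]);
  const c = v[0] - w[0] || v[1] - w[1] || v[2] - w[2];           // <0, 0 or >0, like compare()
  const r: Record<string, boolean> = { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 };
  return r[m[1]];
}
// A range is alternatives joined by "||"; each alternative is a whitespace-separated comparator set.
function satisfies(version: string, range: string): boolean {
  const v = parseVer(version);
  return range.split('||').some(alt =>
    alt.replace(/(\S+)\s+-\s+(\S+)/g, (_, a, b) => hyphen(a, b).join(' '))
      .trim().split(/\s+/).map(desugar).every(cs => cs.every(c => holds(c, v))));
}
```

Because node-semver applies rules its README does not spell out (prerelease handling is the obvious one this sketch omits), a port like this should be checked against node-semver's own satisfies test file rather than against hand-picked cases.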
experimental/packages/opentelemetry-instrumentation/src/types.ts: outdated comment thread, resolved
} | ||
); | ||
}); | ||
}); |
Should these tests also be covered: https://github.com/npm/node-semver/blob/main/test/functions/satisfies.js#L17-L28 ?
done
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
A comment that this is meant to mirror https://github.com/npm/node-semver/blob/main/test/functions/satisfies.js would be helpful.
done
c1bd858 to 08168bc
cae5bee to 7cb6dd7
512d92b to 098d5cd
Co-authored-by: Trent Mick <[email protected]>
098d5cd to 678edf6
… in CNCF repos This came up in open-telemetry/opentelemetry-js#5305 Refs: open-telemetry#2504
Hi all, any update on this PR? Are we OK with the licensing question?
Which problem is this PR solving?
I am one of the OTEL FAAS SIG members and working on reducing coldstart overhead of the OTEL Lambda Node.js layer.
During my analysis, I have noticed that the semver package has some initialization overhead (~15 ms) and most of it is caused by the semver internal initialization here (you can see that there are many RegExp compiles there). So I have been looking for a way to reduce it and I believe that getting rid of the semver dependency and providing an internal and simpler semantic versioning check implementation makes more sense.
Short description of the changes
This PR removes the semver package dependency and replaces its usages with an internal semantic versioning implementation. Some parts of the internal semver implementation are borrowed from the actual semver package code base.
How Has This Been Tested?
experimental/packages/opentelemetry-instrumentation/test/common/semver.test.ts