Skip to content

Bump the nuget group with 1 update#497

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/e2e/dotnet4/cs/nuget-0419fd176c
Open

Bump the nuget group with 1 update#497
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/e2e/dotnet4/cs/nuget-0419fd176c

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026
edited by cursor Bot
Loading

Updated OpenTelemetry.Api from 1.11.2 to 1.15.3.

Release notes

Sourced from OpenTelemetry.Api's releases.

1.15.3

For highlights and announcements pertaining to this release see: Release Notes > 1.15.3.

The following changes are from the previous release 1.15.2.

  • NuGet: OpenTelemetry v1.15.3

    • Fix resource leak in batch and periodic exporting task workers for Blazor/WASM.
      (#​7069)

    • Fixed LogRecord.LogLevel to preserve LogLevel.None and handle
      unspecified or out-of-range severities without returning invalid enum values.
      (#​7092)

    • Fixed OTEL_TRACES_SAMPLER_ARG handling to treat out-of-range, NaN, and
      infinite values as invalid and fall back to the default ratio when using
      traceidratio and parentbased_traceidratio samplers.
      (#​7103)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.15.3

    • Fix baggage and trace headers not respecting the maximum length in some cases.
      (#​7061)

    • Improve efficiency of parsing of baggage and B3 propagation headers.
      (#​7061)

    • Breaking change: Fixed tracestate parsing to reject keys that do not
      begin with a lowercase letter, including keys beginning with digits, to
      align with the W3C Trace Context specification.
      (#​7065)

    • Fixed BaggagePropagator to trim optional whitespace (OWS) around =
      separators when parsing the baggage header, as required by the
      W3C Baggage specification.
      (#​7009)

    • Fixed BaggagePropagator to strip baggage properties (e.g. ;metadata)
      from values when parsing the baggage header.
      (#​7009)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api.ProviderBuilderExtensions v1.15.3

    No notable changes.

    See CHANGELOG for details.

... (truncated)

1.15.3-beta.1

The following changes are from the previous release 1.15.2-beta.1.

1.15.2

For highlights and announcements pertaining to this release see: Release Notes > 1.15.2.

The following changes are from the previous release 1.15.1.

... (truncated)

1.15.2-beta.1

The following changes are from the previous release 1.15.1-beta.1.

1.15.1

For highlights and announcements pertaining to this release see: Release Notes > 1.15.1.

The following changes are from the previous release 1.15.0.

... (truncated)

1.15.1-beta.1

The following changes are from the previous release 1.15.0-beta.1.

1.15.0

For highlights and announcements pertaining to this release see: Release Notes > 1.15.0.

The following changes are from the previous release 1.14.0.

  • NuGet: OpenTelemetry v1.15.0

    • Added support for the OTEL_SDK_DISABLED environment variable in TracerProvider,
      MeterProvider, and LoggerProvider. When OTEL_SDK_DISABLED=true,
      the SDK returns no-op implementations for all telemetry signals.
      The OTEL_SDK_DISABLED environment variable is only evaluated upon application
      startup, later changes have no effect.
      (#​6568)

    • Added LowMemory temporality as an option in the OTLP metrics exporter.
      (#​6648)

    • Added support for Meter.TelemetrySchemaUrl property.
      (#​6714)

    • Improve performance and reduce memory consumption for metrics histograms.
      (#​6715)

    • Decode value in OTEL_RESOURCE_ATTRIBUTES environment variable.
      (#​6737)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.15.0

    • Added a new overload for TracerProvider.GetTracer which accepts an optional
      string? schemaUrl parameter, allowing a schema URL to be set on the Tracer.
      (#​6736)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api.ProviderBuilderExtensions v1.15.0

    No notable changes.

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Exporter.Console v1.15.0

    • Added support for ActivitySource.TelemetrySchemaUrl property.
      (#​6713)

    • Added support for Meter.TelemetrySchemaUrl property.
      (#​6714)

    See CHANGELOG for details.
    ... (truncated)

1.15.0-beta.1

The following changes are from the previous release 1.14.0-beta.1.

1.14.0

For highlights and announcements pertaining to this release see: Release Notes > 1.14.0.

The following changes are from the previous release 1.14.0-rc.1.

  • NuGet: OpenTelemetry v1.14.0

    • Breaking Change NuGet packages now use the Sigstore bundle format
      (.sigstore.json) for digital signatures instead of separate signature
      (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
      for verification. See the Digital signing
      section       for updated verification instructions.
      (#​6623)

    • Update to stable versions for .NET 10.0 NuGet packages.
      (#​6667)

    • Update Microsoft.Extensions.* dependencies to 10.0.0 for .NET Framework
      and .NET Standard.
      (#​6667)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.14.0

    • Breaking Change NuGet packages now use the Sigstore bundle format
      (.sigstore.json) for digital signatures instead of separate signature
      (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
      for verification. See the Digital signing
      section       for updated verification instructions.
      (#​6623)

    • Update System.Diagnostics.DiagnosticSource dependency to 10.0.0
      for all target frameworks.
      (#​6667)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api.ProviderBuilderExtensions v1.14.0

    • Breaking Change NuGet packages now use the Sigstore bundle format
      (.sigstore.json) for digital signatures instead of separate signature
      (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
      for verification. See the Digital signing
      section       for updated verification instructions.
      (#​6623)

    • Update to stable versions for .NET 10.0 NuGet packages.
      (#​6667)

    • Update Microsoft.Extensions.* dependencies to 10.0.0 for .NET Framework
      ... (truncated)

1.14.0-rc.1

The following changes are from the previous release 1.13.1.

... (truncated)

1.14.0-beta.1

The following changes are from the previous release 1.13.1-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.14.0-beta.1

    • Breaking Change When targeting net8.0, the package now depends on version
      8.0.0 of the Microsoft.Extensions.DependencyInjection.Abstractions,
      Microsoft.Extensions.Diagnostics.Abstractions and
      Microsoft.Extensions.Logging.Configuration NuGet packages.
      (#​6327)

    • Add support for .NET 10.0.
      (#​6307)

    • Added the possibility to disable timestamps via the PrometheusAspNetCoreOptions.
      (#​6600)

    • Breaking Change NuGet packages now use the Sigstore bundle format
      (.sigstore.json) for digital signatures instead of separate signature
      (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
      for verification. See the Digital signing
      section       for updated verification instructions.
      (#​6623)

    • Updated OpenTelemetry core component version(s) to 1.14.0.
      (#​6689)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Exporter.Prometheus.HttpListener v1.14.0-beta.1

    • Breaking Change When targeting net8.0, the package now depends on version
      8.0.0 of the Microsoft.Extensions.DependencyInjection.Abstractions,
      Microsoft.Extensions.Diagnostics.Abstractions and
      Microsoft.Extensions.Logging.Configuration NuGet packages.
      (#​6327)

    • Add support for .NET 10.0.
      (#​6307)

    • Added the possibility to disable timestamps via the PrometheusHttpListenerOptions.
      (#​6600)

    • Breaking Change NuGet packages now use the Sigstore bundle format
      (.sigstore.json) for digital signatures instead of separate signature
      (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
      for verification. See the Digital signing
      section       for updated verification instructions.
      (#​6623)

    • Updated OpenTelemetry core component version(s) to 1.14.0.
      ... (truncated)

1.13.1

For highlights and announcements pertaining to this release see: Release Notes > 1.13.1.

The following changes are from the previous release 1.13.0.

... (truncated)

1.13.1-beta.1

The following changes are from the previous release 1.13.0-beta.1.

1.13.0

For highlights and announcements pertaining to this release see: Release Notes > 1.13.0.

The following changes are from the previous release 1.12.0.

  • NuGet: OpenTelemetry v1.13.0

    • Added a verification to ensure that a MetricReader can only be registered
      to a single MeterProvider, as required by the OpenTelemetry specification.
      (#​6458)

    • Added FormatMessage configuration option to self-diagnostics feature. When
      set to true (default is false), log messages will be formatted by replacing
      placeholders with actual parameter values for improved readability.

      Example OTEL_DIAGNOSTICS.json:

      {
    "LogDirectory": ".",
    "FileSize": 32768,
    "LogLevel": "Warning",
    "FormatMessage": true
}

    • Fixed parsing of OTEL_TRACES_SAMPLER_ARG decimal values to always use .
      as the delimiter when using the traceidratio sampler, preventing
      locale-specific parsing issues.
      (#​6444)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.13.0

    • Added AddLink(SpanContext, SpanAttributes?) to TelemetrySpan to support
      linking spans and associating optional attributes for advanced trace relationships.
      (#​6305)

    • Experimental (only in pre-release versions): Added the EventName property
      to LogRecordData
      (#​6306)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api.ProviderBuilderExtensions v1.13.0

    No notable changes.

    See CHANGELOG for details.

... (truncated)

1.13.0-beta.1

The following changes are from the previous release 1.12.0-beta.1.

1.12.0

For highlights and announcements pertaining to this release see: Release Notes > 1.12.0.

The following changes are from the previous release 1.11.2.

1.12.0-beta.1

The following changes are from the previous release 1.11.2-beta.1.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Dependency-only update, but it changes OpenTelemetry API behavior and related assembly binding redirects, which could affect trace/baggage header parsing and runtime assembly resolution in the .NET Framework e2e app.

Overview
Updates the .NET Framework 4.x projects to use OpenTelemetry.Api 1.15.3 (from 1.11.2), including updating NuGet/package references and adding a Web.config bindingRedirect for OpenTelemetry.Api.

Also refreshes supporting assembly references/redirects for the e2e MVC app: bumps System.Diagnostics.DiagnosticSource (to 10.0.7) and several System.* dependency versions, and adjusts bindingRedirect ranges (including Newtonsoft.Json to 13.0.0.0).

Reviewed by Cursor Bugbot for commit d611888. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot
Bump the nuget group with 1 update
d611888 
Bumps OpenTelemetry.Api from 1.11.2 to 1.15.3

---
updated-dependencies:
- dependency-name: OpenTelemetry.Api
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
- dependency-name: OpenTelemetry.Api
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Apr 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 23, 2026 21:46
cursor[bot]
cursor Bot reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit d611888. Configure here.

Comment thread e2e/dotnet4/cs/Web.config
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="OpenTelemetry.Api" publicKeyToken="7bd6737fe5b67e3c" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0" />
Copy link
Copy Markdown

@cursor cursor Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing binding redirects for bumped assembly versions

High Severity

The System.Diagnostics.DiagnosticSource package was bumped from 9.0.0 (assembly version 9.0.0.0) to 10.0.7 (assembly version 10.0.0.7), but no binding redirect was added to Web.config. The unchanged OpenTelemetry 1.11.2 package was compiled against assembly version 9.0.0.0. Without a binding redirect mapping 0.0.0.0-10.0.0.7 to 10.0.0.7, the CLR will throw a FileLoadException at runtime. The same issue applies to System.Buffers, System.Memory, System.Numerics.Vectors, and System.Runtime.CompilerServices.Unsafe, all of which were bumped to new assembly versions without corresponding redirects. This project has no AutoGenerateBindingRedirects so redirects must be manually maintained.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit d611888. Configure here.

Comment thread sdk/highlight-dotnet4/Highlight.ASP4.csproj
</PackageReference>
<PackageReference Include="OpenTelemetry.Api">
<Version>1.11.2</Version>
<Version>1.15.3</Version>
Copy link
Copy Markdown

@cursor cursor Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial OpenTelemetry version bump creates package skew

Medium Severity

OpenTelemetry.Api is bumped to 1.15.3 while OpenTelemetry, OpenTelemetry.Api.ProviderBuilderExtensions, OpenTelemetry.Exporter.OpenTelemetryProtocol, and OpenTelemetry.Extensions.Hosting all remain at 1.11.2. This version skew means the API assembly was built against System.Diagnostics.DiagnosticSource 10.x while the SDK and other packages were built against 9.x. The shipped app.config still has a stale binding redirect for System.Diagnostics.DiagnosticSource targeting version 8.0.0.1, which won't cover the version range actually needed. Consumers of this NuGet package on .NET Framework may encounter FileLoadException at runtime.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit d611888. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants