fix: align dependency versions

[llc1123]

Short description of the changes

Fixed several version mismatches of dependencies.

lerna WARN EHOIST_ROOT_VERSION The repository root depends on [email protected], which differs from the more common semver@^7.3.5.
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/instrumentation-http" package depends on semver@^7.3.5, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/shim-opencensus" package depends on semver@^7.3.5, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/sdk-trace-node" package depends on semver@^7.3.5, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/instrumentation" package depends on semver@^7.3.2, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on typescript@^4.5.2, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/opentelemetry-browser-detector" package depends on @types/[email protected], which differs from the hoisted @types/[email protected].
lerna WARN EHOIST_PKG_VERSION "backcompat-node14" package depends on @types/[email protected], which differs from the hoisted @types/[email protected].
lerna WARN EHOIST_PKG_VERSION "backcompat-node16" package depends on @types/[email protected], which differs from the hoisted @types/[email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/exporter-logs-otlp-http" package depends on [email protected], which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/sdk-logs" package depends on [email protected], which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on ts-loader@^9.2.6, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on webpack@^5.65.0, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on @babel/core@^7.6.0, which differs from the hoisted @babel/[email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on babel-loader@^8.0.6, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on webpack-cli@^4.10.0, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on webpack-dev-server@^4.5.0, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "web-opentelemetry-example" package depends on webpack-merge@^5.8.0, which differs from the hoisted [email protected].
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/instrumentation" package depends on require-in-the-middle@^7.1.0, which differs from the hoisted require-in-the-middle@^7.0.0.
lerna WARN EHOIST_PKG_VERSION "@opentelemetry/otlp-grpc-exporter-base" package depends on protobufjs@^7.2.2, which differs from the hoisted protobufjs@^7.1.2.

I will try to refactor web-opentelemetry-example and get rid of webpack@4 (which is incompatible with node 17+) in another PR.

Type of change

• Bug fix (non-breaking change which fixes an issue)

[codecov]

Codecov Report

Merging #3847 (e7aa2d0) into main (e8540c5) will decrease coverage by 1.16%.
The diff coverage is n/a.

❗ Current head e7aa2d0 differs from pull request most recent head 70a553d. Consider uploading reports for the commit 70a553d to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3847      +/-   ##
==========================================
- Coverage   92.49%   91.34%   -1.16%     
==========================================
  Files         222      120     -102     
  Lines        5610     2587    -3023     
  Branches     1077      543     -534     
==========================================
- Hits         5189     2363    -2826     
+ Misses        421      224     -197     

see 111 files with indirect coverage changes

[dyladan]

Did you intend to change the ^ dependencies to pinned versions?

[llc1123]

Yes, just like most packages.

[pichlermarc]

Looks good, thanks. I'm not entirely sure why some versions were not pinned in the first place 🤔

[Flarna]

At least in the past the strategy was to pin only dependencies from the same lerna project as these dependencies are automatically updated on each release.

On the other hand dev-dependencies were pinned to reduce the risk of autobreaking the build and we were not able to use lock files.

After this PR we seem to have some pinned deps (e.g. protobufjs, semver, require-in-the-middle) and some not pinned (e.g. @grpc/grpc-js).

Pinning likely results in duplication of packages for end users because renovate bot tends to fail in this repo and we are slow in updating. in special for bigger packages like @grpc/grpc-js or protobufjs this is usually not nice.

I think we need a reasoning/guideline regarding this.

[llc1123]

After this PR we seem to have some pinned deps (e.g. protobufjs, semver, require-in-the-middle) and some not pinned (e.g. @grpc/grpc-js).

You are right. I am not sure why some dependencies are pinned and others are not. But at least we should keep the versions of the same package the same. (we have [email protected] somewhere and semver@^7.3.5 elsewhere).

[pichlermarc]

At least in the past the strategy was to pin only dependencies from the same lerna project as these dependencies are automatically updated on each release.

On the other hand dev-dependencies were pinned to reduce the risk of autobreaking the build and we were not able to use lock files.

Ah, that makes sense.

After this PR we seem to have some pinned deps (e.g. protobufjs, semver, require-in-the-middle) and some not pinned (e.g. @grpc/grpc-js).

Pinning likely results in duplication of packages for end users because renovate bot tends to fail in this repo and we are slow in updating. in special for bigger packages like @grpc/grpc-js or protobufjs this is usually not nice.

I think we need a reasoning/guideline regarding this.

I agree, we should have a guideline for this, I'll look into drafting one up. I think it makes sense to unpin larger packages for the reason you stated.

After this PR we seem to have some pinned deps (e.g. protobufjs, semver, require-in-the-middle) and some not pinned (e.g. @grpc/grpc-js).

You are right. I am not sure why some dependencies are pinned and others are not. But at least we should keep the versions of the same package the same. (we have [email protected] somewhere and semver@^7.3.5 elsewhere).

Agreed. @llc1123 would you mind unpinning protobufjs, require-in-the-middle, @types/shimmer and shimmer again while keeping it at caret versions? Looking into it semver is pinned already in most packages in this repo so I think we can pin this one. This way we'd still align but keep most of what's unpinned still unpinned for now.

[pichlermarc]

It looks I made a mistake while searching for dependencies onsemver. Looks like it's actually unpinned for dependencies pretty much everywhere but only pinned in devDependencies, which is seems in-line with what Flarna mentioned.

Intuitively I'd say to

• keep semver dependencies unpinned
• pin semver devDependencies to latest and then see if the situation improves with the new renovate bot config (chore(renovate): improve PR grouping and add @pichlermarc to assignees #3868) that should allow us to merge dependency PRs quicker, which would get rid of the warning should it come back.

[llc1123]

I've updated the code. I unpinned all dependencies except ones in the lerna project.

[llc1123]

@Flarna What do you think of this version?