Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation #5305

Open
wants to merge 20 commits into
base: main
Choose a base branch
from

Conversation

serkan-ozal
Copy link
Contributor

@serkan-ozal serkan-ozal commented Jan 8, 2025

Which problem is this PR solving?

I am one of the OTEL FAAS SIG members and working on reducing coldstart overhead of the OTEL Lambda Node.js layer.

During my analysis, I have noticed that semver package has some initialization overhead (~15 ms) and most of it is caused by the semver internal initialization here (You can see that there are many RegExp compiles there) .

So I have been looking for way to reduce it and I believe that getting rid of semver dependency and providing an internal and simpler semantic versioning check implementation makes more sense.

Short description of the changes

This PR removes semver package dependency and replaces its usages with internal semantic versioning implementation.

Some parts of the internal semver implenentation is borrowed from actual semver package code base.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • experimental/packages/opentelemetry-instrumentation/test/common/semver.test.ts

Checklist:

  • Followed the style guidelines of this project
  • Unit tests have been added
  • Documentation has been updated

@serkan-ozal serkan-ozal requested a review from a team as a code owner January 8, 2025 17:33
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from d683ca8 to 5a35b91 Compare January 8, 2025 17:56
Comment on lines 1 to 15
/*
* Copyright The OpenTelemetry Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the correct Licence notice? The original one from semver says you have to mention theirs as well.

The ISC License

Copyright (c) Isaac Z. Schlueter and Contributors

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Same for the other copied and modified files.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I am not very familiar these license stuff. Shoıld I just append semver License header to the OTEL header? Is there anything I should do?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately I don't know either. And a google search didn't give me an answer.
I just wanted to highlight that there is maybe something to do, to mitigate the risk of a license issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per https://github.com/open-telemetry/community/blob/main/guides/contributor/processes.md#copyright-notices

If you make substantial changes to the third-party code, prepend the contributed third party file with OpenTelemetry's copyright notice.

Here is an example:
https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/plugins/node/opentelemetry-instrumentation-aws-sdk/src/propwrap.ts

However, the same community repo link above also says:

Any contributed third-party code must originally be Apache 2.0-Licensed or must carry a permissive software license that is compatible when combining with Apache 2.0 License. At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible.

Unfortunately this is neither BSD or MIT.
ISC is an OSI approved license (https://opensource.org/license/isc-license-txt) and https://en.wikipedia.org/wiki/ISC_license suggests it is "It is functionally equivalent to the simplified BSD and MIT licenses, but without language deemed unnecessary following the Berne Convention."

Options I see:

  • Ask the OTel TC and/or GC for advice here on whether the ISC license could reasonably be added to that list of licenses "known to be compatible". @mx-psi Do you have any experience here with this kind of license question?
  • Publish this separate simple semver-satisfies as a separate package to npm and add a dependency on it. I don't know if you'd be willing to do that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm Just pinged @mx-psi in the CNCF Slack about this. Let's see whether this is problematic and if so, how we can handle it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, thanks for the ping. I'll preface this by saying that I am just stating my personal opinion and I am not giving legal advice nor representing the GC here.

AIUI this is not contributed code, but rather code you are using as a dependency of some sort. For that case, you can look into the CNCF third party license guidelines. ISC is listed there: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy as an "Approved [License] for Allowlist". If you are able to fulfill the rest of the criteria mentioned in that document (e.g. by "storing [the code] unmodified in a designated third-party folder") and checking that (3) is satisfied, then I think you should be good.

There's also some dependencies that are specifically approved (see here), I don't think this is one of them, but feel free to check it as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm As pointed here, I have added license headers and info for the imported codes.

Could you please check that.

Copy link

codecov bot commented Jan 8, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.54%. Comparing base (f927e82) to head (49e4912).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5305   +/-   ##
=======================================
  Coverage   94.54%   94.54%           
=======================================
  Files         318      318           
  Lines        8052     8052           
  Branches     1694     1694           
=======================================
  Hits         7613     7613           
  Misses        439      439           

Copy link
Contributor

@trentm trentm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm supportive of this.

  1. There is the license/copyright Q to sort out.
  2. I'd love to have some details on the semver.ts implementation to know if I should more closely review it.

Other comments are nits.

@@ -59,13 +59,11 @@
"@protobuf-ts/runtime-rpc": "2.9.4",
"@types/mocha": "10.0.10",
"@types/node": "18.6.5",
"@types/semver": "7.5.8",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you were doing this too. I noticed that some other packages had now-unused deps on semver and opened #5306
I should have read your patch first. :)

Copy link
Contributor Author

@serkan-ozal serkan-ozal Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, there were some unused semver deps and some of them are only used by tests and can easily be replaced.

@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from c1bd858 to 08168bc Compare January 9, 2025 08:33
@serkan-ozal serkan-ozal changed the title Replace semver package with internal semantic versioning check implementation feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation Jan 9, 2025
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from cae5bee to 7cb6dd7 Compare January 9, 2025 10:21
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch 3 times, most recently from 512d92b to 098d5cd Compare January 10, 2025 16:39
@serkan-ozal serkan-ozal force-pushed the feat/get-rid-of-semver branch from 098d5cd to 678edf6 Compare January 10, 2025 16:54
@serkan-ozal
Copy link
Contributor Author

Hi all, any update on this PR? Are we OK with the licensing question?

trask pushed a commit to open-telemetry/community that referenced this pull request Jan 16, 2025
… in CNCF repos (#2506)

* Refer to CNCF allowlist for 3rd-party licenses approved for inclusion in CNCF repos

This came up in open-telemetry/opentelemetry-js#5305

Refs: #2504

* mention and refer to the CNCF conditions for including third-party code
Copy link
Contributor

@trentm trentm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@serkan-ozal I made a number of suggestions for the license/copyright questions. Let me know if they seem reasonable to you.

CHANGELOG.md Outdated
@@ -60,6 +60,7 @@ For semantic convention package changes, see the [semconv CHANGELOG](packages/se
* refactor(sdk-trace-base): remove `BasicTracerProvider._registeredSpanProcessors` private property. [#5134](https://github.com/open-telemetry/opentelemetry-js/pull/5134) @david-luna
* refactor(sdk-trace-base): rename `BasicTracerProvider.activeSpanProcessor` private property. [#5211](https://github.com/open-telemetry/opentelemetry-js/pull/5211) @david-luna
* chore(selenium-tests): remove internal selenium-tests/ package, it wasn't being used @trentm
* feat(opentelemetry-instrumentation): replace `semver` package with internal semantic versioning check implementation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: could add the link to the PR here. COuld also give the reason for the removal in that sentence.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm done

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For licensing of these two fixture files, how about the following?

  1. Move them to a "test/common/third-party/node-semver/range-{exclude,include}.js" to satisfy the "stored unmodified in a designated third-party folder" from https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
  2. Revert them to be an unmodified copy from node-semver.git. Then change the "semver.test.ts" driver to skip a fixture case if its third entry is true or {loose: true} -- rather than the changes you have now to skip those cases.
  3. Add the https://github.com/npm/node-semver/blob/main/LICENSE file to that test/common/third-party/node-semver dir.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trentm done

@serkan-ozal
Copy link
Contributor Author

@serkan-ozal I made a number of suggestions for the license/copyright questions. Let me know if they seem reasonable to you.

@trentm I have applied your suggestions and updated PR according to your comments. Could you please check?

Copy link
Contributor

@trentm trentm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am happy with the licensing/copyright handling (after the couple suggestions I have here). With those changes, this PR LGTM.

The added semver.ts is a fair chunk of code to add, but hopefully there isn't any maintenance. The node-semver test fixture files that are being used for testing haven't changed in node-semver.git in over a year, so that seems somewhat stable.

@serkan-ozal Did you happen to have an idea of how much this change saves on an AWS Lambda coldstart? Or some data around how the semver init was contributing to cold start time? That data might be interesting for future maintenance.

CHANGELOG.md Outdated Show resolved Hide resolved
Comment on lines 1 to 18
/*
* Copyright The OpenTelemetry Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// Imported from https://github.com/npm/node-semver/blob/868d4bbe3d318c52544f38d5f9977a1103e924c2/test/fixtures/range-include.js

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually I think this block should be removed. My read of the intent of the "stored unmodified in a designated third-party folder" is that they should be completely unchanged from the source repo, if possible. Then we don't need to apply the OTel copyright and license to these files.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, ok. it is just left over. Just removed.

@serkan-ozal
Copy link
Contributor Author

I am happy with the licensing/copyright handling (after the couple suggestions I have here). With those changes, this PR LGTM.

The added semver.ts is a fair chunk of code to add, but hopefully there isn't any maintenance. The node-semver test fixture files that are being used for testing haven't changed in node-semver.git in over a year, so that seems somewhat stable.

@serkan-ozal Did you happen to have an idea of how much this change saves on an AWS Lambda coldstart? Or some data around how the semver init was contributing to cold start time? That data might be interesting for future maintenance.

I have calculated these module require timings (>= 5ms, requires completed less than 5ms are ignored) with custom require function (by wrapping Node.js module require) from OTEL Lambda layer wrapper.js module init:

|-- require('@opentelemetry/api') took 23 ms
..|-- require('./baggage/utils') took 8 ms
....|-- require('../api/diag') took 6 ms
|-- require('@opentelemetry/core') took 60 ms
..|-- require('./common/time') took 45 ms
....|-- require('../platform') took 44 ms
......|-- require('./node') took 44 ms
........|-- require('./performance') took 15 ms
..........|-- require('perf_hooks') took 15 ms
........|-- require('./sdk-info') took 22 ms
..........|-- require('@opentelemetry/semantic-conventions') took 20 ms
............|-- require('./trace') took 11 ms
..............|-- require('./SemanticAttributes') took 9 ms
|-- require('@opentelemetry/sdk-trace-base') took 51 ms
..|-- require('./Tracer') took 11 ms
....|-- require('./platform') took 5 ms
..|-- require('./BasicTracerProvider') took 38 ms
....|-- require('@opentelemetry/resources') took 35 ms
......|-- require('./detectors') took 28 ms
........|-- require('./platform') took 26 ms
..........|-- require('./node') took 26 ms
............|-- require('./HostDetector') took 8 ms
..............|-- require('./HostDetectorSync') took 8 ms
................|-- require('./machine-id/getMachineId') took 7 ms
..................|-- require('process') took 6 ms
............|-- require('./ServiceInstanceIdDetectorSync') took 15 ms
..............|-- require('crypto') took 14 ms
|-- require('@opentelemetry/sdk-metrics') took 24 ms
..|-- require('./export/MetricReader') took 10 ms
....|-- require('./AggregationSelector') took 9 ms
......|-- require('../view/Aggregation') took 7 ms
........|-- require('../aggregator') took 7 ms
..|-- require('./MeterProvider') took 10 ms
....|-- require('./state/MeterProviderSharedState') took 10 ms
......|-- require('./MeterSharedState') took 8 ms
|-- require('@opentelemetry/sdk-logs') took 6 ms
|-- require('@opentelemetry/resource-detector-aws') took 33 ms
..|-- require('./detectors') took 31 ms
....|-- require('./AwsBeanstalkDetector') took 12 ms
......|-- require('./AwsBeanstalkDetectorSync') took 11 ms
........|-- require('util') took 11 ms
....|-- require('./AwsEc2Detector') took 7 ms
......|-- require('./AwsEc2DetectorSync') took 6 ms
........|-- require('http') took 6 ms
....|-- require('./AwsEksDetector') took 5 ms
|-- require('@opentelemetry/exporter-trace-otlp-http') took 55 ms
..|-- require('./platform') took 54 ms
....|-- require('./node') took 54 ms
......|-- require('./OTLPTraceExporter') took 54 ms
........|-- require('@opentelemetry/otlp-transformer') took 43 ms
..........|-- require('./logs/protobuf') took 37 ms
............|-- require('./logs') took 37 ms
..............|-- require('../../generated/root') took 33 ms
................|-- require('protobufjs/minimal') took 19 ms
..................|-- require('./src/index-minimal') took 19 ms
....................|-- require('./writer') took 11 ms
......................|-- require('./util/minimal') took 10 ms
........|-- require('@opentelemetry/otlp-exporter-base/node-http') took 5 ms
|-- require('@opentelemetry/instrumentation') took 40 ms
..|-- require('./platform/index') took 39 ms
....|-- require('./node') took 39 ms
......|-- require('./instrumentation') took 39 ms
........|-- require('semver') took 13 ms
........|-- require('./RequireInTheMiddleSingleton') took 18 ms
..........|-- require('require-in-the-middle') took 16 ms
............|-- require('resolve') took 10 ms
..............|-- require('./lib/async') took 7 ms
|-- require('@opentelemetry/instrumentation-aws-sdk') took 10 ms
..|-- require('./aws-sdk') took 9 ms
....|-- require('./services') took 6 ms
......|-- require('./ServicesExtensions') took 5 ms
|-- require('@opentelemetry/instrumentation-aws-lambda') took 29 ms
..|-- require('./instrumentation') took 27 ms
....|-- require('@opentelemetry/semantic-conventions/incubating') took 25 ms
......|-- require('./experimental_attributes') took 17 ms
|-- require('@opentelemetry/instrumentation-express') took 18 ms
..|-- require('./instrumentation') took 17 ms
|-- require('@opentelemetry/instrumentation-graphql') took 12 ms
|-- require('@opentelemetry/instrumentation-http') took 7 ms
..|-- require('./http') took 6 ms
|-- require('@opentelemetry/instrumentation-pg') took 34 ms
..|-- require('./instrumentation') took 32 ms
....|-- require('./utils') took 28 ms
......|-- require('@opentelemetry/semantic-conventions') took 8 ms
......|-- require('@opentelemetry/semantic-conventions/incubating') took 17 ms
........|-- require('./experimental_attributes') took 14 ms

As you can see, semver took 13 ms here. You can also see others here.

@serkan-ozal
Copy link
Contributor Author

@trentm Could you please check the PR one more time. Hopefully, it is OK to merge finally.

@trentm
Copy link
Contributor

trentm commented Jan 24, 2025

Thanks for the require() timings data!

Note to self: The 13ms to require('semver') here is about 3% of coldstart time:

# Sum the top-level "NN ms" timings
% cat data.txt | rg '^\|' | gsed -e 's/^.*took \([0-9]\+\) ms$/\1/' | paste -sd+ - | bc
402

% node
> 13 / 402
0.03233830845771144

@@ -74,7 +74,6 @@
"@types/shimmer": "^1.2.0",
"import-in-the-middle": "^1.8.1",
"require-in-the-middle": "^7.1.1",
"semver": "^7.5.2",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should include semver as a development dependency to be used in tests. We could assert that our semver replacement functions output matches the semver package.

Copy link
Contributor Author

@serkan-ozal serkan-ozal Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have imported tests from semver package and test fixtures also include expected results (results of the actual semver package). That is the reason that why I had removed semver package dependency even from dev dependencies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants