You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@opentelemetry/resource-detector-gcp (loaded via auto-instrumentations-node) transitively depends on a deprecated, unmaintained chain. Every install emits:
Why bumping gcp-metadata will not fix it this time
Same shape as #3358 (punycode warning, resolved by #3359 bumping gcp-metadata to v8). The current resource-detector-gcp already pulls gcp-metadata@8.1.2, so the deprecation persists.
The chain cannot be repaired upstream:
googleapis/gaxios: archived (archived: true, last push 2025-10-31), no further releases.
node-domexception: maintainer deprecated every published version (1.0.0, 2.0.1, 2.0.2) with message "Use your platform's native DOMException instead". Native DOMException is available since Node 17.
Suggested options
Drop gcp-metadata from resource-detector-gcp and inline a minimal metadata-server call using global fetch. The package already requires node: '^18.19.0 || >=20.6.0' (per its engines field on npm), so global fetch is guaranteed available without bumping the supported Node range.
Wait for a gcp-metadata rewrite that drops gaxios. Unlikely given gaxios is archived and gcp-metadata's maintenance posture is unclear.
Option 1 likely also addresses #2440, since the root cause there is gaxios → require('node-fetch') evaluating before HTTP instrumentation can hook http/https. Removing gaxios/node-fetch from this path eliminates that early require.
What happened
@opentelemetry/resource-detector-gcp(loaded viaauto-instrumentations-node) transitively depends on a deprecated, unmaintained chain. Every install emits:Reproduction
The deprecation warning is emitted by pnpm/npm during install. Verified against latest published versions on npm.
Dependency chain
Why bumping gcp-metadata will not fix it this time
Same shape as #3358 (punycode warning, resolved by #3359 bumping gcp-metadata to v8). The current
resource-detector-gcpalready pullsgcp-metadata@8.1.2, so the deprecation persists.The chain cannot be repaired upstream:
googleapis/gaxios: archived (archived: true, last push 2025-10-31), no further releases.node-fetch/fetch-blob: dormant since 2023-08-14, fix PR fix(deps): remove deprecated node-domexception dependency node-fetch/fetch-blob#176 sits unmerged. Reviewer @YasharF stated: "I don't think node-fetch and related projects are being maintained anymore."node-domexception: maintainer deprecated every published version (1.0.0, 2.0.1, 2.0.2) with message "Use your platform's native DOMException instead". NativeDOMExceptionis available since Node 17.Suggested options
gcp-metadatafromresource-detector-gcpand inline a minimal metadata-server call using globalfetch. The package already requiresnode: '^18.19.0 || >=20.6.0'(per itsenginesfield on npm), so globalfetchis guaranteed available without bumping the supported Node range.gcp-metadatarewrite that drops gaxios. Unlikely given gaxios is archived and gcp-metadata's maintenance posture is unclear.node-fetchby app andresource-detector-gcpcan result inhttpsmodule not getting instrumented #2440 where the same chain causes a real instrumentation problem (not just cosmetic).Option 1 likely also addresses #2440, since the root cause there is
gaxios → require('node-fetch')evaluating before HTTP instrumentation can hookhttp/https. Removinggaxios/node-fetchfrom this path eliminates that early require.Environment