vendor bundled non-datadog dependencies (#6958)

Author: rochdev

.github/chainguard/dependabot-automation.sts.yaml

@@ -3,7 +3,7 @@ issuer: https://token.actions.githubusercontent.com
 subject: repo:DataDog/dd-trace-js:pull_request
 
 claim_pattern:
-  event_name: pull_request_target
+  event_name: pull_request
   ref: refs/heads/master
   ref_protected: "true"
   job_workflow_ref: DataDog/dd-trace-js/.github/workflows/dependabot-automation.yml@refs/heads/master

.github/dependabot.yml

@@ -60,20 +60,6 @@ updates:
       - dependency-name: "@types/node"
         # Update the types manually with new Node.js version support
         update-types: ["version-update:semver-major"]
-      - dependency-name: "jest-docblock"
-        # 30.0.0 onwards only supports Node.js 18.14.x and above
-        update-types: ["version-update:semver-major"]
-        # The path-to-regexp version has to be the same as used in express v4.
-        # Consider vendoring it instead.
-      - dependency-name: "path-to-regexp"
-      - dependency-name: "lru-cache"
-        # 11.0.0 onwards only supports Node.js 20 and above
-        update-types: ["version-update:semver-major"]
-      - dependency-name: "limiter"
-        # 2.0.0 onwards breaks our tests. 3.0.0 works but it requires Node.js v16.
-        # That breaks cypress in our v5 release line. Update when v5 is EOL.
-        # Reverting this commit should suffice.
-        update-types: ["version-update:semver-major"]
       - dependency-name: "glob"
         # 11.0.0 onwards only supports Node.js 20 and above
         update-types: ["version-update:semver-major"]
@@ -87,6 +73,9 @@ updates:
         # Thus, we ignore them and update them manually.
       - dependency-name: "@opentelemetry/api"
       - dependency-name: "@opentelemetry/api-logs"
+      - dependency-name: "tap"
+        # Contain breaking changes that are incompatible with our test usage
+        update-types: ["version-update:semver-major"]
     groups:
       dev-minor-and-patch-dependencies:
         dependency-type: "development"
@@ -103,6 +92,49 @@ updates:
           - "minor"
           - "patch"
 
+  # Vendored dependencies
+  - package-ecosystem: "npm"
+    directories:
+      - "/vendor"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 100
+    cooldown:
+      default-days: 5
+    labels:
+      - dependabot
+      - dependencies
+      - javascript
+      - semver-patch
+    ignore:
+      - dependency-name: "jest-docblock"
+        # 30.0.0 onwards only supports Node.js 18.14.x and above
+        update-types: ["version-update:semver-major"]
+        # The path-to-regexp version has to be the same as used in express v4.
+      - dependency-name: "path-to-regexp"
+      - dependency-name: "lru-cache"
+        # 11.0.0 onwards only supports Node.js 20 and above
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "limiter"
+        # 2.0.0 onwards breaks our tests. 3.0.0 works but it requires Node.js v16.
+        # That breaks cypress in our v5 release line. Update when v5 is EOL.
+        # Reverting this commit should suffice.
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "@opentelemetry/core"
+        # 2.0.0 onwards only supports Node.js 18.19.0 and above
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "@opentelemetry/resources"
+        # 2.0.0 onwards only supports Node.js 18.19.0 and above
+        update-types: ["version-update:semver-major"]
+    groups:
+      vendor-minor-and-patch-dependencies:
+        dependency-type: "production"
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
   # Instrumented library support range
   - package-ecosystem: "npm"
     directories:

.github/workflows/audit.yml

@@ -16,3 +16,5 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/node/latest
       - run: yarn audit
+      - run: yarn audit
+        working-directory: ./vendor

.github/workflows/dependabot-automation.yml

@@ -1,7 +1,7 @@
 name: 'Dependabot Automation'
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
 
@@ -37,3 +37,36 @@ jobs:
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+
+  vendor:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        if: steps.metadata.outputs.dependency-group == 'vendor-minor-and-patch-dependencies'
+      - run: yarn
+        working-directory: ./vendor
+        if: steps.metadata.outputs.dependency-group == 'vendor-minor-and-patch-dependencies'
+      - name: Create commits
+        id: create-commits
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add -A
+          git commit -m "update vendored dependencies with new versions"
+
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+        if: steps.metadata.outputs.dependency-group == 'vendor-minor-and-patch-dependencies'
+      - name: Push commits
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+        with:
+          branch: ${{ github.ref_name }}
+          command: push
+          commits: "${{ steps.create-commits.outputs.commits }}"
+        if: steps.metadata.outputs.dependency-group == 'vendor-minor-and-patch-dependencies'

.github/workflows/platform.yml

@@ -60,6 +60,16 @@ jobs:
       - run: ./node_modules/.bin/bun pm pack --gzip-level 0 --filename bun.tgz && tar -zxf bun.tgz -C bun
       - run: diff -r npm bun
 
+  bundle-validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: ./.github/actions/node/active-lts
+      # Running `yarn` also automatically runs `rspack` as a postinstall script.
+      - run: yarn --frozen-lockfile
+        working-directory: vendor
+      - run: git diff --exit-code
+
   core:
     runs-on: ubuntu-latest
     steps:

.github/workflows/project.yml

@@ -51,14 +51,22 @@ jobs:
       - uses: ./.github/actions/install
       - run: npm run lint
 
+  # The package size is especially useful in constrained environments, so the
+  # computation is done only on the package that would be installed there.
+  # In order to do that, the current folder is wiped and replaced with what
+  # would be installed is those environments before running the computation.
   package-size-report:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/node/latest
-      - uses: ./.github/actions/install
+      - run: FILENAME=$(npm pack --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
+      - run: rm -rf *
+      - run: tar -zxf /tmp/dd-trace.tgz -C $(pwd) --strip-components=1
+      - run: yarn --prod --ignore-optional
+      - run: ls -lisa
       - name: Compute module size tree and report
         uses: qard/heaviest-objects-in-the-universe@1e02edbdda803a45537a808ede97866db47756d3 # Unreleased
         with:

.gitignore

@@ -131,6 +131,7 @@ packages/dd-trace/test/plugins/versions/node_modules
 packages/dd-trace/test/plugins/versions/yarn.lock
 !packages/dd-trace/**/telemetry/logs
 packages/datadog-plugin-azure-functions/test/integration-test/fixtures/node_modules
+!packages/node_modules
 __azurite_db_queue__.json
 __azurite_db_queue_extent__.json
 __queuestorage__/AzuriteConfig