chore(deps): update submissions

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
anndata	==0.8.0 -> ==0.10.8						minor
ddtrace (changelog)	==2.1.4 -> ==2.9.2						minor
numba	==0.59.1 -> ==0.60.0						minor
numpy (source, changelog)	==1.26.4 -> ==2.0.0						major
pandas (source)	==1.4.4 -> ==2.2.2						major
public.ecr.aws/lambda/python	3.8 -> 3.12					final	minor
public.ecr.aws/lambda/python	3.9 -> 3.12					final	minor
pyvips	==2.2.2 -> ==2.2.3						patch
s3fs	==0.4.2 -> ==2024.6.0						major
scanpy	==1.9.8 -> ==1.10.2						minor
tiledb	==0.25.0 -> ==0.30.1						minor

---

Release Notes

scverse/anndata (anndata)

v0.10.8

Compare Source

v0.10.7

Compare Source

v0.10.6

Compare Source

v0.10.5.post1

Compare Source

v0.10.5

Compare Source

v0.10.4

Compare Source

v0.10.3

Compare Source

v0.10.2

Compare Source

v0.10.1

Compare Source

v0.10.0

Compare Source

v0.9.2

Compare Source

v0.9.1

Compare Source

v0.9.0

Compare Source

DataDog/dd-trace-py (ddtrace)

v2.9.2: 2.9.2

Compare Source

Bug Fixes

• futures: Fixes inconsistent behavior with concurrent.futures.ThreadPoolExecutor context propagation by passing the current trace context instead of the currently active span to tasks. This prevents edge cases of disconnected spans when the task executes after the parent span has finished.

Other Changes

• lib-injection: Updates base Alpine image to 3.20.

v2.9.1: 2.9.1

Compare Source

Deprecation Notes

• Removes the deprecated sqlparse dependency.

v2.9.0: 2.9.0

Compare Source

New Features

• LLM Observability: This introduces the LLM Observability SDK, which enhances the observability of Python-based LLM applications. See the LLM Observability Overview or the SDK documentation for more information about this feature.

• ASM: Application Security Management (ASM) introduces its new "Exploit Prevention" feature in public beta, a new type of in-app security monitoring that detects and blocks vulnerability exploits. This introduces full support for exploit prevention in the python tracer.

  • LFI (via standard API open)
  • SSRF (via standard API urllib or third party requests)

  with monitoring and blocking features, telemetry, and span metrics reports.

• opentelemetry: Adds support for span events.

• tracing: Ensures the following OpenTelemetry environment variables are mapped to an equivalent Datadog configuration (datadog environment variables taking precedence in cases where both are configured):

  OTEL_SERVICE_NAME -> DD_SERVICE
  OTEL_LOG_LEVEL -> DD_TRACE_DEBUG
  OTEL_PROPAGATORS -> DD_TRACE_PROPAGATION_STYLE
  OTEL_TRACES_SAMPLER -> DD_TRACE_SAMPLE_RATE
  OTEL_TRACES_EXPORTER -> DD_TRACE_ENABLED
  OTEL_METRICS_EXPORTER -> DD_RUNTIME_METRICS_ENABLED
  OTEL_RESOURCE_ATTRIBUTES -> DD_TAGS
  OTEL_SDK_DISABLED -> DD_TRACE_OTEL_ENABLED
  

• otel: Adds support for generating Datadog trace metrics using OpenTelemetry instrumentations

• aiomysql, asyncpg, mysql, mysqldb, pymysql: Adds Database Monitoring (DBM) for remaining mysql and postgres integrations lacking support.

• (aiomysql, aiopg): Implements span service naming determination to be consistent with other database integrations.

• ASM: This introduces the capability to enable or disable SCA using the environment variable DD_APPSEC_SCA_ENABLED. By default this env var is unset and in that case it doesn't affect the product.

• Code Security: Taints strings from gRPC messages.

• botocore: This introduces tracing support for bedrock-runtime embedding operations.

• Vulnerability Management for Code-level (IAST): Enables IAST in the application. Needed to start application with ddtrace-run [your-application-run-command] prior to this release. Now, you can also activate IAST with the patch_all function.

• langchain: This adds tracing support for LCEL (LangChain Expression Language) chaining syntax. This change specifically adds synchronous and asynchronous tracing support for the invoke and batch methods.

Known Issues

• Code Security: Security tracing for the builtins.open function is experimental and may not be stable. This aspect is not replaced by default.
• grpc: Tracing for the grpc.aio clients and servers is experimental and may not be stable. This integration is now disabled by default.

Upgrade Notes

• aiopg: Upgrades supported versions to >=1.2. Drops support for 0.x versions.

Deprecation Notes

• LLM Observability: DD_LLMOBS_APP_NAME is deprecated and will be removed in the next major version of ddtrace. As an alternative to DD_LLMOBS_APP_NAME, you can use DD_LLMOBS_ML_APP instead. See the SDK setup documentation for more details on how to configure the LLM Observability SDK.

Bug Fixes

• opentelemetry: Records exceptions on spans in a manner that is consistent with the otel specification
• ASM: Resolves an issue where an org could not customize actions through remote config.
• Resolves an issue where importing asyncio after a trace has already been started will reset the currently active span.
• grpc: Fixes a bug in the grpc.aio integration specific to streaming responses.
• openai: Resolves an issue where specifying n=None for streamed chat completions resulted in a TypeError.
• openai: Removes patching for the edits and fine tunes endpoints, which have been removed from the OpenAI API.
• openai: Resolves an issue where streamed OpenAI responses raised errors when being used as context managers.
• tracing: Fixes an issue where DD_TRACE_SPAN_TRACEBACK_MAX_SIZE was not applied to exception tracebacks.
• Code Security: Ensures IAST propagation does not raise side effects related to Magic methods.
• Code Security: Fixes a potential memory corruption when the context was reset.
• langchain: Resolves an issue where specifying inputs as a keyword argument for batching on chains caused a crash.
• Code Security: Avoids calling terminate on the extend and join aspect when an exception is raised.
• botocore: Adds additional key name checking and appropriate defaults for responses from Cohere and Amazon models.
• telemetry: Resolves an issue when using pytest + gevent where the telemetry writer was eager initialized by pytest entry points loading of our plugin causing a potential dead lock.
• Code Security: Fixes a bug in the AST patching process where ImportError exceptions were being caught, interfering with the proper application cycle if an ImportError was expected."
• RemoteConfig: Resolves an issue where remote config did not work for the tracer when using an agent that would add a flare item to the remote config payload. With this fix, the tracer will now correctly pull out the lib_config we need from the payload in order to implement remote config changes properly.
• Code Security: Fixes setting the wrong source on map elements tainted from taint_structure.
• Code Security: Fixes an issue where the AST patching process fails when the origin of a module is reported as None, raising a FileNotFoundError.
• CI Visibility: Fixes an issue where tests were less likely to be skipped due to ITR skippable tests requests timing out earlier than they should
• Code Security: Solves an issue with fstrings where formatting was not applied to int parameters
• tracing: Resolves an issue where sampling rules were not matching correctly on float values that had a 0 decimal value. Sampling rules now evaluate such values as integers.
• langchain: Resolves an issue where the LangChain integration always attempted to patch LangChain partner
  libraries, even if they were not available.
• langchain: Resolves an issue where tracing Chain.invoke() instead of Chain.__call__() resulted in the an ArgumentError due to an argument name change for inputs between the two methods.
• langchain: Adds error handling for checking if a traced LLM or chat model is an OpenAI instance, as the langchain_community package does not allow automatic submodule importing.
• internal: Resolves an error regarding the remote config module with payloads missing a lib_config entry
• profiling: Fixes a bug that caused the HTTP exporter to crash when attempting to serialize tags.
• grpc: Resolves segfaults raised when grpc.aio interceptors are registered
• Code Security (IAST): Fixes an issue with AES functions from the pycryptodome package that caused the application to crash and stop.
• Code Security: Ensures that when tainting the headers of a Flask application, iterating over the headers (i.e., with headers.items()) does not duplicate them.
• Vulnerability Management for Code-level (IAST): Some native exceptions were not being caught correctly by the python tracer. This fix removes those exceptions to avoid fatal error executions.
• kafka: Resolves an issue where an empty message list returned from consume calls could cause crashes in the Kafka integration. Empty lists from consume can occur when the call times out.
• logging: Resolves an issue where tracer.get_log_correlation_context() incorrectly returned a 128-bit trace_id even with DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED set to False (the default), breaking log correlation. It now returns a 64-bit trace_id.
• profiling: Fixes a defect where the deprecated path to the Datadog span type was used by the profiler.
• Profiling: Resolves an issue where the profiler was forcing protobuf to load in injected environments,
  causing crashes in configurations which relied on older protobuf versions. The profiler will now detect when injection is used and try loading with the native exporter. If that fails, it will self-disable rather than loading protobuf.
• pymongo: Resolves an issue where the library raised an error in pymongo.pool.validate_session
• ASM: Resolves an issue where lfi attack on request path was not always detected with flask and uwsgi.
• ASM: Removes non-required API security metrics.
• instrumentation: Fixes crashes that could occur in certain integrations with packages that use non-integer components in their version specifiers

v2.8.5

Compare Source

Known Issues

• Code Security: Security tracing for the builtins.open function is experimental and may not be stable. This aspect is not replaced by default.
• grpc: Tracing for the grpc.aio clients and servers is experimental and may not be stable. This integration is now disabled by default.

Bug Fixes

• fix(grpc): This fix a bug in the grpc.aio support specific to streaming responses.
• RemoteConfig: This fix resolves an issue where remote config did not work for the tracer when using an agent that would add a flare item to the remote config payload. With this fix, the tracer will now correctly pull out the lib_config we need from the payload in order to implement remote config changes properly.

---

v2.8.4: 2.8.4

Compare Source

Bug Fixes

• telemetry: This fix resolves an issue when using pytest + gevent where the telemetry writer was eagerly initialized by pytest entrypoints loading of our plugin causing a potential dead lock.

v2.8.3

Compare Source

Bug Fixes

• Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters
• logging: This fix resolves an issue where tracer.get_log_correlation_context() incorrectly returned a 128-bit trace_id even with DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED set to False (the default), breaking log correlation. It now returns a 64-bit trace_id.
• profiling: Fixes a defect where the deprecated path to the Datadog span type was used by the profiler.

---

v2.8.2

Compare Source

Bug Fixes

• tracing: This fix resolves an issue where sampling rules were not matching correctly on float values that had a 0 decimal value. Sampling rules now evaluate such values as integers.

• langchain: This fix resolves an issue where the LangChain integration always attempted to patch LangChain partner
  libraries, even if they were not available.

• langchain: This fix resolves an issue where tracing Chain.invoke() instead of Chain.__call__() resulted in the an ArgumentError due to an argument name change for inputs between the two methods.

• langchain: This fix adds error handling for checking if a traced LLM or chat model is an OpenAI instance, as the langchain_community package does not allow automatic submodule importing.

• internal: This fix resolves an error regarding the remote config module with payloads missing a lib_config entry

• profiling: fix a bug that caused the HTTP exporter to crash when attempting to serialize tags.

• grpc: Resolves segfaults raised when grpc.aio interceptors are registered

• Code Security: Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with headers.items()) does not duplicate them.

---

v2.8.1

Compare Source

New Features

• Code Security: to enable IAST in the application, you had to start it with the command ddtrace-run [your-application-run-command] so far. Now, you can also activate IAST with the patch_all function.

Bug Fixes

• Code Security: fix setting the wrong source on map elements tainted from taint_structure.
• Code Security: Fixes an issue where the AST patching process fails when the origin of a module is reported as None, raising a FileNotFoundError.
• CI Visibility: fixes an issue where tests were less likely to be skipped due to ITR skippable tests requests timing out earlier than they should
• Code Security: Fixed an issue with AES functions from the pycryptodome package that caused the application to crash and stop.
• kafka: This fix resolves an issue where an empty message list returned from consume calls could cause crashes in the Kafka integration. Empty lists from consume can occur when the call times out.
• ASM: This fix removes unrequired API security metrics.
• instrumentation: fixes crashes that could occur in certain integrations with packages that use non-integer components in their version specifiers

---

v2.8.0

Compare Source

Prelude

tracing: This release adds support for lazy sampling, essentially moving when we make a sampling decision for a trace to the latest possible moment. These include the following: 1. Before encoding a trace chunk to be sent to the agent 2. Before making an outgoing request via HTTP, gRPC, or a DB call for any automatically instrumented integration 3. Before running os.fork() For most users this change shouldn't have any impact on their traces, but it does allow for more flexibility in sampling (see features release note). It should be noted that if a user has application egress points that are not automatically instrumented, to other Datadog components (downstream instrumented services, databases, or execution context changes), and rely on the Python tracer to make the sampling decision (don't have an upstream service doing this), they will need to manually run the sampler for those traces, or use HttpPropagator.inject(). For more information please see the following: https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#distributed-tracing https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#tracing-context-management

New Features

• DSM: Adds base64 format for encoding and decoding DSM context hash.
• botocore: adds dsm payload size stats for botocore messaging services of kinesis, sqs and sns.
• botocore: Adds support to the bedrock integration for tagging input and output messages.
• langchain: This introduces support for langchain==0.1.0. Note that this does not have tracing support for deprecated langchain operations. Please follow the langchain upgrade guide or the langchain integration :ref: docs<langchain> to enable full tracing support.
• dramatiq: Adds automatic tracing of the dramatiq library.
• tracing: Added support for lazy sampling, the benefit of which is the ability to make a sampling decision using DD_TRACE_SAMPLING_RULES based on any span attribute (service, resource, tags, name)regardless of when the value for the attribute is set. This change is particularly beneficial for sampling on tags, since the vast majority of tags are set after the span is created. Since sampling was previously done at span creation time, this meant that those tags could not be used for sampling decisions.
• openai: Adds support for tagging streamed responses for completion and chat completion endpoints.
• profiling: implement an experimental stack sampling feature, which can be enabled by setting DD_PROFILING_STACK_V2_ENABLED=true. This new sampler should resolve segfault issues on Python 3.11 and later, while also decreasing the latency contribution of the profiler in many situations, and also improving the accuracy of stack-sampling data. This feature is currently only available on Linux using CPython 3.8 or greater. Requires DD_PROFILING_EXPORT_LIBDD_ENABLED=true to be set.
• botocore: Changes botocore aws kinesis contrib to set DSM pathway using extracted DSM context, if found, instead of always using a new pathway with default context.
• kafka: Adds tracing and DSM support for confluent_kafka.Consumer.consume(). Previously only confluent_kafka.Consumer.poll was instrumented.

Deprecation Notes

• tracing: Deprecates support for ddtrace.contrib.asyncio.AsyncioContextProvider. ddtrace fully support tracing across asyncio tasks. Asyncio no longer requires additional configurations.
• tracing: tracer.sampler is deprecated and will be removed in the next major version release. To manually sample please call tracer.sample instead.
• gevent: Deprecates ddtrace.contrib.gevent.provider.GeventContextProvider. Drops support for gevent<20.12.0 and greenlet<1.0.

Bug Fixes

• Vulnerability Management for Code-level (IAST): Some native exceptions were not being caught correctly by the python tracer. This fix remove those exceptions to avoid fatal error executions.

• otel: Ensures that the last datadog parent_id is added to w3c distributed tracing headers generated by the OpenTelemetry API.

• ASM: This fix resolves an issue where a valid user may trigger a failed login event.

• ASM: always clear the DDWaf context at the end of the span to avoid gc-induced latency spikes at the end of some requests.

• ASM: This fix resolves an issue where django login failure events may send wrong information of user existence.

• CI Visibility: fixes an issue where git author or committer names containing commas (eg: "Lastname, Firstname") would not work (and log an error) due to the use of comma as a separator.

• propagation: This fix resolves an issue where the sampling decision-maker tag in tracestate propagation headers was clobbered by a default value.

• datastreams: Changed DSM processor error logs to debug logs for a statement which is retried. If all retries fail, the stack trace is included

• internal telemetry: Ensures heartbeat events are sent at regular intervals even when no other events are being sent.

• Fix an incompatibility between the handling of namespace module imports and parts of the functionalities of the standard library importlib module.

• internal: This fix resolves an issue where importing the ddtrace.appsec._iast._patches module would fail raising an ImportError

• internal: This fix resolves an issue where importing the ddtrace.internal.peer_service module would fail raising an ImportError

• langchain: Ensures langchain vision APIs are correctly instrumented

• Fix for the declaration of dependencies for the package.

• internal: This fix resolves an issue where importing the ddtrace.contrib.botocore.services module would fail raising an ImportError

• profiling: handle unexpected stack data to prevent the profiler from stopping.

• starlette: Fix a bug that crashed background tasks started from functions without a __name__ attribute

• ASM: This fix resolves an issue where the asgi middleware could crash with a RuntimeError "Unexpected message received".

• ASM: This fix resolves an issue with Flask instrumentation causing CPU leak with ASM, API Security and Telemetry enabled.

• Vulnerability Management for Code-level (IAST): Addresses an issue where the IAST native module was imported even though IAST was not enabled.

• Vulnerability Management for Code-level (IAST): This fix addresses an issue where tainting objects may fail due to context not being created in the current span.

• Vulnerability Management for Code-level (IAST): This fix addresses an issue where AST patching would generate code that fails to compile, thereby preventing the application from starting correctly.

• Vulnerability Management for Code-level (IAST): This fix addresses AST patching issues where other subscript operations than Load were being unintentionally patched, leading to compilation errors for the patched module.

• Vulnerability Management for Code-level (IAST): Fixes an issue where an atexit handler could lead to a segmentation fault.

• Vulnerability Management for Code-level (IAST): This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1.

• kafka: This fix resolves an issue where None messages from confluent-kafka could cause crashes in the Kafka integration.

• appsec: This fix resolves an issue in which the library attempted to finalize twice a context object used by the Application Security Management product.

• tracing: Removes allow_false argument from ddtrace samplers. allow_false allows datadog samplers to return a value that differs from the sampling decision, this behavior is not supported.

• profiling: This fixes a free(): invalid pointer error which would arise as a result of incorrectly linking the C++ runtime.

• starlette: Ensures correct URL tag is set for starlette v0.34.0 and above.

• structlog: Fixes error where multiple loggers would duplicate processors. Also adds processors injection when resetting to defaults.

---

v2.7.10

Compare Source

Bug Fixes

• Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters
• logging: This fix resolves an issue where tracer.get_log_correlation_context() incorrectly returned a 128-bit trace_id even with DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED set to False (the default), breaking log correlation. It now returns a 64-bit trace_id.
• profiling: Fixes a defect where the deprecated path to the Datadog span type was used by the profiler.

---

v2.7.9

Compare Source

Bug Fixes

• internal: This fix resolves an error regarding the remote config module with payloads missing a lib_config entry
• grpc: Resolves segfaults raised when grpc.aio interceptors are registered
• Code Security: Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with headers.items()) does not duplicate them.
• pymongo: this resolves an issue where the library raised an error in pymongo.pool.validate_session

---

v2.7.8

Compare Source

Bug Fixes

• Code Security: fix setting the wrong source on map elements tainted from taint_structure.
• Code Security: Fixes an issue where the AST patching process fails when the origin of a module is reported as None, raising a FileNotFoundError.
• CI Visibility: fixes an issue where tests were less likely to be skipped due to ITR skippable tests requests timing out earlier than they should
• Code Security: Fixed an issue with AES functions from the pycryptodome package that caused the application to crash and stop.
• ASM: This fix removes unrequired API security metrics.
• instrumentation: fixes crashes that could occur in certain integrations with packages that use non-integer components in their version specifiers

---

v2.7.7

Compare Source

Bug Fixes

• ASM: This fix resolves an issue where django login failure events may send wrong information of user existence.
• datastreams: Changed DSM processor error logs to debug logs for a statement which is retried. If all retries fail, the stack trace is included
• internal: This fix resolves an issue where importing the ddtrace.internal.peer_service module would fail raising an ImportError
• starlette: Fix a bug that crashed background tasks started from functions without a __name__ attribute
• Vulnerability Management for Code-level (IAST): This fix addresses an issue where tainting objects may fail due to context not being created in the current span.
• Vulnerability Management for Code-level (IAST): Some native exceptions were not being caught correctly by the python tracer.
  This fix remove those exceptions to avoid fatal error executions.
• kafka: This fix resolves an issue where an empty message list returned from consume calls could cause crashes in the Kafka integration.
  Empty lists from consume can occur when the call times out.

---

v2.7.6

Compare Source

Bug Fixes

• Profiling: This fix resolves an issue where the profiler was forcing protobuf to load in injected environments,
  causing crashes in configurations which relied on older protobuf versions. The profiler will now detect when injection is used and try loading with the native exporter. If that fails, it will self-disable rather than loading protobuf.

---

v2.7.5

Compare Source

New Features

• kafka: Adds tracing and DSM support for confluent_kafka.Consumer.consume(). Previously only confluent_kafka.Consumer.poll was instrumented.

Bug Fixes

• ASM: always clear the DDWaf context at the end of the span to avoid gc-induced latency spikes at the end of some requests.
• internal: This fix resolves an issue where importing the ddtrace.contrib.botocore.services module would fail raising an ImportError
• setuptools_scm version: Updates the setuptools_scm versioning method to "guess-next-dev" from "release-branch-semver", which was affecting the CI
• structlog: Fixes error where multiple loggers would duplicate processors. Also adds processors injection when resetting to defaults.

---

v2.7.4: 2.7.4

Compare Source

Bug Fixes

• ASM: This fix resolves an issue where a valid user may trigger a failed login event.
• propagation: This fix resolves an issue where the sampling decision-maker tag in tracestate propagation headers was clobbered by a default value.
• langchain: Ensures langchain vision APIs are correctly instrumented
• ASM: This fix resolves an issue where the asgi middleware could crash with a RuntimeError "Unexpected message received".
• kafka: This fix resolves an issue where None messages from confluent-kafka could cause crashes in the Kafka integration.

v2.7.3: 2.7.3

Compare Source

Bug Fixes

• otel: Ensures that the last datadog parent_id is added to w3c distributed tracing headers generated by the OpenTelemetry API.
• internal telemetry: Ensures heartbeat events are sent at regular intervals even when no other events are being sent.
• Fix an incompatibility between the handling of namespace module imports and parts of the functionalities of the standard library importlib module.
• Fix for the declaration of dependencies for the package.
• appsec: This fix resolves an issue in which the library attempted to finalize twice a context object used by the Application Security Management product.
• profiling: This fixes a free(): invalid pointer error which would arise as a result of incorrectly linking the C++ runtime.

v2.7.2: 2.7.2

Compare Source

Bug Fixes

• profiling: handle unexpected stack data to prevent the profiler from stopping.
• profiling: implement an experimental stack sampling feature, which can be enabled by setting DD_PROFILING_STACK_V2_ENABLED=true. This new sampler should resolve segfault issues on Python 3.11 and later, while also decreasing the latency contribution of the profiler in many situations, and also improving the accuracy of stack-sampling data. This feature is currently only available on Linux using CPython 3.8 or greater. Requires DD_PROFILING_EXPORT_LIBDD_ENABLED=true to be set.
• ASM: This fix resolves an issue with Flask instrumentation causing CPU leak with ASM, API Security and Telemetry enabled.
• starlette: Ensures correct URL tag is set for starlette v0.34.0 and above.

v2.7.1

Compare Source

Bug Fixes

• Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters
• logging: This fix resolves an issue where tracer.get_log_correlation_context() incorrectly returned a 128-bit trace_id even with DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED set to False (the default), breaking log correlation. It now returns a 64-bit trace_id.
• profiling: Fixes a defect where the deprecated path to the Datadog span type was used by the profiler.

---

v2.7.0: 2.7.0

Compare Source

New Features

• asgi: Trace websockets in asgi middleware behind feature flag. Set DD_ASGI_TRACE_WEBSOCKET=true to enable.
• tracing: Span and trace sampling rules are case insensitive.
• tracing: Tags provided in span and trace sampling rules now attempt to match against span._metrics in addition to span._meta, which was previously the only supported field.
• dbm: adds new ddh and dddb SQL comment attributes to enable connection with APM when using peer.service.
• tracing: Updates DD_TRACE_METHODS to use a new notation with : to differentiate between the base module and the method name (mymod.mysubmod:myclass.myfunc,myclass.otherfunc;...)
• tracing: This adds the Datadog-Entity-ID header to payloads sent to the Datadog Agent. This header can be set to the container ID or the container's cgroup node inode, and serves as a unique identifier for containers running under Linux cgroupv2.
• tracing: This introduces Glob matching support for service, name, and resource passed in with envar DD_TRACE_SAMPLE_RULES. Previously, the service, name, and resource were matched using exact string matching.
• lib-injection: Adds supports for installing ddtrace via single step instrumentation on python3.12

Deprecation Notes

• tracing: Using [] for DD_TRACE_METHODS (mymod.mysubmod.myclass[myfunc,otherfunc];...) is deprecated and will be removed in 3.0.0.
• This deprecates the passing in of methods or regex patterns for service, name, and resource for sampling rules. Please use the new Glob matching support instead.

Bug Fixes

• Vulnerability Management for Code-level (IAST): This fix addresses an issue where AST patching would generate code that fails to compile, thereby preventing the application from starting correctly.
• Vulnerability Management for Code-level (IAST): This fix addresses AST patching issues where other subscript operations than Load were being unintentionally patched, leading to compilation errors for the patched module.
• Vulnerability Management for Code-level (IAST): This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1.
• tracing: This fix resolves an issue where previously some traces that were not sampled were not sent to the trace-agent, possibly affecting metrics. With this fix, all traces are sent to the agent.
• IAST: fix potentially empty ranges after executing the decode aspect.
• CI Visibility: fixes issues with pytest~=8.0 that would case crashes in certain scenarios, and returned different module names
• CI Visibility: fix a potential crash for Python<3.10 when a socket.timeout error was raised instead of the expected TimeoutError during CI Visibility API requests
• CI Visibility: This fix makes the CI Visibility system resilient to RuntimeErrors that can occur between pytest tests with coverage enabled.
• IAST: don't patch BytesIO since we don't have any aspects for it.
• tracing: This fix resolves an issue where the tracer could throw an uncaught error during process shutdown.
• botocore: Fixes bug where SQS and Kinesis results and errors were not recorded when DD_BOTOCORE_EMPTY_POLL_ENABLED=false. config.botocore.empty_poll_enabled=false and no records were found.
• profiling: fixes an issue that could have caused the profiler to stop if unable to determine the class name of a profiled function with CPython 3.11 and newer.
• tracing: Resolves telemetry import error raised when DD_INSTRUMENTATION_TELEMETRY_ENABLED is set to False.
• ASM: This fix resolves an issue where rules updated through remote config were not properly updating required waf addresses. This could lead to custom rules being ignored.
• ASM: This fix resolves an issue where remote config update in WAF policy from block attack tools policy to monitoring only policy could be ignored by tracer.
• Vulnerability Management for Code-level (IAST): Fixes an issue where requests stopped being analyzed after some time due.
• Vulnerability Management for Code-level (IAST): Fixes issues derived from AST patching code with type annotations.
• kafka: This fix resolves an issue where the use of a Kafka DeserializingConsumer could result in a crash when the deserializer in use returns a type without a __len__ attribute.

v2.6.12

Compare Source

Bug Fixes

• Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters

---

v2.6.11

Compare Source

Bug Fixes

• internal: This fix resolves an error regarding the remote config module with payloads missing a lib_config entry
• Code Security: Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with headers.items()) does not duplicate them.
• pymongo: this resolves an issue where the library raised an error in pymongo.pool.validate_session

---

v2.6.10

Compare Source

Bug Fixes

• ASM: This fix resolves an issue where django login failure events may send wrong information of user existence.
• Code Security: fix setting the wrong source on map elements tainted from taint_structure.
• datastreams: Changed DSM processor error logs to debug logs for a statement which is retried. If all retries fail, the stack trace is included
• Code Security: Fixes an issue where the AST patching process fails when the origin of a module is reported as None, raising a FileNotFoundError.
• CI Visibility: fixes an issue where tests were less likely to be skipped due to ITR skippable tests requests timing out earlier than they should
• internal: This fix resolves an issue where importing the ddtrace.contrib.botocore.services module would fail raising an ImportError
• starlette: Fix a bug that crashed background tasks started from functions without a __name__ attribute
• Code Security: Fixed an issue with AES functions from the pycryptodome package that caused the application to crash and stop.
• Code Security: This fix addresses an issue where tainting objects may fail due to context not being created in the current span.
• Code Security: Some native exceptions were not being caught correctly by the python tracer. This fix remove those exceptions to avoid fatal error executions.
• ASM: This fix removes unrequired API security metrics.
• structlog: Fixes error where multiple loggers would duplicate processors. Also adds processors injection when resetting to defaults.

---

v2.6.9

Compare Source

Bug Fixes

• propagation: This fix resolves an issue where the sampling decision-maker tag in tracestate propagation headers was clobbered by a default value.
• langchain: Ensures langchain vision APIs are correctly instrumented
• ASM: This fix resolves an issue where the asgi middleware could crash with a RuntimeError "Unexpected message received".
• kafka: This fix resolves an issue where None messages from confluent-kafka could cause crashes in the Kafka integration.

---

v2.6.8: 2.6.8

Compare Source

Bug Fixes

• internal telemetry: Ensures heartbeat events are sent at regular intervals even when no other events are being sent.
• Fix an incompatibility between the handling of namespace module imports and parts of the functionalities of the standard library importlib module.
• Fix for the declaration of dependencies for the package.
• profiling: handle unexpected stack data to prevent the profiler from stopping.
• appsec: This fix resolves an issue in which the library attempted to finalize twice a context object used by the Application Security Management product.

v2.6.7: 2.6.7

Compare Source

Bug Fixes

• ASM: This fix resolves an issue with Flask instrumentation causing CPU leak with ASM, API Security and Telemetry enabled.
• starlette: Ensures correct URL tag is set for starlette v0.34.0 and above.

v2.6.6: 2.6.6

Compare Source

Bug Fixes

• CI Visibility: fixes an issue where git author or committer names containing commas (eg: "Lastname, Firstname") would not work (and log an error) due to the use of comma as a separator.
• ASM: This fix resolves an issue where remote config update in WAF policy from block attack tools policy to monitoring only policy could be ignored by tracer.
• Vulnerability Management for Code-level (IAST): Addresses an issue where the IAST native module was imported even though IAST was not enabled.
• Vulnerability Management for Code-level (IAST): This fix addresses an issue where AST patching would generate code that fails to compile, thereby preventing the application from starting correctly.
• Vulnerability Management for Code-level (IAST): This fix addresses AST patching issues where other subscript operations than Load were being unintentionally patched, leading to compilation errors for the patched module.
• Vulnerability Management for Code-level (IAST): Fixes an issue where an atexit handler could lead to a segmentation fault.
• Vulnerability Management for Code-level (IAST): This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1.
• kafka: This fix resolves an issue where the use of a Kafka DeserializingConsumer could result in a crash when the deserializer in use returns a type without a __len__ attribute.

v2.6.5: 2.6.5

Compare Source

Bug Fixes

• Vulnerability Management for Code-level (IAST): fix potentially empty ranges after executing the decode aspect.
• Vulnerability Management for Code-level (IAST): Fixes an issue where requests stopped being analyzed after some time due.

v2.6.4: 2.6.4

Compare Source

Bug Fixes

• CI Visibility: fixes issues with pytest~=8.0 that would case crashes in certain scenarios, and returned different module names
• CI Visibility: fix a potential crash for CPython<3.10 when a socket.timeout error was raised instead of the expected TimeoutError during CI Visibility API requests
• profiling: fixes an issue that could have caused the profiler to stop if unable to determine the class name of a profiled function with CPython 3.11 and newer.

v2.6.3: 2.6.3

Compare Source

Bug Fixes

• tracing: This fix resolves an issue where previously some traces that were not sampled were not sent to the trace-agent, possibly affecting metrics. With this fix, all traces are sent to the agent.
• ASM: This fix resolves an issue where rules updated through remote config were not properly updating required waf addresses. This could lead to custom rules being ignored.

v2.6.2: 2.6.2

Compare Source

Bug Fixes

• botocore: Fixes bug where SQS and Kinesis results and errors were not recorded when DD_BOTOCORE_EMPTY_POLL_ENABLED=false. config.botocore.empty_poll_enabled=false and no records were found.
• tracing: Resolves telemetry import error raised when DD_INSTRUMENTATION_TELEMETRY_ENABLED is set to False.

v2.6.1

Compare Source

Bug Fixes

• Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters

---

v2.6.0

Compare Source

Upgrade Notes

• CI Visibility: DD_CIVISIBILITY_ITR_ENABLED now defaults to true, and the Datadog API (configured via the Datadog dashboard) now determines whether code coverage and test skipping are enabled.
• CI Visibility: the CI Visibility service is no longer enabled when the initial query to the Datadog test service settings API fails due to a 403 status code.

New Features

• botocore: Adds optional feature to propagate context between producers and consumers for AWS SQS, AWS SNS, and AWS Kinesis via DD_BOTOCORE_PROPAGATION_ENABLED environment variable. Adds optional feature to disable tracing of AWS SQS poll() operation and AWS Kinesis 'get_records()' operation when no data is consumed via DD_BOTOCORE_EMPTY_POLL_ENABLED environment variable.

• tracing: Adds new tag python_main_package containing the name of the main package of the application. profiling: Adds new tag python_main_package containing the name of the main package of the application.

• ASM: API Security schema collection is now officially supported for Django, Flask and FastAPI. It can be enabled in the tracer using environment variable DD_API_SECURITY_ENABLED=true It will only be active when ASM is also enabled.

• elasticsearch: This allows custom tags to be set on Elasticsearch spans via the Pin interface.

• botocore: This introduces tracing support for bedrock-runtime operations.
  See the docs for more information.

• datastreams: this change adds kombu auto-instrumentation for datastreams monitoring. tracing: this change adds the DD_KOMBU_DISTRIBUTED_TRACING flag (default True)

• Vulnerability Management for Code-level (IAST): Add support for CMDi in langchain.

• botocore: Add the ability to inject trace context into the input field of botocore stepfunction start_execution and start_sync_execution calls.

• Removes another place where we always load instrumentation telemetry, even if it is disabled

• tracing: This introduces the ability to disable tracing at runtime based on configuration values sent from the Datadog frontend. Disabling tracing in this way also disables instrumentation telemetry.

• tracing: Adds support for remote configuration of DD_TRACE_HEADER_TAGS

• tracing: Add support for remote configuration of trace-logs correlation.

• grpc/grpc_aio: reports the available target host in client spans as network.destination.ip if only an IP is available, peer.hostname otherwise.

• span: Adds a public api for setting span links

• starlette,fastapi: Trace background tasks using span links

Bug Fixes

• ASM: This fix resolves an issue where an exception would be logged while parsing an empty body JSON request.

• CI Visibility: fixes an issue where coverage data for suites could be lost for long-running test sessions, reducing the possibility of skipping tests when using the Intelligent Test Runner.

• IAST: Don't split AST Assign nodes since it's not needed for propagation to work.

• ASM: This fix resolves an issue where suspicious request blocking on request data was preventing API Security to collect schemas in FastAPI, due to route not being computed.

• ASM: This fix resolves an issue where ASM custom blocking actions with a redirect action could cause the server to drop the response.

• Fixed an incompatible version requirements for one of the internal dependencies that could have caused an exception to be raised at runtime with Python 3.12.

• data_streams: Thi

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Deployment Summary

• backend_url: https://pr-7100-backend.rdev.single-cell.czi.technology
• frontend_url: https://pr-7100-frontend.rdev.single-cell.czi.technology
• delete_db_task_definition_arn: arn:aws:ecs:us-west-2:***:task-definition/dp-rdev-pr-7100-deletion:1
• migrate_db_task_definition_arn: arn:aws:ecs:us-west-2:***:task-definition/dp-rdev-pr-7100-migration:1