dependabot[bot]
@dependabot dependabot bot commented on behalf of github Dec 16, 2024

Bumps ddtrace from 2.13.0 to 2.17.3.

Release notes

Sourced from ddtrace's releases.

2.17.3

Bug Fixes

  • SCA:

    • Ensure that Telemetry heartbeats are not skipped for forked processes, as doing so could result in the dependency list being lost over time.
  • Celery:

    • This fix resolves two issues with context propagation in celery:
        1. Invalid span parentage when task A calls task B async and task A errors out, causing A's queuing of B, and B itself to not be parented under A.
        2. Invalid context propagation from client to workers, and across retries, causing multiple traces instead of a single trace.
  • Code Security:

    • This fix resolves a patching issue with psycopg3.
    • This fix resolves an issue where the modulo (%) operator would not be replaced correctly for bytes and bytearray if IAST is enabled.
    • Ensure IAST SSRF vulnerability redacts the url query parameters correctly.
  • Profiling:

    • Updates setup.py to ignore int-ptr conversion warnings for the profiler stack.pyx file. This is important because gcc 14 makes these conversions an error, alpine 3.21.0 ships with gcc 14, and any patch version of a Python alpine image cut after December 5th, 2024, will have this issue.

2.17.2

Bug Fixes

  • ASM

    • Ensures that common patches for exploit prevention and SCA are only loaded if required, and only loaded once.
  • LLM Observability

    • Ensures bedrock spans are finished even when streamed responses are not fully consumed.
    • Fixes an issue where decorators were not tracing generator functions properly.
  • Tracing

    • botocore: Resolves an issue in the Bedrock integration where not consuming the full response stream would prevent spans from finishing.
    • celery: Changes celery out.host span tag to point towards broker host url instead of local celery process hostname. Fixes inferred service representation issues when using celery.
    • grpcaio: Resolves a concurrency bug where distributed tracing headers were overwritten resulting in spans being assigned to the wrong trace.

2.17.1

Bug Fixes

  • ASM
    • Resolves an issue where some root spans were not appropriately tagged for ASM standalone.
  • Code Security
    • Patches the module dir function so original pre-patch results are not changed.
  • Tracing
    • Resolves an issue where the default versions of click and jinja2 installed on 3.8 were outside of the allowed minimum versions for autoinstrumentation.

2.17.0

New Features

  • ASM

    • Support added for session fingerprints.
  • LLM Observability

... (truncated)

Changelog

Sourced from ddtrace's changelog.

Changelog

Changelogs for versions not listed here can be found at https://github.com/DataDog/dd-trace-py/releases


2.17.2

Bug Fixes

  • ASM

    • Ensures that common patches for exploit prevention and SCA are only loaded if required, and only loaded once.
  • LLM Observability

    • Ensures bedrock spans are finished even when streamed responses are not fully consumed.
    • Fixes an issue where decorators were not tracing generator functions properly.
  • Tracing

    • botocore: Resolves an issue in the Bedrock integration where not consuming the full response stream would prevent spans from finishing.
    • celery: Changes celery out.host span tag to point towards broker host url instead of local celery process hostname. Fixes inferred service representation issues when using celery.
    • grpcaio: Resolves a concurrency bug where distributed tracing headers were overwritten resulting in spans being assigned to the wrong trace.

2.17.1

Bug Fixes

  • ASM
    • Resolves an issue where some root spans were not appropriately tagged for ASM standalone.
  • Code Security
    • Patches the module dir function so original pre-patch results are not changed.
  • Tracing
    • Resolves an issue where the default versions of click and jinja2 installed on 3.8 were outside of the allowed minimum versions for autoinstrumentation.

2.17.0

New Features

  • ASM

    • Support added for session fingerprints.
  • LLM Observability

    • When not using a provider integration (OpenAI, Anthropic, or Bedrock) with the LangChain integration, token metrics will be appended to the LLM Observability llm span.
    • LLM Observability: When langchain's chat_model.with_structured_output(..., method="json_mode") is used, or response_format={"type": "json_object"} is passed into a langchain chat model invocation, the LLM Observability span will be an llm span instead of a workflow span.
  • SSI

    • Adds requirements.json to SSI artifact for bailing out on unsupported systems.

... (truncated)

Commits
  • bd30bbe fix(setup): suppress int-ptr conversion errors for stack profiler v1 [backpor...
  • 69cd420 fix: don't skip heartbeats for forked processes [backport 2.17] (#11637)
  • 72efe18 chore(telemetry): fixes namespace for span pointer metric [backport 2.17] (#1...
  • 27326af fix(celery): handle upstream celery patch and propagation during an e… [backp...
  • bfd0feb ci(test): make serverless tests mandatory again [backport 2.17] (#11626)
  • 48ee0c0 fix(iast): fix propagation error in modulo operator [backport 2.17] (#11600)
  • bcbccc6 fix(iast): add psycopg and psycopg2 to denylist [backport 2.17] (#11595)
  • e3d245a fix(iast): ssrf vulnerability redacts the url query parameters correctly [bac...
  • 44f2e46 ci(asm): fix fastapi tests [backport 2.17] (#11587)
  • 7b66061 chore(ci): update to run gitlab test suites on any lockfile change [backport ...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [ddtrace](https://github.com/DataDog/dd-trace-py) from 2.13.0 to 2.17.3.
- [Release notes](https://github.com/DataDog/dd-trace-py/releases)
- [Changelog](https://github.com/DataDog/dd-trace-py/blob/main/CHANGELOG.md)
- [Commits](DataDog/dd-trace-py@v2.13.0...v2.17.3)

---
updated-dependencies:
- dependency-name: ddtrace
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 16, 2024
dependabot bot commented on behalf of github Dec 23, 2024

Superseded by #239.

@dependabot dependabot bot closed this Dec 23, 2024
@dependabot dependabot bot deleted the dependabot/pip/ddtrace-2.17.3 branch December 23, 2024 19:07