fix: widen opentelemetry pins to ~=1.42.0#6292

Merged
lucasgomide merged 2 commits into
mainfrom
luzk/bump-otel-pins
Jun 23, 2026

Conversation

@lucasgomide lucasgomide (Contributor) commented Jun 22, 2026

The ~=1.34.0 (>=1.34.0,<1.35.0) pin kept us on the unmaintained 1.34 line — last patched as 1.34.1 in June 2025; the resolver now lands on 1.42.1.

Note: Medium Risk
Touches the telemetry export stack used by crewai_core.telemetry, so OTLP behavior could shift across a large minor jump, but risk is limited to dependency pins and lock updates with no code changes.

Overview
Bumps OpenTelemetry dependency pins from ~=1.34.0 to ~=1.42.0 for opentelemetry-api, opentelemetry-sdk, and opentelemetry-exporter-otlp-proto-http in crewai-core and crewai pyproject.toml files.

The lockfile is refreshed so resolved versions move from 1.34.1 to 1.42.1 (including related OTLP/proto/semantic-convention packages). uv.lock also sets a concrete exclude-newer timestamp instead of the prior no-op placeholder.

No application or telemetry code changes—only dependency constraints and lock resolution.

Reviewed by Cursor Bugbot for commit 90e3b62.

Summary by CodeRabbit

  • Chores
    • Updated OpenTelemetry-related dependency constraints across the project, bumping opentelemetry-api, opentelemetry-sdk, and opentelemetry-exporter-otlp-proto-http from ~=1.34.0 to ~=1.42.0 to align with newer supported versions.

@corridor-security corridor-security Bot left a comment

Summary: This PR only widens OpenTelemetry dependency version constraints while retaining an upper major-version bound. No exploitable security vulnerabilities were identified in the reviewed changes.

Risk: Low risk. The change affects dependency resolution only and does not modify authentication, authorization, data handling, external request logic, or other security boundaries.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Walkthrough

In both lib/crewai/pyproject.toml and lib/crewai-core/pyproject.toml, the version specifiers for opentelemetry-api, opentelemetry-sdk, and opentelemetry-exporter-otlp-proto-http are changed from ~=1.34.0 to ~=1.42.0.

Changes

OpenTelemetry version bump (lib/crewai/pyproject.toml, lib/crewai-core/pyproject.toml): updates ~=1.34.0 to ~=1.42.0 for opentelemetry-api, opentelemetry-sdk, and opentelemetry-exporter-otlp-proto-http in both package manifests.

Suggested Reviewers

  • greysonlalonde
  • vinibrsl
Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately describes the main change: widening OpenTelemetry dependency version pins from 1.34.0 to 1.42.0 across multiple packages.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Skipped because CodeRabbit's high-level summary is enabled.

@greysonlalonde greysonlalonde left a comment

This breaks downstream :/

@cursor cursor Bot left a comment

@greysonlalonde could you point at what specifically breaks? The pyproject specifiers are getting wider here (~=1.34.0 only allowed 1.34.x; >=1.34.0,<2.0.0 allows everything 1.34.x plus newer minors), so any downstream that resolved against the old pin should still resolve against the new one.

The one observable behavior change is that uv.lock now resolves the OTel stack to 1.42.1 instead of 1.34.1. Is the breakage you're seeing:

  1. A sibling/internal package (e.g. crewai-enterprise, crewai-tools) that pins opentelemetry-* ~=1.34.0 and now conflicts on resolution?
  2. An actual API/runtime regression on 1.42.x that we missed?
  3. Something else (build/CI, transitive on protobuf, semantic-conventions 0.55b1→0.63b1, etc.)?

If you can share the failing repo + resolver/error output, we can decide between narrowing the upper bound (e.g. <1.43), pinning the lockfile back to 1.34.x while keeping the wider pyproject range, or reverting outright.

Posted on behalf of @lucasgomide

Sent by Cursor Automation: Address reviews
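The specifier arithmetic in the comment above, as an added example that is not part of this PR or of the crewai project: a small checker that expands PEP 440 compatible-release clauses (`~=`) into their `>=`/`<` bounds and lists which of a constructed set of candidate versions each pin discussed in this thread admits. It assumes plain numeric release versions (no pre-, post- or dev-segments), which is all the pins in this thread use.

```python
import re

# Constructed candidate set: the versions named in this thread plus a few
# neighbours, so the effect of each specifier is visible. Assumption: plain
# numeric releases only (no pre-/post-/dev- segments).
CANDIDATES = ["1.34.0", "1.34.1", "1.35.0", "1.42.0", "1.42.1", "1.43.0", "2.0.0"]

# Order matters: two-character operators must be tried before "<" and ">".
_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def _parse(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    # Pad with zeros so "1.35" and "1.35.0" compare equal, as PEP 440 requires.
    n = max(len(a), len(b))
    a2, b2 = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def expand_compatible(spec: str) -> list[str]:
    """'~=1.34.0' -> ['>=1.34.0', '<1.35']: the PEP 440 compatible-release rule
    drops the last segment and bumps the one before it for the upper bound."""
    m = _CLAUSE.match(spec.strip())
    if not m or m.group(1) != "~=":
        raise ValueError(f"not a compatible-release clause: {spec!r}")
    parts = _parse(m.group(2))
    if len(parts) < 2:
        raise ValueError("~= needs at least two release segments")
    prefix = list(parts[:-1])
    prefix[-1] += 1
    return [f">={m.group(2)}", "<" + ".".join(str(p) for p in prefix)]


def satisfies(spec_set: str, version: str) -> bool:
    """True if `version` is admitted by every comma-separated clause."""
    ver = _parse(version)
    clauses: list[str] = []
    for raw in spec_set.split(","):
        raw = raw.strip()
        clauses.extend(expand_compatible(raw) if raw.startswith("~=") else [raw])
    for clause in clauses:
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, c = m.group(1), _cmp(ver, _parse(m.group(2)))
        if not {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0,
                ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def admitted(spec_set: str, candidates=CANDIDATES) -> list[str]:
    return [v for v in candidates if satisfies(spec_set, v)]
```

Running `admitted` over `~=1.34.0`, `>=1.34.0,<2.0.0` and `~=1.42.0` shows why the old pin could never pick up 1.35+ fixes, why the intermediate range in the original PR title would have let the resolver float to any 1.x, and why the merged `~=1.42.0` pin is bounded to 1.42.x.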

@lucasgomide

Contributor Author

This breaks downstream :/

What exactly breaks? I will be happy to address whatever is wrong

The previous `~=1.34.0` pin kept us on the unmaintained 1.34 line — last patched as `1.34.1` in June 2025, eight minor releases behind upstream — and caused `_create_exp_backoff_generator` `ImportError` crashes in factory deployments where the OpenTelemetry Operator's injected init container shadows `opentelemetry.exporter.otlp.proto.common._internal` with >=1.35 while our `opentelemetry-exporter-otlp-proto-grpc==1.34.1` still imports the removed private symbol. Pinning to `~=1.42.0` tracks the current upstream stable line; the resolver now lands on 1.42.1 and our public OTel trace API usage is unaffected.

@lucasgomide lucasgomide force-pushed the luzk/bump-otel-pins branch from 911f4eb to 852fb48 Compare June 23, 2026 16:50

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 852fb48.

@lucasgomide lucasgomide changed the title fix: widen opentelemetry pins to >=1.34.0,<2.0.0 fix: widen opentelemetry pins to ~=1.42.0 Jun 23, 2026
@lucasgomide lucasgomide merged commit 7935391 into main Jun 23, 2026
57 checks passed
@lucasgomide lucasgomide deleted the luzk/bump-otel-pins branch June 23, 2026 18:51