chore(deps): bump libdatadog to db05e1f #127
Merged
duncanista merged 1 commit into main from May 5, 2026
Pull request overview
This PR updates the workspace’s libdd-* git dependencies to a newer libdatadog revision (0a70516 → db05e1f...) to pick up upstream TLS feature gating and CI guard improvements, without requiring code changes in this repository.
Changes:
- Bumped `libdd-*` git `rev` pins to `db05e1f8408a76075efb37ecec544d2e74217e57` across the affected crates.
- Regenerated `Cargo.lock` to reflect the updated `libdatadog` git sources.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/datadog-trace-agent/Cargo.toml | Updates all libdd-* git rev pins used by the trace agent (and its dev-deps). |
| crates/datadog-serverless-compat/Cargo.toml | Updates libdd-trace-utils git rev pin used by the serverless compat binary. |
| crates/datadog-metrics-collector/Cargo.toml | Updates libdd-common git rev pin (with default-features = false preserved). |
| crates/datadog-agent-config/Cargo.toml | Updates libdd-trace-obfuscation / libdd-trace-utils git rev pins. |
| Cargo.lock | Updates resolved libdatadog git sources to the new revision. |
lym953 approved these changes May 5, 2026

duncanpharvey approved these changes May 5, 2026
duncanista added a commit to DataDog/datadog-lambda-extension that referenced this pull request May 5, 2026
…API (#1218)

## Summary

Bumps the `libdd-*` git revs in bottlecap from `c8121f42` (~v31.x) to `db05e1f8408a76075efb37ecec544d2e74217e57` (current libdatadog `main`), bumps the `dogstatsd` / `datadog-fips` revs to `5b68f50f49c9defbfed4d25bd621e2a86405a972` (current serverless-components `main`, which already sits on the same libdatadog `db05e1f`), and adapts bottlecap to the breaking changes that ship between those revs.

## What changed and why

### Upstream libdatadog changes that motivated this PR

- **DataDog/libdatadog#1555** *(feat: capability traits architecture for HTTP)* — replaced the raw `hyper` client API with an `HttpClientTrait` abstraction. `SendData::send` and `send_with_retry` now require `H: HttpClientTrait`, and `stats_utils::send_stats_payload_with_client` was removed in favor of a generic `send_stats_payload<H: HttpClientTrait>(…)` that constructs its own client.
- **`ObfuscationConfig` restructured** — flat fields (`http_remove_path_digits`, `obfuscate_memcached`, …) replaced with nested per-engine structs (`http: HttpConfig`, `memcached: MemcachedConfig`, `redis: RedisConfig`, plus `valkey`, `credit_cards`, `sql`, `elasticsearch`, `opensearch`, `mongodb`).
- **DataDog/libdatadog#1816 + #1872 + #1943** *(crypto provider gating)* — moved `ring` behind `libdd-common/https` and `aws-lc-rs` behind `libdd-common/fips`, then progressively gated the internal crates (`libdd-trace-utils`, `libdd-trace-obfuscation`, `libdd-capabilities-impl`, `libdd-trace-stats`, `libdd-data-pipeline`, `libdd-dogstatsd-client`, `libdd-telemetry`) so downstream consumers can pick exactly one provider. **#1943 also added a workspace-wide CI guard** in libdatadog that rejects any PR which puts both `ring` and `aws-lc-rs` in the dep graph at the same time.

Other commits in the range (`c8121f42..db05e1f`) are sidecar / FFE / tracer-flare / telemetry changes that don't touch surfaces bottlecap consumes.

### Code changes in this PR

#### `bottlecap/src/traces/http_client.rs` — wrap the client to implement `HttpClientTrait`

The bottlecap HTTP client must keep proxy + custom CA + skip-SSL support (FIPS, `DD_PROXY_HTTPS`, `DD_TLS_CERT_FILE`, `DD_SKIP_SSL_VALIDATION`). The upstream `DefaultHttpClient` from `libdd-capabilities-impl` hardcodes `Connector::default()` and supports none of those — using it would be a regression.

So `HttpClient` is now a newtype around `GenericHttpClient<ProxyConnector<Connector>>` that implements `libdd_capabilities::HttpClientTrait`. The trait's `request()` maps `http::Request<Bytes>` → `Body::from_bytes(…)` → hyper request, then collects the response body back to `Bytes`. ~30 lines, reuses libdatadog's encoding/retry/header logic.

`HttpClientTrait::new_client()` is required by the trait but doesn't fit our model (we need a configured client, not a default). It now routes through `create_client(None, None, false)` so the failure surface is consistent with the rest of the module — and it's never invoked on production paths (we always go through `create_client(proxy, tls_cert, skip_ssl)`).

#### `bottlecap/src/traces/stats_flusher.rs` — inline the stats POST

The new `send_stats_payload<H: HttpClientTrait>(data, target, api_key)` calls `H::new_client()` internally — meaning callers can't supply a pre-configured client anymore. That would lose Lambda's `pool_max_idle_per_host(0)` tuning, which exists specifically to avoid stale connections after Lambda freeze/resume cycles. Replaced the removed call with a tiny in-module `send_stats_payload` helper that builds the same POST request (msgpack + gzip + `DD-API-KEY`) and invokes our `HttpClient`'s `request()` method directly.

Per Copilot review: each attempt is wrapped in `tokio::time::timeout(target.timeout_ms, …)` so the retry loop stays bounded by config, and the error-body capture is bounded to 512 bytes (lossy UTF-8) with the HTTP status surfaced in the message instead of silently emptying on non-UTF8 responses.

#### `bottlecap/src/bin/bottlecap/main.rs` — flatten → nested `ObfuscationConfig`

Maps the two HTTP fields we configure (`apm_config_obfuscation_http_remove_paths_with_digits`, `apm_config_obfuscation_http_remove_query_string`) into the new `HttpConfig`. Everything else flows through `..Default::default()`, which preserves the previous behavior (memcached/redis disabled).

#### `bottlecap/Cargo.toml` + `bottlecap/Cargo.lock`

- Bumps all `libdd-*` revs to `db05e1f` and `dogstatsd` / `datadog-fips` revs to `5b68f50` (serverless-components `main`).
- Adds `libdd-capabilities` (source of `HttpClientTrait`) and `http` (now used directly in `stats_flusher`) as direct dependencies.
- Sets `default-features = false` on all `libdd-*` deps and forwards `libdd-*/https` from bottlecap's `default` feature and `libdd-*/fips` from bottlecap's `fips` feature — the consumer-side pattern that #1872's description prescribed.

#### `bottlecap/LICENSE-3rdparty.csv`

Regenerated via `dd-rust-license-tool write` to include the new `libdd-capabilities` / `libdd-capabilities-impl` / `libdd-shared-runtime` / `http` entries.

## FIPS

Previously a known issue — the FIPS clippy job failed because `libdd-trace-stats` (and `libdd-data-pipeline`) pulled `libdd-capabilities-impl` with default features = `https = ring`, with no downstream-side workaround possible. **DataDog/libdatadog#1943 fixed this upstream**, and this PR now forwards `libdd-trace-stats/fips` from the `fips` feature. Verified locally:

```
$ cargo clippy --workspace --all-targets --no-default-features --features fips
warning: bottlecap@0.1.0: FIPS feature is enabled, checking for forbidden dependencies...
warning: bottlecap@0.1.0: No ring dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: No openssl dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: No boringssl dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: All dependency checks passed.
```

## Companion PRs (already merged)

- **DataDog/libdatadog#1943** — gates the internal libdatadog crates and adds the workspace-wide CI guard.
- **DataDog/serverless-components#127** — bumps the `dogstatsd` / `datadog-fips` source workspace to libdatadog `db05e1f`. This PR pins to its merge SHA `5b68f50`, so the whole chain (libdatadog → serverless-components → bottlecap) sits on a consistent baseline.

## Test plan

- [x] `cargo check --all-targets` (default features)
- [x] `cargo clippy --workspace --all-targets --features default`
- [x] `cargo clippy --workspace --all-targets --no-default-features --features fips` — FIPS dependency check now passes locally (was the long-standing CI blocker)
- [x] `cargo test --no-run`
- [x] `cargo fmt --all -- --check`
- [x] Production layer build via `ARCHITECTURE=arm64 FIPS=false ./scripts/build_bottlecap_layer.sh` — built successfully, binary 11.17 MiB stripped / layer zip 5.08 MiB (slightly smaller than `origin/main`'s 11.23 MiB / 5.11 MiB)
- [ ] End-to-end smoke test in a real Lambda environment
## Summary

Bumps the `libdd-*` git revs in this workspace from `0a70516` to `db05e1f8408a76075efb37ecec544d2e74217e57`. `db05e1f` is the merge commit of DataDog/libdatadog#1943, which gates `libdd-trace-stats`, `libdd-data-pipeline`, `libdd-dogstatsd-client`, and `libdd-telemetry`'s TLS features behind explicit `https`/`fips` switches (the four crates DataDog/libdatadog#1872 had missed) and adds a workspace-wide CI guard so the `ring + aws-lc-rs` co-existence regression cannot reland silently.

No code changes are required — this workspace's `datadog-trace-agent` already absorbed the v32 HttpClientTrait migration (`crates/datadog-trace-agent/src/trace_flusher.rs::ProxyHttpClient`). The bump is mechanical: 4 `Cargo.toml` revs + `Cargo.lock`.

## What changed and why

Updated `libdd-*` revs to `db05e1f` in:

- `crates/datadog-serverless-compat/Cargo.toml`
- `crates/datadog-metrics-collector/Cargo.toml`
- `crates/datadog-trace-agent/Cargo.toml`
- `crates/datadog-agent-config/Cargo.toml`
- `Cargo.lock` (regenerated via `cargo update --workspace`)

### Range covered by this bump (`0a70516..db05e1f`)

The notable upstream commit:

`default-features = false` on internal `libdd-capabilities-impl` edges in `libdd-trace-stats` and `libdd-data-pipeline`, and adds a `fips` feature on those plus `libdd-dogstatsd-client` and `libdd-telemetry`.

Net effect for this workspace: zero — neither this repo's `datadog-trace-agent` nor `datadog-metrics-collector` enables a `fips` flag through these crates today, so the existing `https`/`ring` path is unchanged.

## Companion PR

DataDog/datadog-lambda-extension#1218 bumps bottlecap to the same SHA and adds `libdd-trace-stats/fips` to its `fips` feature flag, which (together with #1943's upstream gates) finally turns its FIPS clippy CI green.

## Test plan

- `cargo check --workspace --all-targets`
- `cargo clippy --workspace --all-targets`
- `cargo fmt --all -- --check`
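
An added example, not code from this PR or from libdatadog's CI guard: a std-only Rust scan of `Cargo.lock` that flags `ring` and `aws-lc-rs` appearing together, and libdatadog packages resolving to more than one commit after a rev bump. The lock excerpt (placeholder versions, assumed repository URL) and the names `audit_lock`, `LockAudit` and `lock_ok` are assumptions made for illustration.

```rust
use std::collections::BTreeSet;

// Constructed Cargo.lock excerpt: versions are placeholders, the repo URL is assumed,
// and the rev is the one this PR pins.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "libdd-common"
version = "0.0.0"
source = "git+https://github.com/DataDog/libdatadog?rev=db05e1f8408a76075efb37ecec544d2e74217e57#db05e1f8408a76075efb37ecec544d2e74217e57"

[[package]]
name = "libdd-trace-utils"
version = "0.0.0"
source = "git+https://github.com/DataDog/libdatadog?rev=db05e1f8408a76075efb37ecec544d2e74217e57#db05e1f8408a76075efb37ecec544d2e74217e57"

[[package]]
name = "ring"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Crypto providers found, plus the distinct resolved libdatadog commits.
#[derive(Debug, Default)]
pub struct LockAudit { pub ring: bool, pub aws_lc_rs: bool, pub commits: BTreeSet<String> }

/// Line-based scan; assumes the standard `key = "value"` Cargo.lock layout.
pub fn audit_lock(lock: &str) -> LockAudit {
    let mut a = LockAudit::default();
    for line in lock.lines() {
        let Some((key, value)) = line.split_once(" = ") else { continue };
        let value = value.trim().trim_matches('"');
        match key.trim() {
            "name" => { a.ring |= value == "ring"; a.aws_lc_rs |= value == "aws-lc-rs"; }
            // Git sources end in `#<resolved commit>`.
            "source" if value.starts_with("git+") && value.contains("/libdatadog") => {
                if let Some((_, commit)) = value.rsplit_once('#') { a.commits.insert(commit.to_string()); }
            }
            _ => {}
        }
    }
    a
}

/// Passes with at most one crypto provider and a single libdatadog commit.
pub fn lock_ok(a: &LockAudit) -> bool { !(a.ring && a.aws_lc_rs) && a.commits.len() <= 1 }

fn main() {
    let a = audit_lock(SAMPLE_LOCK);
    println!("{a:?} ok={}", lock_ok(&a));
}
```

The scan reads the whole lockfile, so it reflects every feature combination Cargo resolved for the workspace rather than one build's active features.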