Remove pin on opentelemetry-instrumentation-logging #97

Closed
setu4993 opened this issue May 21, 2024 · 4 comments
Comments

@setu4993

setu4993 commented May 21, 2024

The package opentelemetry-instrumentation-logging is pinned to v0.39.0 which forces the use of opentelemetry-instrumentation packages with v0.39b. The instrumentation packages have a CVE that affects 0.39 (resolved in v0.41b): GHSA-5rv5-6h4r-h22v

Can the pin please be removed and the package updated to a more recent version?

@ralongit
Contributor

Hello @setu4993,
Thank you, we have upgraded the version (#92) from v0.390b to v0.45b0 in release v4.1.4 of the python handler.
We will leave the pin and keep the versions updated.

@setu4993
Author

Got it. Thanks. Curious about the reasoning behind keeping the versions pinned when OpenTelemetry follows semantic versioning.

It does seem that'd be stable.

@yotamloe
Contributor

Hi @setu4993

Thanks for bringing this up! We keep the version pinned mainly for stability and to avoid any surprises with automatic updates. It helps us ensure everything works smoothly and avoids any unexpected issues.

Pinning also helps us manage security risks better. We can thoroughly test updates before releasing them, ensuring no new security vulnerabilities are introduced.

Even though OpenTelemetry uses semantic versioning, pinning lets us control any potential conflicts and maintain a consistent experience.

Hope this helps! Let us know if you have more questions.

@setu4993
Author

Thanks for that context and engaging on this.

From the source I can see I don't think it's particularly risky, but I admit I don't have the complete picture.

I hope the Logz.io team will consider removing the pin in the future.

Regardless, given this is now updated to at least the current latest version, I'm going to close this issue.

Thanks, again, for jumping on this quickly and explaining your reasoning.
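The thread above turns on two things: whether an exact pin keeps a dependency inside an advisory's affected range, and what a pin does and does not guarantee compared with a compatible-release specifier. The script below is an added example, not code from this issue or from the logzio-python-handler project. It assumes the affected range exactly as the issue text gives it ("affects 0.39, resolved in v0.41b", so fixed in 0.41b0) rather than reading the advisory database, and it assumes, again from the issue text, that every package named opentelemetry-instrumentation* moves in lockstep, so a pin on the logging instrumentation decides the version of the whole family. The requirement lines it scans are constructed sample input.

```python
import re

# Added example, not the handler project's own code. The advisory id is quoted
# from the issue; the fixed-in version is an assumption derived from the issue
# text ("resolved in v0.41b"), not from the advisory database. The lockstep rule
# (one prefix covers the whole instrumentation family) is also taken from the issue.
ADVISORIES = [
    {"id": "GHSA-5rv5-6h4r-h22v",
     "package_prefix": "opentelemetry-instrumentation",
     "fixed_in": "0.41b0"},
]

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=)\s*([^\s;#]+)")


def version_key(text):
    """Sortable key for the subset of PEP 440 OpenTelemetry uses (X.Y, X.YbN, X.Y.Z).
    Release numbers are zero-padded so 0.39 == 0.39.0, and a pre-release sorts
    before the final release of the same number, as PEP 440 requires."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (4 - len(release))
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (9, 0)
    return (tuple(release), pre)


def parse_requirement(line):
    """Return (name, operator, version) for an exact pin or a floored requirement."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement: {line!r}")
    return m.group(1).lower(), m.group(2), m.group(3)


def check_requirements(lines, advisories=ADVISORIES):
    """Classify each requirement line against the advisories.

    '==' below the fix        -> 'vulnerable_pin'   (every install gets the bad version)
    '~=' or '>=' below the fix -> 'floor_vulnerable' (a resolver may pick the fix, but
                                                      this line alone does not guarantee
                                                      it; the lock file decides)
    otherwise                 -> 'ok'
    Returns a list of (name, operator, version, advisory_id_or_None, status).
    """
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, op, ver = parse_requirement(line)
        hit = None
        for adv in advisories:
            if name.startswith(adv["package_prefix"]) and \
                    version_key(ver) < version_key(adv["fixed_in"]):
                status = "vulnerable_pin" if op == "==" else "floor_vulnerable"
                hit = (name, op, ver, adv["id"], status)
                break
        findings.append(hit or (name, op, ver, None, "ok"))
    return findings


# Constructed sample: the pin the issue reports, the pin after release v4.1.4,
# and a compatible-release line for comparison. Not taken from any real file.
SAMPLE_REQUIREMENTS = [
    "opentelemetry-instrumentation-logging==0.39b0",
    "opentelemetry-instrumentation-logging==0.45b0",
    "opentelemetry-instrumentation-logging~=0.39b0",
    "requests>=2.31",
]

if __name__ == "__main__":
    for name, op, ver, adv, status in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}{op}{ver}: {status}" + (f" ({adv})" if adv else ""))
```

The point the output makes is the one both sides of the thread are circling: an exact pin is what made the affected version reachable at all, while a floored or compatible-release specifier only moves the decision to the resolver and lock file, so neither form replaces re-running a check like this whenever the pinned version or the advisory list changes.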

3 participants