chore(deps): update weaver crates to v0.23.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
weaver_common	workspace.dependencies	minor	v0.21.2 → v0.23.0
weaver_forge	workspace.dependencies	minor	v0.21.2 → v0.23.0
weaver_resolved_schema	workspace.dependencies	minor	v0.21.2 → v0.23.0
weaver_resolver	workspace.dependencies	minor	v0.21.2 → v0.23.0
weaver_semconv	workspace.dependencies	minor	v0.21.2 → v0.23.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

open-telemetry/weaver (weaver_common)

v0.23.0: 0.23.0 - 2026-04-22

Compare Source

Release Notes

• New feature (#​1247, #​1248) - .weaver.toml project configuration file for live-check. Covers all live-check CLI flags plus [[live_check.finding_filters]] for dropping findings by ID, minimum level, sample name, and signal type. CLI flags take precedence over config values. Use --config or auto-discovery from CWD. (#​1256 by @​jerbly)
• Fix attribute catalog sorting for attributes with the same key when converting from v1 to v2 catalog. (#​1359 by @​michaelvanstraten)
• Fix (#​1323) - Live-check: treat observed int as compatible with expected double attribute type, avoiding false violations from OTLP serializers (e.g. JS) that emit int_value for integral numbers. (#​1331 by @​jerbly)
• Fix CLI so it doesn't error out early when loading a resolved schema. (#​1304 by @​jsuereth)
• 💥 BREAKING CHANGE 💥 Use schema_url to track registries consistently in lineage / provenance (#​1298 by @​jsuereth)
• Publish and document missing JSON schemas. Add head_schema_url/baseline_schema_url to diff v2. (#​1106 by @​lmolkova)
• Add --allow-git-credentials global flag to enable system credential helpers (e.g. osxkeychain, git-credential-manager) when cloning private registries. By default, git operations remain isolated for security. (#​1306 by @​jerbly)
• MCP: Add browse_namespace tool and findings_only output mode for live_check. Add configurable namespace separator via --namespace-separator. (#​1324 by @​jerbly)
• chore(deps): update all patch versions. (#​1379 by @​renovate[bot])
• Remove vendored openssl dependency. (#​1380 by @​sapatrjv)

Install weaver 0.23.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/open-telemetry/weaver/releases/download/v0.23.0/weaver-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/open-telemetry/weaver/releases/download/v0.23.0/weaver-installer.ps1 | iex"

Download weaver 0.23.0

File	Platform	Checksum
weaver-aarch64-apple-darwin.tar.xz	Apple Silicon macOS	checksum
weaver-x86_64-apple-darwin.tar.xz	Intel macOS	checksum
weaver-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
weaver-x86_64-pc-windows-msvc.msi	x64 Windows	checksum
weaver-aarch64-unknown-linux-gnu.tar.xz	ARM64 Linux	checksum
weaver-x86_64-unknown-linux-gnu.tar.xz	x64 Linux	checksum
weaver-aarch64-unknown-linux-musl.tar.xz	ARM64 MUSL Linux	checksum
weaver-x86_64-unknown-linux-musl.tar.xz	x64 MUSL Linux	checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo open-telemetry/weaver

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

v0.22.1: 0.22.1 - 2026-03-13

Compare Source

Release Notes

Note: 0.22.0 release was skipped due to release CI/CD issues.

• Fix: Update release workflow for pnpm migration (use pnpm lockfile instead of npm lockfile). (#​1289 by @​jerbly)
• Add support for git references in the registry url (#​182 by @​sebasnabas)
• New feature (#​1153) - Live-check now has a /health endpoint that can be used in long-running scenarios to confirm readiness and liveness of the live-check server. (#​1193 by @​jerbly)
• New feature (#​1100) - Set --output=http to have live-check send its report as the response to /stop. (#​1193 by @​jerbly)
• Unified output handling across all registry subcommands. Builtin output formats (json, yaml, jsonl) are now available in registry stats, registry diff, and registry resolve. registry stats also supports --templates for custom text output templates. (#​1200 by @​jerbly)
• New feature (#​1152) - Live-check with --emit-otlp-logs will now include the attributes from the resource in the emitted log record, this helps to identify the source of the finding in a multi-source environment. (#​1206 by @​jerbly)
• New Experimental feature: weaver registry infer command that listens for OTLP telemetry and infers a semantic convention registry file from the received data. Supports spans, metrics, events, and resource attributes. Includes configurable gRPC address/port, admin server for graceful shutdown, and inactivity timeout. (#​1138 by @​ArthurSens)
• Fix: Include unit in inferred schema even if empty to prevent live-check failures. (#​1284 by @​ArthurSens)
• Use schema_url in registry manifest, dependencies, and resolved schema instead of registry_url. Parse registry name and version
  from it. (#​1202 by @​lmolkova)
• Default to manifest.yaml for registry manifest file, deprecate registry_manifest.yaml and add warning when it's used. (#​1202 by @​lmolkova)
• 💥 BREAKING CHANGE 💥 (Fixes #​760) - Auto-escaping is now off by default (none) for all templates, regardless of file extension. To opt in, set auto_escape: html or auto_escape: json per template in weaver.yaml. Within a template, {% autoescape false %} blocks can selectively disable escaping for sections. Use |tojson for explicit JSON/YAML value escaping where needed. (#​1239 by @​jerbly)
• 💥 BREAKING CHANGE 💥 Replace version: "2" with file_format: definition/2 for v2 definition schema (#​1154 by @​lmolkova)
• Add JSON schema for resolved registry v2 (#​1261 by @​lmolkova)
• Add weaver registry package command to generate manifest and write resolved schema. (#​1254 by @​lmolkova)
• Fix: weaver registry package command not producing output due to warnings. (#​1271 by @​lmolkova)
• Update JSON Schema v2 to include file_format (#​1262 by @​lmolkova)
• Add JSON schema for PolicyFinding, make context field optional. (#​1270 by @​lmolkova)
• Deprecate weaver registry resolve command, please use weaver registry generate or package instead (#​1255 by @​lmolkova)
• Support imports for all signal types and public attribute groups in v2 registry. (#​1267 by @​jsuereth)
• Support refinements in v2 syntax: metric names, notes, etc. are now copied from the refined group. (#​1250 by @​jsuereth)
• Fix stability/ordering issues in v2 publishing; attributes are now sorted and deduplicated consistently. (#​1282 by @​jsuereth)
• Fix resolution for dependencies: both v1 and v2 resolution now returns the correct attribute from the right registry when using dependencies. (#​1280 by @​lmolkova)
• JQ helper v2 for spans: fixes and improvements. (#​1251 by @​lmolkova)
• Fix 404 on template-type attributes in the weaver serve API. (#​1240 by @​jerbly)
• New Experimental feature: weaver serve UI migrated to React. (#​1147 by @​nicolastakashi)

Install weaver 0.22.1

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/open-telemetry/weaver/releases/download/v0.22.1/weaver-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/open-telemetry/weaver/releases/download/v0.22.1/weaver-installer.ps1 | iex"

Download weaver 0.22.1

File	Platform	Checksum
weaver-aarch64-apple-darwin.tar.xz	Apple Silicon macOS	checksum
weaver-x86_64-apple-darwin.tar.xz	Intel macOS	checksum
weaver-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
weaver-x86_64-pc-windows-msvc.msi	x64 Windows	checksum
weaver-x86_64-unknown-linux-gnu.tar.xz	x64 Linux	checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo open-telemetry/weaver

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

v0.22.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 8am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[lalitb]

trying luck with copilot - @copilot - Can you fix these CI issues due to bump of weaver to 0.32.0:

--

Checking rustls-symcrypt v0.2.3
Checking typespec_client_core v0.14.0
Checking datafusion-common v53.1.0
Checking azure_identity v0.35.0
Checking weaver_common v0.23.0 (https://github.com/open-telemetry/weaver.git?tag=v0.23.0#3a3b7cc9)
Checking tonic-middleware v0.4.1
Checking jsonschema v0.46.4
Checking parquet v58.2.0
Checking datafusion-expr-common v53.1.0
Checking weaver_semconv v0.23.0 (https://github.com/open-telemetry/weaver.git?tag=v0.23.0#3a3b7cc9)
Checking sysinfo v0.38.4
Checking datafusion-physical-expr-common v53.1.0
Checking datafusion-functions-window-common v53.1.0
Checking datafusion-functions-aggregate-common v53.1.0
Checking datafusion-expr v53.1.0

error[E0004]: non-exhaustive patterns: &&ValidationErrorKind::RegexEngineFailure { .. } not covered
--> C:\Users\runneradmin.cargo\git\checkouts\weaver-718c120ef41f6c7b\3a3b7cc\crates\weaver_semconv\src\json_schema.rs:130:15
|
130 | match &error.kind() {
| ^^^^^^^^^^^^^ pattern &&ValidationErrorKind::RegexEngineFailure { .. } not covered
|
note: ValidationErrorKind defined here
--> C:\Users\runneradmin.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\jsonschema-0.46.4\src\error.rs:258:1
|
258 | pub enum ValidationErrorKind {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
271 | RegexEngineFailure { message: String },
| ------------------ not covered
= note: the matched value is of type &&ValidationErrorKind
help: ensure that all possible cases are being handled by adding a match arm with a wildcard pattern or an explicit pattern as shown
|
244 ~ format!("Error resolving $ref: {e}"),
245 ~ &&ValidationErrorKind::RegexEngineFailure { .. } => todo!(),
|

For more information about this error, try rustc --explain E0004.
error: could not compile weaver_semconv (lib) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
Error: Process completed with exit code 1.

[Copilot]

trying luck with copilot - @copilot - Can you fix these CI issues due to bump of weaver to 0.32.0:

--
...

Fixed in commit 9a4a70e.

The issue: jsonschema v0.46.4 added a new ValidationErrorKind::RegexEngineFailure variant, but the match in weaver_semconv v0.23.0's json_schema.rs doesn't cover it. The fix is already in the weaver main branch (e32047e).

Two changes were made:

1. Pinned the weaver dependencies to the main branch commit (rev = "e32047e...") instead of tag = "v0.23.0" — this includes the RegexEngineFailure fix
2. Updated our RegistryRepo::try_new call sites to use the new API (first arg changed from &str name → Option<SchemaUrl>, plus a new &mut Vec<Error> third parameter for non-fatal errors)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/open-telemetry/otel-arrow/commits/15371dc7
  • Triggering command: /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo check -p otap (http block)
• https://api.github.com/repos/open-telemetry/weaver/commits
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)
• https://api.github.com/repos/open-telemetry/weaver/tags
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.26%. Comparing base (d832988) to head (e01fdc6).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2922   +/-   ##
=======================================
  Coverage   86.26%   86.26%           
=======================================
  Files         715      715           
  Lines      272060   272061    +1     
=======================================
+ Hits       234690   234695    +5     
+ Misses      36846    36842    -4     
  Partials      524      524           

Components	Coverage Δ
otap-dataflow	87.23% <100.00%> (+<0.01%)	⬆️
query_abstraction	80.61% <ø> (ø)
query_engine	90.73% <ø> (ø)
otel-arrow-go	52.45% <ø> (ø)
quiver	92.25% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lalitb]

@copilot Also fix the fmt
Run cargo fmt --all -- --check
Diff in /home/runner/work/otel-arrow/otel-arrow/rust/otap-dataflow/crates/core-nodes/src/receivers/host_metrics_receiver/procfs/tests.rs:1413:
)),
});

• let registry_repo =

•    RegistryRepo::try_new(None, &registry_path, &mut vec![])
  

•        .expect("semantic convention registry");
  

• let registry_repo = RegistryRepo::try_new(None, &registry_path, &mut vec![])

•    .expect("semantic convention registry");
  

  let registry = match SchemaResolver::load_semconv_repository(registry_repo, false) {
  WResult::Ok(registry) | WResult::OkWithNFEs(registry, _) => registry,
  WResult::FatalErr(err) => panic!("failed to load semantic convention registry: {err}"),
  Error: Process completed with exit code 1.

[Copilot]

@copilot Also fix the fmt
Run cargo fmt --all -- --check
Diff in /home/runner/work/otel-arrow/otel-arrow/rust/otap-dataflow/crates/core-nodes/src/receivers/host_metrics_receiver/procfs/tests.rs:1413...

Fixed in commit 3b86aa8. The RegistryRepo::try_new call in procfs/tests.rs is now formatted to match cargo fmt output.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.