chore(deps): bump ddtrace from 3.12.4 to 3.13.0

[dependabot]

Bumps ddtrace from 3.12.4 to 3.13.0.

Release notes

Sourced from ddtrace's releases.

3.13.0

Estimated end-of-life date, accurate to within three months: 08-2026 See the support level definitions for more information.

Deprecation Notes

• tracing: ddtrace.tracer.Pin is deprecated and will be removed in version 4.0.0. To manage configuration of the tracer or integrations please use environment variables.

New Features

• opentelemetry

  • Adds experimental support for exporting logs using the OTLP protocol. To enable this feature install the opentelemetry-otlp-exporter and set DD_LOGS_OTEL_ENABLED=true.
  • Ensures that ddtrace log injection is disabled when OpenTelemetry logs are enabled (DD_LOGS_OTEL_ENABLED=true).

• LLM Observability

  • Adds support for collecting tool definitions, tool calls and tool results in the Amazon Bedrock integration.
  • Adds support for collecting tool definitions, tool calls and tool results in the Google GenAI integration.
  • This introduces support for tool calls and tool results in LLMObs message annotations when using custom instrumentation. The LLMObs.annotate() method now accept input and output data with optional to ol_calls and tool_results fields for function calling scenarios.
  • Adds support for collecting tool definitions, tool calls and tool results in the OpenAI integration.
  • Adds support for collecting tool definitions, tool calls and tool results in the VertexAI integration.

• Django: Added the DD_DJANGO_ALWAYS_CREATE_DATABASE_SPANS config option (default: true).

  When enabled, the Django integration always generates a database span for every operation, even if the underlying database engine is already instrumented. This ensures complete coverage but may produce duplicat e spans and extra overhead.

  When disabled, spans are only created if the database engine is not instrumented.

  To avoid multiple spans per database call, we recommend disabling this option. DD_DJANGO_ALWAYS_CREATE_DATABASE_SPANS=false

• AAP

  • This introduces endpoint discovery for Flask applications. It allows the collection of API endpoints of a Flask application at startup.
  • This introduces endpoint discovery for FastAPI applications. It allows the collection of API endpoints of a FastAPI application at startup.

• Bug Fixes

• AAP: Fixes an issue where security signals would be incorrectly reported on an inferred proxy service instead of the current service.

• CI Visibility: This fix resolves an issue where the pytest plugin would hold a reference to test exceptions beyond the end of the test, preventing them from being garbage-collected and increasing memory usage.

• psycopg: This fix resolves a potential circular import with the psycopg3 contrib.

• internal: This fix resolves an issue where the tracer flare was not sent when DD_TRACE_AGENT_URL was not set, as the default URL was not used.

• tracing

  • Fixes issue with websocket.receive span not closing exactly when another websocket.receive span was opened.
  • Fixes duration of websocket handshake span such that the handshake span closes when the connection is upgraded.
  • Fix where websocket.close parent should be the handshake span when configuration is disabled.
  • Resolves an issue where calling ddtrace.trace.tracer.configure(...) resets the trace writer buffer, causing spans to be dropped.

• Code Security: Fixed a crash in the taint-aware modulo aspect when formatting SQLAlchemy objects whose __repr__ can raise (e.g., inside complex CASE expressions).

• LLM Observability: Properly parse DD_TAGS onto LLM Observability span events' tags.

• sampling

  • Fixed a bug where single span sampling rules were completely ignored when stats computation was enabled, causing all single-sampled spans to be dropped. Note that single span sampling is only used to override trace sampling decisions to keep a span where the trace will be dropped.
  • Removed automatic setting of local trace sampling rule tag (_dd.p.dm=-3) during distributed tracing header extraction.

... (truncated)

Changelog

Sourced from ddtrace's changelog.

Changelog

Changelogs for versions not listed here can be found at https://github.com/DataDog/dd-trace-py/releases

---

3.8.0

New Features

• LLM Observability: add processor capability to process span inputs and outputs. See usage documentation [here](https://docs.datadoghq.com/llm_observability/setup/sdk/python/#span-processing).
• CI Visibility: This introduces the ability to gzip the payload when using the evp proxy setup, incurring in less network bandwith consumption.
• Error Tracking: Introduces automatic reporting of handled exceptions. Enabling the feature will report handled exceptions to Error Tracking from the user code, the third party packages code, some specified modules or everything based on configuration. This feature can be controlled using two environment variables: - DD_ERROR_TRACKING_HANDLED_ERRORS=`allthird_party` - DD_ERROR_TRACKING_HANDLED_ERRORS_INCLUDE=`module1, module2, module3.submodule`
• Code Security: IAST support for langchain v0.1.0 and above.
• openai: This introduces tracing support for the OpenAI Responses endpoint.

Bug Fixes

• tracing: Fixes an issue where truncation of span attributes longer than 25000 characters would not consistently count the size of UTF-8 multibyte characters, leading to a unicode string is too large error.

• CI Visibility: This fix resolves an issue where the DD_CIVISIBILITY_ITR_ENABLED was not honored properly.

• tracing: Fixes a bug in distributed tracing where pickling ddtrace.trace.Context fails in coroutines. This regression was introduced in v3.7.0.

• CI Visibility: This fix resolves an issue where pytest-xdist would not exit with the proper status code if ATR was enabled.

• CI Visibility: This fix resolves an issue where ddtrace pytest plugin used with xdist would report test suites as failing even when all tests pass.

• profiling: fixed an issue in the SynchronizedSamplePool where pool could be null when calling into ddog_ArrayQueue_ functions, leading to segfaults in the uWSGI shutdown

• Code Security: IAST: Avoid excessive filtering of stacktrace locations when finding vulnerabilities. After this change, vulnerabilities that were previously discarded will now be reported. In particular, if they were found within code in site-packages or outside of the working directory.

• LLM Observability: Resolves an issue where spans and evaluation metrics were not being sent via Unix sockets.

• dynamic instrumentation: prevent an exception when trying to remove a probe that did not resolve to a valid source code location.

• kafka: This fix resolves an issue where message headers were sent to Kafka brokers that do not support them. Message headers are turned off when the Kafka server responds with UNKNOWN_SERVER_ERROR (-1).

• code origin for spans: fixes a performance issue with exit spans.

• profiling: improve performance of the memory profiler for large heaps. The memory profiler previously did a linear search of tracked allocations for every free, which scaled very poorly with large heaps. Switch to a fast hash map.

---

3.7.2

Bug Fixes

• CI Visibility: This fix resolves an issue where the DD_CIVISIBILITY_ITR_ENABLED was not honored properly.
• tracing: Fixes an issue where truncation of span attributes longer than 25000 characters would not consistently count the size of UTF-8 multibyte characters, leading to a unicode string is too large error.

---

3.7.1

Bug Fixes

... (truncated)

Commits

• 2c2e8d8 ci(llmobs): skip flaky tests hitting faulty endpoint [backport 3.13] (#14500)
• f0b82db chore(iast): add module to excluded imports in test_serverless.py (#14420)
• f10b79e fix(openai): handle empty mode values in azure openai streaming responses (#1...
• 04ae100 chore(CI): update system tests (#14431)
• 3ec641e chore(tracer): add forwarded ip header format support (#14418)
• 7c5fac0 fix(otel): disable log injection when otlp logs are used (#14427)
• fdd3934 chore: add debug logging for llm span type and openai operations (#14386)
• 189052f feat(llmobs): add toolcall and toolresults to messages (#14385)
• ff56508 ci: upgrade cibuildwheel==3.1.4 (#14410)
• bbba80e chore(build): stop setting universal for bdist_wheel (#14422)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #18680.