Replace custom Loki HTTP push with native OpenTelemetry OTLP exporter

[Copilot]

The Next.js app was pushing logs to Loki via a custom fetch implementation. This replaces it with the OpenTelemetry Logs API using native OpenTelemetry SDK packages.

Changes

• Replaced @vercel/otel: Removed vendor-specific package and replaced with native @opentelemetry/sdk-node, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/resources, and @opentelemetry/semantic-conventions
• Instrumentation: Configured NodeSDK for traces and LoggerProvider for logs in instrumentation.ts, sending traces to {OTEL_EXPORTER_OTLP_ENDPOINT}/v1/traces and logs to {OTEL_EXPORTER_OTLP_ENDPOINT}/v1/logs
• Logging module: Created otel.ts that emits logs via OTel API with severity mapping (info/warn/error → SeverityNumber)
• API compatibility: log.info(), log.warn(), log.error() remain unchanged; now route to OTel instead of Loki
• Cleanup: Removed loki.ts and LOKI_* environment variables

Implementation

// instrumentation.ts - native NodeSDK for traces and logs
const resource = new Resource({
  [ATTR_SERVICE_NAME]: "sam",
  [ATTR_SERVICE_VERSION]: "1.0.0",
});

const sdk = new NodeSDK({
  resource,
  traceExporter: new OTLPTraceExporter({
    url: `${env.OTEL_EXPORTER_OTLP_ENDPOINT}/v1/traces`,
  }),
  instrumentations: [new PrismaInstrumentation()],
});

const loggerProvider = new LoggerProvider({ resource });
loggerProvider.addLogRecordProcessor(
  new BatchLogRecordProcessor(
    new OTLPLogExporter({
      url: `${env.OTEL_EXPORTER_OTLP_ENDPOINT}/v1/logs`,
    }),
  ),
);

// otel.ts - emit logs with attributes preserved
const logger = loggerProvider.getLogger("sam", "1.0.0");
logger.emit({
  severityNumber: getSeverityNumber(level),
  body: message,
  attributes: { host, commitSha, stack, ...attributes },
});

Traces and logs are batched and sent to any OTLP-compatible backend when ENABLE_INSTRUMENTATION=true. Uses pure OpenTelemetry packages with no vendor lock-in.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Replace custom Loki push to OTel</issue_title>
<issue_description>For the Next.js-app only:
Replace the custom fetch request of the logging module for pushing to Loki with an OTel integration. Make use of the existing OTel instrumentation if possible (see instrumentation.ts).</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Replace custom Loki push to OTel #1875

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
sam	Ignored		Jan 19, 2026 5:19pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	openpgp@​5.11.1
	esbuild@​0.25.2 ⏵ 0.25.0
	esbuild@​0.25.2 ⏵ 0.27.2			+1
	@​types/​web-push@​3.6.4
	@​types/​aws-lambda@​8.10.147
	@​types/​aws-lambda@​8.10.159
	web-push@​3.6.7
	@​types/​node@​16.18.11 ⏵ 22.13.10
	prettier-plugin-organize-imports@​4.3.0
	@​react-email/​components@​0.0.33
	@​prisma/​adapter-pg@​6.19.1
	@​react-email/​render@​1.0.5
	@​prisma/​client@​6.17.1
	@​paralleldrive/​cuid2@​3.0.6
	react-email@​3.0.7
	@​openpgp/​web-stream-tools@​0.1.3
	@​opentelemetry/​resources@​2.2.0 ⏵ 2.4.0
	dotenv@​16.4.7
	serialize-error@​11.0.3
	serialize-error@​12.0.0
	aws-xray-sdk-core@​3.12.0
	typescript@​4.9.5 ⏵ 5.8.2	+1
	typescript@​4.9.5 ⏵ 5.9.3	+1
	prettier@​3.7.4
	mailgun.js@​12.0.1
	@​opentelemetry/​api-logs@​0.208.0 ⏵ 0.210.0
	@​opentelemetry/​semantic-conventions@​1.32.0 ⏵ 1.39.0	+1			+6
	@​biomejs/​biome@​1.9.4
	@​opentelemetry/​exporter-trace-otlp-http@​0.210.0
	@​opentelemetry/​sdk-node@​0.210.0
	@​opentelemetry/​exporter-logs-otlp-http@​0.210.0
	@​opentelemetry/​sdk-logs@​0.208.0 ⏵ 0.210.0	+1		+6
See 8 more rows in the dashboard

View full report

[simonknittel]

@copilot Replace @vercel/otel with the original OTel packages instead of this vendor-specific one

[Copilot]

@copilot Replace @vercel/otel with the original OTel packages instead of this vendor-specific one

Replaced @vercel/otel with native OpenTelemetry packages. Now using @opentelemetry/sdk-node with NodeSDK for traces and the standard OTel APIs for logs. Changes in commits 88ea369 and 99a5b2b.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkpoint.prisma.io
  • Triggering command: /usr/local/bin/node /usr/local/bin/node /home/REDACTED/work/sam/sam/app/node_modules/prisma/build/child {"product":"prisma","version":"6.6.0","cli_install_type":"local","information":"","local_timestamp":"2026-01-18T21:57:15Z","project_hash":"f258a905","cli_path":"/home/REDACTED/work/sam/sam/app/node_modules/.bin/prisma","cli_path_hash":"4c49c952","endpoint": (dns block)
  • Triggering command: /usr/local/bin/node /usr/local/bin/node /home/REDACTED/work/sam/sam/app/node_modules/prisma/build/child {"product":"prisma","version":"6.6.0","cli_install_type":"local","information":"","local_timestamp":"2026-01-18T21:57:16Z","project_hash":"f258a905","cli_path":"/home/REDACTED/work/sam/sam/app/node_modules/.bin/prisma","cli_path_hash":"4c49c952","endpoint": (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR migrates the Next.js app's logging infrastructure from a custom Loki HTTP implementation to the OpenTelemetry (OTel) standard. The change enables vendor-agnostic observability by using native OTel SDK packages instead of Vercel-specific tooling.

Changes:

• Replaced @vercel/otel with native OpenTelemetry SDK packages for traces and logs
• Created new otel.ts module that emits logs via the OTel Logs API with proper severity mapping
• Removed custom Loki HTTP push logic and associated environment variables

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
app/src/modules/logging/otel.ts	New module implementing OTel log emission with severity mapping and attribute handling
app/src/modules/logging/loki.ts	Deleted custom Loki HTTP push implementation
app/src/modules/logging/index.ts	Updated to use logToOTel instead of logToLoki, changed log functions from async to sync
app/src/instrumentation.ts	Replaced @vercel/otel registration with native NodeSDK configuration for traces and LoggerProvider for logs
app/src/env.ts	Removed LOKI_HOST, LOKI_AUTH_USER, and LOKI_AUTH_PASSWORD environment variables
app/package.json	Added native OTel packages and removed @vercel/otel dependency

Files not reviewed (1)

• app/package-lock.json: Language not supported

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Authorization Bypass in Next.js Middleware CVE: GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware (CRITICAL) Affected versions: >= 13.0.0 < 13.5.9; >= 14.0.0 < 14.2.25; >= 15.0.0 < 15.2.3; >= 11.1.4 < 12.3.5 Patched version: 15.2.3 From: ? → npm/react-email@3.0.7 → npm/next@15.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Next.js is vulnerable to RCE in React flight protocol CVE: GHSA-9qr9-h5gf-34mp Next.js is vulnerable to RCE in React flight protocol (CRITICAL) Affected versions: >= 14.3.0-canary.77 < 15.0.5; >= 15.1.0-canary.0 < 15.1.9; >= 15.2.0-canary.0 < 15.2.6; >= 15.3.0-canary.0 < 15.3.6; >= 15.4.0-canary.0 < 15.4.8; >= 15.5.0-canary.0 < 15.5.7; >= 16.0.0-canary.0 < 16.0.7 Patched version: 15.1.9 From: ? → npm/react-email@3.0.7 → npm/next@15.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/@react-email/render@1.0.5 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm safer-buffer is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: pnpm-monorepo/pnpm-lock.yaml → npm/openpgp@5.11.1 → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[Copilot]

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.

Files not reviewed (1)

• app/package-lock.json: Language not supported

[sonarqubecloud]

Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud