fix: upgrade OpenTelemetry OTLP deps to 0.209.0 to resolve protobufjs@7.5.5 vulnerability

Updates @opentelemetry OTLP exporter packages from 0.203.0 to 0.209.0
and their co-dependencies (core, resources, SDK packages) to matching
versions. This pulls in @opentelemetry/otlp-transformer@0.209.0 which
depends on protobufjs@8.0.0, resolving the protobufjs@7.5.5
vulnerability.

Affected packages:
  - packages/core/package.json     (10 deps bumped)
  - packages/cli-v3/package.json   (6 deps bumped)
  - apps/webapp/package.json       (12 deps bumped)
  - references/d3-chat/package.json (6 deps bumped)

Author: mdayan8

apps/webapp/package.json

@@ -70,23 +70,23 @@
     "@kapaai/react-sdk": "^0.1.3",
     "@lezer/highlight": "^1.1.6",
     "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/core": "2.0.1",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-metrics-otlp-proto": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
+    "@opentelemetry/api-logs": "0.209.0",
+    "@opentelemetry/core": "2.3.0",
+    "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "0.209.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
     "@opentelemetry/host-metrics": "^0.37.0",
-    "@opentelemetry/instrumentation": "0.203.0",
+    "@opentelemetry/instrumentation": "0.209.0",
     "@opentelemetry/instrumentation-aws-sdk": "^0.57.0",
     "@opentelemetry/instrumentation-express": "^0.52.0",
-    "@opentelemetry/instrumentation-http": "0.203.0",
+    "@opentelemetry/instrumentation-http": "0.209.0",
     "@opentelemetry/resource-detector-aws": "^2.3.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-logs": "0.203.0",
-    "@opentelemetry/sdk-metrics": "2.0.1",
-    "@opentelemetry/sdk-node": "0.203.0",
-    "@opentelemetry/sdk-trace-base": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
+    "@opentelemetry/resources": "2.3.0",
+    "@opentelemetry/sdk-logs": "0.209.0",
+    "@opentelemetry/sdk-metrics": "2.3.0",
+    "@opentelemetry/sdk-node": "0.209.0",
+    "@opentelemetry/sdk-trace-base": "2.3.0",
+    "@opentelemetry/sdk-trace-node": "2.3.0",
     "@opentelemetry/semantic-conventions": "1.36.0",
     "@popperjs/core": "^2.11.8",
     "@prisma/instrumentation": "^6.14.0",

packages/cli-v3/package.json

@@ -87,12 +87,12 @@
     "@depot/cli": "0.0.1-cli.2.80.0",
     "@modelcontextprotocol/sdk": "^1.25.2",
     "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/instrumentation": "0.203.0",
-    "@opentelemetry/instrumentation-fetch": "0.203.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
+    "@opentelemetry/api-logs": "0.209.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
+    "@opentelemetry/instrumentation": "0.209.0",
+    "@opentelemetry/instrumentation-fetch": "0.209.0",
+    "@opentelemetry/resources": "2.3.0",
+    "@opentelemetry/sdk-trace-node": "2.3.0",
     "@opentelemetry/semantic-conventions": "1.36.0",
     "@s2-dev/streamstore": "^0.22.5",
     "@trigger.dev/build": "workspace:4.5.0-rc.2",

packages/core/package.json

@@ -193,18 +193,18 @@
     "@google-cloud/precise-date": "^4.0.0",
     "@jsonhero/path": "^1.0.21",
     "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/core": "2.0.1",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-metrics-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
+    "@opentelemetry/api-logs": "0.209.0",
+    "@opentelemetry/core": "2.3.0",
+    "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "0.209.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
     "@opentelemetry/host-metrics": "^0.37.0",
-    "@opentelemetry/instrumentation": "0.203.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-logs": "0.203.0",
-    "@opentelemetry/sdk-metrics": "2.0.1",
-    "@opentelemetry/sdk-trace-base": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
+    "@opentelemetry/instrumentation": "0.209.0",
+    "@opentelemetry/resources": "2.3.0",
+    "@opentelemetry/sdk-logs": "0.209.0",
+    "@opentelemetry/sdk-metrics": "2.3.0",
+    "@opentelemetry/sdk-trace-base": "2.3.0",
+    "@opentelemetry/sdk-trace-node": "2.3.0",
     "@opentelemetry/semantic-conventions": "1.36.0",
     "@s2-dev/streamstore": "0.22.5",
     "dequal": "^2.0.3",

references/d3-chat/package.json

@@ -23,13 +23,13 @@
     "@ai-sdk/openai": "2.0.14",
     "@e2b/code-interpreter": "^1.1.0",
     "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/api-logs": "^0.203.0",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/instrumentation-http": "0.203.0",
+    "@opentelemetry/api-logs": "^0.209.0",
+    "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
+    "@opentelemetry/instrumentation-http": "0.209.0",
     "@opentelemetry/instrumentation-undici": "0.14.0",
-    "@opentelemetry/instrumentation": "^0.203.0",
-    "@opentelemetry/sdk-logs": "^0.203.0",
+    "@opentelemetry/instrumentation": "^0.209.0",
+    "@opentelemetry/sdk-logs": "^0.209.0",
     "@radix-ui/react-avatar": "^1.1.3",
     "@slack/web-api": "7.9.1",
     "@trigger.dev/python": "workspace:*",