Gathering detailed insights and metrics for @opentelemetry/instrumentation-http
Gathering detailed insights and metrics for @opentelemetry/instrumentation-http
OpenTelemetry JavaScript Client
Installations
npm install @opentelemetry/instrumentation-httpDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
^18.19.0 || >=20.6.0
Node Version
18.20.8
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Score
93.5
Supply Chain
98.7
Quality
92.5
Maintenance
100
Vulnerability
99.3
License
Releases
149
experimental/v0.202.0
experimental/v0.202.0
Updated on Jun 02, 2025
semconv/v1.34.0
semconv/v1.34.0
Updated on May 21, 2025
semconv/v1.33.1
semconv/v1.33.1
Updated on May 20, 2025
experimental/v0.201.1
experimental/v0.201.1
Updated on May 19, 2025
experimental/v0.201.0
experimental/v0.201.0
Updated on May 15, 2025
v2.0.1
v2.0.1
Updated on May 15, 2025
Languages
4
TypeScript
JavaScript
Jinja
Shell
TypeScript (96.66%)
JavaScript (3.06%)
Jinja (0.19%)
Shell (0.08%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
3,020 Stars
2,702 Commits
899 Forks
53 Watchers
15 Branches
337 Contributors
Updated on Jun 30, 2025
Bundle Size
102.78 kB
Minified
26.53 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
0.202.0
Package Id
@opentelemetry/instrumentation-http@0.202.0
Unpacked Size
266.24 kB
Size
55.11 kB
File Count
27
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Node Version
18.20.8
Published on
Jun 02, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Dependencies
4
Peer Dependencies
1
OpenTelemetry HTTP and HTTPS Instrumentation for Node.js
Note: This is an experimental package under active development. New releases may include breaking changes.
This module provides automatic instrumentation for http and https.
For automatic instrumentation see the @opentelemetry/sdk-trace-node package.
Installation
1npm install --save @opentelemetry/instrumentation-http
Supported Versions
- Nodejs
>=14
Usage
OpenTelemetry HTTP Instrumentation allows the user to automatically collect telemetry and export it to their backend of choice, to give observability to distributed systems.
To load a specific instrumentation (HTTP in this case), specify it in the Node Tracer's configuration.
1const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http'); 2const { 3 ConsoleSpanExporter, 4 NodeTracerProvider, 5 SimpleSpanProcessor, 6} = require('@opentelemetry/sdk-trace-node'); 7const { registerInstrumentations } = require('@opentelemetry/instrumentation'); 8 9const provider = new NodeTracerProvider({ 10 spanProcessors: [new SimpleSpanProcessor(new ConsoleSpanExporter())] 11}); 12 13provider.register(); 14 15registerInstrumentations({ 16 instrumentations: [new HttpInstrumentation()], 17}); 18
See examples/http for a short example.
Http instrumentation Options
Http instrumentation has a few configuration options available to choose from. You can set the following:
| Options | Type | Description |
|---|---|---|
applyCustomAttributesOnSpan | HttpCustomAttributeFunction | Function for adding custom attributes |
requestHook | HttpRequestCustomAttributeFunction | Function for adding custom attributes before request is handled |
responseHook | HttpResponseCustomAttributeFunction | Function for adding custom attributes before response is handled |
startIncomingSpanHook | StartIncomingSpanCustomAttributeFunction | Function for adding custom attributes before a span is started in incomingRequest |
startOutgoingSpanHook | StartOutgoingSpanCustomAttributeFunction | Function for adding custom attributes before a span is started in outgoingRequest |
ignoreIncomingRequestHook | IgnoreIncomingRequestFunction | Http instrumentation will not trace all incoming requests that matched with custom function |
ignoreOutgoingRequestHook | IgnoreOutgoingRequestFunction | Http instrumentation will not trace all outgoing requests that matched with custom function |
disableOutgoingRequestInstrumentation | boolean | Set to true to avoid instrumenting outgoing requests at all. This can be helpful when another instrumentation handles outgoing requests. |
disableIncomingRequestInstrumentation | boolean | Set to true to avoid instrumenting incoming requests at all. This can be helpful when another instrumentation handles incoming requests. |
serverName | string | The primary server name of the matched virtual host. |
requireParentforOutgoingSpans | Boolean | Require that is a parent span to create new span for outgoing requests. |
requireParentforIncomingSpans | Boolean | Require that is a parent span to create new span for incoming requests. |
headersToSpanAttributes | object | List of case insensitive HTTP headers to convert to span attributes. Client (outgoing requests, incoming responses) and server (incoming requests, outgoing responses) headers will be converted to span attributes in the form of http.{request|response}.header.header_name, e.g. http.response.header.content_length |
Semantic Conventions
Prior to version 0.54.0, this instrumentation created spans targeting an experimental semantic convention Version 1.7.0.
HTTP semantic conventions (semconv) were stabilized in v1.23.0, and a migration process was defined.
instrumentation-http versions 0.54.0 and later include support for migrating to stable HTTP semantic conventions, as described below.
The intent is to provide an approximate 6 month time window for users of this instrumentation to migrate to the new HTTP semconv, after which a new minor version will use the new semconv by default and drop support for the old semconv.
See the HTTP semconv migration plan for OpenTelemetry JS instrumentations.
To select which semconv version(s) is emitted from this instrumentation, use the OTEL_SEMCONV_STABILITY_OPT_IN environment variable.
http: emit the new (stable) v1.23.0+ semanticshttp/dup: emit both the old v1.7.0 and the new (stable) v1.23.0+ semantics- By default, if
OTEL_SEMCONV_STABILITY_OPT_INincludes neither of the above tokens, the old v1.7.0 semconv is used.
Attributes collected
| v1.7.0 semconv | v1.23.0 semconv | Short Description |
|---|---|---|
http.client_ip | client.address | The IP address of the original client behind all proxies, if known |
http.flavor | network.protocol.version | Kind of HTTP protocol used |
http.host | server.address | The value of the HTTP host header |
http.method | http.request.method | HTTP request method |
http.request_content_length | (opt-in, headersToSpanAttributes) | The size of the request payload body in bytes. For newer semconv, use the headersToSpanAttributes: option to capture this as http.request.header.content_length. |
http.request_content_length_uncompressed | (not included) | The size of the uncompressed request payload body after transport decoding. (In semconv v1.23.0 this is defined by http.request.body.size, which is experimental and opt-in.) |
http.response_content_length | (opt-in, headersToSpanAttributes) | The size of the response payload body in bytes. For newer semconv, use the headersToSpanAttributes: option to capture this as http.response.header.content_length. |
http.response_content_length_uncompressed | (not included) | The size of the uncompressed response payload body after transport decoding. (In semconv v1.23.0 this is defined by http.response.body.size, which is experimental and opt-in.) |
http.route | no change | The matched route (path template). |
http.scheme | url.scheme | The URI scheme identifying the used protocol |
http.server_name | server.address | The primary server name of the matched virtual host |
http.status_code | http.response.status_code | HTTP response status code |
http.target | url.path and url.query | The URI path and query component |
http.url | url.full | Full HTTP request URL in the form scheme://host[:port]/path?query[#fragment] |
http.user_agent | user_agent.original | Value of the HTTP User-Agent header sent by the client |
net.host.ip | network.local.address | Like net.peer.ip but for the host IP. Useful in case of a multi-IP host |
net.host.name | server.address | Local hostname or similar |
net.host.port | server.port | Like net.peer.port but for the host port |
net.peer.ip. | network.peer.address | Remote address of the peer (dotted decimal for IPv4 or RFC5952 for IPv6) |
net.peer.name | server.address | Server domain name if available without reverse DNS lookup |
net.peer.port | server.port | Server port number |
net.transport | network.transport | Transport protocol used |
Metrics Exported:
Upgrading Semantic Conventions
When upgrading to the new semantic conventions, it is recommended to do so in the following order:
- Upgrade
@opentelemetry/instrumentation-httpto the latest version - Set
OTEL_SEMCONV_STABILITY_OPT_IN=http/dupto emit both old and new semantic conventions - Modify alerts, dashboards, metrics, and other processes to expect the new semantic conventions
- Set
OTEL_SEMCONV_STABILITY_OPT_IN=httpto emit only the new semantic conventions
This will cause both the old and new semantic conventions to be emitted during the transition period.
Useful links
- For more information on OpenTelemetry, visit: https://opentelemetry.io/
- For more about OpenTelemetry JavaScript: https://github.com/open-telemetry/opentelemetry-js
- For help or feedback on this project, join us in GitHub Discussions
License
Apache 2.0 - See LICENSE for more information.
No vulnerabilities found.
Reason
update tool detected
Details
- Info: detected update tool: RenovateBot: renovate.json:1
Reason
30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found linked content: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/open-telemetry/.github/SECURITY.md:1
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 43 contributing companies or organizations
Details
- Info: found contributions from: Azure, Dynatrace, MineWeb, Obsifight, Team-Retrospect, VilledeMontreal, WinterTC55, X-Profiler, bloomberg, causely-oss, ccowmu, census-instrumentation, dynatrace, dynatrace-oss, dynatrace-oss-contrib, elastic, emberjs, focale, google, googleapis, googlers, honeycombio, http4ts, mend, microsoft, new relic, nodejs, odigos, open-telemetry, opencensus-integrations, openprofiling, opentracing, rails, reelevant-tech, self-employed, sentry, servicenow, splunk, tc39, tilde inc, tildeio, villedemontreal, w3c
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/changelog.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/changelog.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/close-stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/close-stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/peer-api.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/peer-api.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/survey-on-merged-pr.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/survey-on-merged-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:13
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:14
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/create-or-update-release-pr.yml:49
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:21
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:24
- Warn: npmCommand not pinned by hash: .github/workflows/sbom.yml:22
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:46
- Info: 4 out of 39 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 7 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 pipCommand dependencies pinned
- Info: 11 out of 20 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:65
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/survey-on-merged-pr.yml:16
- Warn: no topLevel permission defined: .github/workflows/benchmark.yml:1
- Warn: no topLevel permission defined: .github/workflows/changelog.yml:1
- Warn: no topLevel permission defined: .github/workflows/close-stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-or-update-release-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/docs.yaml:1
- Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/fossa.yml:9
- Warn: no topLevel permission defined: .github/workflows/label-releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:11
- Warn: no topLevel permission defined: .github/workflows/peer-api.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-to-npm.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/sbom.yml:6
- Warn: no topLevel permission defined: .github/workflows/survey-on-merged-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/w3c-integration-test.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact experimental/v0.202.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
- Warn: release artifact experimental/v0.202.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
13 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
6.4
/10
Last Scanned on 2025-06-30T07:48:53Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More