Gathering detailed insights and metrics for @opentelemetry/semantic-conventions
Gathering detailed insights and metrics for @opentelemetry/semantic-conventions
OpenTelemetry JavaScript Client
Installations
npm install @opentelemetry/semantic-conventionsDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=14
Node Version
18.20.8
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Score
99.6
Supply Chain
100
Quality
89.2
Maintenance
100
Vulnerability
100
License
Releases
149
experimental/v0.202.0
experimental/v0.202.0
Updated on Jun 02, 2025
semconv/v1.34.0
semconv/v1.34.0
Updated on May 21, 2025
semconv/v1.33.1
semconv/v1.33.1
Updated on May 20, 2025
experimental/v0.201.1
experimental/v0.201.1
Updated on May 19, 2025
experimental/v0.201.0
experimental/v0.201.0
Updated on May 15, 2025
v2.0.1
v2.0.1
Updated on May 15, 2025
Languages
4
TypeScript
JavaScript
Jinja
Shell
TypeScript (96.66%)
JavaScript (3.06%)
Jinja (0.19%)
Shell (0.08%)
Developer
Download Statistics
Total Downloads
1,851,845,998
Last Day
1,538,444
Last Week
32,832,597
Last Month
140,448,214
Last Year
1,132,373,356
GitHub Statistics
Apache-2.0 License
3,020 Stars
2,702 Commits
899 Forks
53 Watchers
15 Branches
337 Contributors
Updated on Jun 30, 2025
Bundle Size
51.97 kB
Minified
12.41 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
1.34.0
Package Id
@opentelemetry/semantic-conventions@1.34.0
Unpacked Size
7.33 MB
Size
1.09 MB
File Count
111
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Node Version
18.20.8
Published on
May 21, 2025
Total Downloads
Cumulative downloads
Total Downloads
1,851,845,998
Last Day
4%
1,538,444
Compared to previous day
Last Week
-6.4%
32,832,597
Compared to previous week
Last Month
4.4%
140,448,214
Compared to previous month
Last Year
149.9%
1,132,373,356
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
OpenTelemetry Semantic Conventions
Semantic Convention constants for use with the OpenTelemetry SDK/APIs. This document defines standard attributes for traces.
Installation
1npm install --save @opentelemetry/semantic-conventions
Import Structure
This package has 2 separate entry-points:
- The main entry-point,
@opentelemetry/semantic-conventions, includes only stable semantic conventions. This entry-point follows semantic versioning 2.0: it will not include breaking changes except with a change in the major version number. - The "incubating" entry-point,
@opentelemetry/semantic-conventions/incubating, contains unstable semantic conventions (sometimes called "experimental") and, for convenience, a re-export of the stable semantic conventions. This entry-point is NOT subject to the restrictions of semantic versioning and MAY contain breaking changes in minor releases. See below for suggested usage of this entry-point.
Exported constants follow this naming scheme:
ATTR_${attributeName}for attributesMETRIC_${metricName}for metric names${attributeName}_VALUE_{$enumValue}for enumerations
The ATTR, METRIC, and VALUE static strings were used to facilitate readability and filtering in auto-complete lists in IDEs.
Usage
Stable SemConv
1npm install --save @opentelemetry/semantic-conventions
1import { 2 ATTR_NETWORK_PEER_ADDRESS, 3 ATTR_NETWORK_PEER_PORT, 4 ATTR_NETWORK_PROTOCOL_NAME, 5 ATTR_NETWORK_PROTOCOL_VERSION, 6 NETWORK_TRANSPORT_VALUE_TCP, 7} from '@opentelemetry/semantic-conventions'; 8 9const span = tracer.startSpan(spanName, spanOptions) 10 .setAttributes({ 11 [ATTR_NETWORK_PEER_ADDRESS]: 'localhost', 12 [ATTR_NETWORK_PEER_PORT]: 8080, 13 [ATTR_NETWORK_PROTOCOL_NAME]: 'http', 14 [ATTR_NETWORK_PROTOCOL_VERSION]: '1.1', 15 [ATTR_NETWORK_TRANSPORT]: NETWORK_TRANSPORT_VALUE_TCP, 16 });
Unstable SemConv
Because the "incubating" entry-point may include breaking changes in minor versions, it is recommended that instrumentation libraries not import @opentelemetry/semantic-conventions/incubating in runtime code, but instead copy relevant definitions into their own code base. (This is the same recommendation as for other languages.)
For example, create a "src/semconv.ts" (or "lib/semconv.js" if implementing in JavaScript) file that copies from experimental_attributes.ts or experimental_metrics.ts:
1// src/semconv.ts 2export const ATTR_DB_NAMESPACE = 'db.namespace'; 3export const ATTR_DB_OPERATION_NAME = 'db.operation.name';
1// src/instrumentation.ts 2import { 3 ATTR_SERVER_PORT, 4 ATTR_SERVER_ADDRESS, 5} from '@opentelemetry/semantic-conventions'; 6import { 7 ATTR_DB_NAMESPACE, 8 ATTR_DB_OPERATION_NAME, 9} from './semconv'; 10 11span.setAttributes({ 12 [ATTR_DB_NAMESPACE]: ..., 13 [ATTR_DB_OPERATION_NAME]: ..., 14 [ATTR_SERVER_PORT]: ..., 15 [ATTR_SERVER_ADDRESS]: ..., 16})
Occasionally, one should review changes to @opentelemetry/semantic-conventions to see if any used unstable conventions have changed or been stabilized. However, an update to a newer minor version of the package will never be breaking.
Why not pin the version?
A considered alternative for using unstable exports is to pin the version. I.e., depend on an exact version, rather than on a version range.
1npm install --save-exact @opentelemetry/semantic-conventions # Don't do this.
Then, import directly from @opentelemetry/semantic-conventions/incubating.
This is not recommended.
In some languages having multiple versions of a package in a single application is not possible. This is possible in JavaScript. The primary argument against pinning this package is that it can easily lead to many copies being installed in an application's node_modules/..., which can cause significant disk usage. In a disk-constrained environment, such as AWS Lambda Layers, that can be a blocker.
Deprecations
There are two main types of deprecations in this package:
- "semconv deprecations": The process of defining the OpenTelemetry Semantic Conventions sometimes involves deprecating a particular field name as conventions are stabilized. For example, the stabilization of HTTP conventions included deprecating the
http.urlspan attribute in favor ofurl.full. When using this JS package, that appears as a deprecation of theATTR_HTTP_URLexport in favour ofATTR_URL_FULL. - "JS package deprecations": Independently, this JavaScript package has twice changed how it exports the Semantic Conventions constants, e.g.
ATTR_HTTP_URLinstead ofSEMATTRS_HTTP_URL. The two older forms are still included in 1.x versions of this package for backwards compatibility. The rest of this section shows how to migrate to the latest form.
Migrating from SEMATTRS_*, SEMRESATTRS_*, ...
Deprecated as of @opentelemetry/semantic-conventions@1.26.0.
Before v1.26.0, constants for each semconv attribute were exported, prefixed with SEMRESATTRS_ (if defined as a Resource Attribute) or SEMATTRS_. As well, constants were exported for each value in an enumeration, of the form ${attributeName}VALUES_${enumValue}. For example:
Deprecated usage:
1import { 2 SEMRESATTRS_SERVICE_NAME, 3 SEMATTRS_HTTP_ROUTE, 4 SEMATTRS_DB_SYSTEM, 5 DBSYSTEMVALUES_POSTGRESQL 6} from '@opentelemetry/semantic-conventions'; 7 8// 'service.name' resource attribute 9console.log(SEMRESATTRS_SERVICE_NAME); // migrate to 'ATTR_SERVICE_NAME' 10 11// 'http.route' attribute 12console.log(SEMATTRS_HTTP_ROUTE); // migrate to 'ATTR_HTTP_ROUTE' 13 14// 'db.system' attribute 15console.log(SEMATTRS_DB_SYSTEM); // migrate to 'ATTR_DB_SYSTEM' (in incubating [*]) 16 17// 'postgresql' enum value for 'db.system' attribute 18console.log(DBSYSTEMVALUES_POSTGRESQL); // migrate to 'DB_SYSTEM_VALUE_POSTGRESQL' (in incubating [*])
See Migrated usage below.
Migrating from SemanticAttributes.*, SemanticResourceAttributes.*, ...
Deprecated as of @opentelemetry/semantic-conventions@1.0.0.
Before v1.0.0, constants were exported in namespace objects SemanticResourceAttributes and SemanticAttributes, and a namespace object for enumerated values for some fields (e.g. DbSystemValues for values of the 'db.system' enum). For example:
Deprecated usage:
1import { 2 SemanticAttributes, 3 SemanticResourceAttributes, 4 DbSystemValues, 5} from '@opentelemetry/semantic-conventions'; 6 7// 'service.name' resource attribute 8console.log(SemanticResourceAttributes.SERVICE_NAME); // migrate to 'ATTR_SERVICE_NAME' 9 10// 'http.route' attribute 11console.log(SemanticAttributes.HTTP_ROUTE); // migrate to 'ATTR_HTTP_ROUTE' 12 13// 'db.system' attribute 14console.log(SemanticAttributes.DB_SYSTEM); // migrate to 'ATTR_DB_SYSTEM' (in incubating [*]) 15 16// 'postgresql' enum value for 'db.system' attribute 17console.log(DbSystemValues.POSTGRESQL); // migrate to 'DB_SYSTEM_VALUE_POSTGRESQL' (in incubating [*])
See Migrated usage below.
Migrated usage
If using any unstable conventions, copy the relevant definitions into your code base (e.g. to "src/semconv.ts", see above):
1// src/semconv.ts 2export const ATTR_DB_SYSTEM = 'db.system' as const; 3export const DB_SYSTEM_VALUE_POSTGRESQL = "postgresql" as const;
then:
1import { 2 ATTR_SERVICE_NAME, 3 ATTR_HTTP_ROUTE, 4 METRIC_HTTP_CLIENT_REQUEST_DURATION 5} from '@opentelemetry/semantic-conventions'; // stable semconv 6import { 7 ATTR_DB_SYSTEM, 8 DB_SYSTEM_VALUE_POSTGRESQL 9} from './semconv'; // unstable semconv 10 11console.log(ATTR_SERVICE_NAME); // 'service.name' 12console.log(ATTR_HTTP_ROUTE); // 'http.route' 13 14// Bonus: the older exports did not include metric names from semconv. 15// 'http.client.request.duration' metric name 16console.log(METRIC_HTTP_CLIENT_REQUEST_DURATION); 17 18console.log(ATTR_DB_SYSTEM); // 'db.system' 19// 'postgresql' enum value for 'db.system' attribute 20console.log(DB_SYSTEM_VALUE_POSTGRESQL);
Useful links
- For more information on OpenTelemetry, visit: https://opentelemetry.io/
- For more about OpenTelemetry JavaScript: https://github.com/open-telemetry/opentelemetry-js
- For help or feedback on this project, join us in GitHub Discussions
License
Apache 2.0 - See LICENSE for more information.
No vulnerabilities found.
Reason
update tool detected
Details
- Info: detected update tool: RenovateBot: renovate.json:1
Reason
30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found linked content: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/open-telemetry/.github/SECURITY.md:1
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 43 contributing companies or organizations
Details
- Info: found contributions from: Azure, Dynatrace, MineWeb, Obsifight, Team-Retrospect, VilledeMontreal, WinterTC55, X-Profiler, bloomberg, causely-oss, ccowmu, census-instrumentation, dynatrace, dynatrace-oss, dynatrace-oss-contrib, elastic, emberjs, focale, google, googleapis, googlers, honeycombio, http4ts, mend, microsoft, new relic, nodejs, odigos, open-telemetry, opencensus-integrations, openprofiling, opentracing, rails, reelevant-tech, self-employed, sentry, servicenow, splunk, tc39, tilde inc, tildeio, villedemontreal, w3c
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/changelog.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/changelog.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/close-stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/close-stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/peer-api.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/peer-api.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/survey-on-merged-pr.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/survey-on-merged-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:13
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:14
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/create-or-update-release-pr.yml:49
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:21
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:24
- Warn: npmCommand not pinned by hash: .github/workflows/sbom.yml:22
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:46
- Info: 4 out of 39 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 7 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 pipCommand dependencies pinned
- Info: 11 out of 20 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:65
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/survey-on-merged-pr.yml:16
- Warn: no topLevel permission defined: .github/workflows/benchmark.yml:1
- Warn: no topLevel permission defined: .github/workflows/changelog.yml:1
- Warn: no topLevel permission defined: .github/workflows/close-stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-or-update-release-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/docs.yaml:1
- Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/fossa.yml:9
- Warn: no topLevel permission defined: .github/workflows/label-releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:11
- Warn: no topLevel permission defined: .github/workflows/peer-api.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-to-npm.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/sbom.yml:6
- Warn: no topLevel permission defined: .github/workflows/survey-on-merged-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/w3c-integration-test.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact experimental/v0.202.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
- Warn: release artifact experimental/v0.202.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
13 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
6.4
/10
Last Scanned on 2025-06-30T07:48:53Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More