chore(deps): bump protobufjs, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-logs-otlp-http, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node

[dependabot]

Bumps protobufjs to 7.5.8 and updates ancestor dependencies protobufjs, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-logs-otlp-http, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-trace-otlp-http and @opentelemetry/sdk-node. These dependencies need to be updated together.

Updates protobufjs from 8.0.0 to 7.5.8

Changelog

Sourced from protobufjs's changelog.

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

... (truncated)

Commits

• d7035f9 chore: release protobufjs-v7.x (#2248)
• 54b593f fix: Backport parser hardening to 7.x (#2245)
• e88fcea chore: release protobufjs-v7.x (#2239)
• cc7d595 fix: Restore first-match namespace lookup (#2236)
• 3abc9b5 chore: release protobufjs-v7.x (#2190)
• a0bf2df fix: Update CLI peer dependency (7.x) (#2189)
• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• 8af8d7c chore(ci): Fix 7.x release please configuration (#2169)
• e92ca42 chore(ci): Enable release-please for 7.x (#2166)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Updates @opentelemetry/auto-instrumentations-node from 0.69.0 to 0.76.0

Release notes

Sourced from @​opentelemetry/auto-instrumentations-node's releases.

auto-instrumentations-node: v0.76.0

0.76.0 (2026-05-13)

Features

• deps: update deps matching '@opentelemetry/*' (#3523) (e26a90a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.72.0 to ^0.73.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.33.0 to ^0.34.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-express bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.26.0 to ^0.27.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-net bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.15.0 to ^0.16.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.42.0 to ^0.43.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-router bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.30.0 to ^0.31.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.27.0 to ^0.28.0

... (truncated)

Changelog

Sourced from @​opentelemetry/auto-instrumentations-node's changelog.

0.76.0 (2026-05-13)

Features

• deps: update deps matching '@opentelemetry/*' (#3523) (e26a90a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​opentelemetry/instrumentation-amqplib bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-aws-lambda bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-aws-sdk bumped from ^0.72.0 to ^0.73.0
    • @​opentelemetry/instrumentation-bunyan bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-cassandra-driver bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-connect bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-cucumber bumped from ^0.33.0 to ^0.34.0
    • @​opentelemetry/instrumentation-dataloader bumped from ^0.34.0 to ^0.35.0
    • @​opentelemetry/instrumentation-dns bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-express bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-fs bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-generic-pool bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-graphql bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-hapi bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-ioredis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-kafkajs bumped from ^0.26.0 to ^0.27.0
    • @​opentelemetry/instrumentation-knex bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-koa bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-lru-memoizer bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-memcached bumped from ^0.60.0 to ^0.61.0
    • @​opentelemetry/instrumentation-mongodb bumped from ^0.70.0 to ^0.71.0
    • @​opentelemetry/instrumentation-mongoose bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-mysql2 bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-nestjs-core bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-net bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-openai bumped from ^0.15.0 to ^0.16.0
    • @​opentelemetry/instrumentation-oracledb bumped from ^0.42.0 to ^0.43.0
    • @​opentelemetry/instrumentation-pg bumped from ^0.69.0 to ^0.70.0
    • @​opentelemetry/instrumentation-pino bumped from ^0.63.0 to ^0.64.0
    • @​opentelemetry/instrumentation-redis bumped from ^0.65.0 to ^0.66.0
    • @​opentelemetry/instrumentation-restify bumped from ^0.62.0 to ^0.63.0
    • @​opentelemetry/instrumentation-router bumped from ^0.61.0 to ^0.62.0
    • @​opentelemetry/instrumentation-runtime-node bumped from ^0.30.0 to ^0.31.0
    • @​opentelemetry/instrumentation-socket.io bumped from ^0.64.0 to ^0.65.0
    • @​opentelemetry/instrumentation-tedious bumped from ^0.36.0 to ^0.37.0
    • @​opentelemetry/instrumentation-undici bumped from ^0.27.0 to ^0.28.0
    • @​opentelemetry/instrumentation-winston bumped from ^0.61.0 to ^0.62.0

... (truncated)

Commits

• 15ef750 chore: release main (#3508)
• e26a90a feat(deps): update deps matching '@opentelemetry/*' (#3523)
• See full diff in compare view

Updates @opentelemetry/exporter-logs-otlp-http from 0.211.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-logs-otlp-http's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates @opentelemetry/exporter-metrics-otlp-http from 0.211.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-metrics-otlp-http's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates @opentelemetry/exporter-trace-otlp-http from 0.211.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-trace-otlp-http's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-node from 0.211.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 64 package(s) with unknown licenses.
• ⚠️ 2 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
@opentelemetry/api-logs	0.218.0	Null	Unknown License
@opentelemetry/auto-instrumentations-node	0.76.0	Null	Unknown License
@opentelemetry/configuration	0.218.0	Null	Unknown License
@opentelemetry/exporter-logs-otlp-grpc	0.218.0	Null	Unknown License
@opentelemetry/exporter-logs-otlp-http	0.218.0	Null	Unknown License
@opentelemetry/exporter-logs-otlp-proto	0.218.0	Null	Unknown License
@opentelemetry/exporter-metrics-otlp-grpc	0.218.0	Null	Unknown License
@opentelemetry/exporter-metrics-otlp-http	0.218.0	Null	Unknown License
@opentelemetry/exporter-metrics-otlp-proto	0.218.0	Null	Unknown License
@opentelemetry/exporter-prometheus	0.218.0	Null	Unknown License
@opentelemetry/exporter-trace-otlp-grpc	0.218.0	Null	Unknown License
@opentelemetry/exporter-trace-otlp-http	0.218.0	Null	Unknown License
@opentelemetry/exporter-trace-otlp-proto	0.218.0	Null	Unknown License
@opentelemetry/instrumentation	0.218.0	Null	Unknown License
@opentelemetry/instrumentation-amqplib	0.65.0	Null	Unknown License
@opentelemetry/instrumentation-aws-lambda	0.70.0	Null	Unknown License
@opentelemetry/instrumentation-aws-sdk	0.73.0	Null	Unknown License
@opentelemetry/instrumentation-bunyan	0.63.0	Null	Unknown License
@opentelemetry/instrumentation-cassandra-driver	0.63.0	Null	Unknown License
@opentelemetry/instrumentation-connect	0.61.0	Null	Unknown License
@opentelemetry/instrumentation-cucumber	0.34.0	Null	Unknown License
@opentelemetry/instrumentation-dataloader	0.35.0	Null	Unknown License
@opentelemetry/instrumentation-dns	0.61.0	Null	Unknown License
@opentelemetry/instrumentation-express	0.66.0	Null	Unknown License
@opentelemetry/instrumentation-fs	0.37.0	Null	Unknown License
@opentelemetry/instrumentation-generic-pool	0.61.0	Null	Unknown License
@opentelemetry/instrumentation-graphql	0.66.0	Null	Unknown License
@opentelemetry/instrumentation-grpc	0.218.0	Null	Unknown License
@opentelemetry/instrumentation-hapi	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-http	0.218.0	Null	Unknown License
@opentelemetry/instrumentation-ioredis	0.66.0	Null	Unknown License
@opentelemetry/instrumentation-kafkajs	0.27.0	Null	Unknown License
@opentelemetry/instrumentation-knex	0.62.0	Null	Unknown License
@opentelemetry/instrumentation-koa	0.66.0	Null	Unknown License
@opentelemetry/instrumentation-lru-memoizer	0.62.0	Null	Unknown License
@opentelemetry/instrumentation-memcached	0.61.0	Null	Unknown License
@opentelemetry/instrumentation-mongodb	0.71.0	Null	Unknown License
@opentelemetry/instrumentation-mongoose	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-mysql	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-mysql2	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-nestjs-core	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-net	0.62.0	Null	Unknown License
@opentelemetry/instrumentation-openai	0.16.0	Null	Unknown License
@opentelemetry/instrumentation-oracledb	0.43.0	Null	Unknown License
@opentelemetry/instrumentation-pg	0.70.0	Null	Unknown License
@opentelemetry/instrumentation-pino	0.64.0	Null	Unknown License
@opentelemetry/instrumentation-redis	0.66.0	Null	Unknown License
@opentelemetry/instrumentation-restify	0.63.0	Null	Unknown License
@opentelemetry/instrumentation-router	0.62.0	Null	Unknown License
@opentelemetry/instrumentation-runtime-node	0.31.0	Null	Unknown License
@opentelemetry/instrumentation-socket.io	0.65.0	Null	Unknown License
@opentelemetry/instrumentation-tedious	0.37.0	Null	Unknown License
@opentelemetry/instrumentation-undici	0.28.0	Null	Unknown License
@opentelemetry/instrumentation-winston	0.62.0	Null	Unknown License
@opentelemetry/otlp-exporter-base	0.218.0	Null	Unknown License
@opentelemetry/otlp-grpc-exporter-base	0.218.0	Null	Unknown License
@opentelemetry/otlp-transformer	0.218.0	Null	Unknown License
@opentelemetry/resource-detector-alibaba-cloud	0.33.8	Null	Unknown License
@opentelemetry/resource-detector-aws	2.18.0	Null	Unknown License
@opentelemetry/resource-detector-azure	0.26.0	Null	Unknown License
@opentelemetry/resource-detector-container	0.8.9	Null	Unknown License
@opentelemetry/resource-detector-gcp	0.53.0	Null	Unknown License
@opentelemetry/sdk-logs	0.218.0	Null	Unknown License
@opentelemetry/sdk-node	0.218.0	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@grpc/proto-loader	0.8.1	🟢 7	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Code-Review 🟢 8 Found 11/13 approved changesets -- score normalized to 8 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 13 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@opentelemetry/api-logs	0.218.0	Unknown	Unknown
npm/@opentelemetry/auto-instrumentations-node	0.76.0	Unknown	Unknown
npm/@opentelemetry/configuration	0.218.0	Unknown	Unknown
npm/@opentelemetry/context-async-hooks	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/core	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/exporter-logs-otlp-grpc	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-logs-otlp-http	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-logs-otlp-proto	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-metrics-otlp-grpc	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-metrics-otlp-http	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-metrics-otlp-proto	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-prometheus	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-trace-otlp-grpc	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-trace-otlp-http	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-trace-otlp-proto	0.218.0	Unknown	Unknown
npm/@opentelemetry/exporter-zipkin	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/instrumentation	0.218.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-amqplib	0.65.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-aws-lambda	0.70.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-aws-sdk	0.73.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-bunyan	0.63.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-cassandra-driver	0.63.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-connect	0.61.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-cucumber	0.34.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-dataloader	0.35.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-dns	0.61.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-express	0.66.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-fs	0.37.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-generic-pool	0.61.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-graphql	0.66.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-grpc	0.218.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-hapi	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-http	0.218.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-ioredis	0.66.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-kafkajs	0.27.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-knex	0.62.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-koa	0.66.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-lru-memoizer	0.62.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-memcached	0.61.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-mongodb	0.71.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-mongoose	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-mysql	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-mysql2	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-nestjs-core	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-net	0.62.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-openai	0.16.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-oracledb	0.43.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-pg	0.70.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-pino	0.64.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-redis	0.66.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-restify	0.63.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-router	0.62.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-runtime-node	0.31.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-socket.io	0.65.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-tedious	0.37.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-undici	0.28.0	Unknown	Unknown
npm/@opentelemetry/instrumentation-winston	0.62.0	Unknown	Unknown
npm/@opentelemetry/otlp-exporter-base	0.218.0	Unknown	Unknown
npm/@opentelemetry/otlp-grpc-exporter-base	0.218.0	Unknown	Unknown
npm/@opentelemetry/otlp-transformer	0.218.0	Unknown	Unknown
npm/@opentelemetry/propagator-b3	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/propagator-jaeger	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/redis-common	0.38.3	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Vulnerabilities ⚠️ 0 69 existing vulnerabilities detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/resource-detector-alibaba-cloud	0.33.8	Unknown	Unknown
npm/@opentelemetry/resource-detector-aws	2.18.0	Unknown	Unknown
npm/@opentelemetry/resource-detector-azure	0.26.0	Unknown	Unknown
npm/@opentelemetry/resource-detector-container	0.8.9	Unknown	Unknown
npm/@opentelemetry/resource-detector-gcp	0.53.0	Unknown	Unknown
npm/@opentelemetry/resources	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/sdk-logs	0.218.0	Unknown	Unknown
npm/@opentelemetry/sdk-metrics	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/sdk-node	0.218.0	Unknown	Unknown
npm/@opentelemetry/sdk-trace-base	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@opentelemetry/sdk-trace-node	2.7.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
npm/@protobufjs/codegen	2.0.5	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/inquire	1.1.1	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/utf8	1.1.1	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@types/aws-lambda	8.10.161	🟢 6.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 27/29 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/cjs-module-lexer	2.2.0	Unknown	Unknown
npm/data-uri-to-buffer	4.0.1	⚠️ 1.8	Details Check Score Reason Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ -1 no dependencies found Dangerous-Workflow ⚠️ -1 no workflows found Maintained ⚠️ 0 project is archived CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License ⚠️ 0 license file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/fetch-blob	3.2.0	🟢 3.3	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review ⚠️ 2 Found 8/29 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/formdata-polyfill	4.0.10	🟢 3.1	Details Check Score Reason Code-Review ⚠️ 1 Found 3/30 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 3 security policy file detected Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/gaxios	7.1.4	Unknown	Unknown
npm/gcp-metadata	8.1.2	Unknown	Unknown
npm/google-logging-utils	1.1.3	Unknown	Unknown
npm/import-in-the-middle	3.0.1	Unknown	Unknown
npm/node-domexception	1.0.0	⚠️ 2.5	Details Check Score Reason Code-Review ⚠️ 1 Found 2/12 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found Maintained ⚠️ 0 project is archived Token-Permissions ⚠️ -1 No tokens found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 3 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/node-fetch	3.3.2	🟢 4.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/pg-protocol	1.13.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 5 Found 15/28 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/protobufjs	7.5.8	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/web-streams-polyfill	3.3.3	🟢 5	Details Check Score Reason Code-Review ⚠️ 0 Found 0/3 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json