@azure/monitor-opentelemetry

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

azure-sdkmicrosoft1esmicrosoft-oss-releases

Keywords

nodeazuremonitorjavascriptopentelemetrydistrocloud

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): microsoft-oss-releases is Microsoft's OSS release automation account; expected for Azure SDK packages.	ai	2026/05/09
dependencies	unvetted-dep:@azure/monitor-opentelemetry-exporter	AI (dependencies): Official Azure SDK package from Microsoft; core dependency of this Azure Monitor distro.	ai	2026/04/26
dependencies	unvetted-dep:@microsoft/applicationinsights-web-snippet	AI (dependencies): Official Microsoft Application Insights package; expected dependency for Azure Monitor integration.	ai	2026/04/26
dependencies	unvetted-dep:@opentelemetry/winston-transport	AI (dependencies): Legitimate OpenTelemetry ecosystem package; expected dependency for Azure Monitor OpenTelemetry distro.	ai	2026/04/26
phantom-deps	phantom-dep:@opentelemetry/sdk-trace-node	AI (phantom-deps): Declared in dependencies and referenced in config; common pattern in SDK monorepo packages.	ai	2026/04/26
phantom-deps	phantom-dep:@opentelemetry/winston-transport	AI (phantom-deps): Declared in dependencies and referenced in config; common pattern in SDK monorepo packages.	ai	2026/04/26
dependencies	unvetted-dep:@azure/opentelemetry-instrumentation-azure-sdk	AI (dependencies): Official Azure SDK OpenTelemetry instrumentation package; expected dependency for this distro.	ai	2026/04/26