
@opentelemetry/configuration

OpenTelemetry Configuration

Versions: 10
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

dyladan, pichlermarc, overbalancenpmjs-account, trentm, martinkuba

Keywords

opentelemetry, configuration

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: source-diff
Rule: obfuscated-file:build/src/generated/validator.js
Reason: AI (source-diff): Pre-compiled ajv validator with source map; auto-generated build artifact, stable for this package.
Accepted by: ai

Source: source-diff
Rule: source-size-tripled
Reason: AI (source-diff): Size increase from adding generated validator + source maps; expected for this package.
Accepted by: ai

Source: provenance
Rule: publisher-changed
Reason: AI (provenance): OpenTelemetry JS migrated to GitHub Actions CI/CD publishing; SLSA provenance attestation confirms builds originate from the official open-telemetry/opentelemetry-js repo. This transition is stable going forward.
Accepted by: ai

Versions (showing 10 of 10)

Version Deps Published
0.218.0 2 / 11
0.217.0 2 / 11
0.216.0 2 / 9
0.215.0 2 / 9
0.214.0 2 / 9
0.213.0 2 / 9
0.212.0 2 / 9
0.211.0 2 / 9
0.210.0 2 / 9
0.209.0 2 / 9

v0.218.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.217.0

2 findings
HIGH  New obfuscated file: build/src/generated/validator.js  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.216.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.215.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.214.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.213.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.212.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.211.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.210.0

2 findings
HIGH  Publisher changed: pichlermarc → GitHub Actions (on 2026-01-14)  [provenance]

This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.209.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.