@dash0hq/opentelemetry
This is the Dash0 OpenTelemetry distribution for Node.js. It is primarily intended to be used by the Dash0 Kubernetes operator to instrument Node.js workloads with OpenTelemetry.
If no OTEL_SERVICE_NAME has been set, a service name is automatically derived by reading the main package.json file (if it is present) as ${packageJson.name}@${packageJson.version}.
This can be disabled either by setting OTEL_SERVICE_NAME or by setting DASH0_AUTOMATIC_SERVICE_NAME=false.
If set to a non-empty string, the distribution will create a span immediately at startup with the span name set to the value of DASH0_BOOTSTRAP_SPAN.
Additional debug logs can be enabled by setting DASH0_DEBUG=true.
If DASH0_DEBUG_PRINT_SPANS=true is set, all spans are printed to stdout via the ConsoleSpanExporter.
If DASH0_DEBUG_PRINT_SPANS is set to any other non-empty string, the value is interpreted as a file system path.
Spans will be appended to that file.
The file will be created if it does not exist.
If the file cannot be opened for writing, a message will be printed to stderr and no spans will be printed to file.
The spans are printed in the same format that the ConsoleSpanExporter uses.
This facility is meant for troubleshooting and should not be activated in production.
Disables the Dash0 Node.js distribution entirely.
By default, the instrumentation plug-in @opentelemetry/instrumentation-fs is disabled. Set DASH0_ENABLE_FS_INSTRUMENTATION=true to enable spans for file system access.
If DASH0_FLUSH_ON_SIGTERM_SIGINT=true is set, the Dash0 Node.js distribution will install a handler for SIGTERM and SIGINT that will shut down the OpenTelemetry SDK gracefully when one of these signals is received.
The SDK shutdown is timeboxed to 500 milliseconds.
The signal handler will call process.exit(0) after the SDK's shutdown has completed, or after the 500 millisecond timeout, whichever happens sooner.
This option can be helpful if you care about telemetry that is being produced shortly before the process terminates.
This option must not be used if the application under monitoring has its own handler for SIGTERM or SIGINT, because Dash0's handler (and in particular the necessary process.exit(0) call) might interfere with the application's own signal handler.
By default, the Dash0 Node.js distribution will install a hook that will shut down the OpenTelemetry SDK gracefully when the Node.js runtime is about to exit because the event loop is empty.
This can be disabled by setting DASH0_FLUSH_ON_EMPTY_EVENT_LOOP=false.
The SDK shutdown is timeboxed to 500 milliseconds.
This hook can be helpful if you care about telemetry that is being produced shortly before the process exits.
Disabling it can be useful if you care about the process terminating as quickly as possible when the event loop is empty.
In contrast to the handlers for SIGTERM/SIGINT (see above), this hook will not call process.exit (since the Node.js runtime will exit on its own anyway).
The base URL of the OpenTelemetry collector that the distribution will send data to.
It defaults to http://dash0-operator-opentelemetry-collector.dash0-operator-system.svc.cluster.local:4318.
By default, all supported instrumentations are enabled (with the exception of @opentelemetry/instrumentation-fs), but you can use the environment variable OTEL_NODE_ENABLED_INSTRUMENTATIONS to enable only certain instrumentations by providing a comma-separated list of the instrumentation package names without the @opentelemetry/instrumentation- prefix.
For example, to enable only @opentelemetry/instrumentation-http and @opentelemetry/instrumentation-nestjs-core instrumentations, set OTEL_NODE_ENABLED_INSTRUMENTATIONS="http,nestjs-core".
See https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/metapackages/auto-instrumentations-node/README.md#usage-auto-instrumentation for more information.
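As an added example (not code from the Dash0 project), the following Node.js preflight check flags three of the settings described above: span printing left on in production, DASH0_FLUSH_ON_SIGTERM_SIGINT combined with an application's own signal handlers, and OTEL_NODE_ENABLED_INSTRUMENTATIONS entries that still carry the package prefix. The function name auditDash0Env, the finding ids, the production and appSignals options and the sample environment are assumptions made for illustration.

```javascript
// Added example: preflight audit of the environment variables described above.
// auditDash0Env, its options and the finding ids are hypothetical names.
const PREFIX = '@opentelemetry/instrumentation-';

function auditDash0Env(env, { production = true, appSignals = [] } = {}) {
  const findings = [];
  const isSet = (name) => typeof env[name] === 'string' && env[name] !== '';

  // Span printing is a troubleshooting facility: "true" means stdout,
  // any other non-empty value is interpreted as a file path to append to.
  if (production && isSet('DASH0_DEBUG_PRINT_SPANS')) {
    const v = env.DASH0_DEBUG_PRINT_SPANS;
    findings.push({
      id: 'debug-print-spans',
      detail: v === 'true' ? 'spans printed to stdout' : `spans appended to file ${v}`,
    });
  }

  // The distribution's handler calls process.exit(0), which might interfere
  // with a SIGTERM/SIGINT handler the application registers itself.
  const clash = appSignals.filter((s) => s === 'SIGTERM' || s === 'SIGINT');
  if (env.DASH0_FLUSH_ON_SIGTERM_SIGINT === 'true' && clash.length > 0) {
    findings.push({ id: 'signal-handler-conflict', detail: clash.join(',') });
  }

  // The list takes names without the package prefix, e.g. "http,nestjs-core".
  if (isSet('OTEL_NODE_ENABLED_INSTRUMENTATIONS')) {
    const prefixed = env.OTEL_NODE_ENABLED_INSTRUMENTATIONS.split(',')
      .map((s) => s.trim())
      .filter((s) => s.startsWith(PREFIX));
    if (prefixed.length > 0) {
      findings.push({ id: 'instrumentation-list-format', detail: prefixed.join(',') });
    }
  }
  return findings;
}

// Constructed sample environment, not taken from a real deployment.
const sampleEnv = {
  DASH0_DEBUG_PRINT_SPANS: '/tmp/spans.log',
  DASH0_FLUSH_ON_SIGTERM_SIGINT: 'true',
  OTEL_NODE_ENABLED_INSTRUMENTATIONS: 'http,@opentelemetry/instrumentation-nestjs-core',
};
const sampleFindings = auditDash0Env(sampleEnv, { appSignals: ['SIGTERM'] });
console.log(sampleFindings.map((f) => `${f.id}: ${f.detail}`).join('\n'));
```

Pass the list of signals the application registers handlers for as appSignals; an empty findings array means none of the three conditions was detected.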
FAQs
Dash0 OpenTelemetry Wrapper for Node.js
The npm package @dash0hq/opentelemetry receives a total of 5 weekly downloads. As such, @dash0hq/opentelemetry popularity was classified as not popular.
We found that @dash0hq/opentelemetry demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.