
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@opentelemetry/configuration
Advanced tools
Note: This is an experimental package under active development. New releases may include breaking changes.
This package implements the OpenTelemetry declarative configuration specification for Node.js. It parses configuration from a YAML file or environment variables and produces a ConfigurationModel that the OpenTelemetry SDK uses to initialize providers.
npm install @opentelemetry/configuration
createConfigFactory() selects the configuration source automatically:
OTEL_CONFIG_FILE points to a valid .yaml/.yml file, configuration is read from that file.import { createConfigFactory } from '@opentelemetry/configuration';
const factory = createConfigFactory();
const config = factory.getConfigModel();
Set OTEL_CONFIG_FILE to the path of your configuration file:
OTEL_CONFIG_FILE=./otel-config.yaml node app.js
Example:
file_format: "1.0"
resource:
attributes:
- name: service.name
value: my-service
tracer_provider:
processors:
- batch:
exporter:
otlp_http:
endpoint: http://localhost:4318/v1/traces
Environment variable substitution is supported using ${VAR_NAME}, ${VAR_NAME:-default}, ${env:VAR_NAME}, and ${env:VAR_NAME:-default} syntax. Use $$ for a literal $.
tracer_provider:
processors:
- batch:
exporter:
otlp_http:
endpoint: ${OTEL_EXPORTER_ENDPOINT:-http://localhost:4318}/v1/traces
When no config file is set, the factory reads from the standard OpenTelemetry SDK environment variables:
| Variable | Description |
|---|---|
OTEL_SDK_DISABLED | Disable the SDK entirely |
OTEL_LOG_LEVEL | Internal SDK log level |
OTEL_SERVICE_NAME | Service name resource attribute |
OTEL_RESOURCE_ATTRIBUTES | Comma-separated resource attributes |
OTEL_TRACES_EXPORTER | Traces exporter(s): otlp, console, none |
OTEL_METRICS_EXPORTER | Metrics exporter(s): otlp, prometheus, console, none |
OTEL_LOGS_EXPORTER | Logs exporter(s): otlp, console, none |
OTEL_EXPORTER_OTLP_PROTOCOL | OTLP protocol: grpc, http/protobuf, http/json |
OTEL_PROPAGATORS | Propagators: tracecontext, baggage, b3, b3multi |
src/generated/ is auto-generated — do not edit manually. It contains:
types.ts — TypeScript interfaces derived from the JSON schema (via json-schema-to-typescript)schema.ts — The raw JSON schema exported as a constant (retained for reference; not used at runtime)validator.js — Pre-compiled ajv validator (ahead-of-time compiled from the schema at build time; eliminates runtime ajv.compile())validator.d.ts — TypeScript declarations for validator.jsUpdate the CONFIG_VERSION variable in scripts/config/generate-config.sh
Run from this package directory:
npm run generate:config
Review the diff in src/generated/types.ts, src/generated/schema.ts, and src/generated/validator.js
Update supportedFileVersionPattern in src/FileConfigFactory.ts if the new version falls outside the current regex
Update EnvironmentConfigFactory.ts and utils.ts if new fields need env var mapping
The generation script (scripts/config/generate-config.js) handles several post-processing steps:
OpenTelemetryConfiguration to ConfigurationModelfile_format optional (required at parse time but not needed when constructing the model in code)[k: string]: {} | null) with [k: string]: unknownGrpcTls1/HttpTls1 → GrpcTls/HttpTls)validator.js + validator.d.ts) for use at runtimeBoth config paths apply the same spec-defined defaults so consumers see consistent behaviour regardless of config source:
| Field | Default |
|---|---|
disabled | false |
log_level | info |
attribute_limits.attribute_count_limit | 128 |
FileConfigFactory applies these via applyConfigDefaults() after schema validation. EnvironmentConfigFactory applies them via initializeDefaultConfiguration() in the constructor, then overlays env var values on top.
One intentional exception in both paths: AttributeNameValue.type is not defaulted even though the spec says "if omitted, string is used". This is a semantic default for SDK code interpreting resource attributes, not a config-parser concern. SDK code reading resource.attributes should apply attr.type ?? 'string' at the point of use.
1.0Apache 2.0 - See LICENSE for more information.
FAQs
OpenTelemetry Configuration
The npm package @opentelemetry/configuration receives a total of 6,631,492 weekly downloads. As such, @opentelemetry/configuration popularity was classified as popular.
We found that @opentelemetry/configuration demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.