50 of your 186 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.17s · analysis 78.44s · 16.3 MB · GitHub API rate-limit (preflight)

open-telemetry/opentelemetry-js

https://github.com/open-telemetry/opentelemetry-js · scanned 2026-06-05 21:05 UTC (4 days, 11 hours ago) · 10 languages

585 raw signals (165 security + 420 graph) · 30th percentile · TypeScript · large (100-500K LoC) · system graph score 59 (higher by 10)


Complete repo analysis

Last scanned 4 days, 11 hours ago · v2 · 281 actionable findings from 2 signal sources. 94 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 28.9 0.25 7.22
testing_score 95.0 0.20 19.00
documentation_score 92.0 0.15 13.80
practices_score 91.0 0.15 13.65
code_quality 69.9 0.10 6.99
Overall 1.00 69.7
Scan summary Quality grade B- (70/100). Dimensions: security 29, maintainability 60. 165 findings (68 security). 157,427 lines analyzed.

Showing 232 of 281 actionable findings. 375 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Gitleaks detected a committed secret or credential pattern.
examples/https/server-key.pem:1
critical System graph security Secrets conf 1.00 6 occurrences Possible secret in semantic-conventions/src/experimental_attributes.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 594, 676, 769, 796, 895, 931
semantic-conventions/src/experimental_attributes.ts:594, 676, 769, 796, 895, 931 (6 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 for context.
packages/sdk-metrics/src/MeterProvider.ts:58
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility 21 occurrences package.json dep `@opentelemetry/sdk-logs` pulled from URL/Git
`dependencies.@opentelemetry/sdk-logs` = `file:../../../experimental/packages/sdk-logs` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
2 files, 21 locations
bundler-tests/node/webpack-5/package.json:1 (11 hits)
bundler-tests/browser/nextjs-16-edge/package.json:1 (10 hits)
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
package-lock.json
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1027)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1027` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1040)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1040` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1053)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1053` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1067)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1067` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1848)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1848` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1961)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1961` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:838)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:838` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:937)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:937` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:950)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:950` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:963)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:963` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:977)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:977` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:995)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:995` calls `GET /api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-headers.json` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/ignored.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2057)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2057` calls `GET /api/ignored.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/ignored.json` If this points at an external API, prefi…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/not-ignored.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2048)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2048` calls `GET /api/not-ignored.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/not-ignored.json` If this points at an external AP…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/payload.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2798)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2798` calls `GET /api/payload.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/payload.json` If this points at an external API, prefi…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/project-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1694)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1694` calls `GET /api/project-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/project-headers.json` If this points at an ext…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2171)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2171` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2470)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2470` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2627)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2627` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2642)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2642` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2686)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2686` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2741)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2741` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2773)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2773` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:440)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:440` calls `GET /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix i…
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/stream (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2850)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2850` calls `GET /api/stream` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/stream` If this points at an external API, prefix it with `h…
high System graph api Wiring conf 1.00 Dangling fetch: GET /boom (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:783)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:783` calls `GET /boom` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/boom` If this points at an external API, prefix it with `https://` …
high System graph api Wiring conf 1.00 Dangling fetch: GET /no-such-path (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:757)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:757` calls `GET /no-such-path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/no-such-path` If this points at an external API, prefix it …
high System graph api Wiring conf 1.00 Dangling fetch: GET /not-found.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2073)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2073` calls `GET /not-found.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/not-found.json` If this points at an external API, prefi…
high System graph api Wiring conf 1.00 Dangling fetch: GET /null-body-204 (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:465)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:465` calls `GET /null-body-204` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/null-body-204` If this points at an external API, prefix i…
high System graph api Wiring conf 1.00 Dangling fetch: GET /null-body-205 (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:475)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:475` calls `GET /null-body-205` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/null-body-205` If this points at an external API, prefix i…
high System graph api Wiring conf 1.00 Dangling fetch: GET /null-body-304 (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:485)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:485` calls `GET /null-body-304` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/null-body-304` If this points at an external API, prefix i…
high System graph api Wiring conf 1.00 Dangling fetch: GET /post-only.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2123)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2123` calls `GET /post-only.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/post-only.json` If this points at an external API, prefi…
high System graph api Wiring conf 1.00 Dangling fetch: GET /redirect-to-status (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2720)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2720` calls `GET /redirect-to-status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/redirect-to-status` If this points at an external AP…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://example.com/api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1345)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1345` calls `GET http://example.com/api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/example.com/api/echo-head…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://example.com/api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1359)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1359` calls `GET http://example.com/api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/example.com/api/echo-head…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://example.com/api/echo-headers.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1376)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1376` calls `GET http://example.com/api/echo-headers.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/example.com/api/echo-head…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://example.com/api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1152)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1152` calls `GET http://example.com/api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/example.com/api/status.json` If…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://example.com/api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2663)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:2663` calls `GET http://example.com/api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/example.com/api/status.json` If…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8080/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:499)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:499` calls `GET http://localhost:8080/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:8080/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:214)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:214` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:249)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:249` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:269)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:269` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:292)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:292` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:298)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:298` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:312)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:312` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:329)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:329` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:348)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:348` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:376)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:376` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:407)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:407` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:426)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:426` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:481)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:481` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:534)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:534` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:551)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:551` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:568)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:568` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:583)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:583` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/metrics (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:591)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:591` calls `GET http://localhost:9464/metrics` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/me…
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:9464/test (experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:517)
`experimental/packages/opentelemetry-exporter-prometheus/test/PrometheusExporter.test.ts:517` calls `GET http://localhost:9464/test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:9464/test`…
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1635)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1635` calls `GET https://example.com/api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/api/status.json` …
Dangling fetch · fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/echo-body.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1417)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1417` calls `POST /api/echo-body.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-body.json` If this points at an external API, …
Dangling fetch · fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/echo-body.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1560)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:1560` calls `POST /api/echo-body.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/echo-body.json` If this points at an external API, …
Dangling fetch · fetch
high System graph api Wiring conf 1.00 Dangling fetch: QUERY /api/status.json (experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:806)
`experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:806` calls `QUERY /api/status.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/status.json` If this points at an external API, prefix…
Dangling fetch · fetch
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
packages/sdk-metrics/src/exemplar/SimpleFixedSizeExemplarReservoir.ts:23
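The flagged file is, going by its name, a fixed-size reservoir for metric exemplars: that is sampling, where the property that matters is uniformity, not unpredictability, so Math.random() is adequate there and this hit deserves a false-positive vote. The example below is added here and is not code from opentelemetry-js; it shows the cases the SEC087 rule is really about (values an attacker must not be able to guess), the unbiased way to draw a CSPRNG index, and a same-line triage heuristic for separating secret-bearing Math.random() calls from sampling ones. The sample source lines at the bottom are constructed.

```typescript
import { randomBytes, randomInt, webcrypto } from 'node:crypto';

// Predictable: Math.random() is a non-cryptographic PRNG whose output can be
// recovered from a few observed values. Shown only as the "before" shape.
function insecureToken(len = 32): string {
  let s = '';
  while (s.length < len) s += Math.random().toString(16).slice(2);
  return s.slice(0, len);
}

// Unpredictable: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded (Node).
function secureToken(bytes = 32): string {
  return randomBytes(bytes).toString('hex');
}

// The same on the Web Crypto API: browsers, workers, and Node >= 19 where
// globalThis.crypto exists; older Node falls back to node:crypto's webcrypto.
function secureTokenWeb(bytes = 32): string {
  const wc: { getRandomValues(b: Uint8Array): Uint8Array } =
    (globalThis as unknown as { crypto?: typeof webcrypto }).crypto ?? webcrypto;
  const buf = wc.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// An unbiased index in [0, n) from CSPRNG bytes. A plain `byte % n` skews toward
// small values whenever 256 is not a multiple of n; rejection sampling discards
// the bytes that would cause the skew.
function secureIndex(n: number): number {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be in 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  for (;;) {
    const b = randomBytes(1)[0];
    if (b < limit) return b % n;
  }
}

// node:crypto ships the same idea for arbitrary ranges: randomInt(min, max).
function secureIndexBuiltin(n: number): number {
  return randomInt(0, n);
}

// Triage helper for SEC087-style hits: keep a Math.random() line only when the
// same line names something secret-bearing, so sampling code is let through.
// Same-line heuristic only; a real triage reads the enclosing function.
const SECRET_HINT = /(token|secret|nonce|session|password|salt|csrf|otp)/i;
function triageMathRandom(source: string): { line: number; text: string }[] {
  return source
    .split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => text.includes('Math.random(') && SECRET_HINT.test(text));
}

// Constructed sample: one reservoir-style use, one secret-bearing use.
const SAMPLE_SOURCE = [
  'const slot = Math.floor(Math.random() * this._reservoirSize); // exemplar reservoir',
  'const sessionToken = Math.random().toString(36).slice(2); // guessable',
].join('\n');
```

secureIndex is limited to n <= 256 because it draws one byte per attempt; randomInt covers larger ranges with the same rejection technique internally, which is why it is the better default in Node.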
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
scripts/update-ts-configs.js:236
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
package-lock.json
medium Security checks cicd CI/CD security conf 0.94 8 occurrences Compose service `otel-collector` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
4 files, 8 locations
examples/opentelemetry-web/docker/docker-compose.yaml:2, 15, 21 (3 hits)
examples/basic-tracer-node/docker/ot/docker-compose.yaml:4, 17 (2 hits)
examples/otlp-exporter-node/docker/docker-compose.yaml:17, 23 (2 hits)
examples/https/docker/docker-compose.yml:10
CI/CD security · containers
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
package-lock.json
medium Security checks software dependencies conf 0.88 markdown-it: GHSA-38c4-r59v-3vqw
markdown-it has a Regular Expression Denial of Service (ReDoS)
package-lock.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `@types/sinon` is 4 major version(s) behind (17.0.4 -> 21.0.1)
`@types/sinon` is pinned/resolved at 17.0.4 but the latest stable release on the npm registry is 21.0.1 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
api/package.json
semantic-conventions/package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-plugin-n` is 1 major version(s) behind (17.24.0 -> 18.0.1)
`eslint-plugin-n` is pinned/resolved at 17.24.0 but the latest stable release on the npm registry is 18.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `glob` is 2 major version(s) behind (11.1.0 -> 13.0.6)
`glob` is pinned/resolved at 11.1.0 but the latest stable release on the npm registry is 13.0.6 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `globals` is 2 major version(s) behind (15.15.0 -> 17.6.0)
`globals` is pinned/resolved at 15.15.0 but the latest stable release on the npm registry is 17.6.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `memfs` is 1 major version(s) behind (3.5.3 -> 4.57.6)
`memfs` is pinned/resolved at 3.5.3 but the latest stable release on the npm registry is 4.57.6 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
api/package.json
medium Security checks software dependencies conf 0.90 npm package `nock` is 1 major version(s) behind (13.5.6 -> 14.0.15)
`nock` is pinned/resolved at 13.5.6 but the latest stable release on the npm registry is 14.0.15 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
semantic-conventions/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `nyc` is 1 major version(s) behind (17.1.0 -> 18.0.0)
`nyc` is pinned/resolved at 17.1.0 but the latest stable release on the npm registry is 18.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
api/package.json
semantic-conventions/package.json
medium Security checks software dependencies conf 0.90 npm package `semver` is 1 major version(s) behind (6.3.1 -> 7.8.2)
`semver` is pinned/resolved at 6.3.1 but the latest stable release on the npm registry is 7.8.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `typedoc-plugin-missing-exports` is 1 major version(s) behind (3.1.0 -> 4.1.3)
`typedoc-plugin-missing-exports` is pinned/resolved at 3.1.0 but the latest stable release on the npm registry is 4.1.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-updat…
package.json
medium Security checks software dependencies conf 0.88 protobufjs: GHSA-jggg-4jg4-v7c6
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
package-lock.json
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
package-lock.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
package-lock.json
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/opentelemetry-web/examples/fetch-proto/index.js:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/opentelemetry-web/examples/fetch/index.js:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/opentelemetry-web/examples/fetchXhr/index.js:50
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/opentelemetry-web/examples/fetchXhrB3/index.js:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — experimental/packages/opentelemetry-instrumentation-fetch/src/fetch.ts:401
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts:302
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — experimental/packages/opentelemetry-instrumentation-fetch/test/mockServiceWorker.js:215
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
5 files, 5 locations
.github/workflows/benchmark.yml
.github/workflows/docs.yaml
.github/workflows/ossf-scorecard.yml
.github/workflows/publish-to-npm.yml
.github/workflows/sbom.yml
CI/CD security · Supply chain · Github actions
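The check behind this finding is what scopes each job's GITHUB_TOKEN actually ends up with. The block below is an added example, not code from opentelemetry-js or from the flagged workflows; it applies the rules GitHub documents for the `permissions` key: a job-level block replaces the workflow-level one, `read-all`/`write-all` cover every scope, listing any scope sets the unlisted ones to `none`, and with no block anywhere the repository default applies. The workflow shapes and job names are constructed, the scope list is the common subset, and the two shorthands are modelled as uniform over that subset.

```typescript
type Level = 'read' | 'write' | 'none';
type Permissions = 'read-all' | 'write-all' | Partial<Record<string, Level>>;
type Workflow = {
  permissions?: Permissions;
  jobs: Record<string, { permissions?: Permissions }>;
};

const SCOPES = [
  'actions', 'checks', 'contents', 'deployments', 'id-token', 'issues',
  'packages', 'pages', 'pull-requests', 'security-events', 'statuses',
] as const;

function expand(p: Permissions): Record<string, Level> {
  const out: Record<string, Level> = {};
  for (const s of SCOPES) {
    if (p === 'write-all') out[s] = 'write';
    else if (p === 'read-all') out[s] = 'read';
    else out[s] = p[s] ?? 'none'; // any explicit block zeroes the unlisted scopes
  }
  return out;
}

// Repository-level default when no `permissions` key is present anywhere.
// "restricted" is read on contents/packages and none elsewhere; "permissive"
// is write everywhere except id-token.
function repositoryDefault(setting: 'restricted' | 'permissive'): Record<string, Level> {
  const out: Record<string, Level> = {};
  for (const s of SCOPES) {
    out[s] = setting === 'restricted'
      ? (s === 'contents' || s === 'packages' ? 'read' : 'none')
      : (s === 'id-token' ? 'none' : 'write');
  }
  return out;
}

function effectivePermissions(wf: Workflow, job: string, setting: 'restricted' | 'permissive'): Record<string, Level> {
  const jobPerms = wf.jobs[job]?.permissions;
  if (jobPerms !== undefined) return expand(jobPerms);
  if (wf.permissions !== undefined) return expand(wf.permissions);
  return repositoryDefault(setting);
}

// The blast-radius view the finding is about: which scopes each job can write.
function writeScopesByJob(wf: Workflow, setting: 'restricted' | 'permissive'): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const job of Object.keys(wf.jobs)) {
    const perms = effectivePermissions(wf, job, setting);
    out[job] = Object.keys(perms).filter((s) => perms[s] === 'write').sort();
  }
  return out;
}

// Constructed workflow: a top-level write-all that leaks into every job that
// does not override it, plus one job that scopes itself down.
const BROAD_WORKFLOW: Workflow = {
  permissions: 'write-all',
  jobs: {
    lint: {},
    publish: { permissions: { contents: 'read', 'id-token': 'write' } },
  },
};

// Hardened: nothing at the top, each job asks for exactly what it needs.
const LEAST_PRIVILEGE_WORKFLOW: Workflow = {
  jobs: {
    lint: { permissions: { contents: 'read' } },
    publish: { permissions: { contents: 'read', 'id-token': 'write' } },
  },
};
```

The point the model makes visible is that a workflow-level `write-all` is inherited by every job that says nothing, including jobs that only lint or build and run third-party actions; moving the block to job level with only the scopes each job uses is the fix the finding asks for.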
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
package-lock.json
high Security checks cicd CI/CD security conf 0.56 11 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
5 files, 11 locations
examples/opentelemetry-web/docker/docker-compose.yaml:2, 15, 21 (3 hits)
examples/otlp-exporter-node/docker/docker-compose.yaml:3, 17, 23 (3 hits)
examples/basic-tracer-node/docker/ot/docker-compose.yaml:4, 17 (2 hits)
examples/https/docker/docker-compose.yml:3, 10 (2 hits)
experimental/examples/prometheus/docker-compose.yaml:3
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 11 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
5 files, 11 locations
examples/opentelemetry-web/docker/docker-compose.yaml:2, 15, 21 (3 hits)
examples/otlp-exporter-node/docker/docker-compose.yaml:3, 17, 23 (3 hits)
examples/basic-tracer-node/docker/ot/docker-compose.yaml:4, 17 (2 hits)
examples/https/docker/docker-compose.yml:3, 10 (2 hits)
experimental/examples/prometheus/docker-compose.yaml:3
CI/CD security · containers
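The three compose findings on this page (the mutable `latest` tag earlier, and the missing runtime user and missing `no-new-privileges` directly above) are the same review done by hand: read each service, look at `image:`, `user:` and `security_opt:`. The block below is an added example, not code from opentelemetry-js; it is a small checker for exactly those three rules, with a weak compose file and its hardened form embedded as constructed samples. The image version and digest in the hardened sample are placeholders. It reads only the flat `services:` layout the samples use (two-space service keys, four-space properties, six-space list items) and is not a general YAML parser.

```typescript
type ServiceFacts = { name: string; image?: string; user?: string; securityOpt: string[] };
type Finding = { service: string; rule: 'latest-tag' | 'no-runtime-user' | 'no-new-privileges'; detail: string };

const unquote = (v: string): string => v.replace(/^["']|["']$/g, '');

function parseServices(compose: string): ServiceFacts[] {
  const services: ServiceFacts[] = [];
  let inServices = false;
  let inSecurityOpt = false;
  let current: ServiceFacts | undefined;

  for (const raw of compose.split('\n')) {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing comments
    if (line.trim() === '') continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();

    if (indent === 0) {
      inServices = body === 'services:';
      current = undefined;
      continue;
    }
    if (!inServices) continue;

    if (indent === 2 && body.endsWith(':')) {
      current = { name: body.slice(0, -1), securityOpt: [] };
      services.push(current);
      inSecurityOpt = false;
    } else if (current && indent === 4) {
      const m = /^([\w-]+):\s*(.*)$/.exec(body);
      if (!m) continue;
      inSecurityOpt = m[1] === 'security_opt';
      if (m[1] === 'image') current.image = unquote(m[2]);
      else if (m[1] === 'user') current.user = unquote(m[2]);
    } else if (current && indent === 6 && inSecurityOpt && body.startsWith('- ')) {
      current.securityOpt.push(unquote(body.slice(2).trim()));
    }
  }
  return services;
}

// An image reference is only immutable when it carries a digest. A version tag
// beats `latest` but can still be re-pushed; a missing tag means `latest`.
function imageTag(ref: string): { tag: string; digest: boolean } {
  const [nameAndTag] = ref.split('@');
  const digest = /@sha256:[0-9a-f]{64}$/.test(ref);
  const afterSlash = nameAndTag.slice(nameAndTag.lastIndexOf('/') + 1);
  const colon = afterSlash.indexOf(':');
  return { tag: colon === -1 ? 'latest' : afterSlash.slice(colon + 1), digest };
}

function checkService(s: ServiceFacts): Finding[] {
  const out: Finding[] = [];
  if (s.image !== undefined) {
    const { tag, digest } = imageTag(s.image);
    if (tag === 'latest' && !digest) {
      out.push({ service: s.name, rule: 'latest-tag', detail: `${s.image} is mutable; pin a version and a digest` });
    }
  }
  if (s.user === undefined) {
    out.push({ service: s.name, rule: 'no-runtime-user', detail: 'no user: set; runs as the image USER, which is root unless the image says otherwise' });
  }
  if (!s.securityOpt.some((o) => /^no-new-privileges([:=]true)?$/.test(o))) {
    out.push({ service: s.name, rule: 'no-new-privileges', detail: 'add security_opt: [no-new-privileges:true]' });
  }
  return out;
}

function lintCompose(compose: string): Finding[] {
  return parseServices(compose).flatMap(checkService);
}

// Constructed samples: the shape the findings describe, then the hardened form.
const WEAK_COMPOSE = `
services:
  otel-collector:
    image: otel/opentelemetry-collector:latest
    ports:
      - "4318:4318"
`;

const HARDENED_COMPOSE = `
services:
  otel-collector:
    image: otel/opentelemetry-collector:1.2.3@sha256:${'0'.repeat(64)} # placeholder version and digest
    user: "10001:10001"
    security_opt:
      - no-new-privileges:true
    ports:
      - "4318:4318"
`;
```

Running `lintCompose` over the weak sample returns all three rules for `otel-collector`; over the hardened sample it returns nothing. For a real repository the same three properties are what a reviewer checks in each `docker-compose.yaml`, with a proper YAML loader in place of the line scanner.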
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
package-lock.json
low Security checks quality Quality conf 0.60 15 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 12 locations
bundler-tests/browser/webpack-5/src/index.js:12
bundler-tests/node/webpack-5/src/index.js:26
experimental/packages/opentelemetry-instrumentation-xml-http-request/src/utils.ts:8
experimental/packages/opentelemetry-instrumentation-xml-http-request/src/xhr.ts:225
experimental/packages/otlp-grpc-exporter-base/src/configuration/otlp-grpc-env-configuration.ts:30
experimental/packages/otlp-transformer/src/metrics/protobuf/response-deserializer.ts:17
experimental/packages/otlp-transformer/src/trace/protobuf/response-deserializer.ts:17
packages/opentelemetry-core/src/internal/validators.ts:1
duplication · quality
low Security checks software dependencies conf 0.90 2 occurrences npm package `@opentelemetry/api` is minor version(s) behind (^1.3.0 -> 1.9.1)
`@opentelemetry/api` is pinned/resolved at ^1.3.0 but the latest stable release on the npm registry is 1.9.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
e2e-tests/package.json
integration-tests/propagation-validation-server/package.json
low Security checks software dependencies conf 0.90 npm package `@types/webpack-env` is minor version(s) behind (1.16.3 -> 1.18.8)
`@types/webpack-env` is pinned/resolved at 1.16.3 but the latest stable release on the npm registry is 1.18.8 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
api/package.json
low Security checks software dependencies conf 0.90 npm package `dpdm` is minor version(s) behind (4.0.1 -> 4.2.0)
`dpdm` is pinned/resolved at 4.0.1 but the latest stable release on the npm registry is 4.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
api/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `karma-chrome-launcher` is minor version(s) behind (3.1.0 -> 3.2.0)
`karma-chrome-launcher` is pinned/resolved at 3.1.0 but the latest stable release on the npm registry is 3.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
api/package.json
package.json
low Security checks software dependencies conf 0.90 npm package `markdownlint-cli2` is minor version(s) behind (0.19.1 -> 0.22.1)
`markdownlint-cli2` is pinned/resolved at 0.19.1 but the latest stable release on the npm registry is 0.22.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `prettier` is minor version(s) behind (3.6.2 -> 3.8.3)
`prettier` is pinned/resolved at 3.6.2 but the latest stable release on the npm registry is 3.8.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `process` is minor version(s) behind (0.10.1 -> 0.11.10)
`process` is pinned/resolved at 0.10.1 but the latest stable release on the npm registry is 0.11.10 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ts-loader` is minor version(s) behind (9.5.7 -> 9.6.0)
`ts-loader` is pinned/resolved at 9.5.7 but the latest stable release on the npm registry is 9.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
api/package.json
low Security checks software dependencies conf 0.90 npm package `typedoc` is minor version(s) behind (0.27.9 -> 0.28.19)
`typedoc` is pinned/resolved at 0.27.9 but the latest stable release on the npm registry is 0.28.19 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `unionfs` is minor version(s) behind (4.5.4 -> 4.6.0)
`unionfs` is pinned/resolved at 4.5.4 but the latest stable release on the npm registry is 4.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
api/package.json
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
scripts/version-update.js:1
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/karma.conf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/karma.worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/baggage/internal/symbol.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/baggage/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/common/Attributes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/common/Exception.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/common/Time.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/context-api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/context/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/diag-api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/diag/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/metrics-api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/metrics/MeterProvider.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/propagation-api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace-api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/attributes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/invalid-span-constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/link.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/Sampler.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/SamplingResult.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/span_context.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/span_kind.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/SpanOptions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/status.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/trace_flags.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/trace_state.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/src/trace/tracer_options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/baggage/Baggage.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/diag/consoleLogger.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/internal/version.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/metrics/Metric.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/noop-implementations/noop-meter.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/noop-implementations/noop-span.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/noop-implementations/noop-tracer-provider.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/trace/spancontext-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/trace/tracestate-validators.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/common/trace/tracestate.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/index-webpack.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/index-webpack.worker.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api/test/tree-shaking/tree-shaking.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: bundler-tests/browser/nextjs-15-edge/next.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: bundler-tests/browser/nextjs-16-edge/next.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: integration-tests/api/test/api-entries.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: integration-tests/propagation-validation-server/validation-server.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: karma.base.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: karma.worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: prettier.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: semantic-conventions/src/index-incubating.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: semantic-conventions/src/stable_events.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: semantic-conventions/src/stable_metrics.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isDeprecated` in scripts/semconv/changelog-gen.js:54
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `PerformanceLegacy` in packages/opentelemetry-sdk-trace-web/src/index.ts:12
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `PerformanceLegacy` in packages/opentelemetry-sdk-trace-web/src/types.ts:36
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json · CI/CD security · Supply chain · Npm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — api/test/tree-shaking/tree-shaking.test.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/esm-http-ts/index.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/grpc-js/client.js:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/grpc-js/server.js:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/http/client.js:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/http/server.js:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/https/client.js:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/https/server.js:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/opentelemetry-web/examples/metrics/index.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/opentelemetry-web/examples/session/index.js:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/opentracing-shim/client.js:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/opentracing-shim/server.js:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/examples/opencensus-shim/client.js:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/examples/opencensus-shim/server.js:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/examples/prometheus/index.js:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/packages/configuration/scripts/generate-config.js:144
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/packages/otlp-transformer/test/performance/benchmark/toAnyValue.js:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — experimental/packages/otlp-transformer/test/performance/benchmark/transform.js:231
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — integration-tests/propagation-validation-server/validation-server.js:64
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-core/test/performance/benchmark/parsePairKeyValue.js:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/browser/export/BatchSpanProcessor.bench.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/browser/RandomIdGenerator.bench.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/browser/Span.bench.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/node/export/BatchSpanProcessor.bench.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/node/RandomIdGenerator.bench.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/node/Span.bench.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/performance/benchmark/sampler.js:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/opentelemetry-sdk-trace-base/test/performance/benchmark/setAttributes.js:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/peer-api-check.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/semconv/changelog-gen.js:256
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/update-ts-configs.js:284
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — semantic-conventions/test/helpers/autoImports.ts:129
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — semantic-conventions/test/sizeLimit.test.ts:177
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: POST /verify-tracecontext
`integration-tests/propagation-validation-server/validation-server.js` declares `POST /verify-tracecontext` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or…
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/configuration/src/generated/types.ts (1816 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/configuration/test/EnvironmentConfigFactory.test.ts (1500 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/opentelemetry-instrumentation-fetch/test/fetch.test.ts (2965 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/opentelemetry-instrumentation-http/test/functionals/http-enable.test.ts (1861 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/opentelemetry-instrumentation-xml-http-request/test/xhr.test.ts (2901 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: experimental/packages/opentelemetry-sdk-node/test/sdk.test.ts (2046 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/opentelemetry-sdk-trace-base/test/common/Span.test.ts (1939 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: semantic-conventions/src/experimental_attributes.ts (17057 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: semantic-conventions/src/experimental_metrics.ts (4472 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: semantic-conventions/src/resource/SemanticResourceAttributes.ts (2099 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: semantic-conventions/src/stable_attributes.ts (1374 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: semantic-conventions/src/trace/SemanticAttributes.ts (3982 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/890f7b57-f0a7-4c37-b302-d02b01bb4096/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/890f7b57-f0a7-4c37-b302-d02b01bb4096/
