Danijel Martinek
14762d4ba0
The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
88 lines
3.3 KiB
Markdown
88 lines
3.3 KiB
Markdown
---
|
|
package: "@opentelemetry/api"
|
|
version: "^1.9.0"
|
|
tier: core
|
|
decision: approved
|
|
date: 2026-05-14
|
|
deciders: [Danijel Martinek]
|
|
adr: adr-017
|
|
filter-results:
|
|
license: Apache-2.0
|
|
types: native
|
|
maintenance: active
|
|
boundary-fit: pass
|
|
shadow-check: pass
|
|
eu-residency: n/a
|
|
cve-scan: clean
|
|
named-consumer: pass
|
|
socketRisk: clean
|
|
verification-commands:
|
|
- npm view @opentelemetry/api license
|
|
- npm view @opentelemetry/api version
|
|
- pnpm audit --audit-level=moderate
|
|
accepted-cves: []
|
|
---
|
|
|
|
## Filter: license
|
|
|
|
<!-- Result: Apache-2.0 -->
|
|
|
|
`npm view @opentelemetry/api license` returns `Apache-2.0`. Apache-2.0 is on the allowlist.
|
|
|
|
## Filter: types
|
|
|
|
<!-- Result: native -->
|
|
|
|
`@opentelemetry/api` is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/` package is needed.
|
|
|
|
## Filter: maintenance
|
|
|
|
<!-- Result: active -->
|
|
|
|
Actively maintained by the OpenTelemetry community under the CNCF. The 1.x stable API line receives regular releases; the project is a CNCF incubating project with broad industry backing.
|
|
|
|
## Filter: boundary-fit
|
|
|
|
<!-- Result: pass -->
|
|
|
|
ADR-017 §8 explicitly permits `@opentelemetry/api` for use within `core-shared/instrumentation/` without restriction. Feature packages use it via the `ITracer`/`ILogger` interfaces only; they do not import this package directly (ESLint boundary rules, ADR-010).
|
|
|
|
## Filter: shadow-check
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`@opentelemetry/api` is the CNCF-standard instrumentation API. No competing tracing API is present in the workspace. The API package is the stable, zero-dependency interface layer intentionally kept separate from SDK implementations.
|
|
|
|
## Filter: eu-residency
|
|
|
|
<!-- Result: n/a -->
|
|
|
|
`@opentelemetry/api` is a pure instrumentation API with no network communication, telemetry transmission, or data storage. EU residency does not apply.
|
|
|
|
## Filter: cve-scan
|
|
|
|
<!-- Result: clean -->
|
|
|
|
`pnpm audit --audit-level=moderate` reports no advisories against `@opentelemetry/api` at the time of this trace.
|
|
|
|
## Filter: named-consumer
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`packages/core-shared/src/instrumentation/` consumes `@opentelemetry/api` to implement `OtelTracer` and `OtelLogger` (ADR-017). `packages/core-audit` also depends on it for span context propagation in audit records.
|
|
|
|
## Prompt: replaces
|
|
|
|
Prior to ADR-017, `core-shared` used Sentry SDK methods directly in `SentryTracer` and `SentryLogger`. `@opentelemetry/api` replaces direct Sentry SDK calls as the instrumentation substrate, allowing vendor swaps via exporter configuration rather than code rewrites.
|
|
|
|
## Prompt: migration-cost-out
|
|
|
|
Hard. `@opentelemetry/api` is the instrumentation interface called throughout `core-shared/instrumentation/`. Migrating away means replacing all span creation, context propagation, and log emission with a different API. The interfaces (`ITracer`, `ILogger`, `IMetrics`) in ADR-014 isolate feature packages, but the core instrumentation layer itself is deeply coupled to the OTel API shape.
|
|
|
|
## Prompt: alternatives-considered
|
|
|
|
1. **Sentry SDK directly** — Rejected in ADR-017: couples the impl to Sentry forever; vendor swap requires rewriting every `*Tracer`/`*Logger` pair.
|
|
2. **OpenCensus** — CNCF predecessor to OpenTelemetry; reached end-of-life and merged into OpenTelemetry. Not viable.
|
|
|
|
See ADR-017 for the full decision rationale.
|