Skip to content

build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /pkg/pillar#5778

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0
Closed

build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /pkg/pillar#5778
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 8, 2026
edited
Loading

Bumps go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0.

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
  • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
  • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
  • Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
  • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
  • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

  • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

  • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
  • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits
  • 9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
  • 61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
  • 97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
  • 5e363de limit response body size for OTLP HTTP exporters (#8108)
  • 35214b6 Use an absolute path when calling bsd kenv (#8113)
  • 290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
  • e70658e fix: support getBody in otelploghttp (#8096)
  • 4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
  • b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
  • 69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 8, 2026
@dependabot dependabot Bot requested a review from eriknordmark as a code owner April 8, 2026 22:04
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 8, 2026
eriknordmark
eriknordmark approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@eriknordmark eriknordmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@eriknordmark
Copy link
Copy Markdown
Contributor

eriknordmark commented Apr 10, 2026

@dependabot rebase

@eriknordmark
Copy link
Copy Markdown
Contributor

eriknordmark commented Apr 10, 2026

This PR has a golang version issue. Fails with
#37 0.170 go: go.mod requires go >= 1.25.0 (running go 1.24.6; GOTOOLCHAIN=local)

@dependabot dependabot Bot force-pushed the dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0 branch from 754c7a1 to 61ee2c2 Compare April 10, 2026 22:06
@github-actions github-actions Bot requested a review from eriknordmark April 10, 2026 22:07
@dependabot dependabot Bot force-pushed the dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0 branch 3 times, most recently from f46a0eb to ef04eb3 Compare April 15, 2026 17:31
@eriknordmark eriknordmark marked this pull request as draft April 17, 2026 07:12
@dependabot dependabot Bot force-pushed the dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0 branch from ef04eb3 to 2dc6bea Compare April 25, 2026 06:13
@dependabot
build(deps): bump go.opentelemetry.io/otel/sdk in /pkg/pillar
4eb136e 
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0 branch from 2dc6bea to 4eb136e Compare April 28, 2026 08:03
eriknordmark added a commit to eriknordmark/eve that referenced this pull request May 5, 2026
@eriknordmark @claude
pillar: bump otel/sdk to v1.41.0
3d6a7ab 
Bump go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/sdk/metric
from v1.40.0 to v1.41.0. This is the highest version compatible with Go
1.24.x (v1.42.0 and later require Go 1.25.0).

The three CVEs that triggered dependabot PR lf-edge#5778 are not
reachable in EVE at v1.40.0 either: the BSD kenv path-hijack
(GHSA-hfvc-g4fc-pqhx) is gated behind a dragonfly/freebsd/netbsd/openbsd/
solaris build tag; the OTLP HTTP exporter DoS (GHSA-w8rr-5gcm-pp58) affects
packages not imported by pillar; and the baggage-header DoS
(GHSA-mh2q-q3fh-2475) was already patched via go.opentelemetry.io/otel
v1.41.0. This bump aligns sdk with the core otel package version.

Signed-off-by: eriknordmark <erik@zededa.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@eriknordmark eriknordmark mentioned this pull request May 5, 2026
Open
7 tasks
@eriknordmark
Copy link
Copy Markdown
Contributor

eriknordmark commented May 5, 2026

This PR bumps go.opentelemetry.io/otel/sdk to v1.43.0, but that version requires Go ≥ 1.25.0. EVE currently uses Go 1.24.6 (GOTOOLCHAIN=local), so the build fails with:

go: go.mod requires go >= 1.25.0 (running go 1.24.6; GOTOOLCHAIN=local)

As an interim step, #5903 bumps the SDK to v1.41.0 — the highest version compatible with Go 1.24.x.

None of the three CVEs addressed by this PR are actually reachable in EVE:

Advisory Severity Status in EVE
GHSA-hfvc-g4fc-pqhx (CVE-2026-39883) kenv PATH hijack High Not reachable — host_id_bsd.go has build tag dragonfly/freebsd/netbsd/openbsd/solaris; never compiled for Linux
GHSA-w8rr-5gcm-pp58 (CVE-2026-39882) OTLP HTTP unbounded body Moderate Not reachable — pillar does not import otlptracehttp, otlpmetrichttp, or otlploghttp
GHSA-mh2q-q3fh-2475 (CVE-2026-29181) baggage header DoS High Already fixed — patched in go.opentelemetry.io/otel v1.41.0, which pillar already uses

This PR can be merged once the Go toolchain is updated to 1.25+.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 5, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/go_modules/pkg/pillar/go.opentelemetry.io/otel/sdk-1.43.0 branch May 5, 2026 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eriknordmark eriknordmark Awaiting requested review from eriknordmark eriknordmark is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@eriknordmark