Skip to content

fix(security): update vulnerability-updates [security]#1934

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/vulnerability-updates
Apr 9, 2026
Merged

fix(security): update vulnerability-updates [security]#1934
renovate[bot] merged 1 commit intomainfrom
renovate/vulnerability-updates

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 9, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0v0.19.0 age confidence
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0v0.19.0 age confidence
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0v1.43.0 age confidence
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0v1.43.0 age confidence
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0v1.43.0 age confidence
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0v1.43.0 age confidence
go.opentelemetry.io/otel/sdk v1.40.0v1.43.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-39882

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

CVE-2026-39883

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)

v0.19.0

Compare Source

Added
  • Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#​1586)
  • A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#​1608)
  • Added WithSampler and WithSpanLimits to tracer provider. (#​1633, #​1702)
  • "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#​1701)
  • A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#​1703)
Changed
  • trace.SpanContext is now immutable and has no exported fields. (#​1573)
    • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
  • Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#​1608)
  • Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#​1608)
  • The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#​1612)
  • "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#​1656)
  • Added non-empty string check for trace Attribute keys. (#​1659)
  • Add description to SpanStatus only when StatusCode is set to error. (#​1662)
  • Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#​1673)
  • Jaeger exporter populates Jaeger's Span Process from Resource. (#​1673)
  • Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#​1692)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#​1693)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#​1693)
  • "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#​1703)
  • "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#​1703)
Removed
  • Removed serviceName parameter from Zipkin exporter and uses resource instead. (#​1549)
  • Removed WithConfig from tracer provider to avoid overriding configuration. (#​1633)
  • Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs.
    These are now returned as a SpanProcessor interface from their respective constructors. (#​1638)
  • Removed WithRecord() from trace.SpanOption when creating a span. (#​1660)
  • Removed setting status to Error while recording an error as a span event in RecordError. (#​1663)
  • Removed jaeger.WithProcess configuration option. (#​1673)
  • Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#​1693)
Fixed
  • Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#​1626)
  • SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#​1655)
  • The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#​1678)
  • Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#​1681)
  • Synchronization issues in global trace delegate implementation. (#​1686)
  • Reduced excess memory usage by global TracerProvider. (#​1687)
Raw changes made between v0.18.0 and v0.19.0

2b4fa96 (HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 (#​1710)
4beb704 sdk/trace: removing ApplyConfig and Config (#​1693)
1d42be1 Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (#​1702)
860d5d8 Add flag to determine whether SpanContext is remote (#​1701)
0fe65e6 Comply with OpenTelemetry attributes specification (#​1703)
8888435 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (#​1700)
345f264 (global-docs) breaking(zipkin): removes servicName from zipkin exporter. (#​1697)
62cbf0f Populate Jaeger's Span.Process from Resource (#​1673)
28eaaa9 Add a test to prove the Tracer is safe for concurrent calls (#​1665)
8b1be11 Rename resource pkg label vars and methods (#​1692)
a1539d4 OpenCensus metric exporter bridge (#​1444)
77aa218 Fix issue #​1490, apply same logic as in the SDK (#​1687)
9d3416c Fix synchronization issues in global trace delegate implementation (#​1686)
58f69f0 Span status from HTTP code: Do not set status message if it can be inferred (#​1681)
9c305bd Flush metric events prior to shutdown in OTLP example (#​1678)
66b1135 Fix CHANGELOG (#​1680)
90bd4ab Update employer information for maintainers (#​1683)
3684191 Remove WithRecord() option from trace.SpanOption when starting a span (#​1660)
65c7de2 Remove trace prefix from NoOp src files. (#​1679)
e88a091 Make SpanContext Immutable (#​1573)
d75e268 Avoid overriding configuration of tracer provider (#​1633)
2b4d5ac Bump github.com/golangci/golangci-lint in /internal/tools (#​1671)
150b868 Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#​1667)
76aa924 Fix the examples target info messaging (#​1676)
a3aa9fd Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (#​1672)
a5edd79 Removed setting error status while recording err as span event (#​1663)
e981475 chore(zipkin): improves zipkin example to not to depend on timeouts. (#​1566)
3dc91f2 Add ForceFlush method to TracerProvider (#​1608)
bd0bba4 exporter: swap pusher for exporter (#​1656)
5690485 Update the SimpleSpanProcessor (#​1612)
a7f7aba SpanStatus description set only when status code is set to Error (#​1662)
05252f4 Jaeger Exporter: Fix minor mapping discrepancies (#​1626)
238e7c6 Add non-empty string check for attribute keys (#​1659)
e9b9aca Add tests for propagation of Sampler Tracestate changes (#​1655)
875a258 Add docs on when reviews should be cleared (#​1556)
7153ef2 Add HTTP/JSON to the otlp exporter (#​1586)
62e2a0f Unexport the simple and batch SpanProcessors (#​1638)
992837f Add TracerProvider tests to oteltest harness (#​1607)

v0.18.0

Compare Source

Added
  • Added resource.Default() for use with meter and tracer providers. (#​1507)
  • AttributePerEventCountLimit and AttributePerLinkCountLimit for SpanLimits. (#​1535)
  • Added Keys() method to propagation.TextMapCarrier and propagation.HeaderCarrier to adapt http.Header to this interface. (#​1544)
  • Added code attributes to go.opentelemetry.io/otel/semconv package. (#​1558)
  • Compatibility testing suite in the CI system for the following systems. (#​1567)
    OS Go Version Architecture
    Ubuntu 1.15 amd64
    Ubuntu 1.14 amd64
    Ubuntu 1.15 386
    Ubuntu 1.14 386
    MacOS 1.15 amd64
    MacOS 1.14 amd64
    Windows 1.15 amd64
    Windows 1.14 amd64
    Windows 1.15 386
    Windows 1.14 386
Changed
  • Replaced interface oteltest.SpanRecorder with its existing implementation
    StandardSpanRecorder (#​1542).
  • Default span limit values to 128. (#​1535)
  • Rename MaxEventsPerSpan, MaxAttributesPerSpan and MaxLinksPerSpan to EventCountLimit, AttributeCountLimit and LinkCountLimit, and move these fields into SpanLimits. (#​1535)
  • Renamed the otel/label package to otel/attribute. (#​1541)
  • Vendor the Jaeger exporter's dependency on Apache Thrift. (#​1551)
  • Parallelize the CI linting and testing. (#​1567)
  • Stagger timestamps in exact aggregator tests. (#​1569)
  • Changed all examples to use WithBatchTimeout(5 * time.Second) rather than WithBatchTimeout(5). (#​1621)
  • Prevent end-users from implementing some interfaces (#​1575)
      "otel/exporters/otlp/otlphttp".Option
      "otel/exporters/stdout".Option
      "otel/oteltest".Option
      "otel/trace".TracerOption
      "otel/trace".SpanOption
      "otel/trace".EventOption
      "otel/trace".LifeCycleOption
      "otel/trace".InstrumentationOption
      "otel/sdk/resource".Option
      "otel/sdk/trace".ParentBasedSamplerOption
      "otel/sdk/trace".ReadOnlySpan
      "otel/sdk/trace".ReadWriteSpan
Removed
  • Removed attempt to resample spans upon changing the span name with span.SetName(). (#​1545)
  • The test-benchmark is no longer a dependency of the precommit make target. (#​1567)
  • Removed the test-386 make target.
    This was replaced with a full compatibility testing suite (i.e. multi OS/arch) in the CI system. (#​1567)
Fixed
  • The sequential timing check of timestamps in the stdout exporter are now setup explicitly to be sequential (#​1571). (#​1572)
  • Windows build of Jaeger tests now compiles with OS specific functions (#​1576). (#​1577)
  • The sequential timing check of timestamps of go.opentelemetry.io/otel/sdk/metric/aggregator/lastvalue are now setup explicitly to be sequential (#​1578). (#​1579)
  • Validate tracestate header keys with vedors according to the W3C TraceContext specification (#​1475). (#​1581)
  • The OTLP exporter includes related labels for translations of a GaugeArray (#​1563). (#​1570)

Raw changes made between v0.17.0 and v0.18.0

bb4c297 Pre release v0.18.0 (#​1635)
712c3dc Fix makefile ci target and coverage test packages (#​1634)
841d2a5 Rename local var new to not collide with builtin (#​1610)
13938ab Update SpanProcessor docs (#​1611)
e25503a Add compatibility tests to CI (#​1567)
1519d95 Use reasonable interval in sdktrace.WithBatchTimeout (#​1621)
7d4496e Pass metric labels when transforming to gaugeArray (#​1570)
6d4a5e0 Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp (#​1619)
a93393a Bump google.golang.org/grpc in /example/prom-collector (#​1620)
e499ca8 Fix validation for tracestate with vendor and add tests (#​1581)
43886e5 Make timestamps sequential in lastvalue agg check (#​1579)
37688ef revent end-users from implementing some interfaces (#​1575)
85e696d Updating documentation with an working example for creating NewExporter (#​1513)
562eb28 Unify the Added sections of the unreleased changes (#​1580)
c4cf1af Fix Windows build of Jaeger tests (#​1577)
4a163be Fix stdout TestStdoutTimestamp failure with sleep (#​1572)
bd4701e Stagger timestamps in exact aggregator tests (#​1569)
b94cd4b add code attributes to semconv package (#​1558)
78c06ce Update docs from gitter to slack for communication (#​1554)
1307c91 Remove vendor exclude from license-check (#​1552)
5d2636e Bump github.com/golangci/golangci-lint in /internal/tools (#​1565)
d7aff47 Vendor Thrift dependency (#​1551)
298c5a1 Update span limits to conform with OpenTelemetry specification (#​1535)
ecf65d7 Rename otel/label -> otel/attribute (#​1541)
1b5b662 Remove resampling on span.SetName (#​1545)
8da5299 fix: grpc reconnection (#​1521)
3bce9c9 Add Keys() method to propagation.TextMapCarrier (#​1544)
0b1a1c7 Make oteltest.SpanRecorder into a concrete type (#​1542)
7d0e3e5 SDK span no modification after ended (#​1543)
7de3b58 Remove extra labels types (#​1314)
73194e4 Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger (#​1536)
8fae0a6 Create resource.Default() with required attributes/default values (#​1507)

v0.17.0

Compare Source

Changed
  • Rename project default branch from master to main.
  • Reverse order in which Resource attributes are merged, per change in spec. (#​1501)
  • Add tooling to maintain "replace" directives in go.mod files automatically. (#​1528)
  • Create new modules: otel/metric, otel/trace, otel/oteltest, otel/sdk/export/metric, otel/sdk/metric (#​1528)
  • Move metric-related public global APIs from otel to otel/metric/global. (#​1528)

9b242bc (upstream/main, origin/main, main) Organize API into Go modules based on stability and dependencies (#​1528)
e50a1c8 Bump actions/cache from v2 to v2.1.4 (#​1518)
a6aa7f0 Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger (#​1517)
38efc87 Code Improvement - Error strings should not be capitalized (#​1488)
6b34050 Update default branch name (#​1505)
b39fd05 nit: Fix comment to be up-to-date (#​1510)
186c295 Fix golint error of package comment form (#​1487)
9308d66 Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger (#​1506)
1952d7b Reverse order of attribute precedence when merging two Resources (#​1501)
ad7b471 Remove build flags for runtime/trace support (#​1498)
4bf4b69 Remove inaccurate and unnecessary import comment (#​1481)
7e19eb6 Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger (#​1504)
c6a4406 Bump github.com/golangci/golangci-lint in /internal/tools (#​1503)
9524ac0 (upstream/master, origin/master, origin/HEAD) Update workflows to include main branch as trigger (#​1497)
c066f15 Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools (#​1478)
894e024 Bump github.com/golangci/golangci-lint in /internal/tools (#​1477)
71ffba3 Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp (#​1471)
515809a Bump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools (#​1472)
3e96ad1 gitignore: remove unused example path (#​1474)
c562277 Histogram aggregator functional options (#​1434)
0df8cd6 Rename Makefile.proto to avoid interpretation as proto file (#​1468)
979ff51 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#​1453)
1df8b3b Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp (#​1456)
4c30a90 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk (#​1455)
5a9f8f6 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout (#​1454)
7786f34 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin (#​1457)
4352a7a Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp (#​1460)
6990b3b Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus (#​1461)
7af40d2 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger (#​1463)
f16f189 Bump google.golang.org/grpc in /example/otel-collector (#​1465)
fe363be Move Span Event to API (#​1452)
4392224 Bump google.golang.org/grpc in /example/prom-collector (#​1466)

v0.16.0

Compare Source

Added
  • Add the ReadOnlySpan and ReadWriteSpan interfaces to provide better control for accessing span data. (#​1360)
  • NewGRPCDriver function returns a ProtocolDriver that maintains a single gRPC connection to the collector. (#​1369)
  • Added documentation about the project's versioning policy. (#​1388)
  • Added NewSplitDriver for OTLP exporter that allows sending traces and metrics to different endpoints. (#​1418)
  • Added codeql worfklow to GitHub Actions (#​1428)
  • Added Gosec workflow to GitHub Actions (#​1429)
  • Add new HTTP driver for OTLP exporter in exporters/otlp/otlphttp. Currently it only supports the binary protobuf payloads. (#​1420)
Changed
  • Rename internal/testing to internal/internaltest. (#​1449)
  • Rename export.SpanData to export.SpanSnapshot and use it only for exporting spans. (#​1360)
  • Store the parent's full SpanContext rather than just its span ID in the span struct. (#​1360)
  • Improve span duration accuracy. (#​1360)
  • Migrated CI/CD from CircleCI to GitHub Actions (#​1382)
  • Remove duplicate checkout from GitHub Actions workflow (#​1407)
  • Metric array aggregator renamed exact to match its aggregation.Kind (#​1412)
  • Metric exact aggregator includes per-point timestamps (#​1412)
  • Metric stdout exporter uses MinMaxSumCount aggregator for ValueRecorder instruments (#​1412)
  • NewExporter from exporters/otlp now takes a ProtocolDriver as a parameter. (#​1369)
  • Many OTLP Exporter options became gRPC ProtocolDriver options. (#​1369)
  • Unify endpoint API that related to OTel exporter. (#​1401)
  • Optimize metric histogram aggregator to re-use its slice of buckets. (#​1435)
  • Metric aggregator Count() and histogram Bucket.Counts are consistently uint64. (1430)
  • SamplingResult now passed a Tracestate from the parent SpanContext (#​1432)
  • Moved gRPC driver for OTLP exporter to exporters/otlp/otlpgrpc. (#​1420)
  • The TraceContext propagator now correctly propagates TraceState through the SpanContext. (#​1447)
  • Metric Push and Pull Controller components are combined into a single "basic" Controller:
    • WithExporter() and Start() to configure Push behavior
    • Start() is optional; use Collect() and ForEach() for Pull behavior
    • Start() and Stop() accept Context. (#​1378)
Removed
  • Remove errUninitializedSpan as its only usage is now obsolete. (#​1360)
  • Remove Metric export functionality related to quantiles and summary data points: this is not specified (#​1412)
  • Remove DDSketch metric aggregator; our intention is to re-introduce this as an option of the histogram aggregator after new OTLP histogram data types are released (#​1412)
Fixed
  • BatchSpanProcessor.Shutdown() will now shutdown underlying export.SpanExporter. (#​1443)

Raw changes made between v0.15.0 and v0.16.0

0aadfb2 Prepare release v0.16.0 (#​1464)
207587b Metric histogram aggregator: Swap in SynchronizedMove to avoid allocations (#​1435)
c29c6fd Shutdown underlying span exporter while shutting down BatchSpanProcessor (#​1443)
dfece3d Combine the Push and Pull metric controllers (#​1378)
74deedd Handle tracestate in TraceContext propagator (#​1447)
49f699d Remove Quantile aggregation, DDSketch aggregator; add Exact timestamps (#​1412)
9c94941 Rename internal/testing to internal/internaltest ([#​1449](https://redirect.github.com/open-telemetry/open

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Apr 9, 2026
@renovate renovate bot requested review from a team as code owners April 9, 2026 00:35
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Apr 9, 2026

ℹ️ Artifact update notice

File name: core/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 14 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.48.0 -> v0.49.0
golang.org/x/mod v0.32.0 -> v0.33.0
golang.org/x/sync v0.19.0 -> v0.20.0
google.golang.org/grpc v1.79.3 -> v1.80.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/log v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/sdk/log v0.18.0 -> v0.19.0
go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
golang.org/x/net v0.51.0 -> v0.52.0
golang.org/x/term v0.40.0 -> v0.41.0
golang.org/x/text v0.34.0 -> v0.35.0
google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
File name: flagd-proxy/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
go.opentelemetry.io/otel/metric v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric v1.40.0 -> v1.43.0
go.opentelemetry.io/otel v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/trace v1.40.0 -> v1.43.0
golang.org/x/sys v0.40.0 -> v0.42.0
File name: flagd/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 16 additional dependencies were updated

Details:

Package Change
golang.org/x/net v0.49.0 -> v0.52.0
golang.org/x/sync v0.19.0 -> v0.20.0
google.golang.org/grpc v1.79.3 -> v1.80.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 -> v2.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/log v0.14.0 -> v0.19.0
go.opentelemetry.io/otel/sdk/log v0.14.0 -> v0.19.0
go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
golang.org/x/crypto v0.47.0 -> v0.49.0
golang.org/x/mod v0.31.0 -> v0.33.0
golang.org/x/oauth2 v0.34.0 -> v0.35.0
golang.org/x/term v0.39.0 -> v0.41.0
golang.org/x/text v0.33.0 -> v0.35.0
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260401024825-9d38bb4040a9

@netlify
Copy link
Copy Markdown

netlify bot commented Apr 9, 2026
edited
Loading

Deploy Preview for polite-licorice-3db33c canceled.

Name Link
🔨 Latest commit 73ac05c
🔍 Latest deploy log https://app.netlify.com/projects/polite-licorice-3db33c/deploys/69d6f44951047b000802d86f

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 9, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate bot merged commit 40d444a into main Apr 9, 2026
17 checks passed
@renovate renovate bot deleted the renovate/vulnerability-updates branch April 9, 2026 04:27
@github-actions github-actions bot mentioned this pull request Apr 9, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@renovate-approve-2 renovate-approve-2[bot] renovate-approve-2[bot] approved these changes

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants