fix(deps): Update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [SECURITY]

[cloudquery-ci]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.21.0 → v1.43.0

---

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

• exporters/otlp/otlptrace/otlptracehttp/client.go:199
• exporters/otlp/otlptrace/otlptracehttp/client.go:230
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
• exporters/otlp/otlplog/otlploghttp/client.go:190
• exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-39882
• https://github.com/open-telemetry/opentelemetry-go/pull/8108
• https://github.com/advisories/GHSA-w8rr-5gcm-pp58

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
  for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
• Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
  make the implementation spec-compliant. (#​8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

• chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by @​renovate[bot] in #​8014
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 190d7d4 by @​renovate[bot] in #​8013
• chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by @​renovate[bot] in #​8016
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by @​renovate[bot] in #​8011
• fix(deps): update golang.org/x by @​renovate[bot] in #​8023
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by @​renovate[bot] in #​8020
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by @​renovate[bot] in #​8017
• chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by @​renovate[bot] in #​8019
• Add doc on how to upgrade to new semconv by @​jmmcorreia in #​7807
• fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by @​renovate[bot] in #​8028
• resource: add WithService detector option by @​codeboten in #​7642
• fix(deps): update googleapis to a57be14 by @​renovate[bot] in #​8031
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by @​renovate[bot] in #​8032
• chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @​renovate[bot] in #​8034
• chore(deps): update github.com/securego/gosec/v2 digest to 8895462 by @​renovate[bot] in #​8036
• chore(deps): update module github.com/sonatard/noctx to v0.5.1 by @​renovate[bot] in #​8040
• chore(deps): update github.com/securego/gosec/v2 digest to 6e66a94 by @​renovate[bot] in #​8043
• docs(otlp): document HTTP/protobuf insecure env vars by @​marcschaeferger in #​8037
• Rebuild semconvkit and verifyreadmes on changes by @​MrAlias in #​7995
• chore(sdk/trace): join errors properly by @​ash2k in #​8030
• fix(deps): update googleapis to 84a4fc4 by @​renovate[bot] in #​8048
• attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by @​pellared in #​8038
• fix(sdk/trace): return spec-compliant TraceIdRatioBased description by @​ash2k in #​8027
• linting: add depguard rule to enforce semconv version by @​ajuijas in #​8041
• chore(deps): update actions/download-artifact action to v8.0.1 by @​renovate[bot] in #​8046
• chore(deps): update github.com/securego/gosec/v2 digest to b7b2c7b by @​renovate[bot] in #​8044
• fix(deps): update golang.org/x by @​renovate[bot] in #​8045
• Optimize attribute slice conversion by @​MrAlias in #​8039
• Add benchmarks for end-to-end metrics SDK usage by @​dashpole in #​7768
• fix(deps): update golang.org/x by @​renovate[bot] in #​8052
• chore(deps): update github.com/securego/gosec/v2 digest to befce8d by @​renovate[bot] in #​8053
• trace: add Random Trace ID Flag by @​yuanyuanzhao3 in #​8012
• Improve aggregation concurrent safe tests by @​dashpole in #​8021
• Add tests for exponential histogram concurrent-safety edge-cases by @​dashpole in #​8024
• exphist: replace min, max, sum, and count with atomics by @​dashpole in #​8025
• chore(deps): update github.com/securego/gosec/v2 digest to c2dfcec by @​renovate[bot] in #​8055
• chore(deps): update otel/weaver docker tag to v0.22.0 by @​renovate[bot] in #​8058
• chore(deps): update github.com/securego/gosec/v2 digest to dec52c4 by @​renovate[bot] in #​8063
• chore(deps): update otel/weaver docker tag to v0.22.1 by @​renovate[bot] in #​8061
• chore(deps): update github/codeql-action action to v4.33.0 by @​renovate[bot] in #​8065
• Fix race in the lastvalue aggregation where 0 could be observed by @​dashpole in #​8056
• chore(deps): update github.com/securego/gosec/v2 digest to 744bfb5 by @​renovate[bot] in #​8064
• Migrate to new bare metal runner (Ubuntu 24) by @​trask in #​8068
• sdk/resource: add WithContext variants for Default and Environment (#​7808) by @​ajuijas in #​8051
• Use atomics for exponential histogram buckets by @​dashpole in #​8057
• Added the internal/observ package to stdoutlog by @​yumosx in #​7735
• Add support for the development per-series starttime feature by @​dashpole in #​8060
• sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by @​kouji-yoshimura in #​8067
• Cleanup exemplar featuregate readme by @​dashpole in #​8072
• chore(deps): update codecov/codecov-action action to v5.5.3 by @​renovate[bot] in #​8080
• chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by @​renovate[bot] in #​8083
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to de6f1cc by @​renovate[bot] in #​8082
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by @​renovate[bot] in #​8085
• chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by @​renovate[bot] in #​8084
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by @​renovate[bot] in #​8081
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by @​renovate[bot] in #​8086
• chore(deps): update actions/cache action to v5.0.4 by @​renovate[bot] in #​8079
• chore(deps): update module github.com/fatih/color to v1.19.0 by @​renovate[bot] in #​8087
• fix(deps): update googleapis to d00831a by @​renovate[bot] in #​8078
• chore(deps): update golang.org/x/telemetry digest to b6b0c46 by @​renovate[bot] in #​8076
• fix(deps): update module google.golang.org/grpc to v1.79.3 [security] by @​renovate[bot] in #​8075
• sdk/metric: Support specifying cardinality limits per instrument kinds by @​petern48 in #​7855
• chore(deps): update github/codeql-action action to v4.34.0 by @​renovate[bot] in #​8088
• chore(deps): update codspeedhq/action action to v4.12.1 by @​renovate[bot] in #​8089
• chore(deps): update github/codeql-action action to v4.34.1 by @​renovate[bot] in #​8090
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by @​renovate[bot] in #​8092
• chore: fix noctx issues by @​mmorel-35 in #​8008
• chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by @​renovate[bot] in #​8095
• chore(deps): update codecov/codecov-action action to v5.5.4 by @​renovate[bot] in #​8097
• chore(deps): update codecov/codecov-action action to v6 by @​renovate[bot] in #​8098
• chore(deps): update module github.com/tetafro/godot to v1.5.6 by @​renovate[bot] in #​8099
• chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by @​renovate[bot] in #​8100
• chore(deps): update github/codeql-action action to v4.35.0 by @​renovate[bot] in #​8101
• chore(deps): update actions/setup-go action to v6.4.0 by @​renovate[bot] in #​8107
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by @​renovate[bot] in #​8106
• chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by @​renovate[bot] in #​8103
• chore(deps): update github/codeql-action action to v4.35.1 by @​renovate[bot] in #​8102
• chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by @​renovate[bot] in #​8109
• metricdatatest: Improve printing of diffs by @​dashpole in #​8073
• fix(deps): update googleapis to d5a96ad by @​renovate[bot] in #​8112
• chore(deps): update codspeedhq/action action to v4.13.0 by @​renovate[bot] in #​8114
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by @​renovate[bot] in #​8119
• chore(deps): update fossas/fossa-action action to v1.9.0 by @​renovate[bot] in #​8118
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by @​renovate[bot] in #​8115
• fix(deps): update googleapis to 9d38bb4 by @​renovate[bot] in #​8117
• fix: support getBody in otelploghttp by @​Tpuljak in #​8096
• fix(deps): update module google.golang.org/grpc to v1.80.0 by @​renovate[bot] in #​8121
• Use an absolute path when calling bsd kenv by @​dmathieu in #​8113
• limit response body size for OTLP HTTP exporters by @​pellared in #​8108
• chore(deps): update github.com/golangci/dupl digest to c99c5cf by @​renovate[bot] in #​8122
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by @​renovate[bot] in #​8131
• Release v1.43.0 / v0.65.0 / v0.19.0 by @​dmathieu in #​8128

New Contributors

• @​jmmcorreia made their first contribution in #​7807
• @​marcschaeferger made their first contribution in #​8037
• @​ajuijas made their first contribution in #​8041
• @​yuanyuanzhao3 made their first contribution in #​8012
• @​kouji-yoshimura made their first contribution in #​8067
• @​Tpuljak made their first contribution in #​8096

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

v1.42.0: /v0.64.0/v0.18.0/v0.0.16

Compare Source

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
• Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
• Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)

Removed

• Drop support for [Go 1.24]. (#​7984)

What's Changed

• fix changelog protection marker by @​pellared in #​7986
• Drop support for Go 1.24 by @​MrAlias in #​7984
• fix(deps): update golang.org/x by @​renovate[bot] in #​7907
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.53.0 by @​renovate[bot] in #​7981
• chore(deps): update benchmark-action/github-action-benchmark action to v1.21.0 by @​renovate[bot] in #​7989
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.53.0 by @​renovate[bot] in #​7982
• Revert "Revert "Generate semconv/v1.40.0"" by @​MrAlias in #​7985
• support stdlib request.GetBody on metrics by @​marifari-hue in #​7931
• attribute: add TestNotEquivalence and equality operator tests by @​pellared in #​7979
• Refactor benchmark CI by @​XSAM in #​7873
• chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 by @​renovate[bot] in #​7988
• chore(deps): pin codspeedhq/action action to df47568 by @​renovate[bot] in #​7996
• chore(deps): update actions/checkout action to v6.0.2 by @​renovate[bot] in #​7997
• chore(deps): update codspeedhq/action action to v4.11.0 by @​renovate[bot] in #​7999
• Upgrade to semconv/v1.40.0 by @​MrAlias in #​7991
• Regenerate semconv/v1.40.0/MIGRATION.md by @​MrAlias in #​7992
• fix: generated semconv helpers skipping attributes by @​victoraugustolls in #​7964
• Feat: Have SpanContext support the new W3C random flag. by @​nikhilmantri0902 in #​7834
• Semconv metric helper caller-slice mutation fix by @​MrAlias in #​7993
• Fix semconv generated error type to check error chain for custom type declaration by @​MrAlias in #​7994
• refactor: replace uint64 and int32 with atomic types in tests by @​alexandear in #​7941
• chore(deps): update golang.org/x/telemetry digest to 18da590 by @​renovate[bot] in #​8000
• TracerProvider ForceFlush() Error Fix by @​sawamurataxman in #​7856
• log: add error field to Record and make SDK to emit exception attributes by @​iblancasa in #​7924
• chore(deps): update dependency codespell to v2.4.2 by @​renovate[bot] in #​8003
• chore(deps): update github/codeql-action action to v4.32.6 by @​renovate[bot] in #​8004
• chore(deps): update codspeedhq/action action to v4.11.1 by @​renovate[bot] in #​8001
• fix(deps): update module google.golang.org/grpc to v1.79.2 by @​renovate[bot] in #​8007
• chore(deps): update module github.com/mgechev/revive to v1.15.0 by @​renovate[bot] in #​8009
• chore(deps): update golang.org/x/telemetry digest to e526e8a by @​renovate[bot] in #​8010
• Release v1.42.0/v0.64.0/v0.18.0/v0.0.16 by @​pellared in #​8006

New Contributors

• @​marifari-hue made their first contribution in #​7931
• @​victoraugustolls made their first contribution in #​7964
• @​sawamurataxman made their first contribution in #​7856
• @​iblancasa made their first contribution in #​7924

Full Changelog: open-telemetry/opentelemetry-go@v1.41.0...v1.42.0

v1.41.0

Compare Source

Added

• Add ByteSlice and ByteSliceValue functions for new BYTESLICE attribute type in go.opentelemetry.io/otel/attribute. (#​7948)
• Apply attribute value limit to the KindBytes attribute type in go.opentelemetry.io/otel/sdk/log. (#​7990)
• Apply attribute value limit to the BYTESLICE attribute type in go.opentelemetry.io/otel/sdk/trace. (#​7990)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/trace. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8153)
• Add String method for Value type in go.opentelemetry.io/otel/attribute. (#​8142)
• Add Slice and SliceValue functions for new SLICE attribute type in go.opentelemetry.io/otel/attribute. (#​8166)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8216)
• Apply AttributeValueLengthLimit to attribute.SLICE type attribute values in go.opentelemetry.io/otel/sdk/trace, recursively truncating contained string values. (#​8217)
• Add Error field on Record type in go.opentelemetry.io/otel/log/logtest. (#​8148)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8157)
• Add Settable to go.opentelemetry.io/otel/metric/x to allow reusing attribute options. (#​8178)
• Add experimental support for splitting metric data across multiple batches in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_METRIC_EXPORT_BATCH_SIZE=<max_size> to enable for all periodic readers.
  See go.opentelemetry.io/otel/sdk/metric/internal/x for feature documentation. (#​8071)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/x for feature documentation. (#​8192)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/internal/x for feature documentation. (#​8194)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutlog.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/stdout/stdoutlog/internal/x for feature documentation. (#​8263)
• Add WithDefaultAttributes to go.opentelemetry.io/otel/metric/x to support setting default attributes on instruments. (#​8135)
• Add go.opentelemetry.io/otel/semconv/v1.41.0 package.
  The package contains semantic conventions from the v1.41.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.40.0. (#​8324)
• Add Observable variants of instruments to go.opentelemetry.io/otel/semconv/v1.41.0 package. (#​8350)
• Generate explicit histogram bucket boundaries from weaver configuration for HTTP and RPC duration instruments in go.opentelemetry.io/otel/semconv/v1.41.0. (#​8002)

Changed

• ⚠️ Breaking Change: go.opentelemetry.io/otel/sdk/metric now applies a default cardinality limit of 2000 to comply with the Metrics SDK specification recommendation.
  New attribute sets are dropped when the cardinality limit is reached. The measurement of these sets are aggregated into a special attribute set containing attribute.Bool("otel.metric.overflow", true).
  This can break users who relied on the previous unlimited default.
  Set WithCardinalityLimit(0) or the deprecated OTEL_GO_X_CARDINALITY_LIMIT=0 environment variable to preserve unlimited cardinality.
  Note that support for OTEL_GO_X_CARDINALITY_LIMIT may be removed in a future release. (#​8247)
• ErrorType in go.opentelemetry.io/otel/semconv now unwraps errors created with fmt.Errorf when deriving the error.type attribute. (#​8133)
• go.opentelemetry.io/otel/sdk/log now unwraps error chains created with fmt.Errorf when deriving the error.type attribute from errors on log records. (#​8133)
• Set.MarshalLog method in go.opentelemetry.io/otel/attribute now uses Value.String formatting following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8169)
• Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir and short-circuit Offer calls to the exemplar reservoir when exemplar.AlwaysOffFilter is configured. (#​8211) (#​8267)
• Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir for asynchronous instruments when exemplar.TraceBasedFilter is configured. (#​8286)

Deprecated

• Deprecate Value.Emit method in go.opentelemetry.io/otel/attribute.
  Use Value.String instead. (#​8176)

Fixed

• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8135)
• Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8152)
• go.opentelemetry.io/otel/exporters/prometheus now uses Value.String formatting for label values following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8170)
• Propagate errors from the exporter when calling Shutdown on BatchSpanProcessor in go.opentelemetry.io/otel/sdk/trace. (#​8197)
• Fix stale status code reportin

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[cloudquery-ci]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 29 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
go.opentelemetry.io/otel/sdk	v1.36.0 -> v1.43.0
golang.org/x/crypto	v0.45.0 -> v0.49.0
golang.org/x/oauth2	v0.30.0 -> v0.35.0
cel.dev/expr	v0.24.0 -> v0.25.1
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.27.0 -> v1.31.0
github.com/cncf/xds/go	v0.0.0-20250501225837-2ac532fd4443 -> v0.0.0-20251210132809-ee656c7534f5
github.com/envoyproxy/go-control-plane/envoy	v1.32.4 -> v1.36.0
github.com/envoyproxy/protoc-gen-validate	v1.2.1 -> v1.3.0
github.com/go-jose/go-jose/v4	v4.0.5 -> v4.1.3
github.com/spiffe/go-spiffe/v2	v2.5.0 -> v2.6.0
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/detectors/gcp	v1.36.0 -> v1.39.0
cloud.google.com/go/compute/metadata	v0.8.0 -> v0.9.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.16.0 -> v2.28.0
github.com/prometheus/client_model	v0.6.1 -> v0.6.2
go.opentelemetry.io/otel	v1.36.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.21.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.36.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.36.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.36.0 -> v1.43.0
go.opentelemetry.io/proto/otlp	v1.0.0 -> v1.10.0
golang.org/x/net	v0.47.0 -> v0.52.0
golang.org/x/sync	v0.18.0 -> v0.20.0
golang.org/x/sys	v0.38.0 -> v0.42.0
golang.org/x/text	v0.31.0 -> v0.35.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250818200422-3122310a409c -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250818200422-3122310a409c -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc	v1.74.3 -> v1.80.0
google.golang.org/protobuf	v1.36.7 -> v1.36.11