chore(deps): update module go.opentelemetry.io/otel/sdk to v1.40.0 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	v1.39.0 → v1.40.0

---

OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq / GO-2026-4394

More information

Details

OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

Severity

Unknown

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq
• https://nvd.nist.gov/vuln/detail/CVE-2026-24051
• https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.40.0: /v0.62.0/v0.16.0

Compare Source

Overview

Added

• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#​7763)
• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#​7724)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#​7783, #​7789)

Changed

• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#​7688)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7474)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#​7492)
• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#​7443)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#​7478)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7702)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#​7447)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#​7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#​7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#​7662)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#​7818)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP2 GOAWAY frame. (#​7794)

Deprecated

• Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#​7670)

What's Changed

• fix(deps): update opentelemetry-go monorepo to v0.15.0 by @​renovate[bot] in #​7690
• chore(deps): update golang.org/x by @​renovate[bot] in #​7689
• fix(deps): update golang.org/x by @​renovate[bot] in #​7691
• prometheus exporter ignores metrics from the Prometheus bridge by @​dashpole in #​7688
• chore(deps): update codecov/codecov-action action to v5.5.2 by @​renovate[bot] in #​7693
• fix(deps): update golang.org/x to 8475f28 by @​renovate[bot] in #​7692
• chore(deps): update github.com/securego/gosec/v2 digest to b6eea26 by @​renovate[bot] in #​7694
• chore(deps): update module github.com/securego/gosec/v2 to v2.22.11 by @​renovate[bot] in #​7696
• Use sync.Map and atomics for fixed bucket histograms by @​dashpole in #​7474
• chore(deps): update actions/cache action to v5 by @​renovate[bot] in #​7701
• chore(deps): update otel/weaver docker tag to v0.20.0 by @​renovate[bot] in #​7698
• fix(deps): update module google.golang.org/protobuf to v1.36.11 by @​renovate[bot] in #​7704
• chore(deps): update github/codeql-action action to v4.31.8 by @​renovate[bot] in #​7703
• sdk/log: improve Processor documentation by @​pellared in #​7695
• chore(deps): update github artifact actions (major) by @​renovate[bot] in #​7707
• chore(deps): update actions/cache action to v5.0.1 by @​renovate[bot] in #​7705
• fix(deps): update googleapis to 97cd9d5 by @​renovate[bot] in #​7708
• stdoutmetric exporter observability by @​mahendrabishnoi2 in #​7492
• Optimize histogram reservoir by @​dashpole in #​7443
• chore(deps): update golang.org/x/telemetry digest to e75fd47 by @​renovate[bot] in #​7710
• Use sync.Map and atomics for lastvalue aggregations by @​dashpole in #​7478
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.48.0 by @​renovate[bot] in #​7713
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.48.0 by @​renovate[bot] in #​7716
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.21.0 by @​renovate[bot] in #​7715
• Exponential histogram: defer computing count until collect by @​dashpole in #​7702
• address feedback from #​7478 by @​dashpole in #​7718
• chore(deps): update github/codeql-action action to v4.31.9 by @​renovate[bot] in #​7722
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.21.1 by @​renovate[bot] in #​7726
• chore(deps): update golang.org/x/telemetry digest to 2adc8cf by @​renovate[bot] in #​7725
• chore(deps): update golang.org/x/telemetry digest to 7004b74 by @​renovate[bot] in #​7727
• chore(deps): update module github.com/burntsushi/toml to v1.6.0 by @​renovate[bot] in #​7728
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.18 by @​renovate[bot] in #​7731
• chore(deps): update golang.org/x/telemetry digest to e0dd3dd by @​renovate[bot] in #​7732
• fix(deps): update golang.org/x to 944ab1f by @​renovate[bot] in #​7733
• fix(deps): update module google.golang.org/grpc to v1.78.0 by @​renovate[bot] in #​7742
• fix(deps): update googleapis to 0a764e5 by @​renovate[bot] in #​7740
• chore(deps): update golang.org/x/telemetry digest to 3f2a21f by @​renovate[bot] in #​7739
• chore(deps): update module github.com/cloudflare/circl to v1.6.2 by @​renovate[bot] in #​7741
• chore(deps): update module github.com/godoc-lint/godoc-lint to v0.11.1 by @​renovate[bot] in #​7746
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.4 by @​renovate[bot] in #​7747
• Add test cases to TestEmit in attribute by @​itssaharsh in #​7751
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.49.0 by @​renovate[bot] in #​7754
• chore(deps): update module github.com/prometheus/common to v0.67.5 by @​renovate[bot] in #​7752
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.4.0 by @​renovate[bot] in #​7756
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 492b5bc by @​renovate[bot] in #​7759
• chore(deps): update module github.com/go-critic/go-critic to v0.14.3 by @​renovate[bot] in #​7757
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 19053a8 by @​renovate[bot] in #​7760
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.8.0 by @​renovate[bot] in #​7758
• fix(deps): update module golang.org/x/sys to v0.40.0 by @​renovate[bot] in #​7761
• chore(deps): update module github.com/nunnatsa/ginkgolinter to v0.22.0 by @​renovate[bot] in #​7762
• chore(deps): update module go.augendre.info/arangolint to v0.4.0 by @​renovate[bot] in #​7765
• chore(deps): update golang.org/x by @​renovate[bot] in #​7769
• chore(deps): update module github.com/alexkohler/prealloc to v1.0.2 by @​renovate[bot] in #​7767
• chore(deps): update golang.org/x by @​renovate[bot] in #​7771
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.22.0 by @​renovate[bot] in #​7772
• sdk/trace: Add AlwaysRecord sampler by @​vitorvasc in #​7724
• metric: add Enabled method to synchronous instruments by @​pellared in #​7763
• chore(deps): update github/codeql-action action to v4.31.10 by @​renovate[bot] in #​7773
• fix(deps): update googleapis to 99fd39f by @​renovate[bot] in #​7774
• chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.5.0 by @​renovate[bot] in #​7775
• fix(deps): update golang.org/x by @​renovate[bot] in #​7776
• chore(deps): update actions/setup-go action to v6.2.0 by @​renovate[bot] in #​7778
• Add TestMergeIdempotent and TestEquivalentStability tests by @​itssaharsh in #​7764
• sdk/log: fix "limit reached" logging and Record.DroppedAttributes by @​mexirica in #​7662
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.0 by @​renovate[bot] in #​7779
• chore(deps): update module dev.gaijin.team/go/golib to v0.8.1 by @​renovate[bot] in #​7780
• fix(deps): update googleapis to 3f89685 by @​renovate[bot] in #​7785
• chore(deps): update module github.com/sirupsen/logrus to v1.9.4 by @​renovate[bot] in #​7787
• Generate semconv/v1.39.0 by @​ChrsMark in #​7783
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.19 by @​renovate[bot] in #​7793
• chore(deps): update golang.org/x/telemetry digest to c6413dc by @​renovate[bot] in #​7795
• chore(deps): update actions/cache action to v5.0.2 by @​renovate[bot] in #​7798
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.23.0 by @​renovate[bot] in #​7802
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.3.1 by @​renovate[bot] in #​7805
• Explicitly discourage the use of mutexes inside callbacks by @​agagniere in #​7792
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.1 by @​renovate[bot] in #​7809
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.50.0 by @​renovate[bot] in #​7814
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.50.0 by @​renovate[bot] in #​7815
• fix(deps): update googleapis to b8f7ae3 by @​renovate[bot] in #​7819
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.2 by @​renovate[bot] in #​7820
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to e5a2b31 by @​renovate[bot] in #​7821
• Bump semconv from v1.37.0 to v1.39.0 by @​itssaharsh in #​7789
• support stdlib request.GetBody by @​morus12 in #​7794
• resource: specify full path for ioreg command in Darwin host ID reader by @​pellared in #​7818
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.3 by @​renovate[bot] in #​7822
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.5 by @​renovate[bot] in #​7823
• chore(deps): update actions/checkout action to v6.0.2 by @​renovate[bot] in #​7826
• chore(deps): update module github.com/bombsimon/wsl/v5 to v5.6.0 by @​renovate[bot] in #​7827
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.23.1 by @​renovate[bot] in #​7830
• fix(deps): update googleapis to 8e98ce8 by @​renovate[bot] in #​7829
• chore(deps): update module github.com/cloudflare/circl to v1.6.3 by @​renovate[bot] in #​7828
• Optimize fixedsize reservoir by @​dashpole in #​7447
• chore(deps): update github/codeql-action action to v4.31.11 by @​renovate[bot] in #​7832
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.4.0 by @​renovate[bot] in #​7835
• fix(x): correct source filename in generated test files by @​flc1125 in #​7766
• chore(deps): update github/codeql-action action to v4.32.0 by @​renovate[bot] in #​7837
• fix(deps): update googleapis to d11affd by @​renovate[bot] in #​7838
• chore(deps): update golang.org/x/telemetry digest to 58372ce by @​renovate[bot] in #​7839
• fix(deps): update googleapis to 8636f87 by @​renovate[bot] in #​7841
• Deprecate the zipkin exporter by @​dmathieu in #​7670
• chore(deps): update golang.org/x/telemetry digest to fcf36f6 by @​renovate[bot] in #​7843
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.6 by @​renovate[bot] in #​7844
• chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 by @​renovate[bot] in #​7845
• chore(deps): update actions/cache action to v5.0.3 by @​renovate[bot] in #​7847
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.7 by @​renovate[bot] in #​7852
• refactor: modernize code by @​alexandear in #​7850
• Upgrade semconv use to v1.39.0 by @​MrAlias in #​7854
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 by @​renovate[bot] in #​7857
• chore(deps): update github/codeql-action action to v4.32.1 by @​renovate[bot] in #​7858
• Release v1.40.0 by @​MrAlias in #​7859

New Contributors

• @​itssaharsh made their first contribution in #​7751
• @​vitorvasc made their first contribution in #​7724
• @​mexirica made their first contribution in #​7662
• @​ChrsMark made their first contribution in #​7783
• @​agagniere made their first contribution in #​7792
• @​morus12 made their first contribution in #​7794
• @​alexandear made their first contribution in #​7850

Full Changelog: open-telemetry/opentelemetry-go@v1.39.0...v1.40.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.40.0