chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [security]#531
Conversation
…lpmetric/otlpmetrichttp to v1.43.0 [security]

| datasource | package | from | to |
| ---------- | ----------------------------------------------------------------- | ------- | ------- |
| go | go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | v1.36.0 | v1.43.0 |

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

ℹ️ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: go.work version conflicts with updated go.mod version
  - Updated go.work from go 1.24.4 to go 1.25.0 to match the module's minimum Go version and prevent workspace version mismatch issues.
Or push these changes by commenting:
@cursor push 396aa07a62
Preview (396aa07a62)
diff --git a/go.work b/go.work
--- a/go.work
+++ b/go.work
@@ -1,4 +1,4 @@
-go 1.24.4
+go 1.25.0
use (
.
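Review bot: the bump of the go.work `go` line from 1.24.4 to 1.25.0 resolves the mismatch called out in the comment above, since a workspace's go line must be at least the go directive of every module it uses and go.mod now declares go 1.25.0; before merging, confirm that CI images and developer machines actually run Go 1.25.x, because a go.work line newer than the installed toolchain makes the go command switch (and under GOTOOLCHAIN=auto download) a newer toolchain rather than build with the old one, which is the auto-download behaviour the comment warns about.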
Reviewed by Cursor Bugbot for commit cd49bd3. Configure here.
go.mod as rendered in the review: the old side shows go 1.24.0 and toolchain go1.24.4, the new side shows go 1.25.0.
go.work version conflicts with updated go.mod version
Medium Severity
The go directive in go.mod was bumped from 1.24.0 to 1.25.0 (required by the updated otel v1.43.0 dependencies), but the go.work file was not updated and still declares go 1.24.4. This creates a version mismatch in the Go workspace. Developers using Go 1.24.x in workspace mode will encounter build failures or unexpected toolchain auto-download behavior, since the main module now requires Go 1.25.0. The go.work file needs to be updated to at least go 1.25.0 to stay consistent.



This PR contains the following updates:
v1.36.0 → v1.43.0

GitHub Vulnerability Alerts
CVE-2026-39882
overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).
severity
HIGH
not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.
callsite (pinned):
permalinks (pinned):
root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.
impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).
affected component:
repro (local-only):
unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0
expected output contains:
control (same env, patched target):
unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0
expected control output contains:
attachments: poc.zip (attached)
PR_DESCRIPTION.md
attack_scenario.md
poc.zip
Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108
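The read pattern the report names (io.Copy of resp.Body into a bytes.Buffer with no upper bound) next to a bounded variant, as an added example that is not code from opentelemetry-go or from the advisory, and that does not show how the upstream fix in PR #8108 is implemented. It assumes a 64 KiB cap (maxResponseBody, a value chosen here; real OTLP responses are far smaller), uses a local httptest server as a stand-in for a hostile collector, and the 1 MiB body size is constructed for the run rather than the 32 MiB the PoC uses:

```go
// Added example, not opentelemetry-go code: unbounded vs bounded response reads
// exercised against a local server that streams an attacker-chosen body size.
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxResponseBody is an assumed cap for this example; an OTLP success response
// is tiny and even a partial-success message fits in a few KiB.
const maxResponseBody int64 = 64 << 10

var errResponseTooLarge = errors.New("response body exceeds limit")

// readUnbounded reproduces the pattern from the report: io.Copy into a
// bytes.Buffer with no cap, so peak heap tracks whatever the server sends.
func readUnbounded(resp *http.Response) ([]byte, error) {
	var respData bytes.Buffer
	if _, err := io.Copy(&respData, resp.Body); err != nil {
		return nil, err
	}
	return respData.Bytes(), nil
}

// readBounded buffers at most maxResponseBody bytes. It reads one byte past the
// cap so it can tell "exactly at the limit" from "too large" without reading on.
func readBounded(resp *http.Response) ([]byte, error) {
	var respData bytes.Buffer
	if _, err := io.Copy(&respData, io.LimitReader(resp.Body, maxResponseBody+1)); err != nil {
		return nil, err
	}
	if int64(respData.Len()) > maxResponseBody {
		return nil, errResponseTooLarge
	}
	return respData.Bytes(), nil
}

// newBodyServer is a constructed stand-in for a hostile collector: it answers
// every export with a 200 and a body of n filler bytes, written in 8 KiB chunks.
func newBodyServer(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		chunk := bytes.Repeat([]byte("x"), 8192)
		w.WriteHeader(http.StatusOK)
		for remaining := n; remaining > 0; remaining -= len(chunk) {
			if remaining < len(chunk) {
				chunk = chunk[:remaining]
			}
			if _, err := w.Write(chunk); err != nil {
				return // client went away (expected once the bounded reader bails out)
			}
		}
	}))
}

// export posts an empty payload to a server that replies with bodyLen bytes and
// reads the reply with the supplied strategy; it returns how many bytes were buffered.
func export(bodyLen int, read func(*http.Response) ([]byte, error)) (int, error) {
	srv := newBodyServer(bodyLen)
	defer srv.Close()
	resp, err := http.Post(srv.URL, "application/x-protobuf", strings.NewReader(""))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	data, err := read(resp)
	if err != nil {
		return 0, err
	}
	return len(data), nil
}

func main() {
	const hostile = 1 << 20 // 1 MiB, constructed size for the demo
	n, err := export(hostile, readUnbounded)
	fmt.Printf("unbounded: buffered %d bytes, err=%v\n", n, err)
	n, err = export(hostile, readBounded)
	fmt.Printf("bounded:   buffered %d bytes, err=%v\n", n, err)
}
```

The unbounded path buffers the whole 1 MiB (and would buffer 32 MiB or more just as readily), while the bounded path stops after 64 KiB + 1 byte and returns an error the caller can log as a collector misbehaviour. http.MaxBytesReader from the standard library gives the same guarantee with a slightly different error contract and also works on client response bodies.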
Severity: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
CVE-2026-39882 / GHSA-w8rr-5gcm-pp58
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp)
v1.43.0 (Compare Source)
v1.42.0 (Compare Source)
v1.41.0 (Compare Source)
v1.40.0 (Compare Source)
v1.39.0 (Compare Source)
v1.38.0: /v0.60.0/v0.14.0/v0.0.13 (Compare Source)
Overview
This release is the last to support Go 1.23. The next release will require at least Go 1.24.
Added
- go.opentelemetry.io/otel/exporters/prometheus. (#6772)
- go.opentelmetry.io/otel/semconv/v1.34.0 package. (#6939)
- ContainerLabel, DBOperationParameter, DBSystemParameter, HTTPRequestHeader, HTTPResponseHeader, K8SCronJobAnnotation, K8SCronJobLabel, K8SDaemonSetAnnotation, K8SDaemonSetLabel, K8SDeploymentAnnotation, K8SDeploymentLabel, K8SJobAnnotation, K8SJobLabel, K8SNamespaceAnnotation, K8SNamespaceLabel, K8SNodeAnnotation, K8SNodeLabel, K8SPodAnnotation, K8SPodLabel, K8SReplicaSetAnnotation, K8SReplicaSetLabel, K8SStatefulSetAnnotation, K8SStatefulSetLabel, ProcessEnvironmentVariable, RPCConnectRPCRequestMetadata, RPCConnectRPCResponseMetadata, RPCGRPCRequestMetadata, RPCGRPCResponseMetadata and ErrorType attribute helper function to the go.opentelmetry.io/otel/semconv/v1.34.0 package. (#6962)
- WithAllowKeyDuplication in go.opentelemetry.io/otel/sdk/log which can be used to disable deduplication for log records. (#6968)
- WithCardinalityLimit option to configure the cardinality limit in go.opentelemetry.io/otel/sdk/metric. (#6996, #7065, #7081, #7164, #7165, #7179)
- Clone method to Record in go.opentelemetry.io/otel/log that returns a copy of the record with no shared state. (#7001)
- go.opentelemetry.io/otel/sdk/trace. Check the go.opentelemetry.io/otel/sdk/trace/internal/x package documentation for more information. (#7027, #6393, #7209)
- go.opentelemetry.io/otel/semconv/v1.36.0 package. The package contains semantic conventions from the v1.36.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.34.0. (#7032, #7041)
- WithTranslationStrategy option in go.opentelemetry.io/otel/exporters/prometheus. The current default translation strategy when UTF-8 mode is enabled is NoUTF8EscapingWithSuffixes, but a future release will change the default strategy to UnderscoreEscapingWithSuffixes for compliance with the specification. (#7111)
- go.opentelemetry.io/otel/sdk/log. Check the go.opentelemetry.io/otel/sdk/log/internal/x package documentation for more information. (#7121)
- go.opentelemetry.io/otel/exporters/stdout/stdouttrace. Check the go.opentelemetry.io/otel/exporters/stdout/stdouttrace/internal/x package documentation for more information. (#7133)
- go.opentelemetry.io/otel/semconv/v1.37.0 package. The package contains semantic conventions from the v1.37.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.36.0. (#7254)
Changed
- TraceIDFromHex and SpanIDFromHex in go.opentelemetry.io/otel/sdk/trace. (#6791)
- AssertEqual in go.opentelemetry.io/otel/log/logtest to accept TestingT in order to support benchmarks and fuzz tests. (#6908)
- DefaultExemplarReservoirProviderSelector in go.opentelemetry.io/otel/sdk/metric to use runtime.GOMAXPROCS(0) instead of runtime.NumCPU() for the FixedSizeReservoirProvider default size. (#7094)
Fixed
- SetBody method of Record in go.opentelemetry.io/otel/sdk/log now deduplicates key-value collections (log.Value of log.KindMap from go.opentelemetry.io/otel/log). (#7002)
- go.opentelemetry.io/otel/exporters/prometheus to not append a suffix if it's already present in metric name. (#7088)
- go.opentelemetry.io/otel/exporters/stdout/stdouttrace self-observability component type and name. (#7195)
- go.opentelemetry.io/otel/exporters/stdout/stdouttrace. (#7199)
Deprecated
- WithoutUnits and WithoutCounterSuffixes options, preferring WithTranslationStrategy instead. (#7111)
- OTEL_GO_X_CARDINALITY_LIMIT environment variable in go.opentelemetry.io/otel/sdk/metric. Use WithCardinalityLimit option instead. (#7166)
What's Changed
- 96f361d by @renovate[bot] in #7054
- a45f3df by @renovate[bot] in #7058
- 89aa817 by @renovate[bot] in #7061
- 17c88fd by @renovate[bot] in #7062
- ba65ee6 by @renovate[bot] in #7068
- fce6240 by @renovate[bot] in #7075
- 846d391 by @renovate[bot] in #7078
- ab8d56d by @renovate[bot] in #7088
- 1581f0a by @renovate[bot] in #7096
- f173205 by @renovate[bot] in #7097
- 28f32e4 by @renovate[bot] in #7099
- a7a43d2 by @renovate[bot] in #7126
- 9469f96 by @renovate[bot] in #7134
- 01f7bf4 by @renovate[bot] in #7146
- e98b521 by @renovate[bot] in #7151
- a408d31 by @renovate[bot] in #7158
- 6b04f9b by @renovate[bot] in #7169
- 51f8813 by @renovate[bot] in #7173
- sdk/metric/x Feature Supporting Cardinality Limits by @ysolomchenko in #7166
- 5f3141c by @renovate[bot] in #7176
- ExportSpans for measurements in stdouttrace by @MrAlias in #7198
- stdouttrace Exporter.initSelfObservability into Exporter.New by @MrAlias in #7197
- tracer.initSelfObservability into TracerProvider.Tracer by @MrAlias in #7205
- sdk/trace/internal/x README.md by @MrAlias in #7211
- Distinct docs by @MrAlias in #7203
- t.Cleanup instead of defer in stdouttrace by @MrAlias in #7204
- t.Cleanup instead of defer in sdk/trace by @MrAlias in #7208
- stdouttrace observability by @MrAlias in #7199
- stdouttrace self-observability by @MrAlias in #7201
- 3122310 by @renovate[bot] in #7216
- d4663ad by @renovate[bot] in #7238
- logger.initSelfObservability into logger.newLoggerr and use t.Cleanup instead of defer by @yumosx in #7228
- Float64ObservableCounter with system.CPUTime by @MrAlias in #7235
- c5933d9 by @renovate[bot] in #7246
- c5933d9 by @renovate[bot] in #7250
- sdk/trace by @MrAlias in #7209
- AddSet and RecordSet methods to semconv generated packages by @MrAlias in #7223
- semconv/v1.37.0 packages by @MrAlias in #7254
New Contributors
Full Changelog: open-telemetry/opentelemetry-go@exporters/prometheus/v0.59.1...v1.38.0
v1.37.0: Release 1.37.0/0.59.0/0.13.0 (Compare Source)
Added
- go.opentelemetry.io/otel/semconv/v1.33.0 package. The package contains semantic conventions from the v1.33.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.32.0. (#6799)
- go.opentelemetry.io/otel/semconv/v1.34.0 package. The package contains semantic conventions from the v1.34.0 version of the OpenTelemetry Semantic Conventions. (#6812)
- otel_scope_schema_url label in go.opentelemetry.io/otel/exporters/prometheus. (#5947)
- otel_scope_[attribute] labels in go.opentelemetry.io/otel/exporters/prometheus. (#5947)
- EventName to EnabledParameters in go.opentelemetry.io/otel/log. (#6825)
- EventName to EnabledParameters in go.opentelemetry.io/otel/sdk/log. (#6825)
- go.opentelemetry.io/otel/exporters/prometheus metric renaming to add unit suffixes when it doesn't match one of the pre-defined values in the unit suffix map. (#6839)
Changed
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/bridge/opentracing. (#6827)
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/exporters/zipkin. (#6829)
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/metric. (#6832)
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/sdk/resource. (#6834)
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/sdk/trace. (#6835)
- v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/trace. (#6836)
- Record.Resource now retu

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.