Update to Go 1.25.9 & OTel Deps

[aphralG]

Proposed changes

Update Go to go1.25.9
Close #1604
#1602
#1601
#1483
#1484
#1481

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING document
• I have run make install-tools and have attached any dependency changes to this pull request
• If applicable, I have added tests that prove my fix is effective or that my feature works
• If applicable, I have checked that any relevant tests pass after adding my changes
• If applicable, I have updated any relevant documentation (README.md)
• If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 07be532.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

go.mod

Package	Version	License	Issue Type
gonum.org/v1/gonum	0.17.0	BSD-3-Clause AND CC0-1.0 AND LicenseRef-scancode-public-domain AND LicenseRef-scancode-w3c-03-bsd-license AND MIT	Incompatible License
github.com/grpc-ecosystem/grpc-gateway/v2	2.28.0	Null	Unknown License
github.com/hashicorp/go-version	1.8.0	Null	Unknown License
go.opentelemetry.io/collector/pdata	1.49.0	Null	Unknown License

Allowed Licenses:

Apache-1.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, ISC, MIT, MPL-2.0, NCSA, OpenSSL, Python-2.0, X11, CC0-1.0, CC-BY-4.0, LicenseRef-scancode-google-patent-license-golang

Excluded from license check:

pkg:githubactions/fossas/fossa-action, pkg:githubactions/opentofu/setup-opentofu, pkg:golang/github.com/shoenig/go-m1cpu, pkg:pypi/pytest-metadata

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/grpc-ecosystem/grpc-gateway/v2	2.28.0	Unknown	Unknown
gomod/github.com/hashicorp/go-version	1.8.0	Unknown	Unknown
gomod/go.opentelemetry.io/collector/component	1.49.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/component/componenttest	0.143.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/extension	1.49.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/extension/xextension	0.143.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/featuregate	1.49.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/pdata	1.49.0	Unknown	Unknown
gomod/go.opentelemetry.io/collector/pipeline	1.49.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/collector/scraper	0.143.0	🟢 7.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 48 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	0.19.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	1.43.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.43.0	Unknown	Unknown
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	1.43.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/log	0.19.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk/log	0.19.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/proto/otlp	1.10.0	🟢 7.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 8 contributing companies or organizations
gomod/golang.org/x/crypto	0.49.0	Unknown	Unknown
gomod/golang.org/x/mod	0.33.0	Unknown	Unknown
gomod/golang.org/x/net	0.52.0	Unknown	Unknown
gomod/golang.org/x/oauth2	0.35.0	Unknown	Unknown
gomod/golang.org/x/sync	0.20.0	Unknown	Unknown
gomod/golang.org/x/telemetry	0.0.0-20260209163413-e7419c687ee4	Unknown	Unknown
gomod/golang.org/x/text	0.35.0	Unknown	Unknown
gomod/golang.org/x/tools	0.42.0	Unknown	Unknown
gomod/gonum.org/v1/gonum	0.17.0	🟢 5.7	Details Check Score Reason Maintained 🟢 5 2 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20260401024825-9d38bb4040a9	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20260401024825-9d38bb4040a9	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
gomod/google.golang.org/grpc	1.80.0	🟢 8.5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
gomod/google.golang.org/protobuf	1.36.11	Unknown	Unknown

Scanned Files

• go.mod