Build(deps): Bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 #1105

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go.opentelemetry.io/otel-1.41.0

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 24, 2026

Bumps go.opentelemetry.io/otel from 1.39.0 to 1.41.0.

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.41.0/0.63.0/0.17.0/0.0.15] 2026-03-02

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

Added

  • Support testing of [Go 1.26]. (#7902)

Fixed

  • Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)
  • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#7914)
  • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#7914)
  • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#7914)

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

  • Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
  • Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
  • Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

  • Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
  • Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
  • Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
  • Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
  • Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
  • Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
  • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
  • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

  • Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
  • Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
  • Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

... (truncated)

Commits
  • 4575a97 Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977)
  • 66fc10d fix: add error handling for insecure HTTP endpoints with TLS client configura...
  • 76e6eec chore(deps): update github/codeql-action action to v4.32.5 (#7980)
  • 0d50f90 Revert "Generate semconv/v1.40.0" (#7978)
  • c38a4a5 Generate semconv/v1.40.0 (#7929)
  • 0f1a224 chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)
  • c79ebf4 chore(deps): update module github.com/daixiang0/gci to v0.14.0 (#7973)
  • f758157 chore(deps): update module github.com/sonatard/noctx to v0.5.0 (#7968)
  • 92a1164 fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b...
  • 3cd7c27 chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 (#7969)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.41.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.41.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 24, 2026
@openshift-ci openshift-ci Bot requested a review from miguelhbrito April 24, 2026 20:38
openshift-ci Bot commented Apr 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from rcampos2029 April 24, 2026 20:38
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 24, 2026
coderabbitai Bot commented Apr 24, 2026

Summary by CodeRabbit

  • Chores
    • Updated observability framework dependencies to improve stability and performance.

Walkthrough

OpenTelemetry Go module dependencies are upgraded from v1.39.0 to v1.41.0 in go.mod. Three modules are updated: go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace.

Changes

  • Dependency Version Updates (go.mod): Updated OpenTelemetry module versions from v1.39.0 to v1.41.0 for the otel, otel/metric, and otel/trace packages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The PR title clearly and accurately summarizes the main change: upgrading go.opentelemetry.io/otel from version 1.39.0 to 1.41.0, which directly matches the changeset in go.mod.
  • Description check: Passed. The PR description is directly related to the changeset, providing detailed changelog information and commit links for the dependency upgrade from 1.39.0 to 1.41.0.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands and usage tips.

openshift-ci Bot commented Apr 24, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 135-139: Update the vulnerable OpenTelemetry SDK module versions
in go.mod: change the entries for go.opentelemetry.io/otel/sdk and
go.opentelemetry.io/otel/sdk/metric from v1.39.0 to v1.43.0 to include fixes for
GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx; after editing the module lines, run
the Go tooling (e.g., go get go.opentelemetry.io/otel@v1.43.0 and go mod tidy)
to refresh go.sum and ensure the dependency graph and vendor files are updated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 65c03f38-3d6f-48d2-94eb-7d7d6ab41a26

📥 Commits

Reviewing files that changed from the base of the PR and between 5ad8aaa and 0d62c94.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +135 to +139
go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/metric v1.41.0 // indirect
go.opentelemetry.io/otel/sdk v1.39.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.41.0 // indirect
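Review bot: the bump leaves go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/sdk/metric at v1.39.0 while go.opentelemetry.io/otel, otel/metric and otel/trace move to v1.41.0, so the module family is now split across two releases and the two sdk modules stay on the version the OSV scanner results further down in this thread flag. Since all five entries are `// indirect`, find the direct dependency that pulls them in with `go mod why -m go.opentelemetry.io/otel/sdk`, then upgrade the family together (`go get` the sdk and sdk/metric modules at the same version as the API modules, followed by `go mod tidy`) rather than merging a partial bump that keeps the sdk pinned at v1.39.0.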

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current OTel versions in go.mod
rg -n 'go\.opentelemetry\.io/otel(/sdk|/sdk/metric|/metric|/trace)?\s+v' go.mod

# Verify advisory status for the pinned vulnerable package version via OSV
cat <<'JSON' | curl -sS https://api.osv.dev/v1/query -d @-
{
  "package": { "name": "go.opentelemetry.io/otel/sdk", "ecosystem": "Go" },
  "version": "1.39.0"
}
JSON

Repository: openshift-online/ocm-cli

Length of output: 6600


Bump otel/sdk to v1.43.0 to fix two critical PATH hijacking vulnerabilities

Lines 137–138 pin go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/sdk/metric to v1.39.0, which is vulnerable to two separate PATH hijacking CVEs:

  1. GHSA-9h8m-3fm2-qjrq (CVE-2026-24051 / GO-2026-4394) affects v1.21.0–v1.39.0 (patched in v1.40.0) — Darwin ioreg command execution vulnerability
  2. GHSA-hfvc-g4fc-pqhx (CVE-2026-39883) affects v1.15.0–v1.42.0 (patched in v1.43.0) — BSD/Solaris kenv command execution vulnerability

Bumping to v1.41.0 (as initially suggested) would only fix the first. Bump to v1.43.0 to address both:

Corrected go.mod update
-	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect

Suggested change
go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/metric v1.41.0 // indirect
go.opentelemetry.io/otel/sdk v1.39.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.41.0 // indirect
go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/metric v1.41.0 // indirect
go.opentelemetry.io/otel/sdk v1.43.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
go.opentelemetry.io/otel/trace v1.41.0 // indirect
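Review bot: the committable suggestion pins otel/sdk and otel/sdk/metric at v1.43.0 while leaving go.opentelemetry.io/otel, otel/metric and otel/trace at v1.41.0, yet the accompanying AI prompt tells the agent to run `go get go.opentelemetry.io/otel@v1.43.0`, so the two instructions disagree on the versions the module family ends up at; editing go.mod by hand also leaves go.sum stale, and go.sum is excluded from this review by the path filter. Apply the upgrade through the Go tooling, let `go mod tidy` settle the final versions of all five modules, and confirm with `govulncheck ./...` that GO-2026-4394 and the kenv advisory no longer report before marking this resolved.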
🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 137-137: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 137-137: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)


[HIGH] 137-137: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 135 - 139, Update the vulnerable OpenTelemetry SDK
module versions in go.mod: change the entries for go.opentelemetry.io/otel/sdk
and go.opentelemetry.io/otel/sdk/metric from v1.39.0 to v1.43.0 to include fixes
for GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx; after editing the module lines,
run the Go tooling (e.g., go get go.opentelemetry.io/otel@v1.43.0 and go mod
tidy) to refresh go.sum and ensure the dependency graph and vendor files are
updated.
