NO-ISSUE: UPSTREAM: 2911: CVE-2026-33186: bump google.golang.org/grpc v1.80.0

[kunalmemane]

• Fixes CVE-2026-33186
• Upstream - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2911/changes#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L30

Summary by CodeRabbit

Release Notes

• Chores
  • Updated project and test dependencies to latest compatible versions, including OpenTelemetry components, gRPC libraries, and testing utilities.

[openshift-ci-robot]

@kunalmemane: This pull request explicitly references no jira issue.

Details

In response to this:

• Fixes CVE-2026-33186
• Upstream - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2911/changes#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L30

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The PR updates Go module dependencies in both the main module and the e2e test module. OpenTelemetry components, gRPC, protobuf, testing utilities, and standard library packages are upgraded to newer versions. Indirect dependencies across the broader OTEL instrumentation stack, golang.org/x packages, and protocol buffer generation tools are also updated.

Changes

Dependency Version Updates

Layer / File(s)	Summary
Testing and Observability Framework go.mod, tests/e2e/go.mod	testify upgraded from v1.10.0 to v1.11.1; OpenTelemetry core (otel, otel/sdk, otel/metric, otel/trace) upgraded to v1.39.0; OTLP exporters and auto/sdk added or updated to newer releases.
RPC and Serialization go.mod, tests/e2e/go.mod	gRPC upgraded to v1.80.0; protobuf upgraded to v1.36.11; associated genproto and grpc-gateway packages updated to newer revisions to maintain compatibility.
System and Standard Library Extensions go.mod, tests/e2e/go.mod	golang.org/x/sys upgraded to v0.40.0; golang.org/x/net, golang.org/x/oauth2, golang.org/x/term, golang.org/x/text, golang.org/x/tools, and related packages updated to newer versions across both modules.
Indirect and Transitive Dependencies go.mod, tests/e2e/go.mod	Broad set of indirect dependencies added and updated, including OTEL instrumentation (grpc, net/http v0.62.0), go.yaml, go.uber.org/automaxprocs, and associated transitive packages to align the complete dependency graph.
E2E-Specific Updates tests/e2e/go.mod	cel.dev/expr upgraded from v0.24.0 to v0.25.1 in e2e module; Kubernetes/OpenAPI replacement maintained for alignment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New test in tests/e2e/dynamic_provisioning.go ("should create multiple PV objects...attach all to different pods") assumes multi-node scheduling without SNO protection mechanisms.	Add [Skipped:SingleReplicaTopology] label to test name or guard with exutil.IsSingleNode() check. Run /payload-job periodic-ci-openshift-release-master-ci-4.22-e2e-aws-upgrade-ovn-single-node to verify SNO compatibility.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically references the main change: upgrading google.golang.org/grpc to v1.80.0 to address CVE-2026-33186, which aligns with the go.mod dependency updates in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR only modifies go.mod files. All Ginkgo test names use stable values or descriptive language - no dynamic pod IDs, timestamps, UUIDs, namespace names, node names, or IP addresses in test titles.
Test Structure And Quality	✅ Passed	Ginkgo e2e tests follow quality standards: single responsibility per It block, BeforeEach setup, defer cleanup, timeout-aware wait functions, descriptive assertion messages, and consistent patterns.
Microshift Test Compatibility	✅ Passed	28 e2e test files use only standard Kubernetes APIs (Pod, PVC, StorageClass, VolumeSnapshot) with no forbidden OpenShift APIs, namespaces, or unsupported features per the check criteria.
Topology-Aware Scheduling Compatibility	✅ Passed	PR is a dependency update only. Check applies to deployment manifests/operator code/controllers, none of which were modified here.
Ote Binary Stdout Contract	✅ Passed	PR only modifies go.mod, go.sum, and vendor files. No source code changes to process-level code. OTE check not applicable to dependency-only updates.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	28 Ginkgo e2e tests added are compatible with IPv6-only disconnected environments. No hardcoded IPv4 addresses, no IPv4-only parsing, no external internet connectivity requirements detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kunalmemane
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 23: Update the OpenTelemetry module versions in go.mod to non-vulnerable
releases: change go.opentelemetry.io/otel to at least v1.41.0 (prefer v1.43.0)
and go.opentelemetry.io/otel/sdk to at least v1.40.0 (prefer v1.43.0); locate
the entries for the modules named "go.opentelemetry.io/otel" and
"go.opentelemetry.io/otel/sdk" (including the occurrences noted around the
current lines 23, 26 and 85-87) and bump their version strings accordingly, then
run go get ./... or go get go.opentelemetry.io/otel@v1.43.0 and go get
go.opentelemetry.io/otel/sdk@v1.43.0 followed by go mod tidy to update go.sum
and ensure dependencies are resolved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 699200d1-517e-4be1-ae6a-0036b251ba33

📥 Commits

Reviewing files that changed from the base of the PR and between 0927af1 and 9579ff1.

⛔ Files ignored due to path filters (272)

• go.sum is excluded by !**/*.sum
• tests/e2e/go.sum is excluded by !**/*.sum
• vendor/github.com/stretchr/testify/assert/assertion_compare.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_format.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_forward.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_order.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/assertions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/http_assertions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/require/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/require/require.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/stretchr/testify/require/require_forward.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/rpcconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/escape.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_go124.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_go125.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_go126.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/gotrack.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/timer.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/typeof.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/attributes/attributes.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/base/balancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/gzip/gzip.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/defaults.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/genid/api_gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• tests/e2e/go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

What are the latest patched versions of go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk that fix GHSA-mh2q-q3fh-2475, GHSA-9h8m-3fm2-qjrq, and GHSA-hfvc-g4fc-pqhx?

💡 Result:

The latest patched versions that fix all three vulnerabilities (GHSA-mh2q-q3fh-2475, GHSA-9h8m-3fm2-qjrq, and GHSA-hfvc-g4fc-pqhx) are go.opentelemetry.io/otel v1.41.0+ and go.opentelemetry.io/otel/sdk v1.40.0+. As of 2026-05-06, the latest releases are v1.43.0 for both, which include all fixes.[1][2][3][4]

Citations:

• 1: GHSA-mh2q-q3fh-2475
• 2: https://pkg.go.dev/go.opentelemetry.io/otel/sdk
• 3: https://github.com/open-telemetry/opentelemetry-go
• 4: https://cve.circl.lu/vuln/ghsa-9h8m-3fm2-qjrq

---

Upgrade OpenTelemetry packages to fix HIGH severity vulnerabilities.

The current v1.39.0 versions contain three confirmed HIGH severity vulnerabilities:

• GHSA-mh2q-q3fh-2475 (go.opentelemetry.io/otel): DoS amplification via baggage headers
• GHSA-9h8m-3fm2-qjrq & GHSA-hfvc-g4fc-pqhx (go.opentelemetry.io/otel/sdk): Arbitrary code execution via PATH hijacking

Upgrade to:

• go.opentelemetry.io/otel v1.41.0 or later (latest: v1.43.0)
• go.opentelemetry.io/otel/sdk v1.40.0 or later (latest: v1.43.0)

Also applies to lines 26 and 85-87.

🧰 Tools

🪛 OSV Scanner (2.3.6)

[HIGH] 23-23: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 23, Update the OpenTelemetry module versions in go.mod to
non-vulnerable releases: change go.opentelemetry.io/otel to at least v1.41.0
(prefer v1.43.0) and go.opentelemetry.io/otel/sdk to at least v1.40.0 (prefer
v1.43.0); locate the entries for the modules named "go.opentelemetry.io/otel"
and "go.opentelemetry.io/otel/sdk" (including the occurrences noted around the
current lines 23, 26 and 85-87) and bump their version strings accordingly, then
run go get ./... or go get go.opentelemetry.io/otel@v1.43.0 and go get
go.opentelemetry.io/otel/sdk@v1.43.0 followed by go mod tidy to update go.sum
and ensure dependencies are resolved.

[openshift-ci]

@kunalmemane: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.