fix(deps): update dagger-otel

[renovate-sh-app]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc	v0.16.0 → v0.20.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc	v0.17.0 → v0.20.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.16.0 → v0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.17.0 → v0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	v1.41.0 → v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.41.0 → v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/log	v0.16.0 → v0.20.0
go.opentelemetry.io/otel/log	v0.17.0 → v0.20.0
go.opentelemetry.io/otel/metric	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/sdk	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/sdk/log	v0.16.0 → v0.20.0
go.opentelemetry.io/otel/sdk/log	v0.17.0 → v0.20.0
go.opentelemetry.io/otel/sdk/metric	v1.43.0 → v1.44.0
go.opentelemetry.io/otel/trace	v1.43.0 → v1.44.0

---

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58 / GO-2026-4985

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

• exporters/otlp/otlptrace/otlptracehttp/client.go:199
• exporters/otlp/otlptrace/otlptracehttp/client.go:230
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
• exporters/otlp/otlplog/otlploghttp/client.go:190
• exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
• https://nvd.nist.gov/vuln/detail/CVE-2026-39882
• https://github.com/open-telemetry/opentelemetry-go/pull/8108
• https://github.com/open-telemetry/opentelemetry-go
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58 / GO-2026-4985

More information

Details

The OTLP HTTP exporters (traces, metrics, and logs) do not limit the size of the HTTP response body read from the collector. A malicious or misconfigured collector can send a large response body, leading to excessive memory consumption and potential process termination (OOM).

Severity

Unknown

References

• https://github.com/open-telemetry/opentelemetry-go/pull/8108
• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.44.0: /v0.66.0/v0.20.0/v0.0.17

Compare Source

Added

• Add ByteSlice and ByteSliceValue functions for new BYTESLICE attribute type in go.opentelemetry.io/otel/attribute. (#​7948)
• Apply attribute value limit to the KindBytes attribute type in go.opentelemetry.io/otel/sdk/log. (#​7990)
• Apply attribute value limit to the BYTESLICE attribute type in go.opentelemetry.io/otel/sdk/trace. (#​7990)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/trace. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8153)
• Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8153)
• Add String method for Value type in go.opentelemetry.io/otel/attribute. (#​8142)
• Add Slice and SliceValue functions for new SLICE attribute type in go.opentelemetry.io/otel/attribute. (#​8166)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8216)
• Support SLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8216)
• Apply AttributeValueLengthLimit to attribute.SLICE type attribute values in go.opentelemetry.io/otel/sdk/trace, recursively truncating contained string values. (#​8217)
• Add Error field on Record type in go.opentelemetry.io/otel/log/logtest. (#​8148)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8157)
• Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8157)
• Add Settable to go.opentelemetry.io/otel/metric/x to allow reusing attribute options. (#​8178)
• Add experimental support for splitting metric data across multiple batches in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_METRIC_EXPORT_BATCH_SIZE=<max_size> to enable for all periodic readers.
  See go.opentelemetry.io/otel/sdk/metric/internal/x for feature documentation. (#​8071)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/x for feature documentation. (#​8192)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/internal/x for feature documentation. (#​8194)
• Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutlog.
  Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
  See go.opentelemetry.io/otel/stdout/stdoutlog/internal/x for feature documentation. (#​8263)
• Add WithDefaultAttributes to go.opentelemetry.io/otel/metric/x to support setting default attributes on instruments. (#​8135)
• Add go.opentelemetry.io/otel/semconv/v1.41.0 package.
  The package contains semantic conventions from the v1.41.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.40.0. (#​8324)
• Add Observable variants of instruments to go.opentelemetry.io/otel/semconv/v1.41.0 package. (#​8350)
• Generate explicit histogram bucket boundaries from weaver configuration for HTTP and RPC duration instruments in go.opentelemetry.io/otel/semconv/v1.41.0. (#​8002)

Changed

• ⚠️ Breaking Change: go.opentelemetry.io/otel/sdk/metric now applies a default cardinality limit of 2000 to comply with the Metrics SDK specification recommendation.
  New attribute sets are dropped when the cardinality limit is reached. The measurement of these sets are aggregated into a special attribute set containing attribute.Bool("otel.metric.overflow", true).
  This can break users who relied on the previous unlimited default.
  Set WithCardinalityLimit(0) or the deprecated OTEL_GO_X_CARDINALITY_LIMIT=0 environment variable to preserve unlimited cardinality.
  Note that support for OTEL_GO_X_CARDINALITY_LIMIT may be removed in a future release. (#​8247)
• ErrorType in go.opentelemetry.io/otel/semconv now unwraps errors created with fmt.Errorf when deriving the error.type attribute. (#​8133)
• go.opentelemetry.io/otel/sdk/log now unwraps error chains created with fmt.Errorf when deriving the error.type attribute from errors on log records. (#​8133)
• Set.MarshalLog method in go.opentelemetry.io/otel/attribute now uses Value.String formatting following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8169)
• Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir and short-circuit Offer calls to the exemplar reservoir when exemplar.AlwaysOffFilter is configured. (#​8211) (#​8267)
• Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir for asynchronous instruments when exemplar.TraceBasedFilter is configured. (#​8286)

Deprecated

• Deprecate Value.Emit method in go.opentelemetry.io/otel/attribute.
  Use Value.String instead. (#​8176)

Fixed

• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp.
  The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
• Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8135)
• Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8152)
• go.opentelemetry.io/otel/exporters/prometheus now uses Value.String formatting for label values following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8170)
• Propagate errors from the exporter when calling Shutdown on BatchSpanProcessor in go.opentelemetry.io/otel/sdk/trace. (#​8197)
• Fix stale status code reporting on self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8226)
• Fix a concurrent Collect data race and potential panic in go.opentelemetry.io/otel/exporters/prometheus when WithResourceAsConstantLabels option is used. (#​8227)
• Fix race condition in FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by reverting #​7447. (#​8249)
• Fix FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar to safely handle zero size.
  A capacity check in the constructor initializes the reservoir safely and skips initialization for zero-cap; early returns in Offer() and Collect() ensure no-op behavior. (#​8295)
• Fix counting of spans and logs in self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc, go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp, go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc, and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8254)
• Drop conflicting scope attributes named name, version, or schema_url from metric labels in go.opentelemetry.io/otel/exporters/prometheus, preserving the dedicated otel_scope_name, otel_scope_version, and otel_scope_schema_url labels. (#​8264)
• Close schema files opened by ParseFile in go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1. (GHSA-995v-fvrw-c78m)
• Enforce the 8192-byte baggage size limit during extraction/parsing, changing behavior when the limit is exceeded in go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation. (#​8222)
• Fix go.opentelemetry.io/otel/semconv/v1.41.0 to include Attr* helper methods for required attributes on observable instruments. (#​8361)
• Limit baggage extraction error reporting in go.opentelemetry.io/otel/propagation to prevent malformed or oversized baggage headers from flooding logs. (GHSA-5wrp-cwcj-q835)

What's Changed

• Document how to implement experimental features by @​dashpole in #​8124
• Add support for experimental options in the metrics API by @​dashpole in #​8111
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to e5db982 by @​renovate[bot] in #​8136
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 32cd848 by @​renovate[bot] in #​8141
• fix(deps): update googleapis to 6f92a3b by @​renovate[bot] in #​8140
• chore(deps): update module github.com/jgautheron/goconst to v1.10.0 by @​renovate[bot] in #​8134
• attribute: add BYTESLICE type support by @​NesterovYehor in #​7948
• unwrap error chains created with fmt.Errorf by @​pellared in #​8133
• log/logtest: add Error field to Record type by @​pellared in #​8148
• attribute: add String method for Value type by @​pellared in #​8142
• fix(deps): update module golang.org/x/sys to v0.43.0 by @​renovate[bot] in #​8156
• chore(deps): update codspeedhq/action action to v4.13.1 by @​renovate[bot] in #​8155
• fix(otlploghttp): replay gzipped bodies on redirect by @​MrAlias in #​8152
• Improve test coverage for exponential histogram edge cases by @​dashpole in #​8129
• Add example test for the prometheus exporter by @​dashpole in #​8137
• chore(deps): update golang.org/x/telemetry digest to 93c7c8a by @​renovate[bot] in #​8158
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.23 by @​renovate[bot] in #​8161
• chore(deps): update module github.com/mattn/go-isatty to v0.0.21 by @​renovate[bot] in #​8159
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 6b4d2bc by @​renovate[bot] in #​8160
• Add experimental support for batching in periodic reader by @​dashpole in #​8071
• chore(deps): update golang.org/x by @​renovate[bot] in #​8165
• Support BYTESLICE attributes across trace and exporter paths by @​MrAlias in #​8153
• chore(deps): update golang.org/x by @​renovate[bot] in #​8171
• fix(deps): update module golang.org/x/tools to v0.44.0 by @​renovate[bot] in #​8173
• metricdatatest: support BYTESLICE attribute comparisons by @​pellared in #​8167
• test: add test case for ByteSlice in TestValueFromAttribute by @​pellared in #​8168
• attribute: Set.MarshalLog to use Value.String instead of Value.Emit by @​pellared in #​8169
• prometheus: use Value.String instead of Value.Emit by @​pellared in #​8170
• fix(deps): update golang.org/x to 746e56f by @​renovate[bot] in #​8175
• Add support for the development attributes advisory parameter by @​dashpole in #​8135
• chore(deps): update actions/upload-artifact action to v7.0.1 by @​renovate[bot] in #​8177
• attribute: deprecate Value.Emit by @​pellared in #​8176
• chore(deps): update module github.com/manuelarte/funcorder to v0.6.0 by @​renovate[bot] in #​8181
• chore(deps): update module github.com/ashanbrown/makezero/v2 to v2.2.1 by @​renovate[bot] in #​8180
• chore(deps): update module github.com/ashanbrown/forbidigo/v2 to v2.3.1 by @​renovate[bot] in #​8182
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.56.0 by @​renovate[bot] in #​8184
• Update semconv template and 1.40.0 to use Enabled for metrics by @​dashpole in #​8172
• Add x.Settable to allow reusing attribute options by @​dashpole in #​8178
• chore(deps): update actions/cache action to v5.0.5 by @​renovate[bot] in #​8187
• fix(deps): update googleapis to 3e5c5a5 by @​renovate[bot] in #​8190
• fix(otlpmetrichttp): replay gzipped bodies on redirect by @​pellared in #​8185
• fix(deps): update module golang.org/x/vuln to v1.2.0 by @​renovate[bot] in #​8193
• fix(deps): update googleapis to afd174a by @​renovate[bot] in #​8195
• chore(deps): update module github.com/dave/dst to v0.27.4 by @​renovate[bot] in #​8198
• Fix exemplar tests in containerized environments by @​dashpole in #​8188
• Update contributing to recommend using Enabled by @​dashpole in #​8189
• otlptracehttp: reset pooled gzip writer before reuse by @​pellared in #​8196
• chore(deps): update golang.org/x/telemetry digest to fac6e1c by @​renovate[bot] in #​8202
• fix(deps): update module github.com/opentracing-contrib/go-grpc to v0.1.3 by @​renovate[bot] in #​8207
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 07c9668 by @​renovate[bot] in #​8206
• attribute: make TestHashKVs linear-time by @​pellared in #​8204
• chore(deps): update github/codeql-action action to v4.35.2 by @​renovate[bot] in #​8208
• sdk/trace: propagate SpanExporter.Shutdown error from BatchSpanProcessor by @​alliasgher in #​8197
• add GitHub Copilot code review instructions by @​pellared in #​8212
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.29.0 by @​renovate[bot] in #​8214
• attribute: add SLICE type support by @​pellared in #​8166
• Fix typos found by copilot by @​dashpole in #​8221
• chore(deps): update module github.com/go-git/go-git/v5 to v5.18.0 by @​renovate[bot] in #​8223
• docs: add agent guide for autonomous coding agents by @​pellared in #​8215
• test: truncate attribute string values using Unicode rune count by @​pellared in #​8219
• sdk/trace: apply AttributeValueLengthLimit to attribute.SLICE by @​pellared in #​8217
• chore(deps): update module github.com/dlclark/regexp2 to v1.12.0 by @​renovate[bot] in #​8229
• prometheus: fix Collect data race for constant resource labels by @​pellared in #​8227
• exporters: support SLICE attributes by @​pellared in #​8216
• chore(deps): update codspeedhq/action action to v4.14.0 by @​renovate[bot] in #​8234
• Fix stale status code reporting on self-observability metrics by @​dashpole in #​8226
• fix(deps): update googleapis to e10c466 by @​renovate[bot] in #​8241
• fix(deps): update build-tools to v0.30.0 by @​renovate[bot] in #​8244
• [chore] changelog: re-run workflow on PR title edits by @​cijothomas in #​8246
• stdlog observ: remove partial success handling by @​yumosx in #​8174
• feat: add self-observability metrics to otlpmetrichttp metric exporters by @​dashpole in #​8194
• chore(deps): update golang.org/x/telemetry digest to 392afab by @​renovate[bot] in #​8248
• Use a DropReservoir when an exemplar.AlwaysOffFilter is provided by @​dashpole in #​8211
• metric: clarify sync vs observable Gauge in package godoc by @​alliasgher in #​8225
• sdk/metric: apply default cardinality limit of 2000 by @​pellared in #​8247
• Revert "Optimize fixedsize reservoir (#​7447)" by @​dashpole in #​8249
• fix(deps): update module golang.org/x/vuln to v1.3.0 by @​renovate[bot] in #​8256
• chore(deps): update otel/weaver docker tag to v0.23.0 by @​renovate[bot] in #​8255
• Run benchmarks using Settable for more accurate comparrisons by @​dashpole in #​8252
• Add MaxRequestSize option to OTLP exporters by @​pellared in #​8157
• fix counting of spans/logs in self-observability metrics in otlp trace and log exporters by @​dashpole in #​8254
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 2f88a58 by @​renovate[bot] in #​8260
• chore(deps): update golang.org/x/telemetry digest to 329d219 by @​renovate[bot] in #​8259
• chore(deps): update module github.com/sourcegraph/go-diff to v0.8.0 by @​renovate[bot] in #​8262
• chore(deps): update module github.com/mattn/go-isatty to v0.0.22 by @​renovate[bot] in #​8265
• chore(deps): update module go.uber.org/zap to v1.28.0 by @​renovate[bot] in #​8269
• fix(deps): update googleapis to 7cedc36 by @​renovate[bot] in #​8266
• chore(deps): update module github.com/securego/gosec/v2 to v2.26.1 by @​renovate[bot] in #​8270
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.57.0 by @​renovate[bot] in #​8275
• chore(deps): update codspeedhq/action action to v4.15.0 by @​renovate[bot] in #​8272
• chore(deps): update golang.org/x/telemetry digest to 76f71b9 by @​renovate[bot] in #​8271
• Apply attribute value limit for BYTESLICE and KindBytes by @​NesterovYehor in #​7990
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.24.0 by @​renovate[bot] in #​8277
• chore(deps): update module github.com/fsnotify/fsnotify to v1.10.0 by @​renovate[bot] in #​8280
• chore(deps): update module github.com/alecthomas/chroma/v2 to v2.24.1 by @​renovate[bot] in #​8281
• Prometheus Exporter: Drop Scope attributes name, version and schema_url by @​ArthurSens in #​8264
• attribute: split HashKVs benchmark by value type by @​pellared in #​8268
• [chore] metric: document Enabled and WithAttributeSet in package docs by @​cijothomas in #​8245
• chore(deps): update module github.com/bombsimon/wsl/v5 to v5.8.0 by @​renovate[bot] in #​8287
• fix(deps): update module github.com/masterminds/semver/v3 to v3.5.0 by @​renovate[bot] in #​8283
• chore(deps): update module github.com/pjbgf/sha1cd to v0.6.0 by @​renovate[bot] in #​8288
• Optimize metrics sdk measurement with AlwaysOff exemplar filter by @​dashpole in #​8267
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.12.0 by @​renovate[bot] in #​8290
• chore(deps): update github/codeql-action action to v4.35.3 by @​renovate[bot] in #​8289
• chore(deps): update github.com/charmbracelet/ultraviolet digest to 6603726 by @​renovate[bot] in #​8291
• chore(deps): update github.com/golangci/rowserrcheck digest to 8d53bbc by @​renovate[bot] in #​8292
• chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.1 by @​renovate[bot] in #​8293
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.12.1 by @​renovate[bot] in #​8294
• chore(deps): update module github.com/ryancurrah/gomodguard/v2 to v2.1.3 by @​renovate[bot] in #​8296
• fix(deps): update module google.golang.org/grpc to v1.81.0 by @​renovate[bot] in #​8298
• chore(deps): update module github.com/fsnotify/fsnotify to v1.10.1 by @​renovate[bot] in #​8300
• chore(deps): update module github.com/uudashr/iface to v1.4.2 by @​renovate[bot] in #​8301
• fix(deps): update googleapis to 60b97b3 by @​renovate[bot] in #​8303
• chore(deps): update codspeedhq/action action to v4.15.1 by @​renovate[bot] in #​8307
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.12.2 by @​renovate[bot] in #​8308
• chore(deps): update golang.org/x/telemetry digest to 5a0966d by @​renovate[bot] in #​8310
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.21 by @​renovate[bot] in #​8311
• chore(deps): update module github.com/go-git/go-billy/v5 to v5.9.0 by @​renovate[bot] in [#​8312](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: dagger/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/grpc-ecosystem/grpc-gateway/v2	v2.28.0 -> v2.29.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.43.0 -> v1.44.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260401024825-9d38bb4040a9 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260401024825-9d38bb4040a9 -> v0.0.0-20260526163538-3dc84a4a5aaa

[NickAnge]

Note: This PR updates the OTel SDK (v1.43 → v1.44) but does not fix CVE-2026-39882 (otlploghttp v0.16.0 → v0.19.0).

dagger develop generates replace directives that pin otlploghttp and otel/log to v0.16.0 — the Dagger SDK requires those exact versions. Bumping them in go.mod has no effect because the replace directives override it.

This CVE is blocked until Dagger releases a version that uses otlploghttp >= v0.19.0.

[NickAnge]

Update on the fix approach:

The original Renovate PR bumped all OTel packages to v1.44.0, which caused two failures:

1. Drift check — dagger develop generates replace directives pinning OTel log packages to v0.16.0. Renovate's go.sum didn't account for this.
2. Schema conflict in tests — dagger/otel-go was at v1.41.0 (schema 1.40.0) while OTel SDK was bumped to v1.44.0 (schema 1.41.0), causing conflicting Schema URL runtime errors.

What this PR now does:

• Bumps dagger/otel-go v1.41.0 → v1.43.0
• Keeps OTel SDK at v1.43.0 (not v1.44.0) to match dagger/otel-go
• Ran make dagger-develop to regenerate correct replace directives and go.sum

We can't bump both to v1.44.0 because dagger/otel-go only has releases v1.41.0 and v1.43.0 — there's no v1.44.0 yet.

CVE-2026-39882 (otlploghttp v0.16.0 → v0.19.0) remains unfixed. Dagger's replace directives force otlploghttp to v0.16.0 regardless of what go.mod says. This is blocked until Dagger releases a version that upgrades its OTel log dependency.