chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
cert-manager/cert-manager		patch	1.19.1 -> 1.19.2
docker/metadata-action	action	minor	v5.9.0 -> v5.10.0
docker/setup-buildx-action	action	minor	v3.11.1 -> v3.12.0
gcr.io/distroless/static	final	digest	e8a4044 -> 2b7c93f
github.com/onsi/ginkgo/v2	require	patch	v2.27.2 -> v2.27.3
github.com/onsi/gomega	require	patch	v1.38.2 -> v1.38.3
github.com/open-telemetry/opentelemetry-operator	require	minor	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/component	require	minor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/config/configauth	require	minor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/config/configcompression	require	minor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/config/configopaque	require	minor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/config/configtelemetry	require	minor	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/otelcol	require	minor	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/pipeline	require	minor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/service	require	minor	v0.140.0 -> v0.142.0
golang	stage	patch	1.25.2-alpine3.22 -> 1.25.5-alpine3.22
golangci/golangci-lint		minor	2.6.2 -> 2.7.2
k8s.io/api	require	patch	v0.34.2 -> v0.34.3	v0.35.0
k8s.io/apimachinery	require	patch	v0.34.2 -> v0.34.3	v0.35.0
k8s.io/client-go	require	patch	v0.34.2 -> v0.34.3	v0.35.0
kubernetes-sigs/controller-tools		minor	0.19.0 -> 0.20.0
opentelemetry-operator (source)		minor	0.99.2 -> 0.102.0

---

Release Notes

cert-manager/cert-manager (cert-manager/cert-manager)

v1.19.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.1

Bug or Regression

• Address false positive vulnerabilities CVE-2025-47914 and CVE-2025-58181 which were reported by Trivy. (#​8283, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8294, @​wallrj-cyberark)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8233, @​cert-manager-bot)

Other (Cleanup or Flake)

• Update cert-manager's ACME client, forked from golang/x/crypto (#​8270, @​SgtCoDFish)
• Updated Debian 12 distroless base images (#​8326, @​wallrj-cyberark)

docker/metadata-action (docker/metadata-action)

v5.10.0

Compare Source

• Bump @​docker/actions-toolkit from 0.66.0 to 0.68.0 in #​559 #​569
• Bump js-yaml from 3.14.1 to 3.14.2 in #​564

Full Changelog: docker/metadata-action@v5.9.0...v5.10.0

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

onsi/ginkgo (github.com/onsi/ginkgo/v2)

v2.27.3

Compare Source

2.27.3

Fixes

report exit result in case of failure [1c9f356]
fix data race [ece19c8]

onsi/gomega (github.com/onsi/gomega)

v1.38.3

Compare Source

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

open-telemetry/opentelemetry-operator (github.com/open-telemetry/opentelemetry-operator)

v0.141.0

Compare Source

0.141.0

💡 Enhancements 💡

• collector: Ensure the collector container is always listed first in the podspec (#​4548)
  This is so tools like kubectx logs will always default to the collector container instead of any additional containers that are configured.
• target allocator: make evaluation_interval configurable for Prometheus CR watcher (#​4520)
• operator: Support for Kubernetes 1.34 version. (#​4415)

Components

• OpenTelemetry Collector - v0.141.0
• OpenTelemetry Contrib - v0.141.0
• Java auto-instrumentation - v1.33.6
• .NET auto-instrumentation - v1.2.0
• Node.JS - v0.67.2
• Python - v0.60b0
• Go - v0.22.1
• ApacheHTTPD - 1.0.4
• Nginx - 1.0.4

open-telemetry/opentelemetry-collector (go.opentelemetry.io/collector/component)

v1.48.0

💡 Enhancements 💡

• exporter/debug: Add logging of dropped attributes, events, and links counts in detailed verbosity (#​14202)

• extension/memory_limiter: The memorylimiter extension can be used as an HTTP/GRPC middleware. (#​14081)

• pkg/config/configgrpc: Statically validate gRPC endpoint (#​10451)
  This validation was already done in the OTLP exporter. It will now be applied to any gRPC client.

• pkg/service: Add support to disabling adding resource attributes as zap fields in internal logging (#​13869)
  Note that this does not affect logs exported through OTLP.

v1.47.0

🛑 Breaking changes 🛑

• pkg/config/confighttp: Use configoptional.Optional for confighttp.ClientConfig.Cookies field (#​14021)

💡 Enhancements 💡

• pkg/config/confighttp: Setting compression_algorithms to an empty list now disables automatic decompression, ignoring Content-Encoding (#​14131)
• pkg/service: Update semantic conventions from internal telemetry to v1.37.0 (#​14232)
• pkg/xscraper: Implement xscraper for Profiles. (#​13915)

🧰 Bug fixes 🧰

• pkg/config/configoptional: Ensure that configoptional.None values resulting from unmarshaling are equivalent to configoptional.Optional zero value. (#​14218)

golangci/golangci-lint (golangci/golangci-lint)

v2.7.2

Compare Source

Released on 2025-12-07

1. Linter bug fixes
   • gosec: from 2.22.10 to daccba6

v2.7.1

Compare Source

Released on 2025-12-04

1. Linter bug fixes
   • modernize: disable stringscut analyzer

v2.7.0

Compare Source

Released on 2025-12-03

1. Bug fixes
   • fix: clone args used by custom command
2. Linters new features or changes
   • no-sprintf-host-port: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
   • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
   • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
   • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
3. Linters bug fixes
   • perfsprint: from 0.10.0 to 0.10.1
   • wrapcheck: from 2.11.0 to 2.12.0
   • godoc-lint: from 0.10.1 to 0.10.2
4. Misc.
   • Add some flags to the custom command
5. Documentation
   • docs: split changelog v1 and v2

kubernetes/api (k8s.io/api)

v0.34.3

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.34.3

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.34.3

Compare Source

kubernetes-sigs/controller-tools (kubernetes-sigs/controller-tools)

v0.20.0

Compare Source

What's Changed

• ⚠️ Bump to k8s.io/* v0.35.0 by @​sbueringer in #​1318
• ⚠️ Start from local type declaration when applying schema by @​JoelSpeed in #​1270
• ⚠️ Revert local override breaking behavioural change by @​JoelSpeed in #​1310
• ✨ Allow title to be set on a type by @​cbandy in #​1282
• ✨ crd/marker: add AtLeastOneOf constraint by @​shashankram in #​1278
• ✨ Add k8s:required and k8s:optional markers by @​lalitc375 in #​1247
• ✨ Publish Windows ARM64 controller-gen and envtest binaries by @​bear-redhat in #​1297
• 🐛 Sort manifest webhooks by @​HaraldNordgren in #​1295
• 🐛 Prevent XValidation duplication by verifying if the rule already exists by @​mcbenjemaa in #​1296

Misc

• 🌱 Change sort to slices package by @​dongjiang1989 in #​1299
• 🌱 Use modernize linter by @​HaraldNordgren in #​1300
• 🌱 Update importas in golangci config by @​dongjiang1989 in #​1309
• 🌱 Stop setting invalid formats int32/int64 for integer types by @​sbueringer in #​1274
• 🌱 Revert "Stop setting invalid formats int32/int64 for integer types" by @​sbueringer in #​1275

envtest

• ✨Release envtest v1.34.1 by @​dongjiang1989 in #​1280
• ✨Release envtest v1.35.0-alpha.3 by @​bear-redhat in #​1303
• ✨Release envtest v1.35.0 by @​dongjiang1989 in #​1317
• 🌱 Promotion of envtest release for Kubernetes v1.34.1 by @​sbueringer in #​1285
• 🌱 Promotion of envtest release for Kubernetes v1.35.0-alpha.3 by @​sbueringer in #​1304
• 🌱 Promotion of envtest release for Kubernetes v1.35.0 by @​sbueringer in #​1319

Dependency bumps

• 🌱 Bump to k8s.io/* v0.34.1 by @​dongjiang1989 in #​1279
• 🌱 Bump golang.org/x/tools from 0.37.0 to 0.38.0 in the all-go-mod-patch-and-minor group by @​dependabot[bot] in #​1291
• 🌱 Bump golang.org/x/tools from 0.38.0 to 0.39.0 in the all-go-mod-patch-and-minor group by @​dependabot[bot] in #​1307
• 🌱 Bump the all-go-mod-patch-and-minor group across 1 directory with 3 updates by @​dependabot[bot] in #​1277
• 🌱 Bump the all-go-mod-patch-and-minor group across 1 directory with 3 updates by @​dependabot[bot] in #​1315
• 🌱 Bump the all-go-mod-patch-and-minor group with 2 updates by @​dependabot[bot] in #​1284
• 🌱Update golangci-lint version to v2.4.0 by @​dongjiang1989 in #​1281
• 🌱Update golangci-lint version to v2.5.0 by @​dongjiang1989 in #​1288
• 🌱 Bump softprops/action-gh-release from 2.3.3 to 2.3.4 in the all-github-actions group by @​dependabot[bot] in #​1290
• 🌱 Bump softprops/action-gh-release from 2.3.4 to 2.4.1 in the all-github-actions group by @​dependabot[bot] in #​1292
• 🌱 Bump the all-github-actions group across 1 directory with 5 updates by @​dependabot[bot] in #​1316
• 🌱 Bump the all-github-actions group with 2 updates by @​dependabot[bot] in #​1305
• 🌱 Bump the all-github-actions group with 3 updates by @​dependabot[bot] in #​1276
• 🌱 Bump the all-github-actions group with 4 updates by @​dependabot[bot] in #​1308
• 🌱 Bump tj-actions/changed-files from 46.0.5 to 47.0.0 in the all-github-actions group by @​dependabot[bot] in #​1283

New Contributors

• @​lalitc375 made their first contribution in #​1247
• @​bear-redhat made their first contribution in #​1297
• @​HaraldNordgren made their first contribution in #​1295
• @​mcbenjemaa made their first contribution in #​1296

Full Changelog: kubernetes-sigs/controller-tools@v0.19.0...v0.20.0

open-telemetry/opentelemetry-helm-charts (opentelemetry-operator)

v0.102.0

Compare Source

OpenTelemetry Operator Helm chart for Kubernetes

What's Changed

• Upgrade otel operator to 0.141.0 by @​vasireddy99 in #​1997

Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-operator-0.101.0...opentelemetry-operator-0.102.0

v0.101.0

Compare Source

OpenTelemetry Operator Helm chart for Kubernetes

What's Changed

• Upgrade otel operator to v0.140.0 by @​vasireddy99 in #​1985

New Contributors

• @​vasireddy99 made their first contribution in #​1985

Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-ebpf-instrumentation-0.2.2...opentelemetry-operator-0.101.0

v0.100.0

Compare Source

OpenTelemetry Operator Helm chart for Kubernetes

What's Changed

• [opentelemetry-operator] Upgrade operator to version 0.139.0 by @​jensloe-nhn in #​1982

Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-demo-0.39.0...opentelemetry-operator-0.100.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 38 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/collector/component/componentstatus	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/component/componenttest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/confmap	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/confmap/xconfmap	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/connector	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/connector/connectortest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/connector/xconnector	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/consumer	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/consumer/consumererror	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/consumer/consumertest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/consumer/xconsumer	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/exporter	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/exporter/exportertest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/exporter/xexporter	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/extension	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/extension/extensionauth	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/extension/extensioncapabilities	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/extension/extensiontest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/featuregate	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/internal/fanoutconsumer	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/internal/telemetry	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/pdata	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/pdata/pprofile	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/pdata/testdata	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/pdata/xpdata	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/pipeline/xpipeline	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/processor	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/processor/processortest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/processor/xprocessor	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/receiver	v1.46.0 -> v1.47.0
go.opentelemetry.io/collector/receiver/receivertest	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/receiver/xreceiver	v0.140.0 -> v0.141.0
go.opentelemetry.io/collector/service/hostcapabilities	v0.140.0 -> v0.141.0
golang.org/x/oauth2	v0.31.0 -> v0.32.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/grpc	v1.76.0 -> v1.77.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 57 additional dependencies were updated

Details:

Package	Change
github.com/ebitengine/purego	v0.9.0 -> v0.9.1
github.com/hashicorp/go-version	v1.7.0 -> v1.8.0
github.com/shirou/gopsutil/v4	v4.25.10 -> v4.25.11
github.com/spf13/cobra	v1.10.1 -> v1.10.2
github.com/tklauser/go-sysconf	v0.3.15 -> v0.3.16
github.com/tklauser/numcpus	v0.10.0 -> v0.11.0
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/collector/component/componentstatus	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/component/componenttest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/confmap	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/confmap/xconfmap	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/connector	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/connector/connectortest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/connector/xconnector	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/consumer	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/consumer/consumererror	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/consumer/consumertest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/consumer/xconsumer	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/exporter	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/exporter/exportertest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/exporter/xexporter	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/extension	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/extension/extensionauth	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/extension/extensioncapabilities	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/extension/extensiontest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/featuregate	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/internal/fanoutconsumer	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/internal/telemetry	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/pdata	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/pdata/pprofile	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/pdata/testdata	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/pdata/xpdata	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/pipeline/xpipeline	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/processor	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/processor/processortest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/processor/xprocessor	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/receiver	v1.46.0 -> v1.48.0
go.opentelemetry.io/collector/receiver/receivertest	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/receiver/xreceiver	v0.140.0 -> v0.142.0
go.opentelemetry.io/collector/service/hostcapabilities	v0.140.0 -> v0.142.0
go.opentelemetry.io/otel	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/log	v0.14.0 -> v0.15.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
golang.org/x/mod	v0.29.0 -> v0.30.0
golang.org/x/net	v0.47.0 -> v0.48.0
golang.org/x/oauth2	v0.31.0 -> v0.32.0
golang.org/x/sync	v0.18.0 -> v0.19.0
golang.org/x/sys	v0.38.0 -> v0.39.0
golang.org/x/term	v0.37.0 -> v0.38.0
golang.org/x/text	v0.31.0 -> v0.32.0
golang.org/x/tools	v0.38.0 -> v0.39.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/grpc	v1.76.0 -> v1.77.0