fix(deps): Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	v1.42.0 → v1.43.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-39883

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
2. Attacker places a malicious kenv binary earlier in $PATH
3. Application initializes OpenTelemetry resource detection at startup
4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

---

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

CVE-2026-39883 / GHSA-hfvc-g4fc-pqhx

More information

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
2. Attacker places a malicious kenv binary earlier in $PATH
3. Application initializes OpenTelemetry resource detection at startup
4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx
• https://nvd.nist.gov/vuln/detail/CVE-2026-39883
• https://github.com/open-telemetry/opentelemetry-go
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
  for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
• Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
  make the implementation spec-compliant. (#​8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

• chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by @​renovate[bot] in #​8014
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 190d7d4 by @​renovate[bot] in #​8013
• chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by @​renovate[bot] in #​8016
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by @​renovate[bot] in #​8011
• fix(deps): update golang.org/x by @​renovate[bot] in #​8023
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by @​renovate[bot] in #​8020
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by @​renovate[bot] in #​8017
• chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by @​renovate[bot] in #​8019
• Add doc on how to upgrade to new semconv by @​jmmcorreia in #​7807
• fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by @​renovate[bot] in #​8028
• resource: add WithService detector option by @​codeboten in #​7642
• fix(deps): update googleapis to a57be14 by @​renovate[bot] in #​8031
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by @​renovate[bot] in #​8032
• chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @​renovate[bot] in #​8034
• chore(deps): update github.com/securego/gosec/v2 digest to 8895462 by @​renovate[bot] in #​8036
• chore(deps): update module github.com/sonatard/noctx to v0.5.1 by @​renovate[bot] in #​8040
• chore(deps): update github.com/securego/gosec/v2 digest to 6e66a94 by @​renovate[bot] in #​8043
• docs(otlp): document HTTP/protobuf insecure env vars by @​marcschaeferger in #​8037
• Rebuild semconvkit and verifyreadmes on changes by @​MrAlias in #​7995
• chore(sdk/trace): join errors properly by @​ash2k in #​8030
• fix(deps): update googleapis to 84a4fc4 by @​renovate[bot] in #​8048
• attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by @​pellared in #​8038
• fix(sdk/trace): return spec-compliant TraceIdRatioBased description by @​ash2k in #​8027
• linting: add depguard rule to enforce semconv version by @​ajuijas in #​8041
• chore(deps): update actions/download-artifact action to v8.0.1 by @​renovate[bot] in #​8046
• chore(deps): update github.com/securego/gosec/v2 digest to b7b2c7b by @​renovate[bot] in #​8044
• fix(deps): update golang.org/x by @​renovate[bot] in #​8045
• Optimize attribute slice conversion by @​MrAlias in #​8039
• Add benchmarks for end-to-end metrics SDK usage by @​dashpole in #​7768
• fix(deps): update golang.org/x by @​renovate[bot] in #​8052
• chore(deps): update github.com/securego/gosec/v2 digest to befce8d by @​renovate[bot] in #​8053
• trace: add Random Trace ID Flag by @​yuanyuanzhao3 in #​8012
• Improve aggregation concurrent safe tests by @​dashpole in #​8021
• Add tests for exponential histogram concurrent-safety edge-cases by @​dashpole in #​8024
• exphist: replace min, max, sum, and count with atomics by @​dashpole in #​8025
• chore(deps): update github.com/securego/gosec/v2 digest to c2dfcec by @​renovate[bot] in #​8055
• chore(deps): update otel/weaver docker tag to v0.22.0 by @​renovate[bot] in #​8058
• chore(deps): update github.com/securego/gosec/v2 digest to dec52c4 by @​renovate[bot] in #​8063
• chore(deps): update otel/weaver docker tag to v0.22.1 by @​renovate[bot] in #​8061
• chore(deps): update github/codeql-action action to v4.33.0 by @​renovate[bot] in #​8065
• Fix race in the lastvalue aggregation where 0 could be observed by @​dashpole in #​8056
• chore(deps): update github.com/securego/gosec/v2 digest to 744bfb5 by @​renovate[bot] in #​8064
• Migrate to new bare metal runner (Ubuntu 24) by @​trask in #​8068
• sdk/resource: add WithContext variants for Default and Environment (#​7808) by @​ajuijas in #​8051
• Use atomics for exponential histogram buckets by @​dashpole in #​8057
• Added the internal/observ package to stdoutlog by @​yumosx in #​7735
• Add support for the development per-series starttime feature by @​dashpole in #​8060
• sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by @​kouji-yoshimura in #​8067
• Cleanup exemplar featuregate readme by @​dashpole in #​8072
• chore(deps): update codecov/codecov-action action to v5.5.3 by @​renovate[bot] in #​8080
• chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by @​renovate[bot] in #​8083
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to de6f1cc by @​renovate[bot] in #​8082
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by @​renovate[bot] in #​8085
• chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by @​renovate[bot] in #​8084
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by @​renovate[bot] in #​8081
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by @​renovate[bot] in #​8086
• chore(deps): update actions/cache action to v5.0.4 by @​renovate[bot] in #​8079
• chore(deps): update module github.com/fatih/color to v1.19.0 by @​renovate[bot] in #​8087
• fix(deps): update googleapis to d00831a by @​renovate[bot] in #​8078
• chore(deps): update golang.org/x/telemetry digest to b6b0c46 by @​renovate[bot] in #​8076
• fix(deps): update module google.golang.org/grpc to v1.79.3 [security] by @​renovate[bot] in #​8075
• sdk/metric: Support specifying cardinality limits per instrument kinds by @​petern48 in #​7855
• chore(deps): update github/codeql-action action to v4.34.0 by @​renovate[bot] in #​8088
• chore(deps): update codspeedhq/action action to v4.12.1 by @​renovate[bot] in #​8089
• chore(deps): update github/codeql-action action to v4.34.1 by @​renovate[bot] in #​8090
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by @​renovate[bot] in #​8092
• chore: fix noctx issues by @​mmorel-35 in #​8008
• chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by @​renovate[bot] in #​8095
• chore(deps): update codecov/codecov-action action to v5.5.4 by @​renovate[bot] in #​8097
• chore(deps): update codecov/codecov-action action to v6 by @​renovate[bot] in #​8098
• chore(deps): update module github.com/tetafro/godot to v1.5.6 by @​renovate[bot] in #​8099
• chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by @​renovate[bot] in #​8100
• chore(deps): update github/codeql-action action to v4.35.0 by @​renovate[bot] in #​8101
• chore(deps): update actions/setup-go action to v6.4.0 by @​renovate[bot] in #​8107
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by @​renovate[bot] in #​8106
• chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by @​renovate[bot] in #​8103
• chore(deps): update github/codeql-action action to v4.35.1 by @​renovate[bot] in #​8102
• chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by @​renovate[bot] in #​8109
• metricdatatest: Improve printing of diffs by @​dashpole in #​8073
• fix(deps): update googleapis to d5a96ad by @​renovate[bot] in #​8112
• chore(deps): update codspeedhq/action action to v4.13.0 by @​renovate[bot] in #​8114
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by @​renovate[bot] in #​8119
• chore(deps): update fossas/fossa-action action to v1.9.0 by @​renovate[bot] in #​8118
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by @​renovate[bot] in #​8115
• fix(deps): update googleapis to 9d38bb4 by @​renovate[bot] in #​8117
• fix: support getBody in otelploghttp by @​Tpuljak in #​8096
• fix(deps): update module google.golang.org/grpc to v1.80.0 by @​renovate[bot] in #​8121
• Use an absolute path when calling bsd kenv by @​dmathieu in #​8113
• limit response body size for OTLP HTTP exporters by @​pellared in #​8108
• chore(deps): update github.com/golangci/dupl digest to c99c5cf by @​renovate[bot] in #​8122
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by @​renovate[bot] in #​8131
• Release v1.43.0 / v0.65.0 / v0.19.0 by @​dmathieu in #​8128

New Contributors

• @​jmmcorreia made their first contribution in #​7807
• @​marcschaeferger made their first contribution in #​8037
• @​ajuijas made their first contribution in #​8041
• @​yuanyuanzhao3 made their first contribution in #​8012
• @​kouji-yoshimura made their first contribution in #​8067
• @​Tpuljak made their first contribution in #​8096

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: collector/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.42.0 -> v1.43.0

File name: extension/alloyengine/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.42.0 -> v1.43.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.42.0 -> v1.43.0

[github-actions]

🔍 Dependency Review

Below are the dependency updates detected in go.mod files across the repo (root, collector/, extension/alloyengine/), along with an assessment of code impact and any required changes.

Note: All of these updates are within the stable v1 line of OpenTelemetry-Go. Per the OpenTelemetry-Go stability guarantees, modules at v1 follow Semantic Versioning and do not introduce breaking API changes in minor releases. This implies existing code using v1.42.0 should continue to compile and run on v1.43.0 without code changes.

---

go.opentelemetry.io/otel 1.42.0 -> 1.43.0 — ✅ Safe

Scope

• Updated in: root go.mod (direct), collector/go.mod (indirect), extension/alloyengine/go.mod (indirect)

Impact

• No breaking API changes expected between v1.42.0 and v1.43.0 for this stable module.
• Existing telemetry setup, context propagation, baggage, and trace/metric API usage should continue to work unchanged.

Evidence

• OpenTelemetry-Go stability guarantee: stable v1 modules adhere to Semantic Versioning; minor updates do not break public APIs.

Required code changes

• None.

Compatibility notes

• Your exporters remain at v1.42.0. OpenTelemetry-Go modules are designed to be cross-minor compatible within v1, so mixing v1.43 core with v1.42 exporters is supported.

Suggested actions

• Rebuild and run tests to confirm behavior parity.

---

go.opentelemetry.io/otel/metric 1.42.0 -> 1.43.0 — ✅ Safe

Scope

• Updated in: root go.mod (direct), collector/go.mod (indirect), extension/alloyengine/go.mod (indirect)

Impact

• No API changes required for MeterProvider/Meter usage, instrument creation (Counter/Histogram/UpDownCounter), or attribute handling.

Evidence

• Module is v1-stable; minor bumps are backward compatible per OpenTelemetry-Go stability guarantees.

Required code changes

• None.

Suggested actions

• Rebuild and run any metric-focused tests/dashboards to verify expected timeseries continuity.

---

go.opentelemetry.io/otel/sdk 1.42.0 -> 1.43.0 — ✅ Safe

Scope

• Updated in: root go.mod (direct), collector/go.mod (indirect), extension/alloyengine/go.mod (indirect)

Impact

• No changes required for TracerProvider/Resource/SpanProcessor configuration or environment variable behavior.

Evidence

• v1-stable SDK minor updates do not break public APIs.

Required code changes

• None.

Compatibility notes

• Exporters pinned at v1.42.0 remain compatible with SDK v1.43.0 within v1.

---

go.opentelemetry.io/otel/sdk/metric 1.42.0 -> 1.43.0 — ✅ Safe

Scope

• Updated in: root go.mod (direct), collector/go.mod (indirect), extension/alloyengine/go.mod (indirect)

Impact

• No code changes needed for View/Reader/Temporality/Aggregation configuration or controller setup.

Evidence

• v1-stable, minor update; no breaking API surface changes per OTel-Go stability guarantees.

Required code changes

• None.

Suggested actions

• If you have golden tests for metric output formats, run them to confirm no behavioral drift.

---

go.opentelemetry.io/otel/trace 1.42.0 -> 1.43.0 — ✅ Safe

Scope

• Updated in: root go.mod (direct), collector/go.mod (indirect), extension/alloyengine/go.mod (indirect)

Impact

• No changes required for span creation, attributes/events/links, or context propagation.

Evidence

• v1-stable package with minor version bump; backward compatible per OpenTelemetry-Go stability guarantees.

Required code changes

• None.

Notes

• Exporter modules remain on v1.42.0. This is acceptable and supported with v1.43.0 core/SDK modules.
• After merging, run go mod tidy, rebuild, and execute the test suite and any telemetry integration checks to validate end-to-end behavior.