Fix CVE-2026-24051 and CVE-2026-33186

[zhouke1991]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fix CVE, bump go.opentelemetry.io/otel/sdk and related otel modules from v1.39.0 to v1.42.0, and google.golang.org/grpc from v1.78.0 to v1.79.3. Transitive dependencies (golang.org/x/sys, cel.dev/expr) are updated accordingly.

Which issue(s) this PR fixes:

Fixes:
#9327
#9406

Special notes for your reviewer:

Some of them are all indirect/transitive dependency bumps. No application code changes are included.

Does this PR introduce a user-facing change?

None

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Scan result by trivy:

trivy image gcr.io/k8s-staging-autoscaling/cluster-autoscaler-amd64:dev
2026-03-26T19:22:46+08:00       INFO    [vulndb] Need to update DB
2026-03-26T19:22:46+08:00       INFO    [vulndb] Downloading vulnerability DB...
2026-03-26T19:22:46+08:00       INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
88.14 MiB / 88.14 MiB [----------------------------------------------------------------------------------------] 100.00% 18.09 MiB p/s 5.1s
2026-03-26T19:22:53+08:00       INFO    [vulndb] Artifact successfully downloaded       repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-03-26T19:22:53+08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-03-26T19:22:53+08:00       INFO    [secret] Secret scanning is enabled
2026-03-26T19:22:53+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-03-26T19:22:53+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2026-03-26T19:22:56+08:00       INFO    Detected OS     family="debian" version="13.4"
2026-03-26T19:22:56+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="13" pkg_num=5
2026-03-26T19:22:56+08:00       INFO    Number of language-specific files       num=1
2026-03-26T19:22:56+08:00       INFO    [gobinary] Detecting vulnerabilities...

gcr.io/k8s-staging-autoscaling/cluster-autoscaler-amd64:dev (debian 13.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhouke1991
Once this PR has been reviewed and has the lgtm label, please assign towca for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• cluster-autoscaler/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @zhouke1991. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[zhouke1991]

May I know how to backport it to the branch cluster-autoscaler-release-1.35 if it is acceptable?

[Choraden]

Thanks @zhouke1991
/ok-to-test
/lgtm

Regarding the backport, it will be automatically cherry-picked to the right branches once the maintainers decide so.

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.