chore(all): update module go.opentelemetry.io/otel/sdk to v1.40.0 [SECURITY] (main)#14027
ℹ️ Artifact update notice

File names: bigquery/v2/go.mod, compute/go.mod, container/go.mod, containeranalysis/go.mod, datastore/go.mod, errorreporting/go.mod, firestore/go.mod, grafeas/go.mod, iam/go.mod, pubsublite/go.mod, translate/go.mod

In order to perform the update(s) described in the table above, Renovate ran the
Code Review
This pull request contains an automated dependency update for go.opentelemetry.io/otel/sdk from v1.39.0 to v1.40.0. This update, which addresses security vulnerability GHSA-9h8m-3fm2-qjrq, is applied across go.mod and go.sum files in multiple modules. I have reviewed the automated changes and have not identified any issues.
This PR contains the following updates:

go.opentelemetry.io/otel/sdk: v1.39.0 → v1.40.0

GitHub Vulnerability Alerts
CVE-2026-24051
Impact
The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References
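The untrusted-search-path pattern described above, as an added illustration (this is not the SDK's code and not the fix in d45961b): the vulnerable form resolves the bare name `ioreg` through PATH, while the hardened form uses a hypothetical `resolveTrusted` helper that consults only an assumed allowlist of system directories (`/usr/sbin`, `/sbin`) and ignores PATH entirely.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrNotTrusted is returned when the command is absent from every trusted directory.
var ErrNotTrusted = errors.New("command not found in a trusted directory")

// vulnerableCmd shows the risky pattern (illustrative, not the SDK's code): a bare
// name is resolved through PATH, so a writable directory that appears early in
// PATH can shadow the real binary. Arguments are omitted.
func vulnerableCmd() *exec.Cmd {
	return exec.Command("ioreg")
}

// resolveTrusted looks for name only inside trustedDirs and never consults PATH.
// It accepts only a bare command name and only a regular, executable file.
func resolveTrusted(name string, trustedDirs []string) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", fmt.Errorf("command name must be bare, got %q", name)
	}
	for _, dir := range trustedDirs {
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil || !info.Mode().IsRegular() || info.Mode()&0o111 == 0 {
			continue // missing, a directory, or not executable: keep looking
		}
		return candidate, nil
	}
	return "", ErrNotTrusted
}

// hardenedCmd builds the same command from an absolute path taken from an
// assumed allowlist of system directories (assumption: macOS locations).
func hardenedCmd() (*exec.Cmd, error) {
	path, err := resolveTrusted("ioreg", []string{"/usr/sbin", "/sbin"})
	if err != nil {
		return nil, err
	}
	return exec.Command(path), nil
}

func main() {
	fmt.Println("PATH-resolved:", vulnerableCmd().Path)
	if cmd, err := hardenedCmd(); err != nil {
		fmt.Println("hardened:", err) // expected on hosts without ioreg
	} else {
		fmt.Println("hardened:", cmd.Path)
	}
}
```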
Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.40.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.