[release-v1.17][gomod]: Bump the minor group across 1 directory with 18 updates

[dependabot]

Bumps the minor group with 7 updates in the / directory:

Package	From	To
github.com/cert-manager/cert-manager	1.16.3	1.20.1
github.com/cloudevents/sdk-go/sql/v2	2.0.0-20240712172937-3ce6b2f1f011	2.16.2
github.com/coreos/go-oidc/v3	3.9.0	3.17.0
github.com/eclipse/paho.golang	0.12.0	0.23.0
github.com/pelletier/go-toml/v2	2.2.4	2.3.0
github.com/rickb777/date	1.13.0	1.22.0
go.uber.org/atomic	1.10.0	1.11.0

Updates github.com/cert-manager/cert-manager from 1.16.3 to 1.20.1

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

• Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @​hjoshi123)
• Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#8655, @​erikgb)
• Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#8657, @​erikgb)

v1.20.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind

Feature

• Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#8370, @​jcpunk)
• Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#8256, @​tareksha)
• Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#8186, @​mathieu-clnk)
• Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#8355, @​dancmeyers)
• Added parentRef override annotations on the Certificate resource. (#8518, @​hjoshi123)
• Added support for azure private zones for dns01 issuer. (#8494, @​hjoshi123)
• Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#7642, @​robertlestak)
• Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#7728, @​jcpunk)
• For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#8301, @​k0da)
• Improve error message when CA issuers are misconfigured to use a clashing secret name (#8374, @​majiayu000)
• Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#8244, @​lunarwhite)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#8195, @​StingRayZA)
• Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#8228, @​terinjokes)
• Added experimental XListenerSets feature gate (#8394, @​hjoshi123)

Documentation

• Add GWAPI documentation to NOTES.TXT in helm chart (#8353, @​jaxels10)

Bug or Regression

• Adds logs for cases when acme server returns us a fatal error in the order controller (#8199, @​Peac36)
• Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#8160, @​inteon)
• Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#8232, @​eleanor-merry)
• Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. (#8456, @​tkna)
• Fix unregulated retries with the DigitalOcean DNS-01 solver Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#8221, @​wallrj-cyberark)
• Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#8403, @​calm329)
• Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#8424, @​SlashNephy)
• Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. (#8443, @​alviss7)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#8173, @​erikgb)
• Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#8469, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#8290, @​octo-sts[bot])

... (truncated)

Commits

• dc96863 Merge pull request #8658 from cert-manager-bot/cherry-pick-8619-to-release-1.20
• 7e66079 removing duplicate parentRefs
• 75f90e4 Merge pull request #8657 from erikgb/fix-grpc-vuln
• f27364c Update module google.golang.org/grpc to v1.79.3 [security] (release-1.20)
• 5c1ce14 Merge pull request #8655 from cert-manager-bot/cherry-pick-8654-to-release-1.20
• 038260f Fix RBAC to support clusters with OwnerReferencesPermissionEnforcement enabled
• 0d2f215 Merge pull request #8599 from hjoshi123/fix/cherry-pick-1.26
• 992544c cherry picking go 1.26.1 onto release-1.20
• 0ef9dd0 Merge pull request #8598 from cert-manager-bot/cherry-pick-8581-to-release-1.20
• 700e95a Merge pull request #8597 from cert-manager-bot/cherry-pick-8595-to-release-1.20
• Additional commits viewable in compare view

Updates github.com/cloudevents/sdk-go/sql/v2 from 2.0.0-20240712172937-3ce6b2f1f011 to 2.16.2

Release notes

Sourced from github.com/cloudevents/sdk-go/sql/v2's releases.

Release v2.16.2

No release notes provided.

Release v2.16.1

CloudEvents SDK Go v2.16.1

🐛 Bug Fixes and Improvements

• ⚡ NATS JetStream Enhancement: Made send subject optional via context by @​kmpm in cloudevents/sdk-go#1143

  • Added WithSubject function to override the default subject when sending messages
  • Added comprehensive tests and updated samples
  • Non-breaking enhancement that adds flexibility for NATS users

• 📝 CloudEvents JSON Handling Fixes by @​alank-ps:

  • WriteJson Fix in cloudevents/sdk-go#1162: Fixed WriteJson to properly handle data as JSON when dataContentType is application/cloudevents+json or batch
  • ConsumeData Fix in cloudevents/sdk-go#1164: Fixed consumeData functions to properly recognize structured mode JSON content types
  • Improves compatibility with the CloudEvents specification

• 🔧 CI/Test Improvements: Fix failing CI tests by @​embano1 in cloudevents/sdk-go#1156

🔄 Maintenance and Dependency Updates

• 🛠️ Dependency Management Overhaul by @​embano1 in cloudevents/sdk-go#1145
  • Added script (hack/update-deps.sh) to update Go dependencies across all modules
  • Replaced Dependabot with custom script for better dependency management
  • Removed stale and broken OpenTelemetry samples

📦 Key Dependency Updates:

• github.com/google/go-cmp: v0.6.0 → v0.7.0
• golang.org/x/sync: v0.12.0 → v0.13.0
• github.com/nats-io/nats.go: v1.37.0 → v1.41.2
• github.com/IBM/sarama: v1.40.1 → v1.45.1
• github.com/docker/docker: v20.10.17 → v27.1.1
• go.opentelemetry.io/otel: v1.18.0 → v1.35.0
• 🐹 Go version: Updated from 1.22 to 1.23.0 (toolchain 1.23.8)

🚨 Breaking Changes

None. All updates are either backward-compatible improvements, bug fixes, or internal refactors.

👥 New Contributors

• @​github-actions made their first contribution in cloudevents/sdk-go#1147
• @​kmpm made their first contribution in cloudevents/sdk-go#1143
• @​alank-ps made their first contribution in cloudevents/sdk-go#1162

📋 What's Changed

• Dependency Management Improvements by @​embano1 in cloudevents/sdk-go#1145
• chore(deps): Bump the go_modules group across 2 directories with 2 updates by @​dependabot in cloudevents/sdk-go#1146
• chore: update dependencies by @​github-actions in cloudevents/sdk-go#1147
• chore: update dependencies by @​github-actions in cloudevents/sdk-go#1148
• chore: update dependencies by @​github-actions in cloudevents/sdk-go#1149

... (truncated)

Commits

• See full diff in compare view

Updates github.com/coreos/go-oidc/v3 from 3.9.0 to 3.17.0

Release notes

Sourced from github.com/coreos/go-oidc/v3's releases.

v3.17.0

What's Changed

• oidc: improve error message for mismatched issuer URLs by @​ericchiang in coreos/go-oidc#469

Full Changelog: coreos/go-oidc@v3.16.0...v3.17.0

v3.16.0

What's Changed

• refactor: Remove unused time injection from RemoteKeySet by @​ponimas in coreos/go-oidc#466
• bump go to 1.24, remove 1.23 support, bump go-jose dependency, remove x/net dependency by @​wardviaene in coreos/go-oidc#467

New Contributors

• @​wardviaene made their first contribution in coreos/go-oidc#467

Full Changelog: coreos/go-oidc@v3.15.0...v3.16.0

v3.15.0

What's Changed

• oidc: verify the ID Token's signature before processing claims by @​ericchiang in coreos/go-oidc#464

Full Changelog: coreos/go-oidc@v3.14.1...v3.15.0

v3.14.1

What's Changed

• oidctest: fix import by @​ericchiang in coreos/go-oidc#457

Full Changelog: coreos/go-oidc@v3.14.0...v3.14.1

v3.14.0

What's Changed

• oidc/oidctest: add new package by @​ericchiang in coreos/go-oidc#400

Full Changelog: coreos/go-oidc@v3.13.0...v3.14.0

v3.13.0

What's Changed

• *: bump dependency versions by @​ericchiang in coreos/go-oidc#453

Full Changelog: coreos/go-oidc@v3.12.0...v3.13.0

v3.12.0

What's Changed

• oidc: add JSON tags to ProviderConfig by @​ericchiang in coreos/go-oidc#446

... (truncated)

Commits

• 35b8e03 oidc: improve error message for mismatched issuer URLs
• e958473 bump go to 1.24, remove 1.23 support, bump go-jose dependency, remove x/net d...
• 69b1670 refactor: Remove unused time injection from RemoteKeySet
• 8d1e57e oidc: verify the ID Token's signature before processing claims
• a7c457e oidctest: fix import
• aba1ce2 oidc/oidctest: add new package
• 60d436e *: bump dependency versions
• 4b5f82d oidc: add JSON tags to ProviderConfig
• 0fe9887 oidc: ignore cancellation of remote key set context
• 308e778 chore(deps): bump dependencies to address security issues
• Additional commits viewable in compare view

Updates github.com/eclipse/paho.golang from 0.12.0 to 0.23.0

Release notes

Sourced from github.com/eclipse/paho.golang's releases.

0.23

The is a minor release that incorporates fixes/improvements made over the last 10 months. Dependencies have been updated, and Go version 1.24 is now required (matching the "Go release policy").

I don't believe there are any breaking changes. Keepalive behaviour has been changed so that a PING is sent unless a packet has been sent AND received within the keepalive period (to address potential issues where a client is sending constantly, but never receives anything).

Note that one of the fixes addresses a potential security issue where data from one field (e.g. topic, properties) may leak into another (e.g. message body). This issue was raised against paho.mqtt.golang (issue 730) but the same code existed in this library. Thanks to Paul Gerste (Sonar) for reporting the original issue.

Thanks to those who have provided fixes/enhancements included in this release!.

What's Changed

• Comments and unused consts by @​MattBrittan in eclipse-paho/paho.golang#275
• Topicaliases extension - Fix the topic disappear when registering a new topic alias in the TAHandler by @​shirou in eclipse-paho/paho.golang#272
• Topicaliases extension - Add ResetAll() in topicaliases to prevent error on reconnection by @​shirou in eclipse-paho/paho.golang#277
• Add OnConnectionDown callback in autopaho by @​thedevop in eclipse-paho/paho.golang#281
• Update Go version and dependencies by @​MattBrittan in eclipse-paho/paho.golang#290
• Testing - Potential data race in TestServer by @​MattBrittan in eclipse-paho/paho.golang#291
• Ping when no packets received within keep alive period by @​MattBrittan in eclipse-paho/paho.golang#292
• Prevent blocking in responseHandler() after context cancel by @​tinytux in eclipse-paho/paho.golang#293
• add constants for RetainHandling subscribe option by @​agebhar1 in eclipse-paho/paho.golang#299
• build_rpc_cm: update Makefile path issue by @​hiproz in eclipse-paho/paho.golang#296
• Example - fix autopaho Docker example by @​agebhar1 in eclipse-paho/paho.golang#300
• Fix potential for packet corruption with very long strings/binary data by @​MattBrittan in eclipse-paho/paho.golang#305
• fix folder existence check in autopaho file queue by @​alpine-ibex in eclipse-paho/paho.golang#309
• Filestore should attempt to create folder if it does not exist by @​MattBrittan in eclipse-paho/paho.golang#306
• drop redundant stat before MkdirAll by @​alpine-ibex in eclipse-paho/paho.golang#310
• Fix AuthResponse success value being set to true on error by @​nickajacks1 in eclipse-paho/paho.golang#315
• Fix OnServerDisconnect not being called when packet has no properties by @​nickajacks1 in eclipse-paho/paho.golang#312

New Contributors

• @​shirou made their first contribution in eclipse-paho/paho.golang#272
• @​thedevop made their first contribution in eclipse-paho/paho.golang#281
• @​tinytux made their first contribution in eclipse-paho/paho.golang#293
• @​agebhar1 made their first contribution in eclipse-paho/paho.golang#299
• @​hiproz made their first contribution in eclipse-paho/paho.golang#296
• @​alpine-ibex made their first contribution in eclipse-paho/paho.golang#309
• @​nickajacks1 made their first contribution in eclipse-paho/paho.golang#315

Full Changelog: eclipse-paho/paho.golang@v0.22.0...v0.23.0

0.22

The is a minor release that incorporates fixes/improvements made over the last 9 months.

There is one breaking change, autopaho.ConnectPacketBuilder may now return an error (this is useful when the packet cannot be built, for example when auth details are temporarily unavailable).

Thanks to those who have provided fixes/enhanceents included in this release!.

What's Changed

• fix: respect context cancellation while using the provided Dialer by @​Lorderot in eclipse-paho/paho.golang#248
• PublishWithOptions QoS0 return empty PublishRespoonse by @​wic006 in eclipse-paho/paho.golang#255
• Improve default ping handler by @​Lorderot in eclipse-paho/paho.golang#257

... (truncated)

Commits

• 1aa0396 Dependency and go version update.
• b45d25d DISCONNECT packet with missing property length prevented OnServerDisconnect call
• 38d3585 Fix AuthResponse success value being set to true on error
• 6f75464 Fix AuthResponse success value being set to true on error
• 022e144 Fix OnServerDisconnect not being called when packet has no properties
• ab72a18 Simplify Directory creation
• ec5d947 drop redundant stat before MkdirAll
• 16106c7 Filestore should attempt to create folder if it does not exist
• 3b79283 autopaho file queue - fix folder creation
• 9135b2a fix folder existence check in autopaho file queue
• Additional commits viewable in compare view

Updates github.com/gorilla/websocket from 1.5.3 to 1.5.4-0.20250319132907-e064f32e3674

Commits

• See full diff in compare view

Updates github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0

Release notes

Sourced from github.com/pelletier/go-toml/v2's releases.

v2.3.0

This is the first release built largely with the help of AI coding agents. Highlights include the complete removal of the unsafe package. go-toml is now fully safe Go code, with a geomean overhead of only ~1.4% vs v2.2.4 and zero additional allocations on benchmarks. This release also adds omitzero struct tag support, improves UnmarshalText/Unmarshaler handling for tables and array tables, and fixes several bugs including nil pointer marshaling, leap second handling, and datetime unmarshaling panics.

What's Changed

What's new

• marshal: don't escape quotes unnecessarily by @​virtuald in pelletier/go-toml#991
• Add omitzero tag support by @​NathanBaulch in pelletier/go-toml#998
• Support custom IsZero() methods with omitzero tag by @​pelletier in pelletier/go-toml#1020
• UnmarshalText fallbacks to struct unmarshaling for tables and arrays by @​pelletier in pelletier/go-toml#1026
• [unstable] Support Unmarshaler interface for tables and array tables by @​pelletier in pelletier/go-toml#1027

Fixed bugs

• Add missing UnmarshalTOML call by @​pelletier in pelletier/go-toml#996
• Handle array table into an empty slice by @​pelletier in pelletier/go-toml#997
• Unwrap strict errors by @​bersace in pelletier/go-toml#1012
• Fix leap second handling found by fuzz by @​pelletier in pelletier/go-toml#1019
• Fix nil pointer map values not being marshaled by @​pelletier in pelletier/go-toml#1025
• Fix panic when unmarshaling datetime values to incompatible types (#1028) by @​pelletier in pelletier/go-toml#1029
• Fix parser error pointing to wrong line at EOF without trailing newline by @​pelletier in pelletier/go-toml#1041

Documentation

• Improve Unmarshaling README by @​heckelson in pelletier/go-toml#1016
• Create AGENTS.md guidelines file by @​pelletier in pelletier/go-toml#1017

Other changes

• Unsafe package removal by @​pelletier in pelletier/go-toml#1021
• Bump CI and test scripts to Go 1.26 by @​pelletier in pelletier/go-toml#1030

New Contributors

• @​virtuald made their first contribution in pelletier/go-toml#991
• @​NathanBaulch made their first contribution in pelletier/go-toml#999
• @​bersace made their first contribution in pelletier/go-toml#1012
• @​flyn-org made their first contribution in pelletier/go-toml#1013
• @​heckelson made their first contribution in pelletier/go-toml#1016

Full Changelog: pelletier/go-toml@v2.2.4...v2.3.0

Commits

• f36a3ec Reduce marshal and unmarshal overhead (#1044)
• 77f3862 Fix benchmark script replacing internal package imports (#1042)
• 16b1ef5 Fix parser error pointing to wrong line when last line has no trailing newlin...
• e14bde7 build(deps): bump docker/login-action from 3 to 4 (#1039)
• 4b1ff01 build(deps): bump docker/setup-buildx-action from 3 to 4 (#1040)
• 048a25f Go 1.26 (#1030)
• b357558 build(deps): bump goreleaser/goreleaser-action from 6 to 7 (#1035)
• a0be52f build(deps): bump actions/upload-artifact from 6 to 7 (#1036)
• 316bfc6 Support Unmarshaler interface for tables and array tables (#1027)
• 2edc61f Fix panic when unmarshaling datetime values to incompatible types (#1028) (#1...
• Additional commits viewable in compare view

Updates github.com/rickb777/date from 1.13.0 to 1.22.0

Release notes

Sourced from github.com/rickb777/date's releases.

v1.22.0

No release notes provided.

v1 ParseISO tweaked

ParseISO now accepts date-time inputs, ignoring the time field.

period.AddTo revised to reduce the impact of subtle behaviours of time.AddDate

Minor bugfix

• resolves issue #19
• updates dependencies

v1.20.2 updated dependencies

No release notes provided.

v1.20.0

No release notes provided.

v1.19.1

No release notes provided.

Bufix: MarshalJSON

Date.MarshalJSON incorrectly wrote the zero value as a blank string, which might raise difficulties at the receiver.

Code that relied on this incorrect behaviour might see this as a breaking change.

v1.18

No release notes provided.

updated dependencies

No release notes provided.

Bug fixed: integer overflow on 32bit architecture

No release notes provided.

v1.14.1

No release notes provided.

Period revised

Improvements to Period, including new methods and improved tests.

Commits

• cedbf7d v1 is now marked as deprecated; updated dependencies
• 57313ad updated dependencies (v1 branch)
• b7388c8 Minor test correction
• db08fef Date ParseISO & AutoParse now accept a date-time input (time is ignored)
• 9a7458e updated dependencies
• 02b87e1 another parse test case
• ff580cf more tests added to period.Between
• b6690e4 period.AddTo revised to reduce the impact of subtle behaviours of time.AddDate
• ad3aa70 Dependencies updated
• a792460 Bugfix: this resolves issue #19 fraction designator parsing bug
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel from 1.38.0 to 1.40.0

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

Deprecated

• Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#7670)

[1.39.0/0.61.0/0.15.0/0.0.14] 2025-12-05

Added

• Greatly reduce the cost of recording metrics in go.opentelemetry.io/otel/sdk/metric using hashing for map keys. (#7175)
• Add WithInstrumentationAttributeSet option to go.opentelemetry.io/otel/log, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace packages. This provides a concurrent-safe and performant alternative to WithInstrumentationAttributes by accepting a pre-constructed attribute.Set. (#7287)
• Add experimental observability for the Prometheus exporter in go.opentelemetry.io/otel/exporters/prometheus. Check the go.opentelemetry.io/otel/exporters/prometheus/internal/x package documentation for more information. (#7345)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#7353)
• Add temporality selector functions DeltaTemporalitySelector, CumulativeTemporalitySelector, LowMemoryTemporalitySelector to go.opentelemetry.io/otel/sdk/metric. (#7434)
• Add experimental observability metrics for simple log processor in go.opentelemetry.io/otel/sdk/log. (#7548)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#7459)

... (truncated)

Commits

• a3a5317 Release v1.40.0 (#7859)
• 77785da chore(deps): update github/codeql-action action to v4.32.1 (#7858)
• 56fa1c2 chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 (#7857)
• 298cbed Upgrade semconv use to v1.39.0 (#7854)
• 3264bf1 refactor: modernize code (#7850)
• fd5d030 chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
• 8d3b4cb chore(deps): update actions/cache action to v5.0.3 (#7847)
• 91f7cad chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (#7845)
• fdad1eb chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
• c46d3ba chore(deps): update golang.org/x/telemetry digest to fcf36f6 (#7843)
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/trace from 1.38.0 to 1.40.0

Changelog

Sourced from go.opentelemetry.io/otel/trace's changelog.

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

Deprecated

• Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#7670)

[1.39.0/0.61.0/0.15.0/0.0.14] 2025-12-05

Added

• Greatly reduce the cost of recording metrics in go.opentelemetry.io/otel/sdk/metric using hashing for map keys. (#7175)
• Add WithInstrumentationAttributeSet option to go.opentelemetry.io/otel/log, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace packages. This provides a concurrent-safe and performant alternative to WithInstrumentationAttributes by accepting a pre-constructed attribute.Set. (#7287)
• Add experimental observability for the Prometheus exporter in go.opentelemetry.io/otel/exporters/prometheus. Check the go.opentelemetry.io/otel/exporters/prometheus/internal/x package documentation for more information. (#7345)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (...

  Description has been truncated

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign lberk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment