fix opentelemetry-collector cve: GHSA-cfpf-hrx2-8rv6 update expr deps (#76770)

Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>

Author: debasishbsws

opentelemetry-collector.yaml

@@ -1,7 +1,7 @@
 package:
   name: opentelemetry-collector
   version: "0.142.0"
-  epoch: 0 # CVE-2025-61729
+  epoch: 1 # GHSA-cfpf-hrx2-8rv6
   description: OpenTelemetry Collector
   copyright:
     - license: Apache-2.0
@@ -29,6 +29,11 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: b579eb1cd7f4334b0f460eb05a81373e5635942f
 
+  - runs: |
+      set -x
+      # Use the builder to compile opentelemetry-collector
+      yq eval '.replaces += ["github.com/expr-lang/expr => github.com/expr-lang/expr v1.17.7"]' builder-config.yaml -i
+
   - uses: go/build
     with:
       packages: .