Update opentelemetry-go monorepo to v1.39.0

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk	v1.38.0 -> v1.39.0

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.39.0

Compare Source

Overview

Added

• Greatly reduce the cost of recording metrics in go.opentelemetry.io/otel/sdk/metric using hashing for map keys. (#​7175)
• Add WithInstrumentationAttributeSet option to go.opentelemetry.io/otel/log, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace packages. This provides a concurrent-safe and performant alternative to WithInstrumentationAttributes by accepting a pre-constructed attribute.Set. (#​7287)
• Add experimental observability for the Prometheus exporter in go.opentelemetry.io/otel/exporters/prometheus. Check the go.opentelemetry.io/otel/exporters/prometheus/internal/x package documentation for more information. (#​7345)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​7353)
• Add temporality selector functions DeltaTemporalitySelector, CumulativeTemporalitySelector, LowMemoryTemporalitySelector to go.opentelemetry.io/otel/sdk/metric. (#​7434)
• Add experimental observability metrics for simple log processor in go.opentelemetry.io/otel/sdk/log. (#​7548)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​7459)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​7486)
• Add experimental observability metrics for simple span processor in go.opentelemetry.io/otel/sdk/trace. (#​7374)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7512)
• Add experimental observability metrics for manual reader in go.opentelemetry.io/otel/sdk/metric. (#​7524)
• Add experimental observability metrics for periodic reader in go.opentelemetry.io/otel/sdk/metric. (#​7571)
• Support OTEL_EXPORTER_OTLP_LOGS_INSECURE and OTEL_EXPORTER_OTLP_INSECURE environmental variables in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7608)
• Add Enabled method to the Processor interface in go.opentelemetry.io/otel/sdk/log. All Processor implementations now include an Enabled method. (#​7639)
• The go.opentelemetry.io/otel/semconv/v1.38.0 package. The package contains semantic conventions from the v1.38.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.37.0.(#​7648)

Changed

• Distinct in go.opentelemetry.io/otel/attribute is no longer guaranteed to uniquely identify an attribute set. Collisions between Distinct values for different Sets are possible with extremely high cardinality (billions of series per instrument), but are highly unlikely. (#​7175)
• WithInstrumentationAttributes in go.opentelemetry.io/otel/trace synchronously de-duplicates the passed attributes instead of delegating it to the returned TracerOption. (#​7266)
• WithInstrumentationAttributes in go.opentelemetry.io/otel/meter synchronously de-duplicates the passed attributes instead of delegating it to the returned MeterOption. (#​7266)
• WithInstrumentationAttributes in go.opentelemetry.io/otel/log synchronously de-duplicates the passed attributes instead of delegating it to the returned LoggerOption. (#​7266)
• Rename the OTEL_GO_X_SELF_OBSERVABILITY environment variable to OTEL_GO_X_OBSERVABILITY in go.opentelemetry.io/otel/sdk/trace, go.opentelemetry.io/otel/sdk/log, and go.opentelemetry.io/otel/exporters/stdout/stdouttrace. (#​7302)
• Improve performance of histogram Record in go.opentelemetry.io/otel/sdk/metric when min and max are disabled using NoMinMax. (#​7306)
• Improve error handling for dropped data during translation by using prometheus.NewInvalidMetric in go.opentelemetry.io/otel/exporters/prometheus. ⚠️ Breaking Change: Previously, these cases were only logged and scrapes succeeded. Now, when translation would drop data (e.g., invalid label/value), the exporter emits a NewInvalidMetric, and Prometheus scrapes fail with HTTP 500 by default. To preserve the prior behavior (scrapes succeed while errors are logged), configure your Prometheus HTTP handler with: promhttp.HandlerOpts{ ErrorHandling: promhttp.ContinueOnError }. (#​7363)
• Replace fnv hash with xxhash in go.opentelemetry.io/otel/attribute for better performance. (#​7371)
• The default TranslationStrategy in go.opentelemetry.io/exporters/prometheus is changed from otlptranslator.NoUTF8EscapingWithSuffixes to otlptranslator.UnderscoreEscapingWithSuffixes. (#​7421)
• Improve performance of concurrent measurements in go.opentelemetry.io/otel/sdk/metric. (#​7427)
• Include W3C TraceFlags (bits 0–7) in the OTLP Span.Flags field in go.opentelemetry.io/exporters/otlp/otlptrace/otlptracehttp and go.opentelemetry.io/exporters/otlp/otlptrace/otlptracegrpc. (#​7438)
• The ErrorType function in go.opentelemetry.io/otel/semconv/v1.37.0 now handles custom error types.
  If an error implements an ErrorType() string method, the return value of that method will be used as the error type. (#​7442)

Fixed

• Fix WithInstrumentationAttributes options in go.opentelemetry.io/otel/trace, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/log to properly merge attributes when passed multiple times instead of replacing them. Attributes with duplicate keys will use the last value passed. (#​7300)
• The equality of attribute.Set when using the Equal method is not affected by the user overriding the empty set pointed to by attribute.EmptySet in go.opentelemetry.io/otel/attribute. (#​7357)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​7372)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7372)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​7372)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​7372)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​7372)
• Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​7372)
• Fix AddAttributes, SetAttributes, SetBody on Record in go.opentelemetry.io/otel/sdk/log to not mutate input. (#​7403)
• Do not double record measurements of RecordSet methods in go.opentelemetry.io/otel/semconv/v1.37.0. (#​7655)
• Do not double record measurements of RecordSet methods in go.opentelemetry.io/otel/semconv/v1.36.0. (#​7656)

Removed

• Drop support for [Go 1.23]. (#​7274)
• Remove the FilterProcessor interface in go.opentelemetry.io/otel/sdk/log. The Enabled method has been added to the Processor interface instead. All Processor implementations must now implement the Enabled method. Custom processors that do not filter records can implement Enabled to return true. (#​7639)

What's Changed

• Drop support for Go 1.23 by @​MrAlias in #​7274
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.40.0 by @​renovate[bot] in #​7275
• chore(deps): update module github.com/securego/gosec/v2 to v2.22.8 by @​renovate[bot] in #​7276
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.4.0 by @​renovate[bot] in #​7277
• fix(deps): update golang.org/x by @​renovate[bot] in #​7188
• fix(deps): update module github.com/opentracing-contrib/go-grpc to v0.1.2 by @​renovate[bot] in #​7281
• fix(deps): update googleapis to ef028d9 by @​renovate[bot] in #​7279
• chore(deps): update module github.com/rogpeppe/go-internal to v1.14.1 by @​renovate[bot] in #​7283
• chore(deps): update module github.com/spf13/pflag to v1.0.9 by @​renovate[bot] in #​7282
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 0261db7 by @​renovate[bot] in #​7278
• Fix missing link in changelog by @​MrAlias in #​7273
• chore(deps): update module github.com/spf13/cobra to v1.10.0 by @​renovate[bot] in #​7285
• chore(deps): update github/codeql-action action to v3.30.0 by @​renovate[bot] in #​7284
• chore(deps): update module github.com/spf13/cobra to v1.10.1 by @​renovate[bot] in #​7286
• Add tracetest example for testing instrumentation by @​adity1raut in #​7107
• Fix schema urls by @​dmathieu in #​7288
• chore(deps): update module github.com/spf13/pflag to v1.0.10 by @​renovate[bot] in #​7291
• chore(deps): update benchmark-action/github-action-benchmark action to v1.20.5 by @​renovate[bot] in #​7293
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.16 by @​renovate[bot] in #​7289
• chore(deps): update module github.com/golangci/go-printf-func-name to v0.1.1 by @​renovate[bot] in #​7290
• chore(deps): update module mvdan.cc/gofumpt to v0.9.0 by @​renovate[bot] in #​7292
• fix(deps): update module go.opentelemetry.io/proto/otlp to v1.8.0 by @​renovate[bot] in #​7296
• chore(deps): update actions/stale action to v10 by @​renovate[bot] in #​7299
• chore(deps): update actions/setup-go action to v6 by @​renovate[bot] in #​7298
• fix(deps): update module github.com/prometheus/client_golang to v1.23.1 by @​renovate[bot] in #​7304
• chore(deps): update codecov/codecov-action action to v5.5.1 by @​renovate[bot] in #​7303
• Add Observability section to CONTRIBUTING doc by @​MrAlias in #​7272
• chore(deps): update module github.com/bombsimon/wsl/v5 to v5.2.0 by @​renovate[bot] in #​7309
• chore(deps): update golang.org/x/telemetry digest to 9b996f7 by @​renovate[bot] in #​7308
• chore(deps): update github/codeql-action action to v3.30.1 by @​renovate[bot] in #​7312
• chore(deps): update github.com/grafana/regexp digest to f7b3be9 by @​renovate[bot] in #​7311
• chore(deps): update module github.com/pjbgf/sha1cd to v0.5.0 by @​renovate[bot] in #​7317
• chore(deps): update golang.org/x/telemetry digest to af835b0 by @​renovate[bot] in #​7313
• fix(deps): update module github.com/prometheus/client_golang to v1.23.2 by @​renovate[bot] in #​7314
• chore(deps): update benchmark-action/github-action-benchmark action to v1.20.7 by @​renovate[bot] in #​7319
• Don't track min and max when disabled by @​dashpole in #​7306
• fix(deps): update golang.org/x by @​renovate[bot] in #​7320
• Add benchmark for exponential histogram measurements by @​dashpole in #​7305
• chore(deps): update golang.org/x by @​renovate[bot] in #​7324
• chore(deps): update module mvdan.cc/gofumpt to v0.9.1 by @​renovate[bot] in #​7322
• trace,metric,log: WithInstrumentationAttributes options to merge attributes by @​pellared in #​7300
• Encapsulate observability in Logs SDK by @​MrAlias in #​7315
• trace,metric,log: add WithInstrumentationAttributeSet option by @​pellared in #​7287
• chore(deps): update module github.com/spf13/afero to v1.15.0 by @​renovate[bot] in #​7330
• chore(deps): update module github.com/sagikazarmark/locafero to v0.11.0 by @​renovate[bot] in #​7329
• chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.3.0 by @​renovate[bot] in #​7327
• chore(deps): update module github.com/antonboom/errname to v1.1.1 by @​renovate[bot] in #​7338
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.41.0 by @​renovate[bot] in #​7337
• chore(deps): update module github.com/spf13/viper to v1.21.0 by @​renovate[bot] in #​7334
• chore(deps): update module github.com/spf13/cast to v1.10.0 by @​renovate[bot] in #​7333
• fix(deps): update googleapis to 9702482 by @​renovate[bot] in #​7335
• chore(deps): update github/codeql-action action to v3.30.2 by @​renovate[bot] in #​7339
• chore(deps): update golang.org/x by @​renovate[bot] in #​7326
• fix(deps): update module google.golang.org/protobuf to v1.36.9 by @​renovate[bot] in #​7340
• Encapsulate stdouttrace.Exporter instrumentation in internal package by @​MrAlias in #​7307
• Do not allocate instrument options if possible in generated semconv packages by @​MrAlias in #​7328
• chore(deps): update module github.com/antonboom/nilnil to v1.1.1 by @​renovate[bot] in #​7343
• chore(deps): update module golang.org/x/net to v0.44.0 by @​renovate[bot] in #​7341
• fix(deps): update module golang.org/x/tools to v0.37.0 by @​renovate[bot] in #​7347
• fix(deps): update module google.golang.org/grpc to v1.75.1 by @​renovate[bot] in #​7344
• chore(deps): update module go.yaml.in/yaml/v2 to v2.4.3 by @​renovate[bot] in #​7349
• chore(deps): update github/codeql-action action to v3.30.3 by @​renovate[bot] in #​7348
• Rename Self-Observability as just Observability by @​MrAlias in #​7302
• fix(deps): update golang.org/x to df92998 by @​renovate[bot] in #​7350
• trace,metric,log: change WithInstrumentationAttributes to not de-depuplicate the passed attributes in a closure by @​axw in #​7266
• sdk/metric: add example for metricdatatest package by @​sanojsubran in #​7323
• chore(deps): update module github.com/antonboom/testifylint to v1.6.4 by @​renovate[bot] in #​7359
• chore(deps): update module github.com/nunnatsa/ginkgolinter to v0.21.0 by @​renovate[bot] in #​7362
• chore(deps): update module github.com/tetafro/godot to v1.5.2 by @​renovate[bot] in #​7360
• Do not use the user-defined empty set when comparing sets. by @​MrAlias in #​7357
• Track context containing span in recordingSpan by @​MrAlias in #​7354
• fix(deps): update module go.opentelemetry.io/auto/sdk to v1.2.1 by @​renovate[bot] in #​7365
• Encapsulate SDK BatchSpanProcessor observability by @​MrAlias in #​7332
• Encapsulate SDK Tracer observability by @​MrAlias in #​7331
• chore: generate feature flag files from shared by @​flc1125 in #​7361
• fix(deps): update module github.com/prometheus/otlptranslator to v1 by @​renovate[bot] in #​7358
• chore(deps): update module github.com/djarvur/go-err113 to v0.1.1 by @​renovate[bot] in #​7368
• Fix the typo in the function name TestNewInstrumentation by @​yumosx in #​7369
• Use Set hash in Distinct (2nd attempt) by @​dashpole in #​7175
• chore(deps): update module github.com/ldez/grignotin to v0.10.1 by @​renovate[bot] in #​7373
• chore(deps): update module github.com/kulti/thelper to v0.7.1 by @​renovate[bot] in #​7376
• chore(deps): update otel/weaver docker tag to v0.18.0 by @​renovate[bot] in #​7377
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to a6e64aa by @​renovate[bot] in #​7375
• feat(prometheus): Add observability for prometheus exporter by @​tongoss in #​7345
• Return partial OTLP export errors to the caller by @​MrAlias in #​7372
• sdk/log: add TestRecordMethodsInputConcurrentSafe by @​pellared in #​7378
• chore(deps): update module github.com/sagikazarmark/locafero to v0.12.0 by @​renovate[bot] in #​7390
• chore(deps): update module github.com/tetafro/godot to v1.5.4 by @​renovate[bot] in #​7391
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.5.0 by @​renovate[bot] in #​7392
• chore: sdk/log/internal/x - generate x package from x component template by @​nikhilmantri0902 in #​7389
• chore(deps): update module go.opentelemetry.io/build-tools to v0.28.0 by @​renovate[bot] in #​7394
• fix(deps): update build-tools to v0.28.0 by @​renovate[bot] in #​7395
• fix(deps): update googleapis to 9219d12 by @​renovate[bot] in #​7393
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.42.0 by @​renovate[bot] in #​7397
• refactor: replace context.Background() with t.Context()/b.Context() in tests by @​flc1125 in #​7352
• sdk/log: BenchmarkAddAttributes, BenchmarkSetAttributes, BenchmarkSetBody by @​pellared in #​7387
• Link checker: ignore https localhost uris by @​dmathieu in #​7399
• chore(deps): update module github.com/ldez/gomoddirectives to v0.7.1 by @​renovate[bot] in #​7400
• chore(deps): update module dev.gaijin.team/go/golib to v0.7.0 by @​renovate[bot] in #​7402
• Add experimental x package to otlptracegrpc by @​MrAlias in #​7401
• chore(deps): update actions/cache action to v4.3.0 by @​renovate[bot] in #​7409
• [chore]: Clean-up unused obsScopeName const by @​MrAlias in #​7408
• Add benchmark for synchronous gauge measurement by @​dashpole in #​7407
• Add measure benchmarks with exemplars recorded by @​dashpole in #​7406
• chore(deps): update github/codeql-action action to v3.30.4 by @​renovate[bot] in #​7414
• chore(deps): update module github.com/quasilyte/go-ruleguard to v0.4.5 by @​renovate[bot] in #​7416
• chore(deps): update module github.com/quasilyte/go-ruleguard/dsl to v0.3.23 by @​renovate[bot] in #​7417
• Optimize the return type of ExportSpans by @​MrAlias in #​7405
• Optimize Observability return types in in Prometheus exporter by @​MrAlias in #​7410
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.17 by @​renovate[bot] in #​7418
• chore(deps): update module github.com/cyphar/filepath-securejoin to v0.5.0 by @​renovate[bot] in #​7419
• Add concurrent safe tests for metric aggregations by @​dashpole in #​7379
• chore(deps): update github/codeql-action action to v3.30.5 by @​renovate[bot] in #​7425
• sdk/trace/internal/x: generate x package from x component template #​7385 by @​ternua8 in #​7411
• chore(deps): update module go.augendre.info/fatcontext to v0.9.0 by @​renovate[bot] in #​7426
• Generate gRPC Client target parsing func by @​MrAlias in #​7424
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.19 by @​renovate[bot] in #​7428
• Prometheus exporter: change default translation strategy by @​dashpole in #​7421
• Only enforce cardinality limits when the attribute set does not already exist by @​dashpole in #​7422
• fix(deps): update googleapis to 57b25ae by @​renovate[bot] in #​7429
• chore(deps): update module github.com/charmbracelet/x/ansi to v0.10.2 by @​renovate[bot] in #​7432
• chore(deps): update golang.org/x/telemetry digest to 8e64475 by @​renovate[bot] in #​7431
• chore(deps): update ossf/scorecard-action action to v2.4.3 by @​renovate[bot] in #​7435
• Allow optimizing locking for built-in exemplar reservoirs by @​dashpole in #​7423
• chore(deps): update golang.org/x/telemetry digest to 4eae98a by @​renovate[bot] in #​7439
• chore(deps): update peter-evans/create-issue-from-file action to v6 by @​renovate[bot] in #​7440
• Add temporality selector functions by @​dprotaso in #​7434
• fix(deps): update module google.golang.org/protobuf to v1.36.10 by @​renovate[bot] in #​7445
• chore(deps): update github/codeql-action action to v3.30.6 by @​renovate[bot] in #​7446
• Skip link checking for acm.org which blocks the link checker by @​dashpole in #​7444
• feat: logs SDK observability - otlploggrpc exporter metrics by @​yumosx in #​7353
• fix(deps): update golang.org/x to 27f1f14 by @​renovate[bot] in #​7448
• fix(deps): update googleapis to 7c0ddcb by @​renovate[bot] in #​7449
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.3 by @​renovate[bot] in #​7450
• Add exemplar reservoir parallel benchmarks by @​dashpole in #​7441
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.17 by @​renovate[bot] in #​7451
• chore(deps): update actions/stale action to v10.1.0 by @​renovate[bot] in #​7452
• Support custom error type semantics by @​MrAlias in #​7442
• fix(deps): update build-tools to v0.28.1 by @​renovate[bot] in #​7455
• chore(deps): update module github.com/go-git/go-git/v5 to v5.16.3 by @​renovate[bot] in #​7456
• chore(deps): update module github.com/bombsimon/wsl/v5 to v5.3.0 by @​renovate[bot] in #​7457
• sdk/trace: trace id high 64 bit tests by @​mahendrabishnoi2 in #​7212
• Add the internal/observ package to otlptracegrpc by @​MrAlias in #​7404
• fix(deps): update googleapis to 65f7160 by @​renovate[bot] in #​7460
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.43.0 by @​renovate[bot] in #​7461
• fix(deps): update module google.golang.org/grpc to v1.76.0 by @​renovate[bot] in #​7463
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.43.0 by @​renovate[bot] in #​7462
• Use sync.Map and atomics to improve sum performance by @​dashpole in #​7427
• chore(deps): update module github.com/stretchr/objx to v0.5.3 by @​renovate[bot] in #​7464
• chore(deps): update module github.com/prometheus/common to v0.67.1 by @​renovate[bot] in #​7465
• Document the ordering guarantees provided by the metrics SDK by @​dashpole in #​7453
• chore(deps): update github/codeql-action action to v3.30.7 by @​renovate[bot] in #​7467
• chore(deps): update google.golang.org/genproto/googleapis/api digest to 49b9836 by @​renovate[bot] in #​7468
• Instrument the otlptracegrpc exporter by @​MrAlias in #​7459
• fix(deps): update google.golang.org/genproto/googleapis/rpc digest to 49b9836 by @​renovate[bot] in #​7469
• chore(deps): update module golang.org/x/net to v0.45.0 by @​renovate[bot] in #​7470
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in #​7472
• chore(deps): update module github.com/skeema/knownhosts to v1.3.2 by @​renovate[bot] in #​7471
• fix(deps): update golang.org/x by @​renovate[bot] in #​7475
• chore(deps): update golang.org/x by @​renovate[bot] in #​7477
• chore(deps): update module github.com/nunnatsa/ginkgolinter to v0.21.2 by @​renovate[bot] in #​7481
• chore(deps): update module github.com/ldez/exptostd to v0.4.5 by @​renovate[bot] in #​7483
• Add the internal x package to otlptracehttp by @​MrAlias in #​7476
• Add a version const to otlptracehttp by @​MrAlias in #​7479
• feat: Improve error handling in prometheus exporter by @​tongoss in #​7363
• Add the internal/observ pkg to otlptracehttp by @​MrAlias in #​7480
• Move sdk/internal/env to sdk/trace/internal/env by @​dmathieu in #​7437
• chore(deps): update module github.com/gofrs/flock to v0.13.0 by @​renovate[bot] in #​7487
• Instrument the otlptracehttp exporter by @​MrAlias in #​7486
• chore(deps): update github/codeql-action action to v4.30.8 by @​renovate[bot] in #​7489
• chore(deps): update module github.com/catenacyber/perfsprint to v0.10.0 by @​renovate[bot] in #​7496
• OTLP trace exporter include W3C trace flags (bits 0–7) in Span.Flags by @​nikhilmantri0902 in #​7438
• Fix typos and linguistic errors in documentation / hacktoberfest by @​survivant in #​7494
• chore(deps): update module github.com/kunwardeep/paralleltest to v1.0.15 by @​renovate[bot] in #​7501
• RELEASING - Remove demo-accounting service from dependency list by @​Kielek in #​7503
• Added the internal/observ package to otlploghttp by @​yumosx in #​7484
• fix(deps): update googleapis to 4626949 by @​renovate[bot] in #​7506
• chore(deps): update module github.com/godoc-lint/godoc-lint to v0.10.1 by @​renovate[bot] in #​7508
• fix(observ): correct rejected items and update comment style by @​yumosx in #​7502
• chore(deps): update module github.com/go-critic/go-critic to v0.14.0 by @​renovate[bot] in #​7509
• Prometheus exporter tests: iterate through all scopes rather than looking only at the first by @​tongoss in #​7510
• chore: sdk/internal/x - generate x package from shared template by @​nikhilmantri0902 in #​7495
• sdk/log: Fix AddAttributes, SetAttributes, SetBody on Record to not mutate input by @​pellared in #​7403
• chore(deps): update github/codeql-action action to v4.30.9 by @​renovate[bot] in #​7515
• feat: sdk/trace: span processed metric for simple span processor by @​mahendrabishnoi2 in #​7374
• Simulate failures for histogram creation paths without risking a nil-interface panic by @​tongoss in #​7518
• fix(deps): update golang.org/x by @​renovate[bot] in #​7482
• fix(deps): update googleapis to 88f65dc by @​renovate[bot] in #​7521
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.44.0 by @​renovate[bot] in #​7522
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.44.0 by @​renovate[bot] in #​7523
• chore(deps): update module github.com/abirdcfly/dupword to v0.1.7 by @​renovate[bot] in #​7525
• Instrument the otlploghttp exporter by @​yumosx in #​7512
• chore(deps): update module mvdan.cc/gofumpt to v0.9.2 by @​renovate[bot] in #​7527
• Move scorpionknifes to emeritus by @​dmathieu in #​7526
• chore(deps): update module github.com/prometheus/procfs to v0.18.0 by @​renovate[bot] in #​7530
• fix(deps): update googleapis to 3a174f9 by @​renovate[bot] in #​7529
• chore(deps): update golang.org/x/telemetry digest to 5be28d7 by @​renovate[bot] in #​7528
• fix(deps): update golang.org/x to a4bb9ff by @​renovate[bot] in #​7533
• Added the internal/observ package to log by @​yumosx in #​7532
• chore(deps): update module github.com/charithe/durationcheck to v0.0.11 by @​renovate[bot] in #​7534
• chore(deps): update github artifact actions (major) by [@&Add common data with the scheme  #8

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 15 additional dependencies were updated

Details:

Package	Change
golang.org/x/tools	v0.36.0 -> v0.38.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.2 -> v2.27.3
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp	v1.7.1 -> v1.9.0
golang.org/x/mod	v0.27.0 -> v0.29.0
golang.org/x/net	v0.43.0 -> v0.47.0
golang.org/x/sync	v0.17.0 -> v0.18.0
golang.org/x/sys	v0.35.0 -> v0.39.0
golang.org/x/text	v0.29.0 -> v0.31.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc	v1.75.0 -> v1.77.0
google.golang.org/protobuf	v1.36.8 -> v1.36.10

File name: tests/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 18 additional dependencies were updated

Details:

Package	Change
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.2 -> v2.27.3
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp	v1.7.1 -> v1.9.0
golang.org/x/crypto	v0.43.0 -> v0.44.0
golang.org/x/mod	v0.28.0 -> v0.29.0
golang.org/x/net	v0.45.0 -> v0.47.0
golang.org/x/sync	v0.17.0 -> v0.18.0
golang.org/x/sys	v0.37.0 -> v0.39.0
golang.org/x/text	v0.30.0 -> v0.31.0
golang.org/x/tools	v0.37.0 -> v0.38.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc	v1.75.0 -> v1.77.0
google.golang.org/protobuf	v1.36.8 -> v1.36.10

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 15 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

tests/go.mod

Name	Version	Vulnerability	Severity
golang.org/x/crypto	0.44.0	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	moderate
		golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	moderate

License Issues

go.mod

Package	Version	License	Issue Type
golang.org/x/mod	0.29.0	Null	Unknown License
golang.org/x/net	0.47.0	Null	Unknown License
golang.org/x/sync	0.18.0	Null	Unknown License
golang.org/x/sys	0.39.0	Null	Unknown License
golang.org/x/text	0.31.0	Null	Unknown License
golang.org/x/tools	0.38.0	Null	Unknown License
google.golang.org/protobuf	1.36.10	Null	Unknown License

tests/go.mod

Package	Version	License	Issue Type
golang.org/x/crypto	0.44.0	Null	Unknown License
golang.org/x/mod	0.29.0	Null	Unknown License
golang.org/x/net	0.47.0	Null	Unknown License
golang.org/x/sync	0.18.0	Null	Unknown License
golang.org/x/sys	0.39.0	Null	Unknown License
golang.org/x/text	0.31.0	Null	Unknown License
golang.org/x/tools	0.38.0	Null	Unknown License
google.golang.org/protobuf	1.36.10	Null	Unknown License

Allowed Licenses:

Apache-1.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, ISC, MIT, NCSA, OpenSSL, Python-2.0, X11, CC0-1.0, CC-BY-4.0

Excluded from license check:

pkg:githubactions/fossas/fossa-action, pkg:githubactions/opentofu/setup-opentofu, pkg:golang/github.com/shoenig/go-m1cpu, pkg:pypi/pytest-metadata

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/cespare/xxhash/v2	2.3.0	🟢 3.6	Details Check Score Reason Code-Review ⚠️ 2 Found 6/28 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/grpc-ecosystem/grpc-gateway/v2	2.27.3	🟢 5.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Vulnerabilities ⚠️ 0 39 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/go.opentelemetry.io/auto/sdk	1.2.1	🟢 8.1	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ -1 Found no human activity in the last 30 changesets Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/proto/otlp	1.9.0	🟢 7.9	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 9 contributing companies or organizations
gomod/golang.org/x/mod	0.29.0	Unknown	Unknown
gomod/golang.org/x/net	0.47.0	Unknown	Unknown
gomod/golang.org/x/sync	0.18.0	Unknown	Unknown
gomod/golang.org/x/sys	0.39.0	Unknown	Unknown
gomod/golang.org/x/text	0.31.0	Unknown	Unknown
gomod/golang.org/x/tools	0.38.0	Unknown	Unknown
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20251202230838-ff82c1b0f217	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20251202230838-ff82c1b0f217	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1
gomod/google.golang.org/grpc	1.77.0	🟢 7.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 7 SAST tool detected but not run on all commits
gomod/google.golang.org/protobuf	1.36.10	Unknown	Unknown
gomod/golang.org/x/crypto	0.44.0	Unknown	Unknown
gomod/github.com/cespare/xxhash/v2	2.3.0	🟢 3.6	Details Check Score Reason Code-Review ⚠️ 2 Found 6/28 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/grpc-ecosystem/grpc-gateway/v2	2.27.3	🟢 5.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Vulnerabilities ⚠️ 0 39 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/go.opentelemetry.io/auto/sdk	1.2.1	🟢 8.1	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ -1 Found no human activity in the last 30 changesets Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.39.0	🟢 9.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 3 out of the last 3 releases have a total of 3 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/proto/otlp	1.9.0	🟢 7.9	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 9 contributing companies or organizations
gomod/golang.org/x/mod	0.29.0	Unknown	Unknown
gomod/golang.org/x/net	0.47.0	Unknown	Unknown
gomod/golang.org/x/sync	0.18.0	Unknown	Unknown
gomod/golang.org/x/sys	0.39.0	Unknown	Unknown
gomod/golang.org/x/text	0.31.0	Unknown	Unknown
gomod/golang.org/x/tools	0.38.0	Unknown	Unknown
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20251202230838-ff82c1b0f217	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20251202230838-ff82c1b0f217	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1
gomod/google.golang.org/grpc	1.77.0	🟢 7.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 7 SAST tool detected but not run on all commits
gomod/google.golang.org/protobuf	1.36.10	Unknown	Unknown

Scanned Files

• go.mod
• tests/go.mod

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 15 additional dependencies were updated

Details:

Package	Change
golang.org/x/tools	v0.36.0 -> v0.38.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.2 -> v2.27.3
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp	v1.7.1 -> v1.9.0
golang.org/x/mod	v0.27.0 -> v0.29.0
golang.org/x/net	v0.43.0 -> v0.47.0
golang.org/x/sync	v0.17.0 -> v0.18.0
golang.org/x/sys	v0.35.0 -> v0.39.0
golang.org/x/text	v0.29.0 -> v0.31.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc	v1.75.0 -> v1.77.0
google.golang.org/protobuf	v1.36.8 -> v1.36.10

File name: tests/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 18 additional dependencies were updated

Details:

Package	Change
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.2 -> v2.27.3
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp	v1.7.1 -> v1.9.0
golang.org/x/crypto	v0.43.0 -> v0.44.0
golang.org/x/mod	v0.28.0 -> v0.29.0
golang.org/x/net	v0.45.0 -> v0.47.0
golang.org/x/sync	v0.17.0 -> v0.18.0
golang.org/x/sys	v0.37.0 -> v0.39.0
golang.org/x/text	v0.30.0 -> v0.31.0
golang.org/x/tools	v0.37.0 -> v0.38.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc	v1.75.0 -> v1.77.0
google.golang.org/protobuf	v1.36.8 -> v1.36.10