fix(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to v0.19.0 [security]

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.3.0 -> v0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.14.0 -> v0.19.0

---

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

• exporters/otlp/otlptrace/otlptracehttp/client.go:199
• exporters/otlp/otlptrace/otlptracehttp/client.go:230
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
• exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
• exporters/otlp/otlplog/otlploghttp/client.go:190
• exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
• https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
• https://nvd.nist.gov/vuln/detail/CVE-2026-39882
• https://github.com/open-telemetry/opentelemetry-go/pull/8108
• https://github.com/open-telemetry/opentelemetry-go
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)

v0.19.0

Compare Source

Added

• Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#​1586)
• A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#​1608)
• Added WithSampler and WithSpanLimits to tracer provider. (#​1633, #​1702)
• "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#​1701)
• A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#​1703)

Changed

• trace.SpanContext is now immutable and has no exported fields. (#​1573)
  • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
• Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#​1608)
• Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#​1608)
• The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#​1612)
• "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#​1656)
• Added non-empty string check for trace Attribute keys. (#​1659)
• Add description to SpanStatus only when StatusCode is set to error. (#​1662)
• Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#​1673)
• Jaeger exporter populates Jaeger's Span Process from Resource. (#​1673)
• Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#​1692)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#​1693)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#​1693)
• "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#​1703)
• "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#​1703)

Removed

• Removed serviceName parameter from Zipkin exporter and uses resource instead. (#​1549)
• Removed WithConfig from tracer provider to avoid overriding configuration. (#​1633)
• Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs.
  These are now returned as a SpanProcessor interface from their respective constructors. (#​1638)
• Removed WithRecord() from trace.SpanOption when creating a span. (#​1660)
• Removed setting status to Error while recording an error as a span event in RecordError. (#​1663)
• Removed jaeger.WithProcess configuration option. (#​1673)
• Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#​1693)

Fixed

• Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#​1626)
• SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#​1655)
• The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#​1678)
• Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#​1681)
• Synchronization issues in global trace delegate implementation. (#​1686)
• Reduced excess memory usage by global TracerProvider. (#​1687)

---

Raw changes made between v0.18.0 and v0.19.0

2b4fa96 (HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 (#​1710)
4beb704 sdk/trace: removing ApplyConfig and Config (#​1693)
1d42be1 Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (#​1702)
860d5d8 Add flag to determine whether SpanContext is remote (#​1701)
0fe65e6 Comply with OpenTelemetry attributes specification (#​1703)
8888435 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (#​1700)
345f264 (global-docs) breaking(zipkin): removes servicName from zipkin exporter. (#​1697)
62cbf0f Populate Jaeger's Span.Process from Resource (#​1673)
28eaaa9 Add a test to prove the Tracer is safe for concurrent calls (#​1665)
8b1be11 Rename resource pkg label vars and methods (#​1692)
a1539d4 OpenCensus metric exporter bridge (#​1444)
77aa218 Fix issue #​1490, apply same logic as in the SDK (#​1687)
9d3416c Fix synchronization issues in global trace delegate implementation (#​1686)
58f69f0 Span status from HTTP code: Do not set status message if it can be inferred (#​1681)
9c305bd Flush metric events prior to shutdown in OTLP example (#​1678)
66b1135 Fix CHANGELOG (#​1680)
90bd4ab Update employer information for maintainers (#​1683)
3684191 Remove WithRecord() option from trace.SpanOption when starting a span (#​1660)
65c7de2 Remove trace prefix from NoOp src files. (#​1679)
e88a091 Make SpanContext Immutable (#​1573)
d75e268 Avoid overriding configuration of tracer provider (#​1633)
2b4d5ac Bump github.com/golangci/golangci-lint in /internal/tools (#​1671)
150b868 Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#​1667)
76aa924 Fix the examples target info messaging (#​1676)
a3aa9fd Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (#​1672)
a5edd79 Removed setting error status while recording err as span event (#​1663)
e981475 chore(zipkin): improves zipkin example to not to depend on timeouts. (#​1566)
3dc91f2 Add ForceFlush method to TracerProvider (#​1608)
bd0bba4 exporter: swap pusher for exporter (#​1656)
5690485 Update the SimpleSpanProcessor (#​1612)
a7f7aba SpanStatus description set only when status code is set to Error (#​1662)
05252f4 Jaeger Exporter: Fix minor mapping discrepancies (#​1626)
238e7c6 Add non-empty string check for attribute keys (#​1659)
e9b9aca Add tests for propagation of Sampler Tracestate changes (#​1655)
875a258 Add docs on when reviews should be cleared (#​1556)
7153ef2 Add HTTP/JSON to the otlp exporter (#​1586)
62e2a0f Unexport the simple and batch SpanProcessors (#​1638)
992837f Add TracerProvider tests to oteltest harness (#​1607)

v0.18.0

Compare Source

Added

• Added resource.Default() for use with meter and tracer providers. (#​1507)
• AttributePerEventCountLimit and AttributePerLinkCountLimit for SpanLimits. (#​1535)
• Added Keys() method to propagation.TextMapCarrier and propagation.HeaderCarrier to adapt http.Header to this interface. (#​1544)
• Added code attributes to go.opentelemetry.io/otel/semconv package. (#​1558)
• Compatibility testing suite in the CI system for the following systems. (#​1567)

  OS	Go Version	Architecture
  Ubuntu	1.15	amd64
  Ubuntu	1.14	amd64
  Ubuntu	1.15	386
  Ubuntu	1.14	386
  MacOS	1.15	amd64
  MacOS	1.14	amd64
  Windows	1.15	amd64
  Windows	1.14	amd64
  Windows	1.15	386
  Windows	1.14	386

Changed

• Replaced interface oteltest.SpanRecorder with its existing implementation
  StandardSpanRecorder (#​1542).
• Default span limit values to 128. (#​1535)
• Rename MaxEventsPerSpan, MaxAttributesPerSpan and MaxLinksPerSpan to EventCountLimit, AttributeCountLimit and LinkCountLimit, and move these fields into SpanLimits. (#​1535)
• Renamed the otel/label package to otel/attribute. (#​1541)
• Vendor the Jaeger exporter's dependency on Apache Thrift. (#​1551)
• Parallelize the CI linting and testing. (#​1567)
• Stagger timestamps in exact aggregator tests. (#​1569)
• Changed all examples to use WithBatchTimeout(5 * time.Second) rather than WithBatchTimeout(5). (#​1621)
• Prevent end-users from implementing some interfaces (#​1575)

      "otel/exporters/otlp/otlphttp".Option
      "otel/exporters/stdout".Option
      "otel/oteltest".Option
      "otel/trace".TracerOption
      "otel/trace".SpanOption
      "otel/trace".EventOption
      "otel/trace".LifeCycleOption
      "otel/trace".InstrumentationOption
      "otel/sdk/resource".Option
      "otel/sdk/trace".ParentBasedSamplerOption
      "otel/sdk/trace".ReadOnlySpan
      "otel/sdk/trace".ReadWriteSpan

Removed

• Removed attempt to resample spans upon changing the span name with span.SetName(). (#​1545)
• The test-benchmark is no longer a dependency of the precommit make target. (#​1567)
• Removed the test-386 make target.
  This was replaced with a full compatibility testing suite (i.e. multi OS/arch) in the CI system. (#​1567)

Fixed

• The sequential timing check of timestamps in the stdout exporter are now setup explicitly to be sequential (#​1571). (#​1572)
• Windows build of Jaeger tests now compiles with OS specific functions (#​1576). (#​1577)
• The sequential timing check of timestamps of go.opentelemetry.io/otel/sdk/metric/aggregator/lastvalue are now setup explicitly to be sequential (#​1578). (#​1579)
• Validate tracestate header keys with vedors according to the W3C TraceContext specification (#​1475). (#​1581)
• The OTLP exporter includes related labels for translations of a GaugeArray (#​1563). (#​1570)

Raw changes made between v0.17.0 and v0.18.0

bb4c297 Pre release v0.18.0 (#​1635)
712c3dc Fix makefile ci target and coverage test packages (#​1634)
841d2a5 Rename local var new to not collide with builtin (#​1610)
13938ab Update SpanProcessor docs (#​1611)
e25503a Add compatibility tests to CI (#​1567)
1519d95 Use reasonable interval in sdktrace.WithBatchTimeout (#​1621)
7d4496e Pass metric labels when transforming to gaugeArray (#​1570)
6d4a5e0 Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp (#​1619)
a93393a Bump google.golang.org/grpc in /example/prom-collector (#​1620)
e499ca8 Fix validation for tracestate with vendor and add tests (#​1581)
43886e5 Make timestamps sequential in lastvalue agg check (#​1579)
37688ef revent end-users from implementing some interfaces (#​1575)
85e696d Updating documentation with an working example for creating NewExporter (#​1513)
562eb28 Unify the Added sections of the unreleased changes (#​1580)
c4cf1af Fix Windows build of Jaeger tests (#​1577)
4a163be Fix stdout TestStdoutTimestamp failure with sleep (#​1572)
bd4701e Stagger timestamps in exact aggregator tests (#​1569)
b94cd4b add code attributes to semconv package (#​1558)
78c06ce Update docs from gitter to slack for communication (#​1554)
1307c91 Remove vendor exclude from license-check (#​1552)
5d2636e Bump github.com/golangci/golangci-lint in /internal/tools (#​1565)
d7aff47 Vendor Thrift dependency (#​1551)
298c5a1 Update span limits to conform with OpenTelemetry specification (#​1535)
ecf65d7 Rename otel/label -> otel/attribute (#​1541)
1b5b662 Remove resampling on span.SetName (#​1545)
8da5299 fix: grpc reconnection (#​1521)
3bce9c9 Add Keys() method to propagation.TextMapCarrier (#​1544)
0b1a1c7 Make oteltest.SpanRecorder into a concrete type (#​1542)
7d0e3e5 SDK span no modification after ended (#​1543)
7de3b58 Remove extra labels types (#​1314)
73194e4 Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger (#​1536)
8fae0a6 Create resource.Default() with required attributes/default values (#​1507)

v0.17.0

Compare Source

Changed

• Rename project default branch from master to main.
• Reverse order in which Resource attributes are merged, per change in spec. (#​1501)
• Add tooling to maintain "replace" directives in go.mod files automatically. (#​1528)
• Create new modules: otel/metric, otel/trace, otel/oteltest, otel/sdk/export/metric, otel/sdk/metric (#​1528)
• Move metric-related public global APIs from otel to otel/metric/global. (#​1528)

---

9b242bc (upstream/main, origin/main, main) Organize API into Go modules based on stability and dependencies (#​1528)
e50a1c8 Bump actions/cache from v2 to v2.1.4 (#​1518)
a6aa7f0 Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger (#​1517)
38efc87 Code Improvement - Error strings should not be capitalized (#​1488)
6b34050 Update default branch name (#​1505)
b39fd05 nit: Fix comment to be up-to-date (#​1510)
186c295 Fix golint error of package comment form (#​1487)
9308d66 Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger (#​1506)
1952d7b Reverse order of attribute precedence when merging two Resources (#​1501)
ad7b471 Remove build flags for runtime/trace support (#​1498)
4bf4b69 Remove inaccurate and unnecessary import comment (#​1481)
7e19eb6 Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger (#​1504)
c6a4406 Bump github.com/golangci/golangci-lint in /internal/tools (#​1503)
9524ac0 (upstream/master, origin/master, origin/HEAD) Update workflows to include main branch as trigger (#​1497)
c066f15 Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools (#​1478)
894e024 Bump github.com/golangci/golangci-lint in /internal/tools (#​1477)
71ffba3 Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp (#​1471)
515809a Bump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools (#​1472)
3e96ad1 gitignore: remove unused example path (#​1474)
c562277 Histogram aggregator functional options (#​1434)
0df8cd6 Rename Makefile.proto to avoid interpretation as proto file (#​1468)
979ff51 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#​1453)
1df8b3b Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp (#​1456)
4c30a90 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk (#​1455)
5a9f8f6 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout (#​1454)
7786f34 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin (#​1457)
4352a7a Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp (#​1460)
6990b3b Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus (#​1461)
7af40d2 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger (#​1463)
f16f189 Bump google.golang.org/grpc in /example/otel-collector (#​1465)
fe363be Move Span Event to API (#​1452)
4392224 Bump google.golang.org/grpc in /example/prom-collector (#​1466)

v0.16.0

Compare Source

Added

• Add the ReadOnlySpan and ReadWriteSpan interfaces to provide better control for accessing span data. (#​1360)
• NewGRPCDriver function returns a ProtocolDriver that maintains a single gRPC connection to the collector. (#​1369)
• Added documentation about the project's versioning policy. (#​1388)
• Added NewSplitDriver for OTLP exporter that allows sending traces and metrics to different endpoints. (#​1418)
• Added codeql worfklow to GitHub Actions (#​1428)
• Added Gosec workflow to GitHub Actions (#​1429)
• Add new HTTP driver for OTLP exporter in exporters/otlp/otlphttp. Currently it only supports the binary protobuf payloads. (#​1420)

Changed

• Rename internal/testing to internal/internaltest. (#​1449)
• Rename export.SpanData to export.SpanSnapshot and use it only for exporting spans. (#​1360)
• Store the parent's full SpanContext rather than just its span ID in the span struct. (#​1360)
• Improve span duration accuracy. (#​1360)
• Migrated CI/CD from CircleCI to GitHub Actions (#​1382)
• Remove duplicate checkout from GitHub Actions workflow (#​1407)
• Metric array aggregator renamed exact to match its aggregation.Kind (#​1412)
• Metric exact aggregator includes per-point timestamps (#​1412)
• Metric stdout exporter uses MinMaxSumCount aggregator for ValueRecorder instruments (#​1412)
• NewExporter from exporters/otlp now takes a ProtocolDriver as a parameter. (#​1369)
• Many OTLP Exporter options became gRPC ProtocolDriver options. (#​1369)
• Unify endpoint API that related to OTel exporter. (#​1401)
• Optimize metric histogram aggregator to re-use its slice of buckets. (#​1435)
• Metric aggregator Count() and histogram Bucket.Counts are consistently uint64. (1430)
• SamplingResult now passed a Tracestate from the parent SpanContext (#​1432)
• Moved gRPC driver for OTLP exporter to exporters/otlp/otlpgrpc. (#​1420)
• The TraceContext propagator now correctly propagates TraceState through the SpanContext. (#​1447)
• Metric Push and Pull Controller components are combined into a single "basic" Controller:
  • WithExporter() and Start() to configure Push behavior
  • Start() is optional; use Collect() and ForEach() for Pull behavior
  • Start() and Stop() accept Context. (#​1378)

Removed

• Remove errUninitializedSpan as its only usage is now obsolete. (#​1360)
• Remove Metric export functionality related to quantiles and summary data points: this is not specified (#​1412)
• Remove DDSketch metric aggregator; our intention is to re-introduce this as an option of the histogram aggregator after new OTLP histogram data types are released (#​1412)

Fixed

• BatchSpanProcessor.Shutdown() will now shutdown underlying export.SpanExporter. (#​1443)

Raw changes made between v0.15.0 and v0.16.0

0aadfb2 Prepare release v0.16.0 (#​1464)
207587b Metric histogram aggregator: Swap in SynchronizedMove to avoid allocations (#​1435)
c29c6fd Shutdown underlying span exporter while shutting down BatchSpanProcessor (#​1443)
dfece3d Combine the Push and Pull metric controllers (#​1378)
74deedd Handle tracestate in TraceContext propagator (#​1447)
49f699d Remove Quantile aggregation, DDSketch aggregator; add Exact timestamps (#​1412)
9c94941 Rename internal/testing to internal/internaltest (#​1449)
8d80981 Move gRPC driver to a subpackage and add an HTTP driver (#​1420)
9332af1 Bump github.com/golangci/golangci-lint in /internal/tools (#​1445)
5ed96e9 Update exporters/otlp Readme.md (#​1441)
bc9cb5e Switch CircleCI badge to GitHub Actions (#​1440)
716ad08 Remove CircleCI config (#​1439)
0682db1 Adding Security Workflows to GitHub Actions (2/2): gosec workflow (#​1429)
11f732b Adding Security Workflows to GitHub Actions (1/2): codeql workflow (#​1428)
40f1c00 Add Tracestate into the SamplingResult struct (#​1432)
db06c8d Flush metric events before shutdown in collector example (#​1438)
f6f458e Fix golint issue caused by typo in trace.go (#​1436)
fe9d1f7 Use uint64 Count consistently in metric aggregation (#​1430)
3a337d0 Bump github.com/golangci/golangci-lint in /internal/tools (#​1433)
1e4c832 cleanup: drop the removed examples in gitignore (#​1427)
5c9221c Unify endpoint API that related to OTel exporter (#​1401)
045c3ff Build scripts: Replace mapfile with read loop for old bash versions (#​1425)
2def8c3 Add Versioning Documentation (#​1388)
6bcd108 Bump github.com/itchyny/gojq from 0.11.2 to 0.12.0 in /internal/tools (#​1424)
38e76ef Add a split protocol driver for otlp exporter (#​1418)
[`439cd

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudaa-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: .dagger/go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: dagger/harbor-cli imports
	dagger/harbor-cli/internal/dagger: package dagger/harbor-cli/internal/dagger is not in std (/opt/containerbase/tools/golang/1.26.2/src/dagger/harbor-cli/internal/dagger)

[alaudabot]

[pr-assist-bot] Pending Owner Approval — Release branch security fix

This security dependency update targets alauda-v0.0.18 (a release/alauda branch). Automated merge is not performed on release branches.

The renovate/artifacts check is failing with an Artifact file update failure — the go.sum file needs to be regenerated. A repo owner should:

1. Run go mod tidy locally on this branch and push the updated go.sum, then approve and merge.

This is a security fix and should be prioritized.

[alaudabot]

PR Assist Bot — Owner Approval Needed

This PR targets release branch alauda-v0.0.18. Per policy, release-branch merges require explicit owner approval before the bot proceeds.

PR: AlaudaDevops/harbor-cli#9
Branch: alauda-v0.0.18
Type: Security / Dependency update (Renovate) — otlplog v0.19.0

Please reply with /approve-merge or provide explicit approval for the bot to merge this PR on the next sweep.

[alaudabot]

PR Assist Bot Analysis

Failure Type: Dependency Lock File Mismatch
Failed Checks: renovate/artifacts — Artifact file update failure
Root Cause: The go.sum file is out of sync after the go.opentelemetry.io/otel/exporters/.../otlploghttp v0.19.0 dependency update. Renovate was unable to automatically regenerate the artifact files.
PR Branch: alauda-v0.0.18 (release branch — bot auto-fix not permitted on release branches)
Suggested Fix: Manually run go mod tidy on the alauda-v0.0.18 branch and push the updated go.sum to unblock this PR.

[alaudabot]

PR Assist Bot Analysis

Status: Owner-approved but blocked on renovate/artifacts
Passing checks: lint, test-code, vulnerability-check ✅
Failing check: renovate/artifacts — Artifact file update failure (likely go.sum or lock file out of sync)
Branch: alauda-v0.0.18 (release branch — auto-fix not permitted by bot policy)
Action needed: Run go mod tidy locally on this branch and push the updated go.sum / go.mod to resolve the artifact failure. Once passing, the bot will merge on the next sweep.