chore: Sync fork with upstream grafana/alloy (v1.12 → v1.15+) #3
Merged
`otelcol.exporter.otlphttp` is what the Grafana databases and Grafana Cloud support. We should steer users towards that component so that they have a smoother onboarding experience. The reason why `otelcol.exporter.otlp` has been used so far is that historically Tempo only supported gRPC, and it was also the first Grafana DB to support OTel. Today Tempo supports HTTP, and Mimir and Loki only support HTTP OTLP.

Related to grafana#1310

---------

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
…r `logs` collector (grafana#5569)

### Brief description of Pull Request

Like we do in other collectors, propagate `exclude_databases` and `exclude_users` config options to the logs collector, allowing to specify databases and/or users that should be excluded from log parsing and metrics generation.

### Pull Request Details

### Issue(s) fixed by this Pull Request

### Notes to the Reviewer

### PR Checklist

- [ ] Documentation added
- [ ] Tests updated
- [ ] Config converters updated
These were previously in-progress and thus hidden. The first iteration is now complete so we can unhide them

**question:** does this publish the docs for users to see? Or is it available under `alloy/next`?

---------

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
Co-authored-by: Clayton Cornell <clayton.cornell@grafana.com>
This is a really flaky test. `testing/synctest` is sadly a bad fit because we are doing [external I/O](https://go.dev/blog/synctest#io).
Currently the docker version used in our ci for publishing alloy containers is broken due to the version being too old. We need to update the Alpine version in the build image to be able to get a newer version.
This should fix our issues with publishing new containers
This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) | action | patch | `v5.0.1` → `v5.0.3` | |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v6.0.1` → `v6.0.2` | |
| [actions/checkout](https://redirect.github.com/actions/checkout) ([changelog](https://redirect.github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8..de0fac2e4500dabe0009e67214ff5f5447ce83dd)) | action | digest | `8e8c483` → `de0fac2` | |
| [docker/build-push-action](https://redirect.github.com/docker/build-push-action) | action | minor | `v6.18.0` → `v6.19.2` | |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.31.9` → `v3.32.2` | `v3.32.3` |
| grafana/security-github-actions | action | digest | `b2c3d03` → `00b4cb4` | |
| [helm/kind-action](https://redirect.github.com/helm/kind-action) | action | minor | `v1.13.0` → `v1.14.0` | |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/cache (actions/cache)</summary>

### [`v5.0.3`](https://redirect.github.com/actions/cache/releases/tag/v5.0.3)

[Compare Source](https://redirect.github.com/actions/cache/compare/v5.0.2...v5.0.3)

##### What's Changed

- Bump `@actions/cache` to v5.0.5 (Resolves: <https://github.com/actions/cache/security/dependabot/33>)
- Bump `@actions/core` to v2.0.3

**Full Changelog**: <actions/cache@v5...v5.0.3>

### [`v5.0.2`](https://redirect.github.com/actions/cache/releases/tag/v5.0.2): v.5.0.2

[Compare Source](https://redirect.github.com/actions/cache/compare/v5.0.1...v5.0.2)

### v5.0.2

#### What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v6.0.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.1...v6.0.2)

- Fix tag handling: preserve annotations and explicit fetch-tags by [@ericsciple](https://redirect.github.com/ericsciple) in [#2356](https://redirect.github.com/actions/checkout/pull/2356)

</details>

<details>
<summary>docker/build-push-action (docker/build-push-action)</summary>

### [`v6.19.2`](https://redirect.github.com/docker/build-push-action/releases/tag/v6.19.2)

[Compare Source](https://redirect.github.com/docker/build-push-action/compare/v6.19.1...v6.19.2)

- Preserve port in `GIT_AUTH_TOKEN` host by [@crazy-max](https://redirect.github.com/crazy-max) in [#1458](https://redirect.github.com/docker/build-push-action/pull/1458)

**Full Changelog**: <docker/build-push-action@v6.19.1...v6.19.2>

### [`v6.19.1`](https://redirect.github.com/docker/build-push-action/releases/tag/v6.19.1)

[Compare Source](https://redirect.github.com/docker/build-push-action/compare/v6.19.0...v6.19.1)

- Derive `GIT_AUTH_TOKEN` host from GitHub server URL by [@crazy-max](https://redirect.github.com/crazy-max) in [#1456](https://redirect.github.com/docker/build-push-action/pull/1456)

**Full Changelog**: <docker/build-push-action@v6.19.0...v6.19.1>

### [`v6.19.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v6.19.0)

[Compare Source](https://redirect.github.com/docker/build-push-action/compare/v6.18.0...v6.19.0)

- Scope default git auth token to `github.com` by [@crazy-max](https://redirect.github.com/crazy-max) in [#1451](https://redirect.github.com/docker/build-push-action/pull/1451)
- Bump brace-expansion from 1.1.11 to 1.1.12 in [#1396](https://redirect.github.com/docker/build-push-action/pull/1396)
- Bump form-data from 2.5.1 to 2.5.5 in [#1391](https://redirect.github.com/docker/build-push-action/pull/1391)
- Bump js-yaml from 3.14.1 to 3.14.2 in [#1429](https://redirect.github.com/docker/build-push-action/pull/1429)
- Bump lodash from 4.17.21 to 4.17.23 in [#1446](https://redirect.github.com/docker/build-push-action/pull/1446)
- Bump tmp from 0.2.3 to 0.2.4 in [#1398](https://redirect.github.com/docker/build-push-action/pull/1398)
- Bump undici from 5.28.4 to 5.29.0 in [#1397](https://redirect.github.com/docker/build-push-action/pull/1397)

**Full Changelog**: <docker/build-push-action@v6.18.0...v6.19.0>

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.32.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.1...v3.32.2)

- Update default CodeQL bundle version to [2.24.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://redirect.github.com/github/codeql-action/pull/3460)

### [`v3.32.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.0...v3.32.1)

- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://redirect.github.com/github/codeql-action/pull/3422)
- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://redirect.github.com/github/codeql-action/pull/3421)

### [`v3.32.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.11...v3.32.0)

- Update default CodeQL bundle version to [2.24.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://redirect.github.com/github/codeql-action/pull/3425)

### [`v3.31.11`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.11)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.10...v3.31.11)

- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://redirect.github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action. [#3415](https://redirect.github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://redirect.github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://redirect.github.com/github/codeql-action/pull/3403)

### [`v3.31.10`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.10)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.9...v3.31.10)

### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

#### 3.31.10 - 12 Jan 2026

- Update default CodeQL bundle version to 2.23.9. [#3393](https://redirect.github.com/github/codeql-action/pull/3393)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.10/CHANGELOG.md) for more information.

</details>

<details>
<summary>helm/kind-action (helm/kind-action)</summary>

### [`v1.14.0`](https://redirect.github.com/helm/kind-action/releases/tag/v1.14.0)

[Compare Source](https://redirect.github.com/helm/kind-action/compare/v1.13.0...v1.14.0)

##### What's Changed

- Bump actions/checkout from 5.0.0 to 6.0.1 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#153](https://redirect.github.com/helm/kind-action/pull/153)
- bump kind to v0.31.0 and k8s to v1.35.0 by [@MrFreezeex](https://redirect.github.com/MrFreezeex) in [#155](https://redirect.github.com/helm/kind-action/pull/155)
- Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#156](https://redirect.github.com/helm/kind-action/pull/156)

##### New Contributors

- [@MrFreezeex](https://redirect.github.com/MrFreezeex) made their first contribution in [#155](https://redirect.github.com/helm/kind-action/pull/155)

**Full Changelog**: <helm/kind-action@v1...v1.14.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 06:00 AM and 10:59 AM, only on Monday ( * 6-10 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

## Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
### Brief description of Pull Request

Adds a new Grafana dashboard to the Alloy mixin for monitoring the embedded OpenTelemetry engine, along with regenerated rendered dashboards and a small docker-compose path fix.

Changes:

- Introduce the source (otel-engine-overview.libsonnet) and rendered (alloy-otel-engine-overview.json) “Alloy / OTel Engine Overview” dashboard.
- Update the dashboard template variable helper to change query-variable sorting (reflected in regenerated rendered dashboards).
- Fix the watch-dashboards volume mount path in the docker-compose Grafana setup.

### Pull Request Details

Screenshot. Note that logs panels are empty because we are not receiving logs traffic in this test instance

<img width="3840" height="11558" alt="screencapture-localhost-3000-d-975a324565222be2906d572d6fc960ff-alloy-otel-engine-overview-2026-02-18-16_40_01" src="https://github.com/user-attachments/assets/6349ccee-5cff-41ad-bffd-488d3b9c51f3" />

### Issue(s) fixed by this Pull Request

Fixes grafana#4724

### Notes to the Reviewer

### PR Checklist

- [ ] Documentation added
- [ ] Tests updated
- [ ] Config converters updated

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
### Pull Request Details

When using the windows installer to upgrade alloy it's not possible to update arguments, environment etc if it was previously written. I added a flag that will force set these in windows registry.

### Issue(s) fixed by this Pull Request

### Notes to the Reviewer

### PR Checklist

- [x] Documentation added
- [ ] Tests updated
- [ ] Config converters updated

---------

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
…a#5446)

### Brief description of Pull Request

This PR prevents a panic case where we create multiple loaders for the same controller. We can identify when we have created duplicate loaders when the prometheus metrics owned by the loader already exist. Attempting to register the metrics a second time resulted in the panic.

### Issue(s) fixed by this Pull Request

Fixes: grafana#2801

### Notes to the Reviewer

This issue can be reproduced consistently by,

1. Run alloy in docker with minimal resources + remotecfg
2. Create a pipeline in fleet management which uses a component that binds a resource on Build (ex loki.source.api binds a port)
3. Rename the pipeline in fleet management
4. The new config fails to load because the port is already bound
5. The remotecfg component attempts to load the old config
6. Duplicate loader is created resulting in panic

Abridged logs for what will happen now,

```
alloy-1 | ts=2026-02-04T19:23:55.07699636Z level=debug msg="fetching remote configuration" service=remotecfg
alloy-1 | ts=2026-02-04T19:23:55.202305809Z level=info msg="attempting to parse and load new remote configuration" service=remotecfg config_hash=bace1e80
alloy-1 | ts=2026-02-04T19:23:55.34085171Z level=info msg="finished node evaluation" controller_path=/remotecfg controller_id=source_api.default trace_id=166fa51994d6f7723fe329ca53ea9b9a node_id=loki.write.grafana_cloud_loki duration=92.039756ms
alloy-1 | ts=2026-02-04T19:23:55.345658677Z level=info msg="starting push API server" component_path=/remotecfg/source_api.default component_id=loki.source.api.loki_push_api
alloy-1 | ts=2026-02-04T19:23:55.345713885Z level=info msg="starting server" component_path=/remotecfg/source_api.default component_id=loki.source.api.loki_push_api
alloy-1 | ts=2026-02-04T19:23:55.349334402Z level=error msg="failed to evaluate config" controller_path=/remotecfg controller_id=source_api.default trace_id=166fa51994d6f7723fe329ca53ea9b9a node=loki.source.api.loki_push_api err="building component: failed to run embedded server: listen tcp 0.0.0.0:9999: bind: address already in use"
alloy-1 | ts=2026-02-04T19:23:55.349425319Z level=info msg="finished node evaluation" controller_path=/remotecfg controller_id=source_api.default trace_id=166fa51994d6f7723fe329ca53ea9b9a node_id=loki.source.api.loki_push_api duration=8.420068ms
alloy-1 | ts=2026-02-04T19:23:55.349562734Z level=error msg="failed to evaluate config" controller_path=/ controller_id=remotecfg trace_id=747e92eb01b59f96fe555b578fc9fb6c node=source_api.default err="updating custom component: 129:2: Failed to build component: building component: failed to run embedded server: listen tcp 0.0.0.0:9999: bind: address already in use"
alloy-1 | ts=2026-02-04T19:23:55.349575859Z level=info msg="finished node evaluation" controller_path=/ controller_id=remotecfg trace_id=747e92eb01b59f96fe555b578fc9fb6c node_id=source_api.default duration=101.567234ms
alloy-1 | ts=2026-02-04T19:23:55.353856414Z level=error msg="failed to parse and load configuration" service=remotecfg config_size=8280 err="129:2: Failed to build component: building component: failed to run embedded server: listen tcp 0.0.0.0:9999: bind: address already in use"
alloy-1 | ts=2026-02-04T19:23:55.353934996Z level=error msg="failed to parse and load new remote configuration" service=remotecfg received_hash=bace1e80 loaded_hash=775b38f6 err="129:2: Failed to build component: building component: failed to run embedded server: listen tcp 0.0.0.0:9999: bind: address already in use"
alloy-1 | ts=2026-02-04T19:23:55.353956746Z level=info msg="attempting to reload cached configuration to restore component health" service=remotecfg
alloy-1 | ts=2026-02-04T19:23:55.354616409Z level=info msg="finished node evaluation" controller_path=/ controller_id=remotecfg trace_id=cd603bde9ef19de4c6bc63e6f03685ed node_id=declare.source_api_rename duration=2.5µs
alloy-1 | ts=2026-02-04T19:23:55.446986412Z level=error msg="failed to evaluate config" controller_path=/ controller_id=remotecfg trace_id=cd603bde9ef19de4c6bc63e6f03685ed node=source_api_rename.default err="creating custom component controller: failed to create module controller: failed to build loader: a loader exists already exists for \"remotecfg/source_api_rename.default\""
alloy-1 | ts=2026-02-04T19:23:55.447288993Z level=info msg="finished node evaluation" controller_path=/ controller_id=remotecfg trace_id=cd603bde9ef19de4c6bc63e6f03685ed node_id=source_api_rename.default duration=92.65121ms
alloy-1 | ts=2026-02-04T19:23:55.450888052Z level=error msg="failed to parse and load configuration" service=remotecfg config_size=8294 err="157:1: Failed to build component: creating custom component controller: failed to create module controller: failed to build loader: a loader exists already exists for \"remotecfg/source_api_rename.default\""
alloy-1 | ts=2026-02-04T19:23:55.452185752Z level=error msg="failed to reload cached configuration" service=remotecfg err="157:1: Failed to build component: creating custom component controller: failed to create module controller: failed to build loader: a loader exists already exists for \"remotecfg/source_api_rename.default\""
alloy-1 | ts=2026-02-04T19:23:55.45219946Z level=error msg="failed to fetch remote config, continuing with current config" service=remotecfg err="157:1: Failed to build component: creating custom component controller: failed to create module controller: failed to build loader: a loader exists already exists for \"remotecfg/source_api_rename.default\""
alloy-1 | ts=2026-02-04T19:23:55.452297418Z level=debug msg="making immediate GetConfig call to report status update" service=remotecfg
```

The PR also includes some small changes to add more support for structured logging in the controller.

### PR Checklist

- [x] Tests updated
### Brief description of Pull Request

Improve Docker Compose health checks and startup reliability for the integration tests.

### Pull Request Details

Replaces grafana#3354.

Key changes include:

* Added `mimir`, `tempo`, and `redis` health checks to `docker-compose.yaml`.
* Updated the `loki` health check to use `/ready`.
* Configured `kafka-gen` and `redis-init` to wait for their respective dependencies to be healthy.
* Replaced the hardcoded `sleep` in `main.go` with `docker compose up -d --wait` for key services, improving startup reliability and providing setup timing.

### Issue(s) fixed by this Pull Request

### Notes to the Reviewer

### PR Checklist

- [ ] Documentation added
- [x] Tests updated (test runner logic)
- [ ] Config converters updated
…5392)

### Pull Request Details

Main change is to use non strict Unmarshal for position file. If we want to be able to change this format like adding new properties in the future while still being able to downgrade alloy we need to change this.

For more details read grafana#5367

### Issue(s) fixed by this Pull Request

Part of: grafana#5367

### Notes to the Reviewer

### PR Checklist

- [ ] Documentation added
- [x] Tests updated
- [ ] Config converters updated

---------

Co-authored-by: Piotr <17101802+thampiotr@users.noreply.github.com>
…a#5606)

### Brief description of Pull Request

feat(otelcol): Expose missing tail_sampling drop and bytes_limiting options

### Pull Request Details

Expose pre-existing missing tail sampling options and policy types in Alloy’s otelcol wrapper and docs.

- Add `sample_on_first_match` and `drop_pending_traces_on_shutdown` to `otelcol.processor.tail_sampling` arguments and converter mapping.
- Add `bytes_limiting` policy support (`bytes_per_second`, `burst_capacity`) across top-level policies and nested `and`, `drop`, and `composite` sub-policies.
- Add `drop` policy support with `drop_sub_policy` blocks.
- Update the component reference docs for new arguments, blocks, policy decisions, and example config.
- Extend and update tail sampling tests and converter snapshots to cover the new options/policies.

### Issue(s) fixed by this Pull Request

### Notes to the Reviewer

These changes align the `otelcol.processor.tail_sampling` component with the features available in upstream `tailsamplingprocessor` v0.142.0.

### PR Checklist

- [x] Documentation added
- [x] Tests updated
- [x] Config converters updated
### Brief description of Pull Request

Add integration tests for the new otel engine using a native otel pipeline and also the alloyengine extension with a similar alloy config file.

Also includes some niceties for the integration testing framework allowing test-specific compose setups to be used in addition to the one used to define base services like mimir.

### Issue(s) fixed by this Pull Request

Closes grafana#5232

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
### Brief description of Pull Request

The new exporter component batching in OTel collector is added to OTel Engine dashboard. We still support the old style of batching for now.

### Pull Request Details

<img width="487" height="351" alt="image" src="https://github.com/user-attachments/assets/79c5f25b-3b51-474d-b0f8-157b71511c05" />

### Issue(s) fixed by this Pull Request

### Notes to the Reviewer

### PR Checklist

- [ ] Documentation added
- [ ] Tests updated
- [ ] Config converters updated
Fix the forwardport logic by pushing a temp branch and polling until the required zizmor check completes, then proceeding as per usual with the forwardport job.
This PR configures GitHub Actions to publish the rendered mixin dashboards from `operations/alloy-mixin/rendered/dashboards/` as a zip archive in GitHub releases. Previously, these dashboards were only available in the source code. This change makes them easily downloadable as a release artifact, allowing users to fetch them all when importing to Grafana.

### Issue(s) fixed by this Pull Request

Related grafana#5074

Co-authored-by: Piotr <thampiotr@users.noreply.github.com>
### Brief description of Pull Request

Make sure prometheus.echo always returns zero for SeriesRefs. The current implementation will return a non-zero unstable SeriesRef which will interfere with the implementation of grafana#5062. This component shouldn't be returning a SeriesRef as it's not creating or managing one and when it's the only component in use in a pipeline this will prevent unnecessary overhead to manage these unstable refs in fanout + prometheus.scrape.

### Issue(s) fixed by this Pull Request

Related to grafana#5062

### PR Checklist

- [x] Tests updated
### Brief description of Pull Request

This PR implements SeriesRefMappingStore which was proposed in grafana#5062. The PR introduces `--feature.series-ref-mapping.enabled` experimental flag to disable label store in favor of the new series ref mapping store.

### Pull Request Details

### Issue(s) fixed by this Pull Request

Fixes grafana#5062

### Notes to the Reviewer

### PR Checklist

- [x] Documentation added
- [x] Tests updated

---------

Co-authored-by: Kyle Eckhart <kgeckhart@users.noreply.github.com>
…s to v1.0.1 (grafana#5604)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [grafana/shared-workflows](https://redirect.github.com/grafana/shared-workflows) | action | major | `login-to-gar-v0.2.2` → `login-to-gar/v1.0.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>grafana/shared-workflows (grafana/shared-workflows)</summary>

### [`vlogin-to-gar/v1.0.1`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar/v1.0.1): login-to-gar: v1.0.1

[Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/azure-trusted-signing/v1.0.0...login-to-gar/v1.0.1)

##### 🔧 Miscellaneous Chores

- **deps:** update google-github-actions/auth action to v2.1.11 ([#1150](https://redirect.github.com/grafana/shared-workflows/issues/1150)) ([895722b](https://redirect.github.com/grafana/shared-workflows/commit/895722b12337ee97909efa8a78886ee69297ed50))
- **deps:** update google-github-actions/auth action to v2.1.12 ([#1184](https://redirect.github.com/grafana/shared-workflows/issues/1184)) ([ee464c5](https://redirect.github.com/grafana/shared-workflows/commit/ee464c522eba7d1a22b82d27739f4bf789102900))
- **deps:** update google-github-actions/auth action to v3 ([#1285](https://redirect.github.com/grafana/shared-workflows/issues/1285)) ([9f0b61a](https://redirect.github.com/grafana/shared-workflows/commit/9f0b61a459b2106ee915a3c482e493c7f659312f))
- **deps:** update google-github-actions/setup-gcloud action to v2.1.5 ([#1151](https://redirect.github.com/grafana/shared-workflows/issues/1151)) ([84f55b1](https://redirect.github.com/grafana/shared-workflows/commit/84f55b125e875869f7aead3c1ed900eaae2735bb))
- **deps:** update google-github-actions/setup-gcloud action to v2.2.0 ([#1211](https://redirect.github.com/grafana/shared-workflows/issues/1211)) ([dc9441f](https://redirect.github.com/grafana/shared-workflows/commit/dc9441f43be7baaf190c5b1b6c0fa3589a988907))
- **deps:** update google-github-actions/setup-gcloud action to v2.2.1 ([#1266](https://redirect.github.com/grafana/shared-workflows/issues/1266)) ([8bb65cb](https://redirect.github.com/grafana/shared-workflows/commit/8bb65cb7cc5b627ec350a229de34aee58872650a))
- **deps:** update google-github-actions/setup-gcloud action to v3 ([#1267](https://redirect.github.com/grafana/shared-workflows/issues/1267)) ([ac79b81](https://redirect.github.com/grafana/shared-workflows/commit/ac79b814a3c74384d24bb0431a3d99caa948e806))
- **deps:** update google-github-actions/setup-gcloud action to v3.0.1 ([#1283](https://redirect.github.com/grafana/shared-workflows/issues/1283)) ([3a233ec](https://redirect.github.com/grafana/shared-workflows/commit/3a233ece646e1a9715d9e4ff27f7d8f98ae8b232))

### [`vlogin-to-gar/v1.0.0`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar/v1.0.0): login-to-gar: v1.0.0

[Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/login-to-gar/v0.4.3...azure-trusted-signing/v1.0.0)

##### ⚠ BREAKING CHANGES

- **login-to-gar:** Update configurations which specify `delete-credentials: false` to have `workspace-credentials: true` instead. If you don't have the option, you are not affected.
- only allow direct workload identity federation in login-to-gar ([#1009](https://redirect.github.com/grafana/shared-workflows/issues/1009))

##### 🎉 Features

- **login-to-gar:** store credentials in temporary location by default ([#1023](https://redirect.github.com/grafana/shared-workflows/issues/1023)) ([fe29dde](https://redirect.github.com/grafana/shared-workflows/commit/fe29dde24ab0697084e75883d351eca1c961e352))
- only allow direct workload identity federation in login-to-gar ([#1009](https://redirect.github.com/grafana/shared-workflows/issues/1009)) ([0789629](https://redirect.github.com/grafana/shared-workflows/commit/078962963e9e785bbe565287f41f96c23ba03274))

##### 🐛 Bug Fixes

- **login-to-gar:** check if delete\_credentials\_file is set ([#1020](https://redirect.github.com/grafana/shared-workflows/issues/1020)) ([7803c2c](https://redirect.github.com/grafana/shared-workflows/commit/7803c2ce62f8d6d5da83cac0ae9af3d57b70a0ff))

##### 📝 Documentation

- add warning about using `checkout` action before `login-to-gar` ([#1012](https://redirect.github.com/grafana/shared-workflows/issues/1012)) ([cb40def](https://redirect.github.com/grafana/shared-workflows/commit/cb40def95f3c449ae8c7f23fa302c22bf9355fb5))

##### 🤖 Continuous Integration

- add section for gha-creds jsons and .gitignore ([#1021](https://redirect.github.com/grafana/shared-workflows/issues/1021)) ([f008500](https://redirect.github.com/grafana/shared-workflows/commit/f008500f574f01cf9fcc5054be2464d6f5d6dcec))

### [`vlogin-to-gar/v0.4.3`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar/v0.4.3): login-to-gar: v0.4.3

[Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/login-to-gar-v0.4.2...login-to-gar/v0.4.3)

##### 📝 Documentation

- update all readmes to replace hyphen with slash ([#1008](https://redirect.github.com/grafana/shared-workflows/issues/1008)) ([472df76](https://redirect.github.com/grafana/shared-workflows/commit/472df76fb1cbb92a17fb9e055bdf0d1399109ee3))

### [`vlogin-to-gar-v0.4.2`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar-v0.4.2): login-to-gar: v0.4.2

[Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/build-push-to-dockerhub/v0.4.1...login-to-gar-v0.4.2)

##### 🐛 Bug Fixes

- **login-to-gar:** replace hardcoded opt dir with runner temp env var ([#1001](https://redirect.github.com/grafana/shared-workflows/issues/1001)) ([d03fbe2](https://redirect.github.com/grafana/shared-workflows/commit/d03fbe21194b8bae035dabfba8fdabe19c122660))

### [`vlogin-to-gar-v0.4.1`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar-v0.4.1): login-to-gar: v0.4.1

[Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/build-push-to-dockerhub/v0.4.0...build-push-to-dockerhub/v0.4.1)

##### 🐛 Bug Fixes

- use custom step for docker-credential-gcr ([#996](https://redirect.github.com/grafana/shared-workflows/issues/996)) ([36bbb4c](https://redirect.github.com/grafana/shared-workflows/commit/36bbb4c0ab04a493b5b76ee6e00d4476a0e954f5))

##### 📝 Documentation

- add inputs section in login-to-gar action ([#961](https://redirect.github.com/grafana/shared-workflows/issues/961)) ([3ce65db](https://redirect.github.com/grafana/shared-workflows/commit/3ce65db098d2e00917a8b98c49a5417dd7a8797a))
- **multiple-actions:** move permissions to job level in workflow examples ([49c90b1](https://redirect.github.com/grafana/shared-workflows/commit/49c90b10fcbce463983bed45932cf468b8bd06ce))
- **multiple-actions:** move permissions to job level in workflows ([#969](https://redirect.github.com/grafana/shared-workflows/issues/969)) ([49c90b1](https://redirect.github.com/grafana/shared-workflows/commit/49c90b10fcbce463983bed45932cf468b8bd06ce))

###
[`vlogin-to-gar-v0.4.0`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar-v0.4.0): login-to-gar: v0.4.0 [Compare Source](https://redirect.github.com/grafana/shared-workflows/compare/docker-build-push-image/v0.3.0...build-push-to-dockerhub/v0.4.0) ##### 🎉 Features - use `docker-credential-gcr` instead of `auth_token` for `login-to-gar` action ([#​921](https://redirect.github.com/grafana/shared-workflows/issues/921)) ([cac9a09](https://redirect.github.com/grafana/shared-workflows/commit/cac9a09f00dfb7c7743500f1986d8faebca72f9f)) ##### 🐛 Bug Fixes - **everything:** fix all things for zizmor ([af9b0c5](https://redirect.github.com/grafana/shared-workflows/commit/af9b0c52635d39023136fb9312a354f91d9b2bfd)) - make default `delete_credentials_file` value false ([#​950](https://redirect.github.com/grafana/shared-workflows/issues/950)) ([71ec5a1](https://redirect.github.com/grafana/shared-workflows/commit/71ec5a1861019932272c4ec12a8d7903049797c5)) ##### 🤖 Continuous Integration - remove gcp credentials after composite action finishes ([#​925](https://redirect.github.com/grafana/shared-workflows/issues/925)) ([62f8dda](https://redirect.github.com/grafana/shared-workflows/commit/62f8ddaa78b23147b22ba6a38df2b97963dab4b3)) ##### 🔧 Miscellaneous Chores - **deps:** update google-github-actions/auth action to v2.1.10 ([#​926](https://redirect.github.com/grafana/shared-workflows/issues/926)) ([fa48192](https://redirect.github.com/grafana/shared-workflows/commit/fa48192dac470ae356b3f7007229f3ac28c48a25)) - **deps:** update google-github-actions/auth action to v2.1.9 ([#​924](https://redirect.github.com/grafana/shared-workflows/issues/924)) ([2774f26](https://redirect.github.com/grafana/shared-workflows/commit/2774f26e2321f825e20c85e424a1c6fa8298d820)) ### [`vlogin-to-gar-v0.3.0`](https://redirect.github.com/grafana/shared-workflows/releases/tag/login-to-gar-v0.3.0): login-to-gar: v0.3.0 [Compare 
Source](https://redirect.github.com/grafana/shared-workflows/compare/create-github-app-token/v0.2.2...docker-build-push-image/v0.3.0) ##### 🎉 Features - use auth\_token in login-to-gar action ([#​846](https://redirect.github.com/grafana/shared-workflows/issues/846)) ([e65ba18](https://redirect.github.com/grafana/shared-workflows/commit/e65ba18704a12d05c4c5ad00439c31d5861ba9a1)) ##### 🤖 Continuous Integration - make configure-docker less verbose ([#​824](https://redirect.github.com/grafana/shared-workflows/issues/824)) ([623010a](https://redirect.github.com/grafana/shared-workflows/commit/623010ae889725b324e1ae1b3572d1be621b76b9)) - stop persisting credentials in google auth steps ([#​916](https://redirect.github.com/grafana/shared-workflows/issues/916)) ([4d185da](https://redirect.github.com/grafana/shared-workflows/commit/4d185da792dd4520730b3b60ceedb1c9cb16cb6c)) ##### 🔧 Miscellaneous Chores - **deps:** update docker/login-action action to v3.4.0 ([#​848](https://redirect.github.com/grafana/shared-workflows/issues/848)) ([117d851](https://redirect.github.com/grafana/shared-workflows/commit/117d8511cbc5da0337972deeb400c4298b057af3)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 06:00 AM and 10:59 AM, only on Monday ( * 6-10 * * 1 ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. 
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Also add better polling debug lines
Fix some spelling errors that were discovered in the Alloy docs
Snake case words in the docs are almost always a reference to an argument, variable, or other value that should be wrapped with backticks (to render as inline code). This PR adds backticks to the snake_case words that were found with a grep.
…Y] (grafana#5587)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [filippo.io/edwards25519](https://redirect.github.com/FiloSottile/edwards25519) | `v1.1.0` → `v1.1.1` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2026-26958](https://redirect.github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr)

`(*Point).MultiScalarMult` failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

*Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on `filippo.io/edwards25519` via `github.com/go-sql-driver/mysql`, **you are not affected**. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like [govulncheck](https://go.dev/doc/tutorial/govulncheck).*

---

### Invalid result or undefined behavior in filippo.io/edwards25519

[CVE-2026-26958](https://nvd.nist.gov/vuln/detail/CVE-2026-26958) / [GHSA-fw7p-63qq-7hpr](https://redirect.github.com/advisories/GHSA-fw7p-63qq-7hpr) / [GO-2026-4503](https://pkg.go.dev/vuln/GO-2026-4503)

<details>
<summary>More information</summary>

#### Details

Previously, if MultiScalarMult was invoked on an initialized point that was not the identity point, MultiScalarMult produced an incorrect result. If called on an uninitialized point, MultiScalarMult exhibited undefined behavior.

#### Severity

Unknown

#### References

- [https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr](https://redirect.github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr)
- [https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb](https://redirect.github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-4503) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

[CVE-2026-26958](https://nvd.nist.gov/vuln/detail/CVE-2026-26958) / [GHSA-fw7p-63qq-7hpr](https://redirect.github.com/advisories/GHSA-fw7p-63qq-7hpr) / [GO-2026-4503](https://pkg.go.dev/vuln/GO-2026-4503)

<details>
<summary>More information</summary>

#### Details

`(*Point).MultiScalarMult` failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

*Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on `filippo.io/edwards25519` via `github.com/go-sql-driver/mysql`, **you are not affected**. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like [govulncheck](https://go.dev/doc/tutorial/govulncheck).*

#### Severity

- CVSS Score: Unknown
- Vector String: `CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U`

#### References

- [https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr](https://redirect.github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-26958](https://nvd.nist.gov/vuln/detail/CVE-2026-26958)
- [https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb](https://redirect.github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb)
- [https://github.com/FiloSottile/edwards25519](https://redirect.github.com/FiloSottile/edwards25519)
- [https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1](https://redirect.github.com/FiloSottile/edwards25519/releases/tag/v1.1.1)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fw7p-63qq-7hpr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>FiloSottile/edwards25519 (filippo.io/edwards25519)</summary>

### [`v1.1.1`](https://redirect.github.com/FiloSottile/edwards25519/compare/v1.1.0...v1.1.1)

[Compare Source](https://redirect.github.com/FiloSottile/edwards25519/compare/v1.1.0...v1.1.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---

- [ ] If you want to rebase/retry this PR, check this box

---

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
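An added example, not part of the commit message above or of the edwards25519 project: a triage helper built on Go's standard `go/parser` that lists `MultiScalarMult` call sites in files importing `filippo.io/edwards25519` and classifies the receiver, since the advisory names non-identity and uninitialized receivers as the failing cases. `ScanSource`, `Finding` and the sample source are constructed for illustration; the check is syntactic and has no type information, so govulncheck remains the precise tool.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one MultiScalarMult call site (a type made up for this example).
type Finding struct {
	Line     int
	Receiver string // "identity", "zero-value" or "unknown"
}

// edwardsAlias returns the file's local name for the edwards25519 import, or "".
func edwardsAlias(f *ast.File) string {
	for _, imp := range f.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p == "filippo.io/edwards25519" {
			if imp.Name != nil {
				return imp.Name.Name
			}
			return "edwards25519"
		}
	}
	return ""
}

// isPkgSel reports whether e is the qualified identifier alias.name.
func isPkgSel(e ast.Expr, alias, name string) bool {
	if sel, ok := e.(*ast.SelectorExpr); ok && sel.Sel.Name == name {
		id, ok := sel.X.(*ast.Ident)
		return ok && id.Name == alias
	}
	return false
}

// classify looks at the receiver expression of a MultiScalarMult call.
func classify(recv ast.Expr, alias string) string {
	for p, ok := recv.(*ast.ParenExpr); ok; p, ok = recv.(*ast.ParenExpr) {
		recv = p.X
	}
	switch e := recv.(type) {
	case *ast.CallExpr:
		if len(e.Args) == 0 && isPkgSel(e.Fun, alias, "NewIdentityPoint") {
			return "identity" // receiver is the identity point
		}
		id, ok := e.Fun.(*ast.Ident)
		if ok && id.Name == "new" && len(e.Args) == 1 && isPkgSel(e.Args[0], alias, "Point") {
			return "zero-value" // new(Point): uninitialized receiver
		}
	case *ast.UnaryExpr:
		cl, ok := e.X.(*ast.CompositeLit)
		if ok && e.Op == token.AND && isPkgSel(cl.Type, alias, "Point") {
			return "zero-value" // &Point{}: uninitialized receiver
		}
	}
	return "unknown" // variable, field or call result: review by hand
}

// ScanSource lists x.MultiScalarMult(...) calls; syntactic only, no type checking.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	alias := edwardsAlias(f)
	if alias == "" {
		return nil, nil
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "MultiScalarMult" {
				out = append(out, Finding{fset.Position(sel.Sel.Pos()).Line, classify(sel.X, alias)})
			}
		}
		return true
	})
	return out, nil
}

// sample is constructed input for this example, not code from a real project.
const sample = `package demo

import ed "filippo.io/edwards25519"

func combine(s []*ed.Scalar, p []*ed.Point, acc *ed.Point) {
	ed.NewIdentityPoint().MultiScalarMult(s, p)
	new(ed.Point).MultiScalarMult(s, p)
	(&ed.Point{}).MultiScalarMult(s, p)
	acc.MultiScalarMult(s, p)
}
`

func main() { fmt.Println(ScanSource("sample.go", sample)) }
```

Call sites reported as `zero-value` or `unknown` are the ones to review or to cover by moving to `v1.1.1`; a file with no findings matches the advisory's "not affected" case only as far as this syntactic check can see.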
…9 [SECURITY] (grafana#5497) > ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) | `v1.7.18` → `v1.7.29` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-40635](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) ### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). 
### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### [CVE-2024-25621](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) ### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. 
> [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### [CVE-2025-64329](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) ### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. 
e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) --- ### containerd has an integer overflow in User ID handling [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ##### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. 
##### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ##### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://nvd.nist.gov/vuln/detail/CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) - 
[https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-265r-hfxg-fhmg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd has an integer overflow in User ID handling in github.com/containerd/containerd [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details containerd has an integer overflow in User ID handling in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3528) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). 
</details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details ##### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. 
##### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ##### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by 
[OSV](https://osv.dev/vulnerability/GHSA-pwhc-rpq9-4c8w) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4108) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). 
</details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4100) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. 
Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd.

##### Patches
This bug has been fixed in the following containerd versions:

* 2.2.0
* 2.1.5
* 2.0.7
* 1.7.29

Users should update to these versions to resolve the issue.

##### Workarounds
Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/).

##### Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md).

##### References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

##### For more information
If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose)
* Email us at [security@containerd.io](mailto:security@containerd.io)

To report a security issue in containerd:

* [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new)

#### Severity
- CVSS Score: Unknown
- Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`

#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329)
- [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df)
- [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd)

This data is
provided by [OSV](https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>containerd/containerd (github.com/containerd/containerd)</summary>

### [`v1.7.29`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.29): containerd 1.7.29

[Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.28...v1.7.29)

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.

##### Security Updates

- **containerd**
  - [**GHSA-pwhc-rpq9-4c8w**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
  - [**GHSA-m6hq-p25p-ffr2**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)
- **runc**
  - [**GHSA-qw9x-cqr3-wc7r**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
  - [**GHSA-cgrx-mc8f-2prm**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
  - [**GHSA-9493-h29p-rfm2**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)

##### Highlights

##### Image Distribution

- **Update differ to handle zstd media types** ([#12018](https://redirect.github.com/containerd/containerd/pull/12018))

##### Runtime

- **Update runc binary to v1.3.3** ([#12480](https://redirect.github.com/containerd/containerd/pull/12480))
- **Fix lost container logs from quickly closing io** ([#12375](https://redirect.github.com/containerd/containerd/pull/12375))

Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>.
##### Contributors - Derek McGowan - Akihiro Suda - Phil Estes - Austin Vazquez - Sebastiaan van Stijn - ningmingxiao - Maksym Pavlenko - StepSecurity Bot - wheat2018 ##### Changes <details><summary>38 commits</summary> <p> - [`442cb34bd`](https://redirect.github.com/containerd/containerd/commit/442cb34bda9a6a0fed82a2ca7cade05c5c749582) Merge commit from fork - [`0450f046e`](https://redirect.github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f) Fix directory permissions - [`e5cb6ddb7`](https://redirect.github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7) Merge commit from fork - [`c575d1b5f`](https://redirect.github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750) fix goroutine leak of container Attach - Prepare release notes for v1.7.29 ([#​12486](https://redirect.github.com/containerd/containerd/pull/12486)) - [`1fc2daaf3`](https://redirect.github.com/containerd/containerd/commit/1fc2daaf3ed53f4c9e76fbc5786a6f1ae3bb885f) Prepare release notes for v1.7.29 - Update runc binary to v1.3.3 ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - [`3f5f9f872`](https://redirect.github.com/containerd/containerd/commit/3f5f9f872707a743563d316e85e530193a2e30ac) runc: Update runc binary to v1.3.3 - Update GHA images and bump Go 1.24.9; 1.25.3 ([#​12471](https://redirect.github.com/containerd/containerd/pull/12471)) - [`667409fb6`](https://redirect.github.com/containerd/containerd/commit/667409fb63098cb80280940ab06038114e7712da) ci: bump Go 1.24.9, 1.25.3 - [`294f8c027`](https://redirect.github.com/containerd/containerd/commit/294f8c027b607c4450b3e52f44280581a737a73f) Update GHA runners to use latest images for basic binaries build - [`cf66b4141`](https://redirect.github.com/containerd/containerd/commit/cf66b4141defb757dee0fc5653bfd0a7ba1e8fed) Update GHA runners to use latest image for most jobs - 
[`fa3e6fa18`](https://redirect.github.com/containerd/containerd/commit/fa3e6fa18aa8dc7e699428958e1fb1d38e832e15) pkg/epoch: extract parsing SOURCE\_DATE\_EPOCH to a function - [`ac334bffc`](https://redirect.github.com/containerd/containerd/commit/ac334bffc4e759f188afb58efd74a603ade0855a) pkg/epoch: fix tests on macOS - [`d04b8721f`](https://redirect.github.com/containerd/containerd/commit/d04b8721fc5bff2677beadb4f3d15d7c0ec989ca) pkg/epoch: replace some fmt.Sprintfs with strconv - CI: update Fedora to 43 ([#​12450](https://redirect.github.com/containerd/containerd/pull/12450)) - [`5cfedbf52`](https://redirect.github.com/containerd/containerd/commit/5cfedbf52300d09f77a51f02a0c784c37284302c) CI: update Fedora to 43 - CI: skip ubuntu-24.04-arm on private repos ([#​12429](https://redirect.github.com/containerd/containerd/pull/12429)) - [`cf99a012d`](https://redirect.github.com/containerd/containerd/commit/cf99a012d6f7fcb51afdea641d87474dae95f50d) CI: skip ubuntu-24.04-arm on private repos - runc:Update runc binary to v1.3.1 ([#​12276](https://redirect.github.com/containerd/containerd/pull/12276)) - [`4c77b8d07`](https://redirect.github.com/containerd/containerd/commit/4c77b8d078a65a5e99e40847a9eaa18a944ff68e) runc:Update runc binary to v1.3.1 - Fix lost container logs from quickly closing io ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) - [`d30024db2`](https://redirect.github.com/containerd/containerd/commit/d30024db25590e6ec74b639746a5dc792f5c1403) bugfix:fix container logs lost because io close too quickly - ci: bump Go 1.24.8 ([#​12362](https://redirect.github.com/containerd/containerd/pull/12362)) - [`f4b3d96f3`](https://redirect.github.com/containerd/containerd/commit/f4b3d96f3d83a0ac7bde03ae9eec749aa1936a59) ci: bump Go 1.24.8 - [`334fd8e4b`](https://redirect.github.com/containerd/containerd/commit/334fd8e4b974d88ebea43a998d76760aad49773a) update golangci-lint to v1.64.2 - 
[`8a67abc4c`](https://redirect.github.com/containerd/containerd/commit/8a67abc4cac67bf806da0b2b55ac7159e91f6996) Drop inactivated linter exportloopref - [`e4dbf08f0`](https://redirect.github.com/containerd/containerd/commit/e4dbf08f0ff3dc9f6b2a9a36eab71d73ac707956) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 - [`d7db2ba06`](https://redirect.github.com/containerd/containerd/commit/d7db2ba063385d06132ec80890eb6c1fe4126692) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 - [`d7182888f`](https://redirect.github.com/containerd/containerd/commit/d7182888f0071cce86d40fcf09cd9a247ac15c41) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 - [`4be6c7e3b`](https://redirect.github.com/containerd/containerd/commit/4be6c7e3b5d5da7be8c1c87e1c16450b7ea8dadb) build(deps): bump actions/cache from 4.1.2 to 4.2.0 - [`a2e097e86`](https://redirect.github.com/containerd/containerd/commit/a2e097e865887382c2fc29ee0cea0053e6152a12) build(deps): bump actions/checkout from 4.2.1 to 4.2.2 - [`6de404d11`](https://redirect.github.com/containerd/containerd/commit/6de404d11b8e237a7867c7fbe535579c5736bfde) build(deps): bump actions/cache from 4.1.1 to 4.1.2 - [`038a25584`](https://redirect.github.com/containerd/containerd/commit/038a25584e7f66272114ec0801b071e6149ef841) \[StepSecurity] ci: Harden GitHub Actions - Update differ to handle zstd media types ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) - [`eaeb4b6ac`](https://redirect.github.com/containerd/containerd/commit/eaeb4b6ac581c0704bed0ff96ee7e53170345e84) Update differ to handle zstd media types - ci: bump Go 1.23.12, 1.24.6 ([#​12188](https://redirect.github.com/containerd/containerd/pull/12188)) - [`83c535339`](https://redirect.github.com/containerd/containerd/commit/83c535339bbe253ce9e7a616a90f770994b754e5) ci: bump Go 1.23.12, 1.24.6 </p> </details> ##### Dependency Changes This release has no dependency changes Previous release can be found at 
[v1.7.28](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28) ### [`v1.7.28`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28): containerd 1.7.28 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.27...v1.7.28) Welcome to the v1.7.28 release of containerd! The twenty-eighth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights ##### Image Distribution - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) ##### Runtime - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. 
##### Contributors - Akhil Mohan - Akihiro Suda - Austin Vazquez - Maksym Pavlenko - Phil Estes - Derek McGowan - Kirtana Ashok - Henry Wang - Iain Macdonald - Jin Dong - Swagat Bora - Wei Fu - Yang Yang - madraceee ##### Changes <details><summary>57 commits</summary> <p> - Prepare release notes for v1.7.28 ([#​12134](https://redirect.github.com/containerd/containerd/pull/12134)) - [`b01b809f8`](https://redirect.github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28 - ci: bump Go 1.23.11, 1.24.5 ([#​12117](https://redirect.github.com/containerd/containerd/pull/12117)) - [`ce2373176`](https://redirect.github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5 - Backport windows test fixes ([#​12121](https://redirect.github.com/containerd/containerd/pull/12121)) - [`3c06bcc4d`](https://redirect.github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs - [`c6c0c6854`](https://redirect.github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression - ci: use fedora 39 archive ([#​12123](https://redirect.github.com/containerd/containerd/pull/12123)) - [`6d7e021cf`](https://redirect.github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive - update runners to ubuntu 24.04 ([#​11802](https://redirect.github.com/containerd/containerd/pull/11802)) - [`c362e18cc`](https://redirect.github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant - [`1d99bec21`](https://redirect.github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error - 
[`dafa3c48d`](https://redirect.github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24 - [`b03301d85`](https://redirect.github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners - [`13fbc5f97`](https://redirect.github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04 - go.mod: golang.org/x/\* latest ([#​12096](https://redirect.github.com/containerd/containerd/pull/12096)) - [`da5d1a371`](https://redirect.github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/\* latest - Remove additional fuzzers from instrumentation repo ([#​12099](https://redirect.github.com/containerd/containerd/pull/12099)) - [`5fef123ba`](https://redirect.github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI - backport windows runner and golang toolchain updates ([#​11972](https://redirect.github.com/containerd/containerd/pull/11972)) - [`a35978f5a`](https://redirect.github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang \[1.23.10, 1.24.4] in build and release - [`df035aa3e`](https://redirect.github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang \[1.23.9, 1.24.3] in build and release - [`2a6d9fc71`](https://redirect.github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version - [`15d4d6eba`](https://redirect.github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8 - [`1613a3b1a`](https://redirect.github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025 - test: added runc v1 tests using vagrant 
([#​11896](https://redirect.github.com/containerd/containerd/pull/11896)) - [`60e73122c`](https://redirect.github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant - Revert "disable portmap test in ubuntu-22 to make CI happy" ([#​11803](https://redirect.github.com/containerd/containerd/pull/11803)) - [`10e1b515e`](https://redirect.github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS" - [`7a680e884`](https://redirect.github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP\_TEST variable error - [`e5f8cc995`](https://redirect.github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy" - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - [`b001469c7`](https://redirect.github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0 - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - [`a6421da84`](https://redirect.github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire. 
- \[CI] Fix vagrant ([#​11739](https://redirect.github.com/containerd/containerd/pull/11739)) - [`effc49e8b`](https://redirect.github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup - Fix CI ([#​11722](https://redirect.github.com/containerd/containerd/pull/11722)) - [`d3e7dd716`](https://redirect.github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms - [`7cf9ebe94`](https://redirect.github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS - [`42657a4ed`](https://redirect.github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy - [`b300fd37b`](https://redirect.github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest - [`6f4ffad27`](https://redirect.github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist - [`cef298331`](https://redirect.github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24 - [`2dd9be16e`](https://redirect.github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04 - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) - [`e40e59e4e`](https://redirect.github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service - silence govulncheck false positives ([#​11679](https://redirect.github.com/containerd/containerd/pull/11679)) - [`ff097d5a4`](https://redirect.github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives - vendor: 
github.com/go-jose/go-jose/v3 v3.0.4 ([#​11619](https://redirect.github.com/containerd/containerd/pull/11619)) - [`52dd4dc51`](https://redirect.github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4 - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) - [`24f41d2d5`](https://redirect.github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy - Update runc binary to v1.2.6 ([#​11584](https://redirect.github.com/containerd/containerd/pull/11584)) - [`1e1e78ad7`](https://redirect.github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6 - Use RWMutex in NSMap and reduce lock area ([#​11556](https://redirect.github.com/containerd/containerd/pull/11556)) - [`9a8d1d44a`](https://redirect.github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area </p> </details> ##### Dependency Changes - **github.com/go-jose/go-jose/v3** v3.0.3 -> v3.0.4 - **golang.org/x/crypto** v0.31.0 -> v0.40.0 - **golang.org/x/mod** v0.17.0 -> v0.26.0 - **golang.org/x/net** v0.33.0 -> v0.42.0 - **golang.org/x/oauth2** v0.11.0 -> v0.30.0 - **golang.org/x/sync** v0.10.0 -> v0.16.0 - **golang.org/x/sys** v0.28.0 -> v0.34.0 - **golang.org/x/term** v0.27.0 -> v0.33.0 - **golang.org/x/text** v0.21.0 -> v0.27.0 - **golang.org/x/time** [`90d013b`](https://redirect.github.com/containerd/containerd/commit/90d013bbcef8) -> v0.12.0 Previous release can be found at [v1.7.27](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27) ### [`v1.7.27`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27): containerd 1.7.27 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.26...v1.7.27) Welcome to the v1.7.27 release of 
containerd! The twenty-seventh patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)) - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Jin Dong - Akhil Mohan - Derek McGowan - Maksym Pavlenko - Paweł Gronowski - Phil Estes - Akihiro Suda - Craig Ingram - Krisztian Litkey - Samuel Karp ##### Changes <details><summary>20 commits</summary> <p> - [`05044ec0a`](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork - [`11504c3fc`](https://redirect.github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid - Prepare release notes for v1.7.27 ([#​11540](https://redirect.github.com/containerd/containerd/pull/11540)) - [`1be04be6c`](https://redirect.github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27 - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) - [`82b5c43fe`](https://redirect.github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey - [`2c670e79b`](https://redirect.github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children - update build to go1.23.7, test go1.24.1 ([#​11515](https://redirect.github.com/containerd/containerd/pull/11515)) - [`a39863c9f`](https://redirect.github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) 
update build to go1.23.7, test go1.24.1 - Remove hashicorp/go-multierror dependency and fix CI ([#​11499](https://redirect.github.com/containerd/containerd/pull/11499)) - [`49537b3a7`](https://redirect.github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact - [`fe490b76f`](https://redirect.github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0 - [`13fc9d313`](https://redirect.github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1 - [`585699c94`](https://redirect.github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap - [`4b9df59be`](https://redirect.github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror - go.{mod,sum}: bump CDI deps to v0.8.1. ([#​11422](https://redirect.github.com/containerd/containerd/pull/11422)) - [`5ba28f8dc`](https://redirect.github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor. 
- CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#​11437](https://redirect.github.com/containerd/containerd/pull/11437)) - [`85f10bd92`](https://redirect.github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm - [`561ed520e`](https://redirect.github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb </p> </details> ##### Dependency Changes - **github.com/intel/goresctrl** v0.3.0 -> v0.5.0 - **github.com/prometheus/client\_golang** v1.14.0 -> v1.16.0 - **github.com/prometheus/common** v0.37.0 -> v0.42.0 - **github.com/prometheus/procfs** v0.8.0 -> v0.10.1 - **k8s.io/apimachinery** v0.26.2 -> v0.27.4 - **sigs.k8s.io/json** [`f223a00`](https://redirect.github.com/containerd/containerd/commit/f223a00ba0e2) -> [`bc3834c`](https://redirect.github.com/containerd/containerd/commit/bc3834ca7abd) - **tags.cncf.io/container-device-interface** v0.7.2 -> v0.8.1 - **tags.cncf.io/container-device-interface/specs-go** v0.7.0 -> v0.8.0 Previous release can be found at [v1.7.26](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26) ### [`v1.7.26`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26): containerd 1.7.26 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.25...v1.7.26) Welcome to the v1.7.26 release of containerd! The twenty-sixth patch release for containerd 1.7 contains various fixes and updates. 
##### Highlights - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://redirect.github.com/containerd/ttrpc/pull/175)) - Reject oversized messages from the sender ([containerd/ttrpc#171](https://redirect.github.com/containerd/ttrpc/pull/171)) ##### Container Runtime Interface (CRI) - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) ##### Node Resource Interface (NRI) - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - Update API to pass configured timeouts to plugins. 
([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - Add API support for NRI-native CDI injection ([containerd/nri#98](https://redirect.github.com/containerd/nri/pull/98)) - Add support for pids cgroup ([containerd/nri#76](https://redirect.github.com/containerd/nri/pull/76)) ##### Runtime - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Krisztian Litkey - Mike Brown - Samuel Karp - Wei Fu - Phil Estes - Derek McGowan - Iceber Gu - Akhil Mohan - Antonio Ojea - Austin Vazquez - Henry Wang - Jin Dong - Xiaojin Zhang - ningmingxiao - AbdelrahmanElawady - Akihiro Suda - Antti Kervinen - Jing Xu - Jitang Lei - Justin Alvarez - Lei Liu - Maksym Pavlenko - Yang Yang - Yuhang Wei - cormick - jingtao.liang ##### Changes <details><summary>24 commits</summary> <p> - Prepare release notes for v1.7.26 ([#​11356](https://redirect.github.com/containerd/containerd/pull/11356)) - [`ceba197f5`](https://redirect.github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26 - Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#​11434](https://redirect.github.com/containerd/containerd/pull/11434)) - [`3486bc8dd`](https://redirect.github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0 - update build to go1.23.6, test go1.24.0 ([#​11419](https://redirect.github.com/containerd/containerd/pull/11419)) - 
[`9025d3075`](https://redirect.github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0 - Update install-imgcrypt to allow change install repo ([#​11358](https://redirect.github.com/containerd/containerd/pull/11358)) - [`83eaab482`](https://redirect.github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - [`8bc21cba7`](https://redirect.github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - [`27c472acf`](https://redirect.github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5 - Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#​11400](https://redirect.github.com/containerd/containerd/pull/11400)) - [`8d8034b66`](https://redirect.github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - [`11af05177`](https://redirect.github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing. - [`d4036cd3d`](https://redirect.github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor. 
- Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) - [`c3e24e024`](https://redirect.github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak - [`4e45a463d`](https://redirect.github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) - [`0fe9f0b52`](https://redirect.github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write - update build to go1.22.11, test go1.23.5 ([#​11298](https://redirect.github.com/containerd/containerd/pull/11298)) - [`441b92636`](https://redirect.github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5 </p> </details> ##### Changes from containerd/nri <details><summary>77 commits</summary> <p> - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - [`eaf78a9`](https://redirect.github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs - generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://redirect.github.com/containerd/nri/pull/116)) - [`07bfc18`](https://redirect.github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj - [`b5fc359`](https://redirect.github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment - device-injector: remove unreachable code. 
([containerd/nri#115](https://redirect.github.com/containerd/nri/pull/115)) - [`235aa11`](https://redirect.github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - [`159f575`](https://redirect.github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message. - [`bf267e3`](https://redirect.github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages. - [`ed78ae9`](https://redirect.github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary. - [`6fd59d6`](https://redirect.github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages. - [`a7fcccc`](https://redirect.github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages. - [`5fe9b06`](https://redirect.github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size. - [`693d64e`](https://redirect.github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps. - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - [`320e4e7`](https://redirect.github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts. - [`f86d982`](https://redirect.github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts. 
- [`cfcd2af`](https://redirect.github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target. - [`8cd9504`](https://redirect.github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite. - [`966ac92`](https://redirect.github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks. - ci: verify that code generation works and results match ([containerd/nri#113](https://redirect.github.com/containerd/nri/pull/113)) - [`f74ce31`](https://redirect.github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo - deps: bump gingko to v2.19.1, golang to v1.21.x. ([containerd/nri#110](https://redirect.github.com/containerd/nri/pull/110)) - [`e4d5c36`](https://redirect.github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x. - [`6578149`](https://redirect.github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21. - [`442e812`](https://redirect.github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1. 
- sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://redirect.github.com/containerd/nri/pull/43)) - [`eada085`](https://redirect.github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully - [`b881bc4`](https://redirect.github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - [`3880f1d`](https://redirect.github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal. - [`0d3b376`](https://redirect.github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments. - codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://redirect.github.com/containerd/nri/pull/105)) - [`df84c47`](https://redirect.github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow. - [`a03dc93`](https://redirect.github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling. - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - [`4aec208`](https://redirect.github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized. - [`4e60cd0`](https://redirect.github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails. 
- Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://redirect.github.com/containerd/nri/pull/104)) - [`1cc026f`](https://redirect.github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - [`efcb2da`](https://redirect.github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom\_score\_adj - Add API support for NRI-na </details> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
…ana#5511) Restructure Modules topic and add more info for new users Add info about when to use Modules and set some expectations about what modules can/can't do. Shuffle info into a more logical flow/order, and simplify some statements. Fixes: grafana/support-escalations#15661
### Pull Request Details Followup to grafana#5895. Port `loki.source.heroku` to use the shared server abstraction. This will also make it so that this server doesn't require a restart if labels, relabel rules or timestamp config changes. ### Issue(s) fixed by this Pull Request Part of grafana#5803 ### Notes to the Reviewer Changes so that each component passes the `EntriesWritten` counter since they unfortunately have different naming conventions. ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated
…same metadata several times (grafana#5965) ### Pull Request Details I was working on increasing test coverage for `loki.process`. I wanted to set up more full pipeline tests for this component. When writing the first test case "simple cri pipeline" I noticed that `stage.structured_metadata` can add metadata several times. StructuredMetadata is stored as a slice and we would just append to it. So when using something like `stage.cri` before this one we will have `stream` both as a label _and_ in the extracted map. To fix this we check if it already exists and if it does we replace it, otherwise we append. I also cleaned up both the stage and the tests for it and added a regression test to make sure we don't add metadata several times. ### Issue(s) fixed by this Pull Request Relates to grafana#4953 ### Notes to the Reviewer Part of cleaning up this stage is to have a similar function for every place / way we try to extract metadata. Before we had `processLabelsConfigs`, an inline regex check for the extracted map and later we called `extractFromLabels`. I created a function for each combination of source and config instead so we have: * `processExtractedLabelsByConfig` - source is extracted using labelConfig * `processExtractedLabelsByRegex` - source is extracted using regex * `processEntryLabelsByConfig` - source is labels using labelConfig * `processEntryLabelsByRegex` - source is labels using regex ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated --------- Co-authored-by: Piotr <17101802+thampiotr@users.noreply.github.com>
…otal` and `secrets_redacted_by_origin metrics` (grafana#5970) The `loki_secretfilter_secrets_redacted_by_category_total` metric (introduced in grafana#5855) partitions by both `rule` and `origin`, making the two single-dimension metrics redundant. Any query with them can be expressed via `sum by (rule|origin) (...)` on the category metric.
…5994) Two small performance improvements to the `loki.secretfilter` hot path: - Move origin label lookup out of the per-finding loop in `redactLine` - Remove per-redaction overhead of new hasher and `fmt.Sprintf`
…1.97.3 [SECURITY] (grafana#6004) > ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/aws/aws-sdk-go-v2/service/s3](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.97.2` → `v1.97.3` | | | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/4569) for more information. ### GitHub Vulnerability Alerts #### [GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2) **CVSSv3.1 Rating**: [Medium] **CVSSv3.1 Score**: [5.9] **CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H] ## Summary and Impact An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate. Impacted versions: < [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) ## Patches This issue has been addressed in versions [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. ## Workarounds Not Applicable ## References If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. 
--- ### Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder [GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/advisories/GHSA-xmrv-pmrh-hhx2) <details> <summary>More information</summary> #### Details **CVSSv3.1 Rating**: [Medium] **CVSSv3.1 Score**: [5.9] **CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H] ##### Summary and Impact An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate. Impacted versions: < [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) ##### Patches This issue has been addressed in versions [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. ##### Workarounds Not Applicable ##### References If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. 
#### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2) - [https://github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) - [https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xmrv-pmrh-hhx2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/s3)</summary> ### [`v1.97.3`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-03-26) #### General Highlights - **Dependency Update**: Updated to the latest SDK module versions #### Module Highlights - `github.com/aws/aws-sdk-go-v2`: v1.41.5 - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/accessanalyzer`: [v1.45.12](service/accessanalyzer/CHANGELOG.md#v14512-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/account`: [v1.30.5](service/account/CHANGELOG.md#v1305-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/acm`: [v1.37.23](service/acm/CHANGELOG.md#v13723-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/acmpca`: [v1.46.12](service/acmpca/CHANGELOG.md#v14612-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/aiops`: [v1.6.21](service/aiops/CHANGELOG.md#v1621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amp`: [v1.42.9](service/amp/CHANGELOG.md#v1429-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplify`: [v1.38.14](service/amplify/CHANGELOG.md#v13814-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplifybackend`: [v1.32.20](service/amplifybackend/CHANGELOG.md#v13220-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder`: [v1.28.20](service/amplifyuibuilder/CHANGELOG.md#v12820-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apigateway`: [v1.39.1](service/apigateway/CHANGELOG.md#v1391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi`: [v1.29.14](service/apigatewaymanagementapi/CHANGELOG.md#v12914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apigatewayv2`: [v1.34.1](service/apigatewayv2/CHANGELOG.md#v1341-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appconfig`: [v1.43.13](service/appconfig/CHANGELOG.md#v14313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appconfigdata`: [v1.23.22](service/appconfigdata/CHANGELOG.md#v12322-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appfabric`: [v1.16.21](service/appfabric/CHANGELOG.md#v11621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appflow`: [v1.51.12](service/appflow/CHANGELOG.md#v15112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appintegrations`: [v1.37.7](service/appintegrations/CHANGELOG.md#v1377-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/applicationautoscaling`: [v1.41.14](service/applicationautoscaling/CHANGELOG.md#v14114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler`: [v1.27.12](service/applicationcostprofiler/CHANGELOG.md#v12712-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice`: [v1.35.13](service/applicationdiscoveryservice/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationinsights`: [v1.34.20](service/applicationinsights/CHANGELOG.md#v13420-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationsignals`: [v1.19.1](service/applicationsignals/CHANGELOG.md#v1191-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appmesh`: [v1.35.12](service/appmesh/CHANGELOG.md#v13512-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apprunner`: [v1.39.14](service/apprunner/CHANGELOG.md#v13914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/appstream`: [v1.54.4](service/appstream/CHANGELOG.md#v1544-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appsync`: [v1.53.5](service/appsync/CHANGELOG.md#v1535-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/arcregionswitch`: [v1.6.3](service/arcregionswitch/CHANGELOG.md#v163-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/arczonalshift`: [v1.22.23](service/arczonalshift/CHANGELOG.md#v12223-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/artifact`: [v1.15.5](service/artifact/CHANGELOG.md#v1155-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/athena`: [v1.57.4](service/athena/CHANGELOG.md#v1574-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/auditmanager`: [v1.46.12](service/auditmanager/CHANGELOG.md#v14612-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/autoscaling`: [v1.64.4](service/autoscaling/CHANGELOG.md#v1644-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/autoscalingplans`: [v1.30.14](service/autoscalingplans/CHANGELOG.md#v13014-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/b2bi`: [v1.0.0-preview.100](service/b2bi/CHANGELOG.md#v100-preview100-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backup`: [v1.54.11](service/backup/CHANGELOG.md#v15411-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backupgateway`: [v1.26.3](service/backupgateway/CHANGELOG.md#v1263-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backupsearch`: [v1.6.23](service/backupsearch/CHANGELOG.md#v1623-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/batch`: [v1.63.2](service/batch/CHANGELOG.md#v1632-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/bcmdashboards`: [v1.1.4](service/bcmdashboards/CHANGELOG.md#v114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmdataexports`: [v1.14.0](service/bcmdataexports/CHANGELOG.md#v1140-2026-03-26) - **Feature**: With this release we are providing an option to accounts to have their export delivered to an S3 bucket that is not owned by the account. - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator`: [v1.10.9](service/bcmpricingcalculator/CHANGELOG.md#v1109-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions`: [v1.1.5](service/bcmrecommendedactions/CHANGELOG.md#v115-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrock`: [v1.57.1](service/bedrock/CHANGELOG.md#v1571-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagent`: [v1.52.7](service/bedrockagent/CHANGELOG.md#v1527-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagentcore`: [v1.15.2](service/bedrockagentcore/CHANGELOG.md#v1152-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol`: [v1.25.1](service/bedrockagentcorecontrol/CHANGELOG.md#v1251-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime`: [v1.51.8](service/bedrockagentruntime/CHANGELOG.md#v1518-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation`: [v1.13.5](service/bedrockdataautomation/CHANGELOG.md#v1135-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime`: [v1.10.4](service/bedrockdataautomationruntime/CHANGELOG.md#v1104-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockruntime`: [v1.50.4](service/bedrockruntime/CHANGELOG.md#v1504-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/billing`: [v1.10.4](service/billing/CHANGELOG.md#v1104-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/billingconductor`: [v1.28.5](service/billingconductor/CHANGELOG.md#v1285-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/braket`: [v1.39.8](service/braket/CHANGELOG.md#v1398-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/budgets`: [v1.43.4](service/budgets/CHANGELOG.md#v1434-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chatbot`: [v1.14.21](service/chatbot/CHANGELOG.md#v11421-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chime`: [v1.41.12](service/chime/CHANGELOG.md#v14112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkidentity`: [v1.27.20](service/chimesdkidentity/CHANGELOG.md#v12720-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines`: [v1.26.21](service/chimesdkmediapipelines/CHANGELOG.md#v12621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings`: [v1.33.15](service/chimesdkmeetings/CHANGELOG.md#v13315-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging`: [v1.32.17](service/chimesdkmessaging/CHANGELOG.md#v13217-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkvoice`: [v1.28.13](service/chimesdkvoice/CHANGELOG.md#v12813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cleanrooms`: [v1.42.4](service/cleanrooms/CHANGELOG.md#v1424-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cleanroomsml`: [v1.22.5](service/cleanroomsml/CHANGELOG.md#v1225-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloud9`: [v1.33.20](service/cloud9/CHANGELOG.md#v13320-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudcontrol`: [v1.29.13](service/cloudcontrol/CHANGELOG.md#v12913-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/clouddirectory`: [v1.30.12](service/clouddirectory/CHANGELOG.md#v13012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/cloudformation`: [v1.71.9](service/cloudformation/CHANGELOG.md#v1719-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudfront`: [v1.60.4](service/cloudfront/CHANGELOG.md#v1604-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore`: [v1.12.24](service/cloudfrontkeyvaluestore/CHANGELOG.md#v11224-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudhsm`: [v1.29.21](service/cloudhsm/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudhsmv2`: [v1.34.21](service/cloudhsmv2/CHANGELOG.md#v13421-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudsearch`: [v1.32.12](service/cloudsearch/CHANGELOG.md#v13212-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain`: [v1.28.20](service/cloudsearchdomain/CHANGELOG.md#v12820-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/cloudtrail`: [v1.55.9](service/cloudtrail/CHANGELOG.md#v1559-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudtraildata`: [v1.17.13](service/cloudtraildata/CHANGELOG.md#v11713-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatch`: [v1.55.3](service/cloudwatch/CHANGELOG.md#v1553-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatchevents`: [v1.32.23](service/cloudwatchevents/CHANGELOG.md#v13223-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs`: [v1.65.0](service/cloudwatchlogs/CHANGELOG.md#v1650-2026-03-26) - **Feature**: This release adds parameter support to saved queries in CloudWatch Logs Insights. Define reusable query templates with named placeholders, invoke them using start query. Available in Console, CLI and SDK - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeartifact`: [v1.38.21](service/codeartifact/CHANGELOG.md#v13821-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/codebuild`: [v1.68.13](service/codebuild/CHANGELOG.md#v16813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codecatalyst`: [v1.21.12](service/codecatalyst/CHANGELOG.md#v12112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codecommit`: [v1.33.12](service/codecommit/CHANGELOG.md#v13312-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeconnections`: [v1.10.20](service/codeconnections/CHANGELOG.md#v11020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codedeploy`: [v1.35.13](service/codedeploy/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeguruprofiler`: [v1.29.20](service/codeguruprofiler/CHANGELOG.md#v12920-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codegurureviewer`: [v1.34.20](service/codegurureviewer/CHANGELOG.md#v13420-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/codegurusecurity`: [v1.16.24](service/codegurusecurity/CHANGELOG.md#v11624-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codepipeline`: [v1.46.21](service/codepipeline/CHANGELOG.md#v14621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codestarconnections`: [v1.35.13](service/codestarconnections/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codestarnotifications`: [v1.31.21](service/codestarnotifications/CHANGELOG.md#v13121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitoidentity`: [v1.33.22](service/cognitoidentity/CHANGELOG.md#v13322-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider`: [v1.59.3](service/cognitoidentityprovider/CHANGELOG.md#v1593-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitosync`: [v1.29.12](service/cognitosync/CHANGELOG.md#v12912-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/comprehend`: [v1.40.21](service/comprehend/CHANGELOG.md#v14021-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/comprehendmedical`: [v1.31.21](service/comprehendmedical/CHANGELOG.md#v13121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/computeoptimizer`: [v1.49.8](service/computeoptimizer/CHANGELOG.md#v1498-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation`: [v1.0.8](service/computeoptimizerautomation/CHANGELOG.md#v108-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/configservice`: [v1.62.1](service/configservice/CHANGELOG.md#v1621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connect`: [v1.166.1](service/connect/CHANGELOG.md#v11661-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcampaigns`: [v1.20.20](service/connectcampaigns/CHANGELOG.md#v12020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`: [v1.11.4](service/connectcampaignsv2/CHANGELOG.md#v1114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcases`: [v1.39.1](service/connectcases/CHANGELOG.md#v1391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcontactlens`: [v1.33.13](service/connectcontactlens/CHANGELOG.md#v13313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connecthealth`: [v1.0.3](service/connecthealth/CHANGELOG.md#v103-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectparticipant`: [v1.36.7](service/connectparticipant/CHANGELOG.md#v1367-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/controlcatalog`: [v1.14.9](service/controlcatalog/CHANGELOG.md#v1149-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/controltower`: [v1.28.9](service/controltower/CHANGELOG.md#v1289-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/costandusagereportservice`: [v1.34.13](service/costandusagereportservice/CHANGELOG.md#v13413-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/costexplorer`: [v1.63.6](service/costexplorer/CHANGELOG.md#v1636-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/costoptimizationhub`: [v1.22.8](service/costoptimizationhub/CHANGELOG.md#v1228-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/customerprofiles`: [v1.57.2](service/customerprofiles/CHANGELOG.md#v1572-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/databasemigrationservice`: [v1.61.10](service/databasemigrationservice/CHANGELOG.md#v16110-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/databrew`: [v1.39.14](service/databrew/CHANGELOG.md#v13914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dataexchange`: [v1.40.14](service/dataexchange/CHANGELOG.md#v14014-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/datapipeline`: [v1.30.20](service/datapipeline/CHANGELOG.md#v13020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/datasync`: [v1.58.2](service/datasync/CHANGELOG.md#v1582-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/datazone`: [v1.54.2](service/datazone/CHANGELOG.md#v1542-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dax`: [v1.29.16](service/dax/CHANGELOG.md#v12916-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/deadline`: [v1.26.2](service/deadline/CHANGELOG.md#v1262-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/detective`: [v1.38.13](service/detective/CHANGELOG.md#v13813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/devicefarm`: [v1.38.8](service/devicefarm/CHANGELOG.md#v1388-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/devopsguru`: [v1.40.12](service/devopsguru/CHANGELOG.md#v14012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/directconnect`: [v1.38.15](service/directconnect/CHANGELOG.md#v13815-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/directoryservice`: [v1.38.16](service/directoryservice/CHANGELOG.md#v13816-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/directoryservicedata`: [v1.7.21](service/directoryservicedata/CHANGELOG.md#v1721-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dlm`: [v1.35.16](service/dlm/CHANGELOG.md#v13516-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/docdb`: [v1.48.13](service/docdb/CHANGELOG.md#v14813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/docdbelastic`: [v1.20.13](service/docdbelastic/CHANGELOG.md#v12013-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/drs`: [v1.36.13](service/drs/CHANGELOG.md#v13613-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/dsql`: [v1.12.8](service/dsql/CHANGELOG.md#v1128-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dynamodb`: [v1.57.1](service/dynamodb/CHANGELOG.md#v1571-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dynamodbstreams`: [v1.32.14](service/dynamodbstreams/CHANGELOG.md#v13214-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ebs`: [v1.33.14](service/ebs/CHANGELOG.md#v13314-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.296.1](service/ec2/CHANGELOG.md#v12961-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect`: [v1.32.20](service/ec2instanceconnect/CHANGELOG.md#v13220-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ecr`: [v1.56.2](service/ecr/CHANGELOG.md#v1562-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ecrpublic`: [v1.38.13](service/ecrpublic/CHANGELOG.md#v13813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.74.1](service/ecs/CHANGELOG.md#v1741-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/efs`: [v1.41.14](service/efs/CHANGELOG.md#v14114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/eks`: [v1.81.2](service/eks/CHANGELOG.md#v1812-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/eksauth`: [v1.12.13](service/eksauth/CHANGELOG.md#v11213-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticache`: [v1.51.13](service/elasticache/CHANGELOG.md#v15113-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticbeanstalk`: [v1.34.2](service/elasticbeanstalk/CHANGELOG.md#v1342-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing`: [v1.33.23](service/elasticloadbalancing/CHANGELOG.md#v13323-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2`: [v1.54.10](service/elasticloadbalancingv2/CHANGELOG.md#v15410-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticsearchservice`: [v1.39.2](service/elasticsearchservice/CHANGELOG.md#v1392-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elementalinference`: [v1.0.3](service/elementalinference/CHANGELOG.md#v103-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emr`: [v1.59.0](service/emr/CHANGELOG.md#v1590-2026-03-26) - **Feature**: Add StepExecutionRoleArn to RunJobFlow API - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emrcontainers`: [v1.40.17](service/emrcontainers/CHANGELOG.md#v14017-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emrserverless`: [v1.39.6](service/emrserverless/CHANGELOG.md#v1396-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/entityresolution`: [v1.26.5](service/entityresolution/CHANGELOG.md#v1265-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/eventbridge`: [v1.45.23](service/eventbridge/CHANGELOG.md#v14523-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/evs`: [v1.6.4](service/evs/CHANGELOG.md#v164-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/finspace`: [v1.33.21](service/finspace/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/finspacedata`: [v1.33.21](service/finspacedata/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/firehose`: [v1.42.13](service/firehose/CHANGELOG.md#v14213-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fis`: [v1.37.20](service/fis/CHANGELOG.md#v13720-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fms`: [v1.44.22](service/fms/CHANGELOG.md#v14422-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/forecast`: [v1.41.21](service/forecast/CHANGELOG.md#v14121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/forecastquery`: [v1.29.21](service/forecastquery/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/frauddetector`: [v1.41.12](service/frauddetector/CHANGELOG.md#v14112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/freetier`: [v1.13.14](service/freetier/CHANGELOG.md#v11314-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fsx`: [v1.65.7](service/fsx/CHANGELOG.md#v1657-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/gamelift`: [v1.51.3](service/gamelift/CHANGELOG.md#v1513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/gameliftstreams`: [v1.11.1](service/gameliftstreams/CHANGELOG.md#v1111-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/geomaps`: [v1.9.4](service/geomaps/CHANGELOG.md#v194-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/geoplaces`: [v1.8.5](service/geoplaces/CHANGELOG.md#v185-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/georoutes`: [v1.7.14](service/georoutes/CHANGELOG.md#v1714-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/glacier`: [v1.32.6](service/glacier/CHANGELOG.md#v1326-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/globalaccelerator`: [v1.35.15](service/globalaccelerator/CHANGELOG.md#v13515-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/glue`: [v1.139.1](service/glue/CHANGELOG.md#v11391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/grafana`: [v1.33.4](service/grafana/CHANGELOG.md#v1334-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/greengrass`: [v1.32.21](service/greengrass/CHANGELOG.md#v13221-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/greengrassv2`: [v1.42.12](service/greengrassv2/CHANGELOG.md#v14212-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/groundstation`: [v1.40.4](service/groundstation/CHANGELOG.md#v1404-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/guardduty`: [v1.74.2](service/guardduty/CHANGELOG.md#v1742-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/health`: [v1.37.4](service/health/CHANGELOG.md#v1374-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/healthlake`: [v1.36.13](service/healthlake/CHANGELOG.md#v13613-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iam`: [v1.53.7](service/iam/CHANGELOG.md#v1537-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/identitystore`: [v1.36.5](service/identitystore/CHANGELOG.md#v1365-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/imagebuilder`: [v1.51.4](service/imagebuilder/CHANGELOG.md#v1514-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspector`: [v1.30.20](service/inspector/CHANGELOG.md#v13020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspector2`: [v1.47.4](service/inspector2/CHANGELOG.md#v1474-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspectorscan`: [v1.13.5](service/inspectorscan/CHANGELOG.md#v1135-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/internetmonitor`: [v1.26.14](service/internetmonitor/CHANGELOG.md#v12614-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/invoicing`: [v1.9.8](service/invoicing/CHANGELOG.md#v198-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iot`: [v1.72.5](service/iot/CHANGELOG.md#v1725-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/iotdataplane`: [v1.32.21](service/iotdataplane/CHANGELOG.md#v13221-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotdeviceadvisor`: [v1.36.21](service/iotdeviceadvisor/CHANGELOG.md#v13621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotevents`: [v1.33.13](service/iotevents/CHANGELOG.md#v13313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ioteventsdata`: [v1.30.12](service/ioteventsdata/CHANGELOG.md#v13012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotfleetwise`: [v1.31.20](service/iotfleetwise/CHANGELOG.md#v13120-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotjobsdataplane`: [v1.30.13](service/iotjobsdataplane/CHANGELOG.md#v13013-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotmanagedintegrations`: [v1.8.4](service/iotmanagedintegrations/CHANGELOG.md#v184-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/iotsecuretunneling`: [v1.33.21](service/iotsecuretunneling/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotsitewise`: [v1.52.19](service/iotsitewise/CHANGELOG.md#v15219-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotthingsgraph`: [v1.30.21](service/iotthingsgraph/CHANGELOG.md#v13021-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iottwinmaker`: [v1.29.21](service/iottwinmaker/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotwireless`: [v1.54.9](service/iotwireless/CHANGELOG.md#v1549-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ivs`: [v1.48.14](service/ivs/CHANGELOG.md#v14814-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ivschat </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. 
--- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
…watchlogs to v1.65.0 [SECURITY] (grafana#6005) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.63.2` → `v1.65.0` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](..grafana/issues/4569) for more information. ### GitHub Vulnerability Alerts #### [GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2) **CVSSv3.1 Rating**: [Medium] **CVSSv3.1 Score**: [5.9] **CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H] ## Summary and Impact An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate. Impacted versions: < [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) ## Patches This issue has been addressed in versions [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. ## Workarounds Not Applicable ## References If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
--- ### Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder [GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/advisories/GHSA-xmrv-pmrh-hhx2) <details> <summary>More information</summary>
#### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2) - [https://github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) - [https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xmrv-pmrh-hhx2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs)</summary> ### [`v1.65.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-01-07) #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/workspaces`: [v1.65.0](service/workspaces/CHANGELOG.md#v1650-2026-01-07) - **Feature**: Add StateMessage and ProgressPercentage fields to DescribeCustomWorkspaceImageImport API response. 
### [`v1.64.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2024-10-02) #### General Highlights - **Dependency Update**: Updated to the latest SDK module versions #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/appstream`: [v1.40.0](service/appstream/CHANGELOG.md#v1400-2024-10-02) - **Feature**: Added support for Automatic Time Zone Redirection on Amazon AppStream 2.0 - `github.com/aws/aws-sdk-go-v2/service/b2bi`: [v1.0.0-preview.44](service/b2bi/CHANGELOG.md#v100-preview44-2024-10-02) - **Feature**: Added and updated APIs to support outbound EDI transformations - `github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime`: [v1.21.0](service/bedrockagentruntime/CHANGELOG.md#v1210-2024-10-02) - **Feature**: Added raw model response and usage metrics to PreProcessing and PostProcessing Trace - `github.com/aws/aws-sdk-go-v2/service/bedrockruntime`: [v1.18.0](service/bedrockruntime/CHANGELOG.md#v1180-2024-10-02) - **Feature**: Added new fields to Amazon Bedrock Guardrails trace - `github.com/aws/aws-sdk-go-v2/service/iotdeviceadvisor`: [v1.30.0](service/iotdeviceadvisor/CHANGELOG.md#v1300-2024-10-02) - **Feature**: Add clientToken attribute and implement idempotency for CreateSuiteDefinition. - `github.com/aws/aws-sdk-go-v2/service/ivsrealtime`: [v1.19.0](service/ivsrealtime/CHANGELOG.md#v1190-2024-10-02) - **Feature**: Adds new Stage Health EventErrorCodes applicable to RTMP(S) broadcasts. Bug Fix: Enforces that EncoderConfiguration Video height and width must be even-number values. - `github.com/aws/aws-sdk-go-v2/service/s3`: [v1.64.0](service/s3/CHANGELOG.md#v1640-2024-10-02) - **Feature**: This release introduces a header representing the minimum object size limit for Lifecycle transitions. 
- `github.com/aws/aws-sdk-go-v2/service/sagemaker`: [v1.162.0](service/sagemaker/CHANGELOG.md#v11620-2024-10-02) - **Feature**: releasing builtinlcc to public - `github.com/aws/aws-sdk-go-v2/service/workspaces`: [v1.47.4](service/workspaces/CHANGELOG.md#v1474-2024-10-02) - **Documentation**: WSP is being rebranded to become DCV. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
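The failure class in the GHSA-xmrv-pmrh-hhx2 advisory above (a header value type byte outside the valid range) is shown here as an added Go example; it is not the AWS SDK's code or its patch. It assumes the published EventStream header layout (1-byte name length, name, 1-byte value type 0 to 9, value); `DecodeHeaders`, `Header`, `ErrMalformed` and the sample bytes are hypothetical names and constructed data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrMalformed marks any header block that cannot be decoded safely.
var ErrMalformed = errors.New("eventstream: malformed header block")

// valueSize is indexed by the header value type byte (0..9): bool true,
// bool false, byte, int16, int32, int64, byte array, string, timestamp, UUID.
// -1 marks the two types that carry a 2-byte big-endian length prefix.
var valueSize = [...]int{0, 0, 1, 2, 4, 8, -1, -1, 8, 16}

// Header is one decoded name/value pair; Value holds the raw value bytes.
type Header struct {
	Name  string
	Type  byte
	Value []byte
}

// DecodeHeaders walks a header block and returns an error, never a panic,
// for input an untrusted peer could have shaped.
func DecodeHeaders(b []byte) ([]Header, error) {
	var out []Header
	for len(b) > 0 {
		nameLen := int(b[0])
		b = b[1:]
		if nameLen == 0 || len(b) < nameLen+1 {
			return nil, fmt.Errorf("%w: truncated header name", ErrMalformed)
		}
		name, typ := string(b[:nameLen]), b[nameLen]
		b = b[nameLen+1:]

		// A type byte outside 0..9 is rejected before it is used as an
		// index; indexing valueSize with it unchecked would panic.
		if int(typ) >= len(valueSize) {
			return nil, fmt.Errorf("%w: header %q has value type %d", ErrMalformed, name, typ)
		}
		n := valueSize[typ]
		if n < 0 {
			if len(b) < 2 {
				return nil, fmt.Errorf("%w: truncated length of %q", ErrMalformed, name)
			}
			n = int(binary.BigEndian.Uint16(b))
			b = b[2:]
		}
		if len(b) < n {
			return nil, fmt.Errorf("%w: truncated value of %q", ErrMalformed, name)
		}
		out = append(out, Header{Name: name, Type: typ, Value: b[:n]})
		b = b[n:]
	}
	return out, nil
}

// SampleHeaders builds a constructed one-header block, ":event-type" = "chunk",
// using the given value type byte (7 is the string type).
func SampleHeaders(valueType byte) []byte {
	name := ":event-type"
	b := []byte{byte(len(name))}
	b = append(b, name...)
	b = append(b, valueType, 0x00, 0x05)
	return append(b, "chunk"...)
}

func main() {
	for _, typ := range []byte{7, 10, 0xff} {
		hs, err := DecodeHeaders(SampleHeaders(typ))
		fmt.Printf("type=%d headers=%v err=%v\n", typ, hs, err)
	}
}
```

A fuzz target that feeds arbitrary bytes to a decoder like this and only checks that it returns is a cheap regression test for the same class of bug.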
…omponent error handling (grafana#5540) ### Brief description of Pull Request This change moves the metrics registration to the end of the pyroscope.ebpf component construction. This allows for errors to occur during construction without leaving unused metrics registered. ### Pull Request Details This is a fix for grafana#5156. I've written up the specifics of the issue here: grafana#5156 (comment) In short, during the construction of the pyroscope.ebpf component, metrics get registered for Prometheus. If the construction process fails, those metrics remain registered. Since components may be re-evaluated asynchronously, this would lead to a secondary "duplicate registration" error occasionally printed, distracting from the actual error. ### Issue(s) fixed by this Pull Request Fixes grafana#5156 ### Notes to the Reviewer I went with the lowest impact change I could think of, as the issue itself is fairly minor. Since `ms` wasn't referenced before the final return, moving it (and `newMetrics(reg)`) lower meant no failures could occur after metrics were registered. I've also verified the new test fails without the change. ### PR Checklist - [x] Tests updated Co-authored-by: Marc Sanmiquel <marcsanmiquel@gmail.com>
…privilege Kubernetes deployments (grafana#6002) ## Summary - Updates the opening note to mention that `privileged: true` is the simplest Kubernetes option, with least-privilege capabilities as an alternative - Adds a new "Required privileges" section listing the specific Linux capabilities (`BPF`, `PERFMON`, `SYS_PTRACE`, `CHECKPOINT_RESTORE`, `SYS_RESOURCE`, `DAC_READ_SEARCH`, `SYSLOG`) with brief descriptions - Documents the required host volume mounts (`/sys/kernel/debug` for debugfs and `/sys/kernel/tracing` for tracefs on kernel 5.6+) Based on simonswine/pyroscope@c3f5a82 ## Test plan - [ ] Docs render correctly (table formatting, links to `#required-privileges` anchor)
### Pull Request Details Add Docker integration test for `loki.source.docker`. This test also includes a simple `loki.relabel` and `loki.process` stages. ### Issue(s) fixed by this Pull Request Part of: grafana#4953 ### Notes to the Reviewer This also extends the Docker integration-test so each test can start additional containers, build their images, and mount the Docker socket into the Alloy container. ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated
…ana#6007) ### Pull Request Details Expand loki.process pipeline tests with different kinds of setups. I also changed it so that the test forwards to two receivers and verifies them both. For tests that include e.g. `stage.multiline` and `stage.match` we cannot guarantee the order of entries so we need to perform unordered checks. ### Issue(s) fixed by this Pull Request Part of: grafana#4953 ### Notes to the Reviewer I merged these two tests into the bigger pipeline test - TestStaticLabelsLabelAllowLabelDrop - TestRegexTimestampOutput ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated --------- Co-authored-by: Piotr <17101802+thampiotr@users.noreply.github.com>
First PR to update Go with bug and security fixes: * CVE-2026-32282 * CVE-2026-32289 * CVE-2026-33810 * CVE-2026-27144 * CVE-2026-27143 * CVE-2026-32288 * CVE-2026-32283 * CVE-2026-27140 Signed-off-by: x1unix <9203548+x1unix@users.noreply.github.com>
…rafana#5472) ### Brief description of Pull Request As suggested [in the previous PR](grafana#5433 (comment)), this PR adds support for any `asprof` arguments. ### Pull Request Details Configuration example ``` profiling_config { interval = "15s" cpu = false event = "itimer" sample_rate = 200 alloc = "512k" lock = "1ms" extra_arguments = [ "--live", "--wall", "10ms", "--nativemem", "512k", "--jfrsync", "profile", "-j", "100", "-F", "stats,vtable,comptask", "--clock", "monotonic", "--cstack", "dwarf", ] } ``` ### Notes to the Reviewer - I've had doubts about how to handle the cpu property and its relationship with event. Right now it simply overwrites the event that the user has set to have the same meaning, but I'm not sure if it's the best approach. - I've also added a note (that I had forgotten in the first PR) explaining why the `perthread` flag doesn't apply when exporting to JFR. ### PR Checklist - [x] Documentation added - [ ] Tests updated - [ ] Config converters updated
### Pull Request Details Add an integration test for `loki.source.kafka` that publishes messages to multiple Kafka topics and verifies that Alloy forwards them to Loki with the expected topic labels. ### Issue(s) fixed by this Pull Request ### Notes to the Reviewer ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated
…afana#6021) ### Pull Request Details Close previous postgres exporter on update so replaced exporter instances do not keep stale database pools alive. When a config update is triggered for exporters we create a [new exporter](https://github.com/grafana/alloy/blob/d2ae8b82e5d751a9c6a6055af01aed0ea2339b2a/internal/component/prometheus/exporter/exporter.go#L88) and trigger reload which will [cancel the context passed to the previous exporter](https://github.com/grafana/alloy/blob/d2ae8b82e5d751a9c6a6055af01aed0ea2339b2a/internal/component/prometheus/exporter/exporter.go#L63). The problem here is that postgres exporter was using the default run function for exporter, i.e. do nothing when context is canceled. So we need to pass a custom run that will close all open connections. ### Issue(s) fixed by this Pull Request ### Notes to the Reviewer ### PR Checklist - [ ] Documentation added - [ ] Tests updated - [ ] Config converters updated
Follow-up PR to update Go with bug and security fixes: * CVE-2026-32282 * CVE-2026-32289 * CVE-2026-33810 * CVE-2026-27144 * CVE-2026-27143 * CVE-2026-32288 * CVE-2026-32283 * CVE-2026-27140 See: grafana#6012 --------- Signed-off-by: x1unix <9203548+x1unix@users.noreply.github.com> Co-authored-by: Kalle <23356117+kalleep@users.noreply.github.com>
…afana#4614) #### PR Description This adds the ability to fetch sourcemaps from remote locations over HTTP to the `faro.receiver`. Allowing `sourcemaps > location` blocks to point to an HTTP URL as the path, e.g., `path = "https://foo.com/blob/sourcemaps/"`. The motivation behind this feature is to support the use case where your frontend is served by an external CDN and Alloy is running on internal infrastructure, where external resources are not readily accessible, and managing and attaching volumes to the Alloy container is complex or undesired. This feature allows you to host your sourcemaps internally, e.g., on a blob storage service. It also fits the use case where you don't want to expose sourcemaps to customers but still want to be able to fetch them internally for `faro.receiver`'s stack-trace transformations. If multiple location blocks are defined, blocks pointing to on-disk paths will be checked first before attempting to fetch the sourcemaps over HTTP. #### Which issue(s) this PR fixes None. #### Notes to the Reviewer None. #### PR Checklist - [X] CHANGELOG.md updated - [X] Documentation added - [X] Tests updated
…rafana#5875) ### Brief description of Pull Request Add support for specifying GCP metadata `connection_name`. ### Pull Request Details ### Issue(s) fixed by this Pull Request ### Notes to the Reviewer ### PR Checklist - [ ] Documentation added - [ ] Tests updated - [ ] Config converters updated --------- Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
…a#6022) The debuginfo upload client was missing a `WithUserAgent` option, unlike the push client which already sets it. This makes server-side request attribution and debugging easier. One-line change: pass `WithUserAgent(userAgent)` to `debuginfov1alpha1connect.NewDebuginfoServiceClient`, matching how the push client is constructed on the next line. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Reviewed-By: Claude Opus 4.6 (1M context) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
### Brief description of Pull Request The `loki.source.api` component starts both HTTP and gRPC servers via the shared `ServerConfig`, but only the HTTP block was documented. This adds the missing `grpc` block documentation by including the existing shared `loki-server-grpc.md` reference, matching the pattern used by `loki.source.heroku` and `loki.source.gcplog`. Also fixes a copy-paste error in the shared gRPC docs where `conn_limit` was described as limiting "HTTP connections" instead of "gRPC connections". ### Pull Request Details The undocumented gRPC listener has caused confusion for users whose security teams flagged unexpected network bindings (see issue comments). Changes: - Updated intro to mention gRPC alongside HTTP - Added `grpc` and `grpc > tls` to the Blocks table - Added `### grpc` section using the existing shared include - Updated `### tls` description to cover both HTTP and gRPC - Fixed `conn_limit` description in `loki-server-grpc.md` (HTTP → gRPC) ### Issue(s) fixed by this Pull Request Fixes grafana#2889 ### Notes to the Reviewer The shared gRPC docs file (`loki-server-grpc.md`) already existed and is used by `loki.source.heroku` and `loki.source.gcplog`. This PR wires it into `loki.source.api` using the same pattern. ### PR Checklist - [x] Documentation added Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
### Pull Request Details Start moving to use `slog.Logger` instead of `go-kit/log`. This will only change usage in runtime and I will follow up with PR(s) to migrate component usage. Eventually we can get rid of some wrappers and clean it up a bit. ### Issue(s) fixed by this Pull Request Part of: grafana#4813 ### Notes to the Reviewer ### PR Checklist - [ ] Documentation added - [x] Tests updated - [ ] Config converters updated
…#5996) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`7.3.1` → `7.3.2`](https://renovatebot.com/diffs/npm/vite/7.3.1/7.3.2) |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](..grafana/issues/4569) for more information. ### GitHub Vulnerability Alerts #### [CVE-2026-39364](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r) ### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow) - the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) ### Details On the Vite dev server, files that should be blocked by `server.fs.deny` (e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` are appended. ### PoC 1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort` 2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i http://127.0.0.1:5175/src/.env | head -n 20` <img width="3944" height="1092" alt="image" src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f" /> 3. 
Confirm that the same files can be retrieved with query parameters (expect 200): <img width="2014" height="373" alt="image" src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8" /> #### [CVE-2026-39365](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9) ### Summary Any files ending with `.map` even outside the project can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - have sensitive content in files ending with `.map` and the path is predictable ### Details In Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON. ### PoC 1. Create a minimal PoC sourcemap outside the project root ```bash cat > /tmp/poc.map <<'EOF' {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""} EOF ``` 2. Start the Vite dev server (example) ```bash pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080 ``` 3. Confirm that direct `/@​fs` access is blocked by `strict` (returns 403) <img width="4004" height="1038" alt="image" src="https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab" /> 4.
Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map` <img width="2790" height="846" alt="image" src="https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2" /> #### [CVE-2026-39363](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583) ### Summary [`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced to the `fetchModule` method that is exposed in Vite dev server's WebSocket. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - WebSocket is not disabled by `server.ws: false` Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed. ### Details If it is possible to connect to the Vite dev server’s WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., `export default "..."`). The access control enforced in the HTTP request path (such as `server.fs.allow`) is not applied to this WebSocket-based execution path. ### PoC 1. Start the dev server on the target Example (used during validation with this repository): ```bash pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173 ``` 2. Confirm that access is blocked via the HTTP path (example: arbitrary file) ```bash curl -i 'http://localhost:5173/@​fs/etc/passwd?raw' ``` Result: `403 Restricted` (outside the allow list) <img width="3898" height="1014" alt="image" src="https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af" /> 3. 
Confirm that the same file can be retrieved via the WebSocket path By connecting to the HMR WebSocket without an `Origin` header and sending a `vite:invoke` request that calls `fetchModule` with a `file://...` URL and `?raw`, the file contents are returned as a JavaScript module. <img width="1049" height="296" alt="image" src="https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972" /> <img width="1382" height="955" alt="image" src="https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7" /> --- ### Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling [CVE-2026-39365](https://nvd.nist.gov/vuln/detail/CVE-2026-39365) / [GHSA-4w7w-66w2-5vf9](https://redirect.github.com/advisories/GHSA-4w7w-66w2-5vf9) <details> <summary>More information</summary>
#### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9) - [https://nvd.nist.gov/vuln/detail/CVE-2026-39365](https://nvd.nist.gov/vuln/detail/CVE-2026-39365) - [https://github.com/vitejs/vite/pull/22161](https://redirect.github.com/vitejs/vite/pull/22161) - [https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694](https://redirect.github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694) - [https://github.com/vitejs/vite](https://redirect.github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v6.4.2](https://redirect.github.com/vitejs/vite/releases/tag/v6.4.2) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://redirect.github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://redirect.github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4w7w-66w2-5vf9) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details> --- ### Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket [CVE-2026-39363](https://nvd.nist.gov/vuln/detail/CVE-2026-39363) / [GHSA-p9ff-h696-f583](https://redirect.github.com/advisories/GHSA-p9ff-h696-f583) <details> <summary>More information</summary>
#### Severity - CVSS Score: 8.2 / 10 (High) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583) - [https://nvd.nist.gov/vuln/detail/CVE-2026-39363](https://nvd.nist.gov/vuln/detail/CVE-2026-39363) - [https://github.com/vitejs/vite/pull/22159](https://redirect.github.com/vitejs/vite/pull/22159) - [https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0](https://redirect.github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0) - [https://github.com/vitejs/vite](https://redirect.github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v6.4.2](https://redirect.github.com/vitejs/vite/releases/tag/v6.4.2) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://redirect.github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://redirect.github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-p9ff-h696-f583) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details> --- ### Vite: `server.fs.deny` bypassed with queries [CVE-2026-39364](https://nvd.nist.gov/vuln/detail/CVE-2026-39364) / [GHSA-v2wj-q39q-566r](https://redirect.github.com/advisories/GHSA-v2wj-q39q-566r) <details> <summary>More information</summary>
#### Severity - CVSS Score: 8.2 / 10 (High) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r) - [https://nvd.nist.gov/vuln/detail/CVE-2026-39364](https://nvd.nist.gov/vuln/detail/CVE-2026-39364) - [https://github.com/vitejs/vite/pull/22160](https://redirect.github.com/vitejs/vite/pull/22160) - [https://github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff](https://redirect.github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff) - [https://github.com/vitejs/vite](https://redirect.github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://redirect.github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://redirect.github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v2wj-q39q-566r) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v7.3.2`](https://redirect.github.com/vitejs/vite/releases/tag/v7.3.2) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v7.3.1...v7.3.2) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled.
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
…URITY] (grafana#6018)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [go.opentelemetry.io/otel/sdk](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..grafana/issues/4569) for more information.

### GitHub Vulnerability Alerts

#### [CVE-2026-39883](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx)

## Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

## Root Cause

`sdk/resource/host_id.go` line 42:

```go
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
```

Compare with the fixed Darwin path at line 58:

```go
result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
```

The `execCommand` helper at `sdk/resource/host_id_exec.go` uses `exec.Command(name, arg...)` which searches `$PATH` when the command name contains no path separator.

Affected platforms (per build tag in `host_id_bsd.go:4`): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The `kenv` path is reached when `/etc/hostid` does not exist (line 38-40), which is common on FreeBSD systems.

## Attack

1. Attacker has local access to a system running a Go application that imports `go.opentelemetry.io/otel/sdk`
2. Attacker places a malicious `kenv` binary earlier in `$PATH`
3. Application initializes OpenTelemetry resource detection at startup
4. `hostIDReaderBSD.read()` calls `exec.Command("kenv", ...)` which resolves to the malicious binary
5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

## Suggested Fix

Use the absolute path:

```go
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
```

On FreeBSD, `kenv` is located at `/bin/kenv`.

---

### opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

[CVE-2026-39883](https://nvd.nist.gov/vuln/detail/CVE-2026-39883) / [GHSA-hfvc-g4fc-pqhx](https://redirect.github.com/advisories/GHSA-hfvc-g4fc-pqhx)

<details>
<summary>More information</summary>

#### Severity

- CVSS Score: 7.3 / 10 (High)
- Vector String: `CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

#### References

- [https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-39883](https://nvd.nist.gov/vuln/detail/CVE-2026-39883)
- [https://github.com/open-telemetry/opentelemetry-go](https://redirect.github.com/open-telemetry/opentelemetry-go)
- [http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0](http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-hfvc-g4fc-pqhx) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)</summary>

### [`v1.43.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0): /v0.65.0/v0.19.0

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0)

##### Added

- Add `IsRandom` and `WithRandom` on `TraceFlags`, and `IsRandom` on `SpanContext` in `go.opentelemetry.io/otel/trace` for [W3C Trace Context Level 2 Random Trace ID Flag](https://www.w3.org/TR/trace-context-2/#random-trace-id-flag) support. ([#​8012](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012))
- Add service detection with `WithService` in `go.opentelemetry.io/otel/sdk/resource`.
([#​7642](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642)) - Add `DefaultWithContext` and `EnvironmentWithContext` in `go.opentelemetry.io/otel/sdk/resource` to support plumbing `context.Context` through default and environment detectors. ([#​8051](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Add support for per-series start time tracking for cumulative metrics in `go.opentelemetry.io/otel/sdk/metric`. Set `OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true` to enable. 
([#​8060](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060)) - Add `WithCardinalityLimitSelector` for metric reader for configuring cardinality limits specific to the instrument kind. ([#​7855](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855)) ##### Changed - Introduce the `EMPTY` Type in `go.opentelemetry.io/otel/attribute` to reflect that an empty value is now a valid value, with `INVALID` remaining as a deprecated alias of `EMPTY`. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Refactor slice handling in `go.opentelemetry.io/otel/attribute` to optimize short slice values with fixed-size fast paths. ([#​8039](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039)) - Improve performance of span metric recording in `go.opentelemetry.io/otel/sdk/trace` by returning early if self-observability is not enabled. ([#​8067](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067)) - Improve formatting of metric data diffs in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#​8073](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073)) ##### Deprecated - Deprecate `INVALID` in `go.opentelemetry.io/otel/attribute`. Use `EMPTY` instead. ([#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) ##### Fixed - Return spec-compliant `TraceIdRatioBased` description. This is a breaking behavioral change, but it is necessary to make the implementation [spec-compliant](https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased). ([#​8027](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027)) - Fix a race condition in `go.opentelemetry.io/otel/sdk/metric` where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. 
([#​8056](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#​8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#​8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#​8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to use full path for `kenv` command on BSD. ([#​8113](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113)) - Fix missing `request.GetBody` in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to correctly handle HTTP2 GOAWAY frame. 
([#​8096](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096)) ##### What's Changed - chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8014](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8014) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`190d7d4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/190d7d4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8013](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8013) - chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8016](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8016) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8011](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8011) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8023](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8023) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8020](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8020) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8017](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8017) - chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8019](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8019) - Add doc on how to upgrade to new semconv by [@​jmmcorreia](https://redirect.github.com/jmmcorreia) in 
[#​7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8028](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8028) - resource: add WithService detector option by [@​codeboten](https://redirect.github.com/codeboten) in [#​7642](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7642) - fix(deps): update googleapis to [`a57be14`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a57be14) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8031](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8031) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8032](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8032) - chore(deps): update module github.com/prometheus/procfs to v0.20.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8034](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8034) - chore(deps): update github.com/securego/gosec/v2 digest to [`8895462`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8895462) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8036](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8036) - chore(deps): update module github.com/sonatard/noctx to v0.5.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8040](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8040) - chore(deps): update github.com/securego/gosec/v2 digest to [`6e66a94`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6e66a94) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8043](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8043) - docs(otlp): document HTTP/protobuf 
insecure env vars by [@​marcschaeferger](https://redirect.github.com/marcschaeferger) in [#​8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - Rebuild semconvkit and verifyreadmes on changes by [@​MrAlias](https://redirect.github.com/MrAlias) in [#​7995](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7995) - chore(sdk/trace): join errors properly by [@​ash2k](https://redirect.github.com/ash2k) in [#​8030](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8030) - fix(deps): update googleapis to [`84a4fc4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/84a4fc4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8048](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8048) - attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by [@​pellared](https://redirect.github.com/pellared) in [#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8038) - fix(sdk/trace): return spec-compliant TraceIdRatioBased description by [@​ash2k](https://redirect.github.com/ash2k) in [#​8027](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8027) - linting: add depguard rule to enforce semconv version by [@​ajuijas](https://redirect.github.com/ajuijas) in [#​8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - chore(deps): update actions/download-artifact action to v8.0.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8046](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8046) - chore(deps): update github.com/securego/gosec/v2 digest to [`b7b2c7b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b7b2c7b) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8044](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8044) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#​8045](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8045) - Optimize attribute slice conversion by [@​MrAlias](https://redirect.github.com/MrAlias) in [#​8039](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8039) - Add benchmarks for end-to-end metrics SDK usage by [@​dashpole](https://redirect.github.com/dashpole) in [#​7768](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7768) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8052](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8052) - chore(deps): update github.com/securego/gosec/v2 digest to [`befce8d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/befce8d) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8053](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8053) - trace: add Random Trace ID Flag by [@​yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) in [#​8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - Improve aggregation concurrent safe tests by [@​dashpole](https://redirect.github.com/dashpole) in [#​8021](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8021) - Add tests for exponential histogram concurrent-safety edge-cases by [@​dashpole](https://redirect.github.com/dashpole) in [#​8024](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8024) - exphist: replace min, max, sum, and count with atomics by [@​dashpole](https://redirect.github.com/dashpole) in [#​8025](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8025) - chore(deps): update github.com/securego/gosec/v2 digest to [`c2dfcec`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c2dfcec) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8055](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8055) - chore(deps): update otel/weaver 
docker tag to v0.22.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8058](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8058) - chore(deps): update github.com/securego/gosec/v2 digest to [`dec52c4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/dec52c4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8063](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8063) - chore(deps): update otel/weaver docker tag to v0.22.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8061](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8061) - chore(deps): update github/codeql-action action to v4.33.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8065](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8065) - Fix race in the lastvalue aggregation where 0 could be observed by [@​dashpole](https://redirect.github.com/dashpole) in [#​8056](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8056) - chore(deps): update github.com/securego/gosec/v2 digest to [`744bfb5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/744bfb5) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8064](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8064) - Migrate to new bare metal runner (Ubuntu 24) by [@​trask](https://redirect.github.com/trask) in [#​8068](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8068) - sdk/resource: add WithContext variants for Default and Environment ([#​7808](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7808)) by [@​ajuijas](https://redirect.github.com/ajuijas) in [#​8051](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8051) - Use atomics for exponential histogram buckets by [@​dashpole](https://redirect.github.com/dashpole) in 
[#​8057](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8057) - Added the `internal/observ` package to stdoutlog by [@​yumosx](https://redirect.github.com/yumosx) in [#​7735](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7735) - Add support for the development per-series starttime feature by [@​dashpole](https://redirect.github.com/dashpole) in [#​8060](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8060) - sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by [@​kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) in [#​8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - Cleanup exemplar featuregate readme by [@​dashpole](https://redirect.github.com/dashpole) in [#​8072](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8072) - chore(deps): update codecov/codecov-action action to v5.5.3 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8080](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8080) - chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8083](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8083) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`de6f1cc`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/de6f1cc) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8082](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8082) - chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8085](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8085) - chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#​8084](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8084) - chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8081](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8081) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8086](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8086) - chore(deps): update actions/cache action to v5.0.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8079](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8079) - chore(deps): update module github.com/fatih/color to v1.19.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8087](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8087) - fix(deps): update googleapis to [`d00831a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d00831a) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8078](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8078) - chore(deps): update golang.org/x/telemetry digest to [`b6b0c46`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b6b0c46) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8076](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8076) - fix(deps): update module google.golang.org/grpc to v1.79.3 \[security] by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8075](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8075) - sdk/metric: Support specifying cardinality limits per instrument kinds by [@​petern48](https://redirect.github.com/petern48) in [#​7855](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7855) - chore(deps): update github/codeql-action action to v4.34.0 by 
[@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8088](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8088) - chore(deps): update codspeedhq/action action to v4.12.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8089](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8089) - chore(deps): update github/codeql-action action to v4.34.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8090](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8090) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8092](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8092) - chore: fix noctx issues by [@​mmorel-35](https://redirect.github.com/mmorel-35) in [#​8008](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8008) - chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8095](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8095) - chore(deps): update codecov/codecov-action action to v5.5.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8097](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8097) - chore(deps): update codecov/codecov-action action to v6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8098](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8098) - chore(deps): update module github.com/tetafro/godot to v1.5.6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8099](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8099) - chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8100](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8100) - chore(deps): update 
github/codeql-action action to v4.35.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8101](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8101) - chore(deps): update actions/setup-go action to v6.4.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8107](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8107) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8106](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8106) - chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8103](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8103) - chore(deps): update github/codeql-action action to v4.35.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8102](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8102) - chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8109](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8109) - metricdatatest: Improve printing of diffs by [@​dashpole](https://redirect.github.com/dashpole) in [#​8073](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8073) - fix(deps): update googleapis to [`d5a96ad`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d5a96ad) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8112](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8112) - chore(deps): update codspeedhq/action action to v4.13.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8114](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8114) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by 
[@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8119](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8119) - chore(deps): update fossas/fossa-action action to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8118](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8118) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8115](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8115) - fix(deps): update googleapis to [`9d38bb4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9d38bb4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8117](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8117) - fix: support getBody in otelploghttp by [@​Tpuljak](https://redirect.github.com/Tpuljak) in [#​8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) - fix(deps): update module google.golang.org/grpc to v1.80.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8121](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8121) - Use an absolute path when calling bsd kenv by [@​dmathieu](https://redirect.github.com/dmathieu) in [#​8113](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8113) - limit response body size for OTLP HTTP exporters by [@​pellared](https://redirect.github.com/pellared) in [#​8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108) - chore(deps): update github.com/golangci/dupl digest to [`c99c5cf`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c99c5cf) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8122](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8122) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#​8131](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8131) - Release v1.43.0 / v0.65.0 / v0.19.0 by [@​dmathieu](https://redirect.github.com/dmathieu) in [#​8128](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8128) ##### New Contributors - [@​jmmcorreia](https://redirect.github.com/jmmcorreia) made their first contribution in [#​7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - [@​marcschaeferger](https://redirect.github.com/marcschaeferger) made their first contribution in [#​8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - [@​ajuijas](https://redirect.github.com/ajuijas) made their first contribution in [#​8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - [@​yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) made their first contribution in [#​8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - [@​kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) made their first contribution in [#​8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - [@​Tpuljak](https://redirect.github.com/Tpuljak) made their first contribution in [#​8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) **Full Changelog**: <open-telemetry/opentelemetry-go@v1.42.0...v1.43.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled.
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
…a to v1.88.5 [SECURITY] (grafana#6006)

> ℹ️ **Note**
>
> This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/aws/aws-sdk-go-v2/service/lambda](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.87.1` → `v1.88.5` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/4569) for more information.

### GitHub Vulnerability Alerts

#### [GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2)

**CVSSv3.1 Rating**: [Medium]

**CVSSv3.1 Score**: [5.9]

**CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

## Summary and Impact

An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.

Impacted versions: < [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23)

## Patches

This issue has been addressed in versions [2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

## Workarounds

Not Applicable

## References

If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
---

### Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder

[GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/advisories/GHSA-xmrv-pmrh-hhx2)

<details>
<summary>More information</summary>

#### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2](https://redirect.github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2) - [https://github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) - [https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23](https://redirect.github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xmrv-pmrh-hhx2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/lambda)</summary> ### [`v1.88.5`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-03-26) #### General Highlights - **Dependency Update**: Updated to the latest SDK module versions #### Module Highlights - `github.com/aws/aws-sdk-go-v2`: v1.41.5 - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/accessanalyzer`: [v1.45.12](service/accessanalyzer/CHANGELOG.md#v14512-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/account`: [v1.30.5](service/account/CHANGELOG.md#v1305-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/acm`: [v1.37.23](service/acm/CHANGELOG.md#v13723-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/acmpca`: [v1.46.12](service/acmpca/CHANGELOG.md#v14612-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/aiops`: [v1.6.21](service/aiops/CHANGELOG.md#v1621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amp`: [v1.42.9](service/amp/CHANGELOG.md#v1429-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplify`: [v1.38.14](service/amplify/CHANGELOG.md#v13814-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplifybackend`: [v1.32.20](service/amplifybackend/CHANGELOG.md#v13220-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder`: [v1.28.20](service/amplifyuibuilder/CHANGELOG.md#v12820-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apigateway`: [v1.39.1](service/apigateway/CHANGELOG.md#v1391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi`: [v1.29.14](service/apigatewaymanagementapi/CHANGELOG.md#v12914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apigatewayv2`: [v1.34.1](service/apigatewayv2/CHANGELOG.md#v1341-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appconfig`: [v1.43.13](service/appconfig/CHANGELOG.md#v14313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appconfigdata`: [v1.23.22](service/appconfigdata/CHANGELOG.md#v12322-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appfabric`: [v1.16.21](service/appfabric/CHANGELOG.md#v11621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appflow`: [v1.51.12](service/appflow/CHANGELOG.md#v15112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appintegrations`: [v1.37.7](service/appintegrations/CHANGELOG.md#v1377-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/applicationautoscaling`: [v1.41.14](service/applicationautoscaling/CHANGELOG.md#v14114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler`: [v1.27.12](service/applicationcostprofiler/CHANGELOG.md#v12712-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice`: [v1.35.13](service/applicationdiscoveryservice/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationinsights`: [v1.34.20](service/applicationinsights/CHANGELOG.md#v13420-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/applicationsignals`: [v1.19.1](service/applicationsignals/CHANGELOG.md#v1191-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appmesh`: [v1.35.12](service/appmesh/CHANGELOG.md#v13512-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/apprunner`: [v1.39.14](service/apprunner/CHANGELOG.md#v13914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/appstream`: [v1.54.4](service/appstream/CHANGELOG.md#v1544-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/appsync`: [v1.53.5](service/appsync/CHANGELOG.md#v1535-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/arcregionswitch`: [v1.6.3](service/arcregionswitch/CHANGELOG.md#v163-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/arczonalshift`: [v1.22.23](service/arczonalshift/CHANGELOG.md#v12223-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/artifact`: [v1.15.5](service/artifact/CHANGELOG.md#v1155-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/athena`: [v1.57.4](service/athena/CHANGELOG.md#v1574-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/auditmanager`: [v1.46.12](service/auditmanager/CHANGELOG.md#v14612-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/autoscaling`: [v1.64.4](service/autoscaling/CHANGELOG.md#v1644-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/autoscalingplans`: [v1.30.14](service/autoscalingplans/CHANGELOG.md#v13014-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/b2bi`: [v1.0.0-preview.100](service/b2bi/CHANGELOG.md#v100-preview100-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backup`: [v1.54.11](service/backup/CHANGELOG.md#v15411-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backupgateway`: [v1.26.3](service/backupgateway/CHANGELOG.md#v1263-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/backupsearch`: [v1.6.23](service/backupsearch/CHANGELOG.md#v1623-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/batch`: [v1.63.2](service/batch/CHANGELOG.md#v1632-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/bcmdashboards`: [v1.1.4](service/bcmdashboards/CHANGELOG.md#v114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmdataexports`: [v1.14.0](service/bcmdataexports/CHANGELOG.md#v1140-2026-03-26) - **Feature**: With this release we are providing an option to accounts to have their export delivered to an S3 bucket that is not owned by the account. - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator`: [v1.10.9](service/bcmpricingcalculator/CHANGELOG.md#v1109-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions`: [v1.1.5](service/bcmrecommendedactions/CHANGELOG.md#v115-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrock`: [v1.57.1](service/bedrock/CHANGELOG.md#v1571-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagent`: [v1.52.7](service/bedrockagent/CHANGELOG.md#v1527-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagentcore`: [v1.15.2](service/bedrockagentcore/CHANGELOG.md#v1152-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol`: [v1.25.1](service/bedrockagentcorecontrol/CHANGELOG.md#v1251-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime`: [v1.51.8](service/bedrockagentruntime/CHANGELOG.md#v1518-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation`: [v1.13.5](service/bedrockdataautomation/CHANGELOG.md#v1135-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime`: [v1.10.4](service/bedrockdataautomationruntime/CHANGELOG.md#v1104-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/bedrockruntime`: [v1.50.4](service/bedrockruntime/CHANGELOG.md#v1504-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/billing`: [v1.10.4](service/billing/CHANGELOG.md#v1104-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/billingconductor`: [v1.28.5](service/billingconductor/CHANGELOG.md#v1285-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/braket`: [v1.39.8](service/braket/CHANGELOG.md#v1398-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/budgets`: [v1.43.4](service/budgets/CHANGELOG.md#v1434-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chatbot`: [v1.14.21](service/chatbot/CHANGELOG.md#v11421-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chime`: [v1.41.12](service/chime/CHANGELOG.md#v14112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkidentity`: [v1.27.20](service/chimesdkidentity/CHANGELOG.md#v12720-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines`: [v1.26.21](service/chimesdkmediapipelines/CHANGELOG.md#v12621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings`: [v1.33.15](service/chimesdkmeetings/CHANGELOG.md#v13315-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging`: [v1.32.17](service/chimesdkmessaging/CHANGELOG.md#v13217-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/chimesdkvoice`: [v1.28.13](service/chimesdkvoice/CHANGELOG.md#v12813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cleanrooms`: [v1.42.4](service/cleanrooms/CHANGELOG.md#v1424-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cleanroomsml`: [v1.22.5](service/cleanroomsml/CHANGELOG.md#v1225-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloud9`: [v1.33.20](service/cloud9/CHANGELOG.md#v13320-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudcontrol`: [v1.29.13](service/cloudcontrol/CHANGELOG.md#v12913-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/clouddirectory`: [v1.30.12](service/clouddirectory/CHANGELOG.md#v13012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/cloudformation`: [v1.71.9](service/cloudformation/CHANGELOG.md#v1719-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudfront`: [v1.60.4](service/cloudfront/CHANGELOG.md#v1604-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore`: [v1.12.24](service/cloudfrontkeyvaluestore/CHANGELOG.md#v11224-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudhsm`: [v1.29.21](service/cloudhsm/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudhsmv2`: [v1.34.21](service/cloudhsmv2/CHANGELOG.md#v13421-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudsearch`: [v1.32.12](service/cloudsearch/CHANGELOG.md#v13212-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain`: [v1.28.20](service/cloudsearchdomain/CHANGELOG.md#v12820-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/cloudtrail`: [v1.55.9](service/cloudtrail/CHANGELOG.md#v1559-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudtraildata`: [v1.17.13](service/cloudtraildata/CHANGELOG.md#v11713-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatch`: [v1.55.3](service/cloudwatch/CHANGELOG.md#v1553-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatchevents`: [v1.32.23](service/cloudwatchevents/CHANGELOG.md#v13223-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs`: [v1.65.0](service/cloudwatchlogs/CHANGELOG.md#v1650-2026-03-26) - **Feature**: This release adds parameter support to saved queries in CloudWatch Logs Insights. Define reusable query templates with named placeholders, invoke them using start query. Available in Console, CLI and SDK - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeartifact`: [v1.38.21](service/codeartifact/CHANGELOG.md#v13821-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/codebuild`: [v1.68.13](service/codebuild/CHANGELOG.md#v16813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codecatalyst`: [v1.21.12](service/codecatalyst/CHANGELOG.md#v12112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codecommit`: [v1.33.12](service/codecommit/CHANGELOG.md#v13312-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeconnections`: [v1.10.20](service/codeconnections/CHANGELOG.md#v11020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codedeploy`: [v1.35.13](service/codedeploy/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codeguruprofiler`: [v1.29.20](service/codeguruprofiler/CHANGELOG.md#v12920-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codegurureviewer`: [v1.34.20](service/codegurureviewer/CHANGELOG.md#v13420-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/codegurusecurity`: [v1.16.24](service/codegurusecurity/CHANGELOG.md#v11624-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codepipeline`: [v1.46.21](service/codepipeline/CHANGELOG.md#v14621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codestarconnections`: [v1.35.13](service/codestarconnections/CHANGELOG.md#v13513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/codestarnotifications`: [v1.31.21](service/codestarnotifications/CHANGELOG.md#v13121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitoidentity`: [v1.33.22](service/cognitoidentity/CHANGELOG.md#v13322-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider`: [v1.59.3](service/cognitoidentityprovider/CHANGELOG.md#v1593-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/cognitosync`: [v1.29.12](service/cognitosync/CHANGELOG.md#v12912-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/comprehend`: [v1.40.21](service/comprehend/CHANGELOG.md#v14021-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/comprehendmedical`: [v1.31.21](service/comprehendmedical/CHANGELOG.md#v13121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/computeoptimizer`: [v1.49.8](service/computeoptimizer/CHANGELOG.md#v1498-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation`: [v1.0.8](service/computeoptimizerautomation/CHANGELOG.md#v108-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/configservice`: [v1.62.1](service/configservice/CHANGELOG.md#v1621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connect`: [v1.166.1](service/connect/CHANGELOG.md#v11661-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcampaigns`: [v1.20.20](service/connectcampaigns/CHANGELOG.md#v12020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`: [v1.11.4](service/connectcampaignsv2/CHANGELOG.md#v1114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcases`: [v1.39.1](service/connectcases/CHANGELOG.md#v1391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectcontactlens`: [v1.33.13](service/connectcontactlens/CHANGELOG.md#v13313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connecthealth`: [v1.0.3](service/connecthealth/CHANGELOG.md#v103-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/connectparticipant`: [v1.36.7](service/connectparticipant/CHANGELOG.md#v1367-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/controlcatalog`: [v1.14.9](service/controlcatalog/CHANGELOG.md#v1149-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/controltower`: [v1.28.9](service/controltower/CHANGELOG.md#v1289-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/costandusagereportservice`: [v1.34.13](service/costandusagereportservice/CHANGELOG.md#v13413-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/costexplorer`: [v1.63.6](service/costexplorer/CHANGELOG.md#v1636-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/costoptimizationhub`: [v1.22.8](service/costoptimizationhub/CHANGELOG.md#v1228-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/customerprofiles`: [v1.57.2](service/customerprofiles/CHANGELOG.md#v1572-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/databasemigrationservice`: [v1.61.10](service/databasemigrationservice/CHANGELOG.md#v16110-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/databrew`: [v1.39.14](service/databrew/CHANGELOG.md#v13914-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dataexchange`: [v1.40.14](service/dataexchange/CHANGELOG.md#v14014-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/datapipeline`: [v1.30.20](service/datapipeline/CHANGELOG.md#v13020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/datasync`: [v1.58.2](service/datasync/CHANGELOG.md#v1582-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/datazone`: [v1.54.2](service/datazone/CHANGELOG.md#v1542-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dax`: [v1.29.16](service/dax/CHANGELOG.md#v12916-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/deadline`: [v1.26.2](service/deadline/CHANGELOG.md#v1262-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/detective`: [v1.38.13](service/detective/CHANGELOG.md#v13813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/devicefarm`: [v1.38.8](service/devicefarm/CHANGELOG.md#v1388-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/devopsguru`: [v1.40.12](service/devopsguru/CHANGELOG.md#v14012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/directconnect`: [v1.38.15](service/directconnect/CHANGELOG.md#v13815-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/directoryservice`: [v1.38.16](service/directoryservice/CHANGELOG.md#v13816-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/directoryservicedata`: [v1.7.21](service/directoryservicedata/CHANGELOG.md#v1721-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dlm`: [v1.35.16](service/dlm/CHANGELOG.md#v13516-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/docdb`: [v1.48.13](service/docdb/CHANGELOG.md#v14813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/docdbelastic`: [v1.20.13](service/docdbelastic/CHANGELOG.md#v12013-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/drs`: [v1.36.13](service/drs/CHANGELOG.md#v13613-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/dsql`: [v1.12.8](service/dsql/CHANGELOG.md#v1128-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dynamodb`: [v1.57.1](service/dynamodb/CHANGELOG.md#v1571-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/dynamodbstreams`: [v1.32.14](service/dynamodbstreams/CHANGELOG.md#v13214-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ebs`: [v1.33.14](service/ebs/CHANGELOG.md#v13314-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.296.1](service/ec2/CHANGELOG.md#v12961-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect`: [v1.32.20](service/ec2instanceconnect/CHANGELOG.md#v13220-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ecr`: [v1.56.2](service/ecr/CHANGELOG.md#v1562-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ecrpublic`: [v1.38.13](service/ecrpublic/CHANGELOG.md#v13813-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.74.1](service/ecs/CHANGELOG.md#v1741-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/efs`: [v1.41.14](service/efs/CHANGELOG.md#v14114-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/eks`: [v1.81.2](service/eks/CHANGELOG.md#v1812-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/eksauth`: [v1.12.13](service/eksauth/CHANGELOG.md#v11213-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticache`: [v1.51.13](service/elasticache/CHANGELOG.md#v15113-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticbeanstalk`: [v1.34.2](service/elasticbeanstalk/CHANGELOG.md#v1342-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing`: [v1.33.23](service/elasticloadbalancing/CHANGELOG.md#v13323-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2`: [v1.54.10](service/elasticloadbalancingv2/CHANGELOG.md#v15410-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elasticsearchservice`: [v1.39.2](service/elasticsearchservice/CHANGELOG.md#v1392-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/elementalinference`: [v1.0.3](service/elementalinference/CHANGELOG.md#v103-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emr`: [v1.59.0](service/emr/CHANGELOG.md#v1590-2026-03-26) - **Feature**: Add StepExecutionRoleArn to RunJobFlow API - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emrcontainers`: [v1.40.17](service/emrcontainers/CHANGELOG.md#v14017-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/emrserverless`: [v1.39.6](service/emrserverless/CHANGELOG.md#v1396-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/entityresolution`: [v1.26.5](service/entityresolution/CHANGELOG.md#v1265-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/eventbridge`: [v1.45.23](service/eventbridge/CHANGELOG.md#v14523-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/evs`: [v1.6.4](service/evs/CHANGELOG.md#v164-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/finspace`: [v1.33.21](service/finspace/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/finspacedata`: [v1.33.21](service/finspacedata/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/firehose`: [v1.42.13](service/firehose/CHANGELOG.md#v14213-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fis`: [v1.37.20](service/fis/CHANGELOG.md#v13720-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fms`: [v1.44.22](service/fms/CHANGELOG.md#v14422-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/forecast`: [v1.41.21](service/forecast/CHANGELOG.md#v14121-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/forecastquery`: [v1.29.21](service/forecastquery/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/frauddetector`: [v1.41.12](service/frauddetector/CHANGELOG.md#v14112-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/freetier`: [v1.13.14](service/freetier/CHANGELOG.md#v11314-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/fsx`: [v1.65.7](service/fsx/CHANGELOG.md#v1657-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/gamelift`: [v1.51.3](service/gamelift/CHANGELOG.md#v1513-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/gameliftstreams`: [v1.11.1](service/gameliftstreams/CHANGELOG.md#v1111-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/geomaps`: [v1.9.4](service/geomaps/CHANGELOG.md#v194-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/geoplaces`: [v1.8.5](service/geoplaces/CHANGELOG.md#v185-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/georoutes`: [v1.7.14](service/georoutes/CHANGELOG.md#v1714-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/glacier`: [v1.32.6](service/glacier/CHANGELOG.md#v1326-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/globalaccelerator`: [v1.35.15](service/globalaccelerator/CHANGELOG.md#v13515-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/glue`: [v1.139.1](service/glue/CHANGELOG.md#v11391-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/grafana`: [v1.33.4](service/grafana/CHANGELOG.md#v1334-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/greengrass`: [v1.32.21](service/greengrass/CHANGELOG.md#v13221-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/greengrassv2`: [v1.42.12](service/greengrassv2/CHANGELOG.md#v14212-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/groundstation`: [v1.40.4](service/groundstation/CHANGELOG.md#v1404-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/guardduty`: [v1.74.2](service/guardduty/CHANGELOG.md#v1742-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/health`: [v1.37.4](service/health/CHANGELOG.md#v1374-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/healthlake`: [v1.36.13](service/healthlake/CHANGELOG.md#v13613-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iam`: [v1.53.7](service/iam/CHANGELOG.md#v1537-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/identitystore`: [v1.36.5](service/identitystore/CHANGELOG.md#v1365-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/imagebuilder`: [v1.51.4](service/imagebuilder/CHANGELOG.md#v1514-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspector`: [v1.30.20](service/inspector/CHANGELOG.md#v13020-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspector2`: [v1.47.4](service/inspector2/CHANGELOG.md#v1474-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/inspectorscan`: [v1.13.5](service/inspectorscan/CHANGELOG.md#v1135-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/internetmonitor`: [v1.26.14](service/internetmonitor/CHANGELOG.md#v12614-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/invoicing`: [v1.9.8](service/invoicing/CHANGELOG.md#v198-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iot`: [v1.72.5](service/iot/CHANGELOG.md#v1725-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/iotdataplane`: [v1.32.21](service/iotdataplane/CHANGELOG.md#v13221-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotdeviceadvisor`: [v1.36.21](service/iotdeviceadvisor/CHANGELOG.md#v13621-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotevents`: [v1.33.13](service/iotevents/CHANGELOG.md#v13313-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ioteventsdata`: [v1.30.12](service/ioteventsdata/CHANGELOG.md#v13012-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotfleetwise`: [v1.31.20](service/iotfleetwise/CHANGELOG.md#v13120-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotjobsdataplane`: [v1.30.13](service/iotjobsdataplane/CHANGELOG.md#v13013-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotmanagedintegrations`: [v1.8.4](service/iotmanagedintegrations/CHANGELOG.md#v184-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. 
- `github.com/aws/aws-sdk-go-v2/service/iotsecuretunneling`: [v1.33.21](service/iotsecuretunneling/CHANGELOG.md#v13321-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotsitewise`: [v1.52.19](service/iotsitewise/CHANGELOG.md#v15219-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotthingsgraph`: [v1.30.21](service/iotthingsgraph/CHANGELOG.md#v13021-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iottwinmaker`: [v1.29.21](service/iottwinmaker/CHANGELOG.md#v12921-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/iotwireless`: [v1.54.9](service/iotwireless/CHANGELOG.md#v1549-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/service/ivs`: [v1.48.14](service/ivs/CHANGELOG.md#v14814-2026-03-26) - **Bug Fix**: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning. - `github.com/aws/aws-sdk-go-v2/s </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? 
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
### Brief description of Pull Request

This change adds a `clustering` option for `loki.source.kubernetes_events` that will distribute the work according to the list. If no namespaces are specified, then only a single instance will run. This is great, because it means that it will be safe to run on Alloy instances with multiple replicas without resulting in duplication.

### Pull Request Details

### Issue(s) fixed by this Pull Request

Fixes grafana#401

### Notes to the Reviewer

### PR Checklist

- [X] Documentation added
- [ ] Tests updated
- [ ] Config converters updated

---------

Signed-off-by: Pete Wall <pete.wall@grafana.com>
…lplog/otlploghttp to v0.19.0 [SECURITY] (grafana#6015) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v0.16.0` → `v0.19.0` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/4569) for more information. ### GitHub Vulnerability Alerts #### [CVE-2026-39882](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58) overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory `bytes.Buffer` without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). severity HIGH not claiming: this is a remote dos against every default deployment. claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body. 
callsite (pinned): - exporters/otlp/otlptrace/otlptracehttp/client.go:199 - exporters/otlp/otlptrace/otlptracehttp/client.go:230 - exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170 - exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201 - exporters/otlp/otlplog/otlploghttp/client.go:190 - exporters/otlp/otlplog/otlploghttp/client.go:221 permalinks (pinned): - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221 root cause: each exporter client reads `resp.Body` using `io.Copy(&respData, resp.Body)` into a `bytes.Buffer` on both success and error paths, with no upper bound. impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom). 
affected component: - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp - go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp repro (local-only): ```bash unzip poc.zip -d poc cd poc make canonical resp_bytes=33554432 chunk_delay_ms=0 ``` expected output contains: ``` [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512 ``` control (same env, patched target): ```bash unzip poc.zip -d poc cd poc make control resp_bytes=33554432 chunk_delay_ms=0 ``` expected control output contains: ``` [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232 ``` attachments: poc.zip (attached) [PR_DESCRIPTION.md](https://redirect.github.com/user-attachments/files/25564272/PR_DESCRIPTION.md) [attack_scenario.md](https://redirect.github.com/user-attachments/files/25564273/attack_scenario.md) [poc.zip](https://redirect.github.com/user-attachments/files/25564271/poc.zip) Fixed in: [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108) --- ### opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies [CVE-2026-39882](https://nvd.nist.gov/vuln/detail/CVE-2026-39882) / [GHSA-w8rr-5gcm-pp58](https://redirect.github.com/advisories/GHSA-w8rr-5gcm-pp58) <details> <summary>More information</summary> #### Details overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory `bytes.Buffer` without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). severity HIGH not claiming: this is a remote dos against every default deployment. 
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body. callsite (pinned): - exporters/otlp/otlptrace/otlptracehttp/client.go:199 - exporters/otlp/otlptrace/otlptracehttp/client.go:230 - exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170 - exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201 - exporters/otlp/otlplog/otlploghttp/client.go:190 - exporters/otlp/otlplog/otlploghttp/client.go:221 permalinks (pinned): - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190 - https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221 root cause: each exporter client reads `resp.Body` using `io.Copy(&respData, resp.Body)` into a `bytes.Buffer` on both success and error paths, with no upper bound. impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom). 
affected component:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

```bash
unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0
```

expected output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512
```

control (same env, patched target):

```bash
unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0
```

expected control output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232
```

attachments: poc.zip (attached)
[PR_DESCRIPTION.md](https://redirect.github.com/user-attachments/files/25564272/PR_DESCRIPTION.md)
[attack_scenario.md](https://redirect.github.com/user-attachments/files/25564273/attack_scenario.md)
[poc.zip](https://redirect.github.com/user-attachments/files/25564271/poc.zip)

Fixed in: [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108)

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-39882](https://nvd.nist.gov/vuln/detail/CVE-2026-39882)
- [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108)
- [https://github.com/open-telemetry/opentelemetry-go](https://redirect.github.com/open-telemetry/opentelemetry-go)
- [http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0](http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w8rr-5gcm-pp58) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)</summary>

### [`v0.19.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v0.19.0)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v0.18.0...v0.19.0)

##### Added

- Added `Marshaler` config option to `otlphttp` to enable otlp over json or protobufs. ([#​1586](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1586))
- A `ForceFlush` method to the `"go.opentelemetry.io/otel/sdk/trace".TracerProvider` to flush all registered `SpanProcessor`s. ([#​1608](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1608))
- Added `WithSampler` and `WithSpanLimits` to tracer provider. ([#​1633](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1633), [#​1702](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1702))
- `"go.opentelemetry.io/otel/trace".SpanContext` now has a `remote` property, and `IsRemote()` predicate, that is true when the `SpanContext` has been extracted from remote context data. ([#​1701](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1701))
- A `Valid` method to the `"go.opentelemetry.io/otel/attribute".KeyValue` type. ([#​1703](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1703))

##### Changed

- `trace.SpanContext` is now immutable and has no exported fields.
([#​1573](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1573)) - `trace.NewSpanContext()` can be used in conjunction with the `trace.SpanContextConfig` struct to initialize a new `SpanContext` where all values are known. - Update the `ForceFlush` method signature to the `"go.opentelemetry.io/otel/sdk/trace".SpanProcessor` to accept a `context.Context` and return an error. ([#​1608](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1608)) - Update the `Shutdown` method to the `"go.opentelemetry.io/otel/sdk/trace".TracerProvider` return an error on shutdown failure. ([#​1608](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1608)) - The SimpleSpanProcessor will now shut down the enclosed `SpanExporter` and gracefully ignore subsequent calls to `OnEnd` after `Shutdown` is called. ([#​1612](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1612)) - `"go.opentelemetry.io/sdk/metric/controller.basic".WithPusher` is replaced with `WithExporter` to provide consistent naming across project. ([#​1656](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1656)) - Added non-empty string check for trace `Attribute` keys. ([#​1659](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1659)) - Add `description` to SpanStatus only when `StatusCode` is set to error. ([#​1662](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1662)) - Jaeger exporter falls back to `resource.Default`'s `service.name` if the exported Span does not have one. ([#​1673](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1673)) - Jaeger exporter populates Jaeger's Span Process from Resource. ([#​1673](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1673)) - Renamed the `LabelSet` method of `"go.opentelemetry.io/otel/sdk/resource".Resource` to `Set`. 
([#​1692](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1692)) - Changed `WithSDK` to `WithSDKOptions` to accept variadic arguments of `TracerProviderOption` type in `go.opentelemetry.io/otel/exporters/trace/jaeger` package. ([#​1693](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1693)) - Changed `WithSDK` to `WithSDKOptions` to accept variadic arguments of `TracerProviderOption` type in `go.opentelemetry.io/otel/exporters/trace/zipkin` package. ([#​1693](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1693)) - `"go.opentelemetry.io/otel/sdk/resource".NewWithAttributes` will now drop any invalid attributes passed. ([#​1703](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1703)) - `"go.opentelemetry.io/otel/sdk/resource".StringDetector` will now error if the produced attribute is invalid. ([#​1703](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1703)) ##### Removed - Removed `serviceName` parameter from Zipkin exporter and uses resource instead. ([#​1549](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1549)) - Removed `WithConfig` from tracer provider to avoid overriding configuration. ([#​1633](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1633)) - Removed the exported `SimpleSpanProcessor` and `BatchSpanProcessor` structs. These are now returned as a SpanProcessor interface from their respective constructors. ([#​1638](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1638)) - Removed `WithRecord()` from `trace.SpanOption` when creating a span. ([#​1660](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1660)) - Removed setting status to `Error` while recording an error as a span event in `RecordError`. ([#​1663](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1663)) - Removed `jaeger.WithProcess` configuration option. 
([#​1673](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1673)) - Removed `ApplyConfig` method from `"go.opentelemetry.io/otel/sdk/trace".TracerProvider` and the now unneeded `Config` struct. ([#​1693](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1693)) ##### Fixed - Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. ([#​1626](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1626)) - `SamplingResult.TraceState` is correctly propagated to a newly created span's `SpanContext`. ([#​1655](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1655)) - The `otel-collector` example now correctly flushes metric events prior to shutting down the exporter. ([#​1678](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1678)) - Do not set span status message in `SpanStatusFromHTTPStatusCode` if it can be inferred from `http.status_code`. ([#​1681](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1681)) - Synchronization issues in global trace delegate implementation. ([#​1686](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1686)) - Reduced excess memory usage by global `TracerProvider`. 
([#​1687](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1687)) *** #### Raw changes made between v0.18.0 and v0.19.0 [`2b4fa96`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/2b4fa9681bd0c69574aaa879039382002b220204) (HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 ([#​1710](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1710)) [`4beb704`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4beb70416e1272c578edfe1d5f88a3a2236da178) sdk/trace: removing ApplyConfig and Config ([#​1693](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1693)) [`1d42be1`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1d42be1601e2d9bbd1101780759520e3f3960a29) Rename WithDefaultSampler TracerProvider option to WithSampler and update docs ([#​1702](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1702)) [`860d5d8`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/860d5d86e7ace12bf2b2ca8e437d2d4fc68a6913) Add flag to determine whether SpanContext is remote ([#​1701](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1701)) [`0fe65e6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/0fe65e6bd2b3fad00289427e0bac1974086d4326) Comply with OpenTelemetry attributes specification 
([#​1703](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1703)) [`8888435`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/888843519dae308f165d1d20c095bb6352baeb52) Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger ([#​1700](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1700)) [`345f264`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/345f264a137ed7162c30d14dd4739b5b72f76537) (global-docs) breaking(zipkin): removes servicName from zipkin exporter. ([#​1697](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1697)) [`62cbf0f`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/62cbf0f240112813105d7056506496b59740e0c2) Populate Jaeger's Span.Process from Resource ([#​1673](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1673)) [`28eaaa9`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/28eaaa9a919d03227856d83e2149b85f78d57775) Add a test to prove the Tracer is safe for concurrent calls ([#​1665](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1665)) [`8b1be11`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8b1be11a549eefb6efeda2f940cbda70b3c3d08d) Rename resource pkg label vars and methods ([#​1692](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1692)) [`a1539d4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a1539d44857a29ea43c9da9bc95e0229f79c2663) OpenCensus metric exporter bridge ([#​1444](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1444)) [`77aa218`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/77aa218d4d8fa2ebda14a7a0b58db22fd20398b7) Fix issue [#​1490](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1490), apply same logic as in the SDK ([#​1687](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1687)) 
[`9d3416c`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9d3416cc915ba4bfe0e7328da24bb6a3000549f9) Fix synchronization issues in global trace delegate implementation ([#​1686](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1686)) [`58f69f0`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/58f69f091e61db2ca7a8ca31d518c5de02411184) Span status from HTTP code: Do not set status message if it can be inferred ([#​1681](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1681)) [`9c305bd`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9c305bde9c27bc2252f13ca21fc869918601b124) Flush metric events prior to shutdown in OTLP example ([#​1678](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1678)) [`66b1135`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/66b1135af4afdd1740d1c0738b9e2c5e6fe4e937) Fix CHANGELOG ([#​1680](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1680)) [`90bd4ab`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/90bd4ab50c6e85743f2b8f3a1768a5afceeb1fc0) Update employer information for maintainers ([#​1683](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1683)) [`3684191`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/368419133859dcd7a97a881ce57082d1c0a3fbfe) Remove WithRecord() option from trace.SpanOption when starting a span ([#​1660](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1660)) [`65c7de2`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/65c7de206921411cc4220c107bcad893a12033c5) Remove trace prefix from NoOp src files. 
([#​1679](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1679)) [`e88a091`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e88a091a72e4cf4c3f3a6d6e4b440d757bd3ecac) Make SpanContext Immutable ([#​1573](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1573)) [`d75e268`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d75e268053a7a3fc19394cb48a98d22fd15eb36a) Avoid overriding configuration of tracer provider ([#​1633](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1633)) [`2b4d5ac`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/2b4d5ac3293eee30536754a5d5efec5124433ded) Bump github.com/golangci/golangci-lint in /internal/tools ([#​1671](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1671)) [`150b868`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/150b868d02c8b9844f3db446d91267ad4e75beb9) Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 ([#​1667](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1667)) [`76aa924`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/76aa924e75b22f95bb189337fb9d46b64bc66c53) Fix the examples target info messaging ([#​1676](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1676)) [`a3aa9fd`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a3aa9fdab061197aae67ac4a2c57712cfe5ef38e) Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools ([#​1672](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1672)) [`a5edd79`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a5edd79e312675f0cccf75aa324495205c95fe73) Removed setting error status while recording err as span event ([#​1663](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1663)) [`e981475`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e9814758278b57ef5bd939aa6fcb6a1a10772db0) 
chore(zipkin): improves zipkin example to not to depend on timeouts. ([#​1566](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1566)) [`3dc91f2`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/3dc91f2d76146ac6a08012b8c451cc00e59ef481) Add ForceFlush method to TracerProvider ([#​1608](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1608)) [`bd0bba4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/bd0bba43b5a1edb1da059760462fa15d81ff7cd9) exporter: swap pusher for exporter ([#​1656](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1656)) [`5690485`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/569048591c2661808ebddbd953c41c6808289454) Update the SimpleSpanProcessor ([#​1612](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1612)) [`a7f7aba`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a7f7abac654d0c3fc93732c7f47c2bef05976eb4) SpanStatus description set only when status code is set to Error ([#​1662](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1662)) [`05252f4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/05252f40d807999388813afb2802918a38cc0e8a) Jaeger Exporter: Fix minor mapping discrepancies ([#​1626](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1626)) [`238e7c6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/238e7c61ba9e5b2ca3f66f20a5db5711e062f36e) Add non-empty string check for attribute keys ([#​1659](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1659)) [`e9b9aca`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e9b9aca8a6dc8cd0b13ffea4f7a26186f4b316fd) Add tests for propagation of Sampler Tracestate changes ([#​1655](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1655)) 
[`875a258`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/875a25835fcfcddd61e94d87b1a0b14db4d5a0e5) Add docs on when reviews should be cleared ([#​1556](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1556)) [`7153ef2`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7153ef2dc294fbfebaafd355ab98050b4181ff1f) Add HTTP/JSON to the otlp exporter ([#​1586](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1586)) [`62e2a0f`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/62e2a0f766d001e48867866ba7293565b9caa0c0) Unexport the simple and batch SpanProcessors ([#​1638](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1638)) [`992837f`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/992837f195eacbd84f0596bfaa79470dba7408e5) Add TracerProvider tests to oteltest harness ([#​1607](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1607)) ### [`v0.18.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v0.18.0) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v0.17.0...v0.18.0) ##### Added - Added `resource.Default()` for use with meter and tracer providers. ([#​1507](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1507)) - `AttributePerEventCountLimit` and `AttributePerLinkCountLimit` for `SpanLimits`. ([#​1535](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1535)) - Added `Keys()` method to `propagation.TextMapCarrier` and `propagation.HeaderCarrier` to adapt `http.Header` to this interface. ([#​1544](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1544)) - Added `code` attributes to `go.opentelemetry.io/otel/semconv` package. ([#​1558](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1558)) - Compatibility testing suite in the CI system for the following systems. 
([#​1567](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1567)) | OS | Go Version | Architecture | | ------- | ---------- | ------------ | | Ubuntu | 1.15 | amd64 | | Ubuntu | 1.14 | amd64 | | Ubuntu | 1.15 | 386 | | Ubuntu | 1.14 | 386 | | MacOS | 1.15 | amd64 | | MacOS | 1.14 | amd64 | | Windows | 1.15 | amd64 | | Windows | 1.14 | amd64 | | Windows | 1.15 | 386 | | Windows | 1.14 | 386 | ##### Changed - Replaced interface `oteltest.SpanRecorder` with its existing implementation `StandardSpanRecorder` ([#​1542](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1542)). - Default span limit values to 128. ([#​1535](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1535)) - Rename `MaxEventsPerSpan`, `MaxAttributesPerSpan` and `MaxLinksPerSpan` to `EventCountLimit`, `AttributeCountLimit` and `LinkCountLimit`, and move these fields into `SpanLimits`. ([#​1535](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1535)) - Renamed the `otel/label` package to `otel/attribute`. ([#​1541](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1541)) - Vendor the Jaeger exporter's dependency on Apache Thrift. ([#​1551](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1551)) - Parallelize the CI linting and testing. ([#​1567](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1567)) - Stagger timestamps in exact aggregator tests. ([#​1569](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1569)) - Changed all examples to use `WithBatchTimeout(5 * time.Second)` rather than `WithBatchTimeout(5)`. 
([#​1621](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1621)) - Prevent end-users from implementing some interfaces ([#​1575](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1575)) ``` "otel/exporters/otlp/otlphttp".Option "otel/exporters/stdout".Option "otel/oteltest".Option "otel/trace".TracerOption "otel/trace".SpanOption "otel/trace".EventOption "otel/trace".LifeCycleOption "otel/trace".InstrumentationOption "otel/sdk/resource".Option "otel/sdk/trace".ParentBasedSamplerOption "otel/sdk/trace".ReadOnlySpan "otel/sdk/trace".ReadWriteSpan ``` ##### Removed - Removed attempt to resample spans upon changing the span name with `span.SetName()`. ([#​1545](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1545)) - The `test-benchmark` is no longer a dependency of the `precommit` make target. ([#​1567](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1567)) - Removed the `test-386` make target. This was replaced with a full compatibility testing suite (i.e. multi OS/arch) in the CI system. ([#​1567](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1567)) ##### Fixed - The sequential timing check of timestamps in the stdout exporter are now setup explicitly to be sequential ([#​1571](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1571)). ([#​1572](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1572)) - Windows build of Jaeger tests now compiles with OS specific functions ([#​1576](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1576)). ([#​1577](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1577)) - The sequential timing check of timestamps of go.opentelemetry.io/otel/sdk/metric/aggregator/lastvalue are now setup explicitly to be sequential ([#​1578](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1578)). 
([#​1579](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1579)) - Validate tracestate header keys with vedors according to the W3C TraceContext specification ([#​1475](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1475)). ([#​1581](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1581)) - The OTLP exporter includes related labels for translations of a GaugeArray ([#​1563](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1563)). ([#​1570](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1570)) # Raw changes made between v0.17.0 and v0.18.0 [`bb4c297`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/bb4c297eb36f6af082bfa1d3216d33bd90da05f0) Pre release v0.18.0 ([#​1635](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1635)) [`712c3dc`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/712c3dccf805f2397a4b15ce467e234c7b515c18) Fix makefile ci target and coverage test packages ([#​1634](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1634)) [`841d2a5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/841d2a5885b37fc25fe77e72dca3b0f6bac945b2) Rename local var new to not collide with builtin ([#​1610](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1610)) [`13938ab`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/13938ab5a867b7840c6c829b74a9ab39b828730e) Update SpanProcessor docs ([#​1611](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1611)) [`e25503a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e25503a00edef6baf2b3deb1a5884d4501e08dcf) Add compatibility tests to CI ([#​1567](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1567)) [`1519d95`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1519d959829b2fd7a7a1b9b904b57235eb54e114) Use reasonable interval in 
sdktrace.WithBatchTimeout ([#​1621](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1621)) [`7d4496e`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7d4496e0fefc99cfa70b86a09e3f8af8eae537f6) Pass metric labels when transforming to gaugeArray ([#​1570](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1570)) [`6d4a5e0`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6d4a5e0df334546987f7d0583e0e86cdf01f2e66) Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp ([#​1619](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1619)) [`a93393a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a93393a0d754d3b16227fbfa9df4f37b07351028) Bump google.golang.org/grpc in /example/prom-collector ([#​1620](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1620)) [`e499ca8`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e499ca86b7ef54b42f6dd684ccbf73f226af10bd) Fix validation for tracestate with vendor and add tests ([#​1581](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1581)) [`43886e5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/43886e52f38de640d5f7abf6d9622fc1483ce649) Make timestamps sequential in lastvalue agg check ([#​1579](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1579)) [`37688ef`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/37688ef67616aa5a99e27fb03320fd0dc87e590e) revent end-users from implementing some interfaces ([#​1575](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1575)) [`85e696d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/85e696d20b9a6fee781fd42f68fe1b447559dc5c) Updating documentation with an working example for creating NewExporter ([#​1513](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1513)) 
[`562eb28`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/562eb28b7169cd83959fdb7fe1dddec74ee44ea1) Unify the Added sections of the unreleased changes ([#​1580](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1580)) [`c4cf1af`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c4cf1aff6bba39f4e0384f5223d33647f9973a77) Fix Windows build of Jaeger tests ([#​1577](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1577)) [`4a163be`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4a163beaa103fd57b4cf6e07dc19781ab2fda4a9) Fix stdout TestStdoutTimestamp failure with sleep ([#​1572](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1572)) [`bd4701e`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/bd4701eb935b94b0cfa21f925410fcb13cc1e389) Stagger timestamps in exact aggregator tests ([#​1569](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1569)) [`b94cd4b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b94cd4b24917d0099eb0ddee6f9d6be0bddee469) add code attributes to semconv package ([#​1558](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1558)) [`78c06ce`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/78c06cef3537999b4692c9f88dfb91a6451337a0) Update docs from gitter to slack for communication ([#​1554](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1554)) [`1307c91`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1307c9116265619812781cf5b02898acabc1ef83) Remove vendor exclude from license-check ([#​1552](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1552)) [`5d2636e`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/5d2636e5bfa8538c8f36b8f11145d96351dbcd6b) Bump github.com/golangci/golangci-lint in /internal/tools 
([#​1565](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1565)) [`d7aff47`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d7aff47338ec7f6957a15262721da7fdfe5524ca) Vendor Thrift dependency ([#​1551](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1551)) [`298c5a1`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/298c5a142f4e4eb9eb9f249ff4d2fdff63bbd702) Update span limits to conform with OpenTelemetry specification ([#​1535](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1535)) [`ecf65d7`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/ecf65d7968225482a4d50e4955d6bc826119b49c) Rename otel/label -> otel/attribute ([#​1541](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1541)) [`1b5b662`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1b5b66213656691e3528909fe39fa030eae15423) Remove resampling on span.SetName ([#​1545](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1545)) [`8da5299`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8da5299621bd6b2de185a1e06c93289a96b1af25) fix: grpc reconnection ([#​1521](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1521)) [`3bce9c9`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/3bce9c97f800c12a791e78a1611991818f9b4db6) Add Keys() method to propagation.TextMapCarrier ([#​1544](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1544)) [`0b1a1c7`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/0b1a1c7237f3172586bb6332397997bf71e27de0) Make oteltest.SpanRecorder into a concrete type ([#​1542](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1542)) [`7d0e3e5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7d0e3e52b69b2ba62ef617719fba5c3ca2aea86b) SDK span no modification after ended 
([#​1543](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1543)) [`7de3b58`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7de3b58ce9e893f0f1f8214d63329ac82d759327) Remove extra labels types ([#​1314](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1314)) [`73194e4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/73194e44dbe9ecb2ba68f80b9a687edc66ce4d2d) Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger ([#​1536](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1536)) [`8fae0a6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8fae0a644ad30b2f45f0e30cdea2efd7c8654ccf) Create resource.Default() with required attributes/default values ([#​1507](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1507)) ### [`v0.17.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v0.17.0) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v0.16.0...v0.17.0) ##### Changed - Rename project default branch from `master` to `main`. - Reverse order in which `Resource` attributes are merged, per change in spec. ([#​1501](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1501)) - Add tooling to maintain "replace" directives in go.mod files automatically. ([#​1528](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1528)) - Create new modules: otel/metric, otel/trace, otel/oteltest, otel/sdk/export/metric, otel/sdk/metric ([#​1528](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1528)) - Move metric-related public global APIs from otel to otel/metric/global. 
([#​1528](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1528)) *** [`9b242bc`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9b242bc4015d82acd63614a9e9ddba0cd1bceca8) (upstream/main, origin/main, main) Organize API into Go modules based on stability and dependencies ([#​1528](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1528)) [`e50a1c8`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/e50a1c8cecb8c584bdfada6cb21fe0b173a22646) Bump actions/cache from v2 to v2.1.4 ([#​1518](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1518)) [`a6aa7f0`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a6aa7f00d02eb0f97056c51c439ef2874ba2410d) Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger ([#​1517](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1517)) [`38efc87`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/38efc875cf1c9e9ae72d3021b0a813ed7fa3ce00) Code Improvement - Error strings should not be capitalized ([#​1488](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1488)) [`6b34050`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6b340501b3b722ca36c4f9ad23678ed0a9783df3) Update default branch name ([#​1505](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1505)) [`b39fd05`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b39fd052d472c9100286cd2af61bef735bd5c7fd) nit: Fix comment to be up-to-date ([#​1510](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1510)) [`186c295`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/186c29539f41ce5aa93b732aa70f08d50338164d) Fix golint error of package comment form ([#​1487](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1487)) 
[`9308d66`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9308d6628ef77b38a9383f13dddaf7ddfe83b882) Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger ([#​1506](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1506)) [`1952d7b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1952d7b6af6bbd1de70fad8abfc2585b750b8fc4) Reverse order of attribute precedence when merging two Resources ([#​1501](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1501)) [`ad7b471`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/ad7b4715860b3b40abc876093c075bf765a6e120) Remove build flags for runtime/trace support ([#​1498](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1498)) [`4bf4b69`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4bf4b69050b7bcfe8c414522d051ebe5566c983d) Remove inaccurate and unnecessary import comment ([#​1481](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1481)) [`7e19eb6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7e19eb6a76deb9cc46b33604ce3dee919d398e62) Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger ([#​1504](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1504)) [`c6a4406`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c6a4406a586feeb14a046c31781899c073d42389) Bump github.com/golangci/golangci-lint in /internal/tools ([#​1503](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1503)) [`9524ac0`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9524ac095466565e01746600da3d83f27220a5da) (upstream/master, origin/master, origin/HEAD) Update workflows to include main branch as trigger ([#​1497](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1497)) 
[`c066f15`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c066f15ed74fec52c4755014bfcf2bdfb8e0e661) Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools ([#​1478](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1478)) [`894e024`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/894e024027a47cad15c6a6a49449e100f4bfb63a) Bump github.com/golangci/golangci-lint in /internal/tools ([#​1477](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1477)) [`71ffba3`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/71ffba39d1f96df023a31df14aa57c99f53017d0) Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp ([#​1471](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1471)) [`515809a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/515809a845a9f5991c3436ce0d8e5d2aa535152a) Bump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools ([#​1472](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1472)) [`3e96ad1`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/3e96ad1ee68eebf5ea4726af58162591a326b32e) gitignore: remove unused example path ([#​1474](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1474)) [`c562277`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c56227771d4c3551cf4eec84a3a6d1881f5dbd9f) Histogram aggregator functional options ([#​1434](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1434)) [`0df8cd6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/0df8cd620c46567b38a70f1f1a8e968d0a806c06) Rename Makefile.proto to avoid interpretation as proto file ([#​1468](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1468)) [`979ff51`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/979ff51f2229b9a4c66dda798b14a778a9c636a9) Bump github.com/stretchr/testify from 
1.6.1 to 1.7.0 ([#​1453](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1453)) [`1df8b3b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/1df8b3b8812a296c68fedb14d67de4ec00f4394b) Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp ([#​1456](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1456)) [`4c30a90`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4c30a90a45f28be483d96565ef3fb35222de1d69) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk ([#​1455](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1455)) [`5a9f8f6`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/5a9f8f6e4e6c472179585ba743ffb14de372d973) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout ([#​1454](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1454)) [`7786f34`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7786f34cff0cd9e3b40505c9460cf53014cb044c) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin ([#​1457](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1457)) [`4352a7a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4352a7a671347be0c676240bdb60cf87f85f8360) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp ([#​1460](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1460)) [`6990b3b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6990b3b3ea1f792e3e9ac90694dec1b74171b80f) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus ([#​1461](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1461)) [`7af40d2`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/7af40d2221f0ccdc1cec53b960e55d5767c4c14a) Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger 
([#1463](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1463))
[`f16f189`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/f16f18929b778b2430dca66ccc50ffed1f25300b) Bump google.golang.org/grpc in /example/otel-collector ([#1465](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1465))
[`fe363be`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/fe363be3994012a06e58c713ed0f6e60a2193151) Move Span Event to API ([#1452](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1452))
[`4392224`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/439222408b10859b9b92c9bd410041507a8bbf14) Bump google.golang.org/grpc in /example/prom-collector ([#1466](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/1466))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

## Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
…trace/otlptracehttp to v1.43.0 [SECURITY] (grafana#6017)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..grafana/issues/4569) for more information.

### GitHub Vulnerability Alerts

#### [CVE-2026-39882](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58)

overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory `bytes.Buffer` without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity HIGH

not claiming: this is a remote dos against every default deployment.

claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):
- exporters/otlp/otlptrace/otlptracehttp/client.go:199
- exporters/otlp/otlptrace/otlptracehttp/client.go:230
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
- exporters/otlp/otlplog/otlploghttp/client.go:190
- exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause: each exporter client reads `resp.Body` using `io.Copy(&respData, resp.Body)` into a `bytes.Buffer` on both success and error paths, with no upper bound.

impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

```bash
unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0
```

expected output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512
```

control (same env, patched target):

```bash
unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0
```

expected control output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232
```

attachments: poc.zip (attached)
[PR_DESCRIPTION.md](https://redirect.github.com/user-attachments/files/25564272/PR_DESCRIPTION.md)
[attack_scenario.md](https://redirect.github.com/user-attachments/files/25564273/attack_scenario.md)
[poc.zip](https://redirect.github.com/user-attachments/files/25564271/poc.zip)

Fixed in: [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108)

---

### opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

[CVE-2026-39882](https://nvd.nist.gov/vuln/detail/CVE-2026-39882) / [GHSA-w8rr-5gcm-pp58](https://redirect.github.com/advisories/GHSA-w8rr-5gcm-pp58)

<details>
<summary>More information</summary>

#### Details

overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory `bytes.Buffer` without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity HIGH

not claiming: this is a remote dos against every default deployment.

claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):
- exporters/otlp/otlptrace/otlptracehttp/client.go:199
- exporters/otlp/otlptrace/otlptracehttp/client.go:230
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
- exporters/otlp/otlplog/otlploghttp/client.go:190
- exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause: each exporter client reads `resp.Body` using `io.Copy(&respData, resp.Body)` into a `bytes.Buffer` on both success and error paths, with no upper bound.

impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

```bash
unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0
```

expected output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512
```

control (same env, patched target):

```bash
unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0
```

expected control output contains:

```
[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232
```

attachments: poc.zip (attached)
[PR_DESCRIPTION.md](https://redirect.github.com/user-attachments/files/25564272/PR_DESCRIPTION.md)
[attack_scenario.md](https://redirect.github.com/user-attachments/files/25564273/attack_scenario.md)
[poc.zip](https://redirect.github.com/user-attachments/files/25564271/poc.zip)

Fixed in: [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108)

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58](https://redirect.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-39882](https://nvd.nist.gov/vuln/detail/CVE-2026-39882)
- [https://github.com/open-telemetry/opentelemetry-go/pull/8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108)
- [https://github.com/open-telemetry/opentelemetry-go](https://redirect.github.com/open-telemetry/opentelemetry-go)
- [http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0](http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w8rr-5gcm-pp58) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp)</summary>

### [`v1.43.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0): /v0.65.0/v0.19.0

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0)

##### Added

- Add `IsRandom` and `WithRandom` on `TraceFlags`, and `IsRandom` on `SpanContext` in `go.opentelemetry.io/otel/trace` for [W3C Trace Context Level 2 Random Trace ID Flag](https://www.w3.org/TR/trace-context-2/#random-trace-id-flag) support. ([#8012](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012))
- Add service detection with `WithService` in `go.opentelemetry.io/otel/sdk/resource`. ([#7642](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642))
- Add `DefaultWithContext` and `EnvironmentWithContext` in `go.opentelemetry.io/otel/sdk/resource` to support plumbing `context.Context` through default and environment detectors. ([#8051](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`.
([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Add support for per-series start time tracking for cumulative metrics in `go.opentelemetry.io/otel/sdk/metric`. Set `OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true` to enable. ([#8060](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060))
- Add `WithCardinalityLimitSelector` for metric reader for configuring cardinality limits specific to the instrument kind. ([#7855](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855))

##### Changed

- Introduce the `EMPTY` Type in `go.opentelemetry.io/otel/attribute` to reflect that an empty value is now a valid value, with `INVALID` remaining as a deprecated alias of `EMPTY`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))
- Refactor slice handling in `go.opentelemetry.io/otel/attribute` to optimize short slice values with fixed-size fast paths. ([#8039](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039))
- Improve performance of span metric recording in `go.opentelemetry.io/otel/sdk/trace` by returning early if self-observability is not enabled. ([#8067](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067))
- Improve formatting of metric data diffs in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#8073](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073))

##### Deprecated

- Deprecate `INVALID` in `go.opentelemetry.io/otel/attribute`. Use `EMPTY` instead. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038))

##### Fixed

- Return spec-compliant `TraceIdRatioBased` description. This is a breaking behavioral change, but it is necessary to make the implementation [spec-compliant](https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased). ([#8027](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027))
- Fix a race condition in `go.opentelemetry.io/otel/sdk/metric` where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. ([#8056](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056))
- Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108))
- Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108))
- Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108))
- `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to use full path for `kenv` command on BSD. ([#8113](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113))
- Fix missing `request.GetBody` in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to correctly handle HTTP2 GOAWAY frame.
([#​8096](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096)) ##### What's Changed - chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8014](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8014) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`190d7d4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/190d7d4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8013](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8013) - chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8016](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8016) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8011](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8011) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8023](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8023) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8020](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8020) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8017](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8017) - chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8019](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8019) - Add doc on how to upgrade to new semconv by [@​jmmcorreia](https://redirect.github.com/jmmcorreia) in 
[#​7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8028](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8028) - resource: add WithService detector option by [@​codeboten](https://redirect.github.com/codeboten) in [#​7642](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7642) - fix(deps): update googleapis to [`a57be14`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a57be14) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8031](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8031) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8032](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8032) - chore(deps): update module github.com/prometheus/procfs to v0.20.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8034](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8034) - chore(deps): update github.com/securego/gosec/v2 digest to [`8895462`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8895462) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8036](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8036) - chore(deps): update module github.com/sonatard/noctx to v0.5.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8040](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8040) - chore(deps): update github.com/securego/gosec/v2 digest to [`6e66a94`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6e66a94) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8043](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8043) - docs(otlp): document HTTP/protobuf 
insecure env vars by [@​marcschaeferger](https://redirect.github.com/marcschaeferger) in [#​8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - Rebuild semconvkit and verifyreadmes on changes by [@​MrAlias](https://redirect.github.com/MrAlias) in [#​7995](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7995) - chore(sdk/trace): join errors properly by [@​ash2k](https://redirect.github.com/ash2k) in [#​8030](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8030) - fix(deps): update googleapis to [`84a4fc4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/84a4fc4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8048](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8048) - attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by [@​pellared](https://redirect.github.com/pellared) in [#​8038](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8038) - fix(sdk/trace): return spec-compliant TraceIdRatioBased description by [@​ash2k](https://redirect.github.com/ash2k) in [#​8027](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8027) - linting: add depguard rule to enforce semconv version by [@​ajuijas](https://redirect.github.com/ajuijas) in [#​8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - chore(deps): update actions/download-artifact action to v8.0.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8046](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8046) - chore(deps): update github.com/securego/gosec/v2 digest to [`b7b2c7b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b7b2c7b) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8044](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8044) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#​8045](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8045) - Optimize attribute slice conversion by [@​MrAlias](https://redirect.github.com/MrAlias) in [#​8039](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8039) - Add benchmarks for end-to-end metrics SDK usage by [@​dashpole](https://redirect.github.com/dashpole) in [#​7768](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7768) - fix(deps): update golang.org/x by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8052](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8052) - chore(deps): update github.com/securego/gosec/v2 digest to [`befce8d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/befce8d) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8053](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8053) - trace: add Random Trace ID Flag by [@​yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) in [#​8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - Improve aggregation concurrent safe tests by [@​dashpole](https://redirect.github.com/dashpole) in [#​8021](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8021) - Add tests for exponential histogram concurrent-safety edge-cases by [@​dashpole](https://redirect.github.com/dashpole) in [#​8024](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8024) - exphist: replace min, max, sum, and count with atomics by [@​dashpole](https://redirect.github.com/dashpole) in [#​8025](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8025) - chore(deps): update github.com/securego/gosec/v2 digest to [`c2dfcec`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c2dfcec) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8055](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8055) - chore(deps): update otel/weaver 
docker tag to v0.22.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8058](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8058) - chore(deps): update github.com/securego/gosec/v2 digest to [`dec52c4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/dec52c4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8063](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8063) - chore(deps): update otel/weaver docker tag to v0.22.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8061](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8061) - chore(deps): update github/codeql-action action to v4.33.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8065](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8065) - Fix race in the lastvalue aggregation where 0 could be observed by [@​dashpole](https://redirect.github.com/dashpole) in [#​8056](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8056) - chore(deps): update github.com/securego/gosec/v2 digest to [`744bfb5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/744bfb5) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8064](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8064) - Migrate to new bare metal runner (Ubuntu 24) by [@​trask](https://redirect.github.com/trask) in [#​8068](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8068) - sdk/resource: add WithContext variants for Default and Environment ([#​7808](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7808)) by [@​ajuijas](https://redirect.github.com/ajuijas) in [#​8051](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8051) - Use atomics for exponential histogram buckets by [@​dashpole](https://redirect.github.com/dashpole) in 
[#​8057](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8057) - Added the `internal/observ` package to stdoutlog by [@​yumosx](https://redirect.github.com/yumosx) in [#​7735](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7735) - Add support for the development per-series starttime feature by [@​dashpole](https://redirect.github.com/dashpole) in [#​8060](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8060) - sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by [@​kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) in [#​8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - Cleanup exemplar featuregate readme by [@​dashpole](https://redirect.github.com/dashpole) in [#​8072](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8072) - chore(deps): update codecov/codecov-action action to v5.5.3 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8080](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8080) - chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8083](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8083) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`de6f1cc`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/de6f1cc) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8082](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8082) - chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8085](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8085) - chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#​8084](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8084) - chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8081](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8081) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8086](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8086) - chore(deps): update actions/cache action to v5.0.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8079](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8079) - chore(deps): update module github.com/fatih/color to v1.19.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8087](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8087) - fix(deps): update googleapis to [`d00831a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d00831a) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8078](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8078) - chore(deps): update golang.org/x/telemetry digest to [`b6b0c46`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b6b0c46) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8076](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8076) - fix(deps): update module google.golang.org/grpc to v1.79.3 \[security] by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8075](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8075) - sdk/metric: Support specifying cardinality limits per instrument kinds by [@​petern48](https://redirect.github.com/petern48) in [#​7855](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7855) - chore(deps): update github/codeql-action action to v4.34.0 by 
[@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8088](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8088) - chore(deps): update codspeedhq/action action to v4.12.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8089](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8089) - chore(deps): update github/codeql-action action to v4.34.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8090](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8090) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8092](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8092) - chore: fix noctx issues by [@​mmorel-35](https://redirect.github.com/mmorel-35) in [#​8008](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8008) - chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8095](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8095) - chore(deps): update codecov/codecov-action action to v5.5.4 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8097](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8097) - chore(deps): update codecov/codecov-action action to v6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8098](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8098) - chore(deps): update module github.com/tetafro/godot to v1.5.6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8099](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8099) - chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8100](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8100) - chore(deps): update 
github/codeql-action action to v4.35.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8101](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8101) - chore(deps): update actions/setup-go action to v6.4.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8107](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8107) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8106](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8106) - chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8103](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8103) - chore(deps): update github/codeql-action action to v4.35.1 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8102](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8102) - chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8109](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8109) - metricdatatest: Improve printing of diffs by [@​dashpole](https://redirect.github.com/dashpole) in [#​8073](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8073) - fix(deps): update googleapis to [`d5a96ad`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d5a96ad) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8112](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8112) - chore(deps): update codspeedhq/action action to v4.13.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8114](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8114) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by 
[@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8119](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8119) - chore(deps): update fossas/fossa-action action to v1.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8118](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8118) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8115](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8115) - fix(deps): update googleapis to [`9d38bb4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9d38bb4) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8117](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8117) - fix: support getBody in otelploghttp by [@​Tpuljak](https://redirect.github.com/Tpuljak) in [#​8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) - fix(deps): update module google.golang.org/grpc to v1.80.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8121](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8121) - Use an absolute path when calling bsd kenv by [@​dmathieu](https://redirect.github.com/dmathieu) in [#​8113](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8113) - limit response body size for OTLP HTTP exporters by [@​pellared](https://redirect.github.com/pellared) in [#​8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108) - chore(deps): update github.com/golangci/dupl digest to [`c99c5cf`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c99c5cf) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​8122](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8122) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by [@​renovate](https://redirect.github.com/renovate)\[bot] in 
[#8131](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8131) - Release v1.43.0 / v0.65.0 / v0.19.0 by [@dmathieu](https://redirect.github.com/dmathieu) in [#8128](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8128) ##### New Contributors - [@jmmcorreia](https://redirect.github.com/jmmcorreia) made their first contribution in [#7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - [@marcschaeferger](https://redirect.github.com/marcschaeferger) made their first contribution in [#8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - [@ajuijas](https://redirect.github.com/ajuijas) made their first contribution in [#8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - [@yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) made their first contribution in [#8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - [@kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) made their first contribution in [#8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - [@Tpuljak](https://redirect.github.com/Tpuljak) made their first contribution in [#8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) **Full Changelog**: <open-telemetry/opentelemetry-go@v1.42.0...v1.43.0> </details>
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
gavin-jeong
approved these changes
Apr 15, 2026
Summary
Sync the fork's main branch with upstream grafana/alloy.
Why
The `release/v1.15.0` and `v1.15.0-mem-patch` branches are already based on v1.15.0. The fork's main is too far behind, making future patch work inconvenient.
Note
🤖 Generated with Claude Code