Skip to content

dev: bump the safe group across 1 directory with 20 updates#7925

Open
dependabot[bot] wants to merge 1 commit into
v3.36from
dependabot/go_modules/safe-c8bd63c522
Open

dev: bump the safe group across 1 directory with 20 updates#7925
dependabot[bot] wants to merge 1 commit into
v3.36from
dependabot/go_modules/safe-c8bd63c522

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the safe group with 11 updates in the / directory:

Package From To
github.com/aws/aws-sdk-go-v2/config 1.32.17 1.32.22
github.com/aws/aws-sdk-go-v2/service/s3 1.101.0 1.103.1
github.com/jackc/pgx/v5 5.9.2 5.10.0
github.com/nats-io/nats-server/v2 2.14.0 2.14.2
github.com/redis/go-redis/v9 9.18.0 9.20.0
github.com/uptrace/bun/dialect/pgdialect 1.2.15 1.2.18
github.com/uptrace/bun/driver/pgdriver 1.2.15 1.2.18
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux 0.68.0 0.69.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.68.0 0.69.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.68.0 0.69.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc 1.43.0 1.44.0

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.22

Commits

Updates github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.103.1

Commits

Updates github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

  • Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)
  • Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)
  • Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)
  • Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)
  • pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

  • Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)
  • Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)
  • Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)
  • Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)
  • Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)
  • Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

  • Fix scanning "char" (OID 18) into *string in binary format (luongs3)
  • Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)
  • Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)
  • Fix data race when context is cancelled during connect
  • Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)
  • pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)
  • pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)
  • pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check
  • Add missing error check of rows.Err to load types (Jen Altavilla)
Commits
  • 7293fb1 Update changelog for v5.10.0
  • 1ade285 pgconn: document secure connection configuration
  • b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
  • 0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
  • b28e65b pgtype: bound array element count against remaining message bytes
  • cd1f389 pgtype: bound array binary decode element length against remaining bytes
  • ff27b5b pgtype: bound hstore binary decode against malicious server input
  • a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
  • 44f6173 pgconn: cap server-supplied SCRAM iteration count
  • 1a976f7 pgconn: add require_auth to restrict accepted server auth methods
  • Additional commits viewable in compare view

Updates github.com/nats-io/nats-server/v2 from 2.14.0 to 2.14.2

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.14.2

Changelog

Refer to the 2.14 Upgrade Guide for backwards compatibility notes with 2.12.x. Please note that the 2.13.x version was skipped.

Go Version

  • 1.26.3

Dependencies

  • golang.org/x/crypto v0.52.0
  • golang.org/x/sys v0.45.0
  • github.com/nats-io/jwt/v2 v2.8.2
  • github.com/nats-io/nkeys v0.4.16

Improved

General

  • The client ID is now available through the embedded ClientAuthentication API (#8217)

Fixed

General

  • A race condition when handling subscription interest over routes has been fixed (#8235)
  • Potential protocol-level corruption from rewriting $JS.ACK subjects has been fixed (#8242)
  • Potential protocol-level corruption from buffer misuse in compressed WebSocket clients has been fixed (#8244)
  • The /accstatz monitoring endpoint no longer omits accounts with only leaf connections (#8252)

JetStream

  • Fixed a case where Raft peers were not correctly tracked after an inactivity stall during catchup (#8226)
  • Quorum needed is now calculated correctly when bootstrapping the metalayer when gateway URLs resolve to multiple IP addresses (#8238)
  • The filestore no longer performs a block skip check on streams with extremely high subject counts, as it could result in runaway CPU usage (#8227)
  • Fixed a case where the filestore would not release a lock after handling a write error (#8232)
  • Purge operations on both file and memory stores are now more consistent with each other (#8241)
  • Fixed a case where the consumer lock would not release a lock after handling a start sequence error (#8230)
  • Counter streams and message schedules now have configuration constraints applied to prevent incorrect usage patterns (#8240)
  • Improved stream and consumer scale down behaviour consistency (#8253)
  • Fixed an issue where the per-subject state last block was not stored correctly with a max messages per subject limit of 1 (#8254)
  • Fixed a drift that could occur in the peer sets after a peer remove of an online node (#8258)

Complete Changes

nats-io/nats-server@v2.14.1...v2.14.2

Release v2.14.2-RC.1

Changelog

... (truncated)

Commits
  • 1d06592 Release v2.14.2
  • 4e1aefa Cherry-picks for v2.14.2 (#8256)
  • ac092ff Update dependencies
  • 01e589d [FIXED] Peer set desync/re-add after stream peer-remove
  • 3d122e8 De-flake TestJetStreamConsumerPrioritized
  • 3836d96 [FIXED] Initial MaxMsgsPerSubject update not enforced
  • 92cf2e3 [FIXED] Filestore only stores last block when MaxMsgsPerSubject 1
  • 3288b4f (2.14) [IMPROVED] Remove redundant error check in filestore
  • 6ea46d5 [FIXED] Stream and consumer scale down consistency
  • 5edd91c [FIXED] AccountStatz omits accounts with only leaf connections
  • Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.18.0 to 9.20.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.20.0

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

  • AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
  • INCREX (#3816) — atomic increment with expiration in a single round-trip.
  • XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
  • XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
  • TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
  • Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
  • JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

  • RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
  • INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
  • XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
  • TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
  • XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
  • JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
  • Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
  • FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
  • Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

  • TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
  • Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov
  • ClusterClient Watch retry: User errors returned from a Watch callback are no longer subjected to cluster-retry classification; transient cluster errors still retry, but a callback returning e.g. net.ErrClosed short-circuits immediately (#3821) by @​obiyang

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.20.0 (2026-05-28)

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8-rc1 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

  • AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
  • INCREX (#3816) — atomic increment with expiration in a single round-trip.
  • XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
  • XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
  • TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
  • Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
  • JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

  • RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
  • INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
  • XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
  • TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
  • XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
  • JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
  • Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
  • FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
  • Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

  • TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
  • Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov

... (truncated)

Commits
  • 7d05dd3 chore(release): v9.20.0 (#3832)
  • 9756882 fix(test): make waitForSentinelClusterStable robust to disconnected r… (#3830)
  • 875ce21 fix(sentinel): do not close sentinel when replica list is empty (#3795)
  • 8a027f2 chore(ci): add govulncheck workflow (#3779)
  • d8407df fix(pubsub): include shard channels in newConn routing list (#3829)
  • 6af9bdc fix(cluster): fall back to origin port when CLUSTER SLOTS reports port 0 (#3828)
  • fa5aa8c chore(doc): Update README and CI image. (#3822)
  • fdcc6f9 refactor(keyPos): Enhance key position retrieval with CommandInfo caching (#3...
  • 68a8bc1 fix(sentinel): close non-winning sentinel clients in MasterAddr concurrent pr...
  • 00bf6d3 fix: avoid retrying ClusterClient Watch callback errors (#3821)
  • Additional commits viewable in compare view

Updates github.com/uptrace/bun/dialect/pgdialect from 1.2.15 to 1.2.18

Release notes

Sourced from github.com/uptrace/bun/dialect/pgdialect's releases.

v1.2.18

Please refer to CHANGELOG.md for details

v1.2.17

Please refer to CHANGELOG.md for details

v1.2.16

Please refer to CHANGELOG.md for details

Changelog

Sourced from github.com/uptrace/bun/dialect/pgdialect's changelog.

1.2.18 (2026-02-28)

Bug Fixes

  • handle []byte and [N]byte in Tuple, separate List from Tuple imp… (uptrace/bun#1340) (bec98b9)
  • validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misparse (#1338) (b8da15b), closes #1337

1.2.17 (2026-02-21)

Bug Fixes

  • migrator exec error propagation (#1320) (b40f603)
  • OrderAscNullsFirst mapping (fixes #1305) (43b6af2)
  • panic in indirectAsKey when loading complex models. TypeOf(v) returns nil (2788c5b)
  • RunMigration marks migration as applied after running (#1330) (990c2eb)

Features

  • add Tuple and List (#1331) (5c2b3d1)
  • create unique index on migration name column in Migrator.Init (#1332) (44ac056)
  • update: use DEFAULT instead of NULL on databases that support it (#1315) (cabcffd)

1.2.16 (2025-11-20)

Bug Fixes

Features

... (truncated)

Commits
  • 5de0fb9 chore: release v1.2.18 (release.sh) (#1341)
  • bec98b9 fix: handle []byte and [N]byte in Tuple, separate List from Tuple imp… (#1340)
  • b8da15b fix: validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misp...
  • 6b7a19b Add client cert support in postgres dsn (sslcert and sslkey) (#1336)
  • 3c9f8fb chore: remove Go 1.24 from CI build matrix
  • 43d07be chore: release v1.2.17 (release.sh) (#1333)
  • a94579f chore: add doc comments for exported identifiers across sub-packages
  • b19d8f7 chore: add doc comments for package, type, and exported functions
  • 415f372 chore: re-order features by category and add missing documentation
  • 44ac056 feat: create unique index on migration name column in Migrator.Init (#1332)
  • Additional commits viewable in compare view

Updates github.com/uptrace/bun/driver/pgdriver from 1.2.15 to 1.2.18

Release notes

Sourced from github.com/uptrace/bun/driver/pgdriver's releases.

v1.2.18

Please refer to CHANGELOG.md for details

v1.2.17

Please refer to CHANGELOG.md for details

v1.2.16

Please refer to CHANGELOG.md for details

Changelog

Sourced from github.com/uptrace/bun/driver/pgdriver's changelog.

1.2.18 (2026-02-28)

Bug Fixes

  • handle []byte and [N]byte in Tuple, separate List from Tuple imp… (uptrace/bun#1340) (bec98b9)
  • validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misparse (#1338) (b8da15b), closes #1337

1.2.17 (2026-02-21)

Bug Fixes

  • migrator exec error propagation (#1320) (b40f603)
  • OrderAscNullsFirst mapping (fixes #1305) (43b6af2)
  • panic in indirectAsKey when loading complex models. TypeOf(v) returns nil (2788c5b)
  • RunMigration marks migration as applied after running (#1330) (990c2eb)

Features

  • add Tuple and List (#1331) (5c2b3d1)
  • create unique index on migration name column in Migrator.Init (#1332) (44ac056)
  • update: use DEFAULT instead of NULL on databases that support it (#1315) (cabcffd)

1.2.16 (2025-11-20)

Bug Fixes

Features

... (truncated)

Commits
  • 5de0fb9 chore: release v1.2.18 (release.sh) (#1341)
  • bec98b9 fix: handle []byte and [N]byte in Tuple, separate List from Tuple imp… (#1340)
  • b8da15b fix: validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misp...
  • 6b7a19b Add client cert support in postgres dsn (sslcert and sslkey) (#1336)
  • 3c9f8fb chore: remove Go 1.24 from CI build matrix
  • 43d07be chore: release v1.2.17 (release.sh) (#1333)
  • a94579f chore: add doc comments for exported identifiers across sub-packages
  • b19d8f7 chore: add doc comments for package, type, and exported functions
  • 415f372 chore: re-order features by category and add missing documentation
  • 44ac056 feat: create unique index on migration name column in Migrator.Init (#1332)
  • Additional commits viewable in compare view

Updates go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux from 0.68.0 to 0.69.0

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux's releases.

v1.44.0/v2.5.1/v0.69.0/v0.37.1/v0.24.0/v0.19.0/v0.16.1/v0.16.0

Added

  • Add error.type attribute to http.client.request.duration for transport failures in otelhttp. (#8801)
  • Add examples for prometheus compatibility document. (#8716)
  • Add support for cardinality_limits in PeriodicMetricReader in otelconf. (#8885)
  • Add Resource method to SDK in go.opentelemetry.io/contrib/otelconf/x to expose the resolved SDK resource from declarative configuration. (#8913)
  • Add go.opentelemetry.io/contrib/detectors/hetzner, a new resource detector for Hetzner Cloud servers, ported from github.com/open-telemetry/opentelemetry-collector-contrib/processor/resourcedetectionprocessor/internal/hetzner. Detects cloud.provider, cloud.platform, cloud.region, cloud.availability_zone, host.id, and host.name. (#8979)

Changed

  • Set error field as record.SetErr instead of a plain attribute in go.opentelemetry.io/contrib/bridges/otellogrus. (#8776)
  • Set the "error" field (e.g. created via zap.Error) as record.SetErr instead of a plain attribute in go.opentelemetry.io/contrib/bridges/otelzap. (#8719)
  • Set fields implementing error interface from slog records as record.SetErr instead of plain attributes in go.opentelemetry.io/contrib/bridges/otelslog. (#8774)
  • Set emitted errors in go.opentelemetry.io/contrib/bridges/otellogr as record errors (Record.SetErr) instead of exception.message attributes. (#8775)

Fixed

  • Fix header attributes lost when using sub-spans in go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace. (#8797)
  • Validate encoding configuration for OTLP HTTP exporters in go.opentelemetry.io/contrib/otelconf. (#8772)
  • Remove the custom body wrapper from the request's body after the request is processed to allow body type comparisons with the original type in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp and go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#6914)
  • Unknown or empty HTTP methods now report "_OTHER" instead of "GET" across all HTTP instrumentations to align with OpenTelemetry semantic conventions. (#8868)
  • The default span name formatter in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp now conforms to the OpenTelemetry HTTP semantic conventions for server span names. (#8871)
    • The default span name is now {method} {route} (e.g. GET /foo/{id}) when a route pattern is available, or {method} (e.g. GET) otherwise.

Removed

  • Remove the deprecated WithSpanOptions option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8991)

What's Changed

@dependabot
dev: bump the safe group across 1 directory with 20 updates
8dd1db7 
Bumps the safe group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.17` | `1.32.22` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.101.0` | `1.103.1` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.9.2` | `5.10.0` |
| [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) | `2.14.0` | `2.14.2` |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) | `9.18.0` | `9.20.0` |
| [github.com/uptrace/bun/dialect/pgdialect](https://github.com/uptrace/bun) | `1.2.15` | `1.2.18` |
| [github.com/uptrace/bun/driver/pgdriver](https://github.com/uptrace/bun) | `1.2.15` | `1.2.18` |
| [go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.68.0` | `0.69.0` |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.68.0` | `0.69.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.68.0` | `0.69.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.43.0` | `1.44.0` |



Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.22
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.22)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.101.0 to 1.103.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.101.0...service/s3/v1.103.1)

Updates `github.com/jackc/pgx/v5` from 5.9.2 to 5.10.0
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.2...v5.10.0)

Updates `github.com/nats-io/nats-server/v2` from 2.14.0 to 2.14.2
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](nats-io/nats-server@v2.14.0...v2.14.2)

Updates `github.com/redis/go-redis/v9` from 9.18.0 to 9.20.0
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](redis/go-redis@v9.18.0...v9.20.0)

Updates `github.com/uptrace/bun/dialect/pgdialect` from 1.2.15 to 1.2.18
- [Release notes](https://github.com/uptrace/bun/releases)
- [Changelog](https://github.com/uptrace/bun/blob/master/CHANGELOG.md)
- [Commits](uptrace/bun@v1.2.15...v1.2.18)

Updates `github.com/uptrace/bun/driver/pgdriver` from 1.2.15 to 1.2.18
- [Release notes](https://github.com/uptrace/bun/releases)
- [Changelog](https://github.com/uptrace/bun/blob/master/CHANGELOG.md)
- [Commits](uptrace/bun@v1.2.15...v1.2.18)

Updates `go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux` from 0.68.0 to 0.69.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.68.0...zpages/v0.69.0)

Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.68.0 to 0.69.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.68.0...zpages/v0.69.0)

Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.68.0 to 0.69.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.68.0...zpages/v0.69.0)

Updates `go.opentelemetry.io/otel` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `go.opentelemetry.io/otel/exporters/stdout/stdouttrace` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `go.opentelemetry.io/otel/metric` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `go.opentelemetry.io/otel/sdk` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `go.opentelemetry.io/otel/trace` from 1.43.0 to 1.44.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.43.0...v1.44.0)

Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
- [Commits](golang/crypto@v0.51.0...v0.52.0)

Updates `golang.org/x/net` from 0.54.0 to 0.55.0
- [Commits](golang/net@v0.54.0...v0.55.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20260414002931-afd174a4e478 to 0.0.0-20260526163538-3dc84a4a5aaa
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20260414002931-afd174a4e478 to 0.0.0-20260526163538-3dc84a4a5aaa
- [Commits](https://github.com/googleapis/go-genproto/commits)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.103.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: github.com/uptrace/bun/dialect/pgdialect
  dependency-version: 1.2.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
- dependency-name: github.com/uptrace/bun/driver/pgdriver
  dependency-version: 1.2.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
- dependency-name: go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux
  dependency-version: 0.69.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  dependency-version: 0.69.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  dependency-version: 0.69.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel/metric
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: go.opentelemetry.io/otel/trace
  dependency-version: 1.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-version: 0.0.0-20260526163538-3dc84a4a5aaa
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
- dependency-name: google.golang.org/genproto/googleapis/rpc
  dependency-version: 0.0.0-20260526163538-3dc84a4a5aaa
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: safe
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner June 3, 2026 14:08
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 3, 2026
@dependabot dependabot Bot requested a review from halimi June 3, 2026 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@halimi halimi Awaiting requested review from halimi halimi is a code owner automatically assigned from TheThingsNetwork/stack-reviewers-1

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants