chore(deps): bump the go_modules group across 1 directory with 8 updates

[dependabot]

Bumps the go_modules group with 4 updates in the / directory: github.com/prometheus/client_golang, go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp, golang.org/x/crypto and google.golang.org/grpc.

Updates github.com/prometheus/client_golang from 1.11.0 to 1.11.1

Release notes

Sourced from github.com/prometheus/client_golang's releases.

1.11.1 / 2022-02-15

• [SECURITY FIX] promhttp: Check validity of method and code label values prometheus/client_golang#987 (Addressed CVE-2022-21698)

What's Changed

• promhttp: Check validity of method and code label values by @​bwplotka and @​kakkoyun in prometheus/client_golang#987

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

Unreleased

• [FEATURE] HTTP handlers created by promhttp package now support metrics filtering by providing one or more name[] query parameters. The default behavior when none are provided remains the same, returning all metrics. #1925

Unreleased exp module

• [BUGFIX] exp/api: Reject malformed snappy payloads declaring huge decoded sizes. Enforce a 32MB decoded-size limit to prevent OOM from oversized remote-write requests. #1917.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

... (truncated)

Commits

• 989baa3 promhttp: Check validity of method and code label values (#962) (#987)
• See full diff in compare view

Updates go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.20.0 to 0.44.0

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.

Release v0.36.2

Changed

• Upgrade dependencies of the OpenTelemetry Go Metric SDK to use the new v0.32.2 release
• Avoid getting a new Tracer for every RPC in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#2835)
• Conditionally compute message size for tracing events using proto v2 API rather than legacy v1 API in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#2647)

Deprecated

• The Inject function in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is deprecated. (#2838)
• The Extract function in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is deprecated. (#2838)

Release v0.36.1

Changed

• Upgrade dependencies of the OpenTelemetry Go Metric SDK to use the new v0.32.1 release.

Release v0.36.0

Changed

• Upgrade dependencies of the OpenTelemetry Go Metric SDK to use the new v0.32.0 release. (#2781, #2756, #2758, #2760, #2762)

Release v0.24.0

0.24.0 - 2021-09-21

Update dependency on the go.opentelemetry.io/otel project to v1.0.0.

v0.23.0

0.23.0 - 2021-09-09

Added

• Add WithoutSubSpans, WithRedactedHeaders, WithoutHeaders, and WithInsecureHeaders options for otelhttptrace.NewClientTrace. (#879)

Changed

• Split go.opentelemetry.io/contrib/propagators module into b3, jaeger, ot modules. (#985)
• otelmongodb span attributes, name and span status now conform to specification. (#769)
• Migrated EC2 resource detector support from root module go.opentelemetry.io/contrib/detectors/aws to a separate EC2 resource detector module go.opentelemetry.io/contrib/detectors/aws/ec2 (#1017)
• Add cloud.provider and cloud.platform to AWS detectors. (#1043)
• otelhttptrace.NewClientTrace now redacts known sensitive headers by default. (#879)

Fixed

• Fix span not marked as error in otelhttp.Transport when RoundTrip fails with an error. (#950)

Release v0.22.0

Added

• Add the zpages span processor. (#894)

... (truncated)

Changelog

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.

[1.40.0/2.2.0/0.65.0/0.34.0/0.20.0/0.15.0/0.13.0/0.12.0] - 2026-02-02

Added

• WithMetricAttributesFn option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to define dynamic attributes on auto-instrumented metrics. (#8191)
• Add support for configuring propagators in go.opentelemetry.io/contrib/otelconf. (#8281)
• Add const Version in go.opentelemetry.io/contrib/bridges/prometheus. (#8401)
• Add const Version in go.opentelemetry.io/contrib/otelconf. (#8461)
• Add const Version in go.opentelemetry.io/contrib/bridges/otellogr. (#8477)
• Add const Version in go.opentelemetry.io/contrib/bridges/otellogrus. (#8485)
• Add const Version in go.opentelemetry.io/contrib/bridges/otelslog. (#8480)

Fixed

• Fix panic when passing nil TracerProvider or MeterProvider to WithTracerProvider or WithMeterProvider in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8323)
• Transport in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp now supports reading request body multiple times for subsequent requests that reuse http.Request. (#8352)

Changed

• The Version() function in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp has been replaced by const Version. (#8142)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace has been replaced by const Version. (#8302)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc has been replaced by const Version. (#8317)
• The Version() function in go.opentelemetry.io/contrib/zpages has been replaced by const Version. (#8325)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/go.mongodb.org/mongo-driver/mongo/otelmongo has been replaced by const Version. (#8340)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin has been replaced by const Version. (#8341)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/runtime has been replaced by const Version string. (#8349)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws has been replaced by const Version. (#8356)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda has been replaced by const Version. (#8357)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/host has been replaced by const Version. (#8358)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful has been replaced by const Version. (#8360)
• The Version() function in go.opentelemetry.io/contrib/propagators/opencensus has been replaced by const Version. (#8361)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho has been replaced by const Version. (#8365)
• The Version() function in go.opentelemetry.io/contrib/samplers/probability/consistent has been replaced by const Version. (#8366)
• The Version() function in go.opentelemetry.io/contrib/instrumentation/go.mongodb.org/mongo-driver/v2/mongo/otelmongo has been replaced by const Version. (#8370)
• Set error.type attribute instead of adding exception span events in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8386)
• Set error.type attribute instead of adding exception span events in go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws. (#8386)
• Upgrade go.opentelemetry.io/otel/semconv to v1.39.0, including updates across all instrumentation and detector modules. (#8404)
  • The semantic conventions v1.39.0 release introduces breaking changes, including:
    • rpc span and metric attributes have been renamed to align with naming guidelines:
      • rpc.system → rpc.system.name (values: grpc, grpc_web, connectrpc, thrift, dubbo, etc.)
      • rpc.method and rpc.service have been merged into a fully-qualified rpc.method attribute
      • rpc.client|server.duration → rpc.client|server.call.duration (unit changed to seconds)
      • rpc.grpc.request.metadata/rpc.grpc.response.metadata → rpc.request.metadata/rpc.response.metadata
      • rpc.grpc.status_code → deprecated in favor of rpc.response.status_code
      • rpc.jsonrpc.request_id → jsonrpc.request.id
      • rpc.jsonrpc.version → jsonrpc.protocol.version
    • system and process metrics:
      • *.linux.memory metrics renamed to *.memory.linux
      • system.process.status → process.state
      • system.paging.type and process.paging.fault_type → system.paging.fault.type

... (truncated)

Commits

• fdfa6e3 Release v1.19.0/v0.44.0/v0.13.0 (#4299)
• aea7540 build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#4297)
• 7e88614 Remove otelbeego, otelkit, otelsarama, otelmemcache, otelgocql (#4295)
• 14f153e build(deps): bump actions/checkout from 3 to 4 (#4291)
• 01c596d dependabot updates Mon Sep 11 05:08:50 UTC 2023 (#4294)
• 50ca48f Remove high cardanility metrics from otelhttp (#4277)
• b6fc62f Update go versions used in workflow (#4278)
• 7a8f53c Add new gcp host attributes (#4263)
• aab5f49 [mux] Add request filters like otelhttp (#4230)
• 3ad5a2c Deprecate otelmemcache, otelgocql (#4164)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.0.0-20210817164053-32db794688a5 to 0.45.0

Commits

• See full diff in compare view

Updates golang.org/x/net from 0.0.0-20210813160813-60bc85c4be6d to 0.47.0

Commits

• See full diff in compare view

Updates golang.org/x/sys from 0.0.0-20211210111614-af8b64212486 to 0.38.0

Commits

• See full diff in compare view

Updates golang.org/x/text from 0.3.7 to 0.31.0

Commits

• e7ff6b3 go.mod: update golang.org/x dependencies
• fbf012b all: use reflect.TypeFor instead of reflect.TypeOf
• c6abd03 go.mod: update golang.org/x dependencies
• 42f038d x/text: fix nil dereference in gotext extract
• a42f0e2 all: use built-in max/min to simplify the code
• e69f31b go.mod: update golang.org/x dependencies
• 60c9786 all: upgrade go directive to at least 1.24.0 [generated]
• 425d715 go.mod: update golang.org/x dependencies
• b6d2645 go.mod: update golang.org/x dependencies
• 8072180 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.43.0 to 1.79.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

Commits

• dda86db Change version to 1.79.3 (#8983)
• 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
• 97ca352 Changing version to 1.79.3-dev (#8954)
• 8902ab6 Change the version to release 1.79.2 (#8947)
• a928670 Cherry-pick #8874 to v1.79.x (#8904)
• 06df363 Change version to 1.79.2-dev (#8903)
• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.27.1 to 1.36.10

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.