Hi OpenTelemetry Java Maintainers,
I am requesting a new release of the opentelemetry-semconv Java artifacts (specifically version 1.43.0) to align with the latest OpenTelemetry Specification and Go implementation.
Current versions available on Maven Central (up to 1.40.0) are being flagged by security scanners (OWASP Dependency-Check / Snyk) for the following vulnerabilities:
CVE-2026-39883: Path Hijacking (Local Privilege Escalation)
CVE-2026-39882: OTLP HTTP Exporter Denial of Service (Memory Exhaustion)
The official fixes for these CVEs were introduced in version 1.43.0 of the OpenTelemetry core/spec. Since the Java semantic convention artifacts are versioned in sync with the spec, we are currently blocked from clearing these security flags in our production builds because 1.43.0 is not yet available on Maven Central.
Could you please trigger the release process to publish version 1.43.0 of the opentelemetry-semconv artifacts to Maven Central?
Thank you for your hard work on this project!