Bump go.opentelemetry.io version to address CVE-2026-39883

[mfredenhagen]

Community Contribution License

All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.

Description

Bump go.opentelemetry.io/otel and related packages (metric, sdk, sdk/metric, trace) from v1.42.0 to v1.43.0 to address CVE-2026-39883.

Motivation and Context

CVE-2026-39883 affects go.opentelemetry.io/otel v1.42.0 and earlier. Upgrading to v1.43.0 resolves the vulnerability.

How to test this PR?

• go mod tidy should succeed with no changes.
• go build ./... should compile without errors.
• Existing tests should continue to pass.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Optimization (provides speedup with no functional changes)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• Fixes a regression (If yes, please add commit-id or PR # here)
• Unit tests added/updated
• Internal documentation updated
• Create a documentation update request here