*: bump go.opentelemetry.io/otel/sdk to v1.43.0 to fix CVE-2026-24051 (#4884)#5013
Conversation
…idy to pull in and update other dependencies (cherry picked from commit 83b06e6)
ti-chi-bot
Bot
added
the
release-note-none
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ti-chi-bot
Bot
added
the
size/M
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates several Go dependencies, including testify, x/sys, logr, and OpenTelemetry core modules. Feedback indicates a potential issue where OpenTelemetry core versions are out of sync with OTLP exporters and instrumentation packages, which may cause build failures or runtime panics due to internal API changes.
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect | ||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect | ||
| go.opentelemetry.io/otel v1.24.0 // indirect | ||
| go.opentelemetry.io/otel v1.43.0 // indirect |
There was a problem hiding this comment.
OpenTelemetry core modules are updated to v1.43.0, but OTLP exporters (v1.22.0) and instrumentation packages (v0.49.0) remain on older versions. These components are tightly coupled via internal packages; mismatched versions frequently cause build failures or runtime panics due to internal API changes. It is highly recommended to sync all OpenTelemetry-related dependencies (core, exporters, and contrib) to matching versions to ensure stability and completeness of the update.
|
/test all |
ti-chi-bot
Bot
added
needs-1-more-lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: asddongmen, lidezhu The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
[LGTM Timeline notifier]Timeline:
|
|
/retest |
ti-chi-bot
Bot
merged commit 2d2b56a
into
pingcap:release-8.5-20260129-v8.5.5
4 participants
What problem does this PR solve?
Issue Number: ref #4889
This cherry-picks #4884 to
release-8.5-20260129-v8.5.5.This PR upgrades
go.opentelemetry.io/otel/sdktov1.43.0to address upstream OpenTelemetry SDK PATH hijacking vulnerabilities:kenvfix in earlier patched versions;v1.43.0is the first patched version for this follow-up advisory.What is changed and how it works?
This PR updates the OpenTelemetry SDK and matching modules used by the Go module graph:
go.opentelemetry.io/otel/sdk:v1.24.0->v1.43.0go.opentelemetry.io/otel:v1.24.0->v1.43.0go.opentelemetry.io/otel/metric:v1.24.0->v1.43.0go.opentelemetry.io/otel/trace:v1.24.0->v1.43.0golang.org/x/sys:v0.38.0->v0.42.0github.com/go-logr/logr:v1.4.1->v1.4.3github.com/stretchr/testify:v1.10.0->v1.11.1go mod tidyalso addsgo.opentelemetry.io/auto/sdk v1.2.1as an indirect dependency.Check List
Tests
Questions
Will it cause performance regression or break compatibility?
No performance regression is expected. This is a dependency-only change with no TiCDC source-code changes.
Do you need to update user documentation, design documentation or monitoring documentation?
No.
Release note