chore(deps): update all dependencies#198
Merged
Merged
Conversation
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/all
branch
from
7a6de7f to
59a204e
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/all
branch
2 times, most recently
from
8aaef31 to
95c4dd0
Compare
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
Bot
force-pushed
the
renovate/all
branch
11 times, most recently
from
87b8ece to
90f22e3
Compare
renovate
Bot
force-pushed
the
renovate/all
branch
10 times, most recently
from
8205ff2 to
592b3ba
Compare
renovate
Bot
force-pushed
the
renovate/all
branch
2 times, most recently
from
6d2be96 to
08a634d
Compare
renovate
Bot
force-pushed
the
renovate/all
branch
13 times, most recently
from
7c3b165 to
70ba14f
Compare
renovate
Bot
force-pushed
the
renovate/all
branch
2 times, most recently
from
5e51932 to
8a21949
Compare
renovate
Bot
force-pushed
the
renovate/all
branch
from
8a21949 to
aeed23c
Compare
Signed-off-by: Bence Csati <bence.csati@axoflow.com>
Signed-off-by: Bence Csati <bence.csati@axoflow.com>
Signed-off-by: Bence Csati <bence.csati@axoflow.com>
csatib02
approved these changes
May 11, 2026
Signed-off-by: Bence Csati <bence.csati@axoflow.com>
Signed-off-by: Bence Csati <bence.csati@axoflow.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.35.0→v0.36.01.20.1→1.20.2v2.28.1→v2.28.3v1.39.1→v1.40.0v0.148.0→v0.150.0v1.55.0→v1.58.0v1.55.0→v1.58.0v1.55.0→v1.58.0v1.55.0→v1.58.0v0.149.0→v0.152.0v0.149.0→v0.152.0v1.55.0→v1.58.0v0.149.0→v0.152.0v1.27.1→v1.28.01.26.2-alpine3.22→1.26.3-alpine3.222.11.4→2.12.2v0.35.3→v0.35.4v0.36.0v0.35.3→v0.35.4v0.36.0v0.35.3→v0.35.4v0.36.00.20.1→0.21.00.109.0→0.112.1v0.23.3→v0.24.0Release Notes
aquasecurity/trivy-action (aquasecurity/trivy-action)
v0.36.0Compare Source
What's Changed
New Contributors
Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0
cert-manager/cert-manager (cert-manager/cert-manager)
v1.20.2Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.20.2 fixes invalid YAML generated in the Helm chart when both
webhook.configand
webhook.volumesare defined, and bumps Go to 1.26.2 along with dependenciesto address reported vulnerabilities.
Changes by Kind
Bug or Regression
webhook.configandwebhook.volumesare defined. (#8665, @cert-manager-bot)Other (Cleanup or Flake)
onsi/ginkgo (github.com/onsi/ginkgo/v2)
v2.28.3Compare Source
2.28.3
Maintenance
Bump all dependencies
v2.28.2Compare Source
2.28.2
f3a36b6]94151c8]4d21dbb]c102161]9619647]5779304]onsi/gomega (github.com/onsi/gomega)
v1.40.0Compare Source
1.40.0
We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your
go.modeven if you are only using Gomega (Gomega uses Ginkgo for its own tests).Going forward, releases will strip out all tests, tidy up the
go.modand then push this stripped down version to a newmaster-litebranch. These stripped-down versions will receive thevx.y.zgit tag and will be picked up by the go toolchain.Please open an issue if this new release process causes unexpected changes for your projects.
open-telemetry/opentelemetry-operator (github.com/open-telemetry/opentelemetry-operator)
v0.150.0Compare Source
0.150.0
🛑 Breaking changes 🛑
auto-instrumentation: Update default .NET auto-instrumentation version from 1.2.0 to 1.15.0 (#4996)This update addresses security vulnerabilities in versions older than 1.15.0 (CVE-2026-40894, GHSA-g94r-2vxg-569j).
This is a breaking change due to HTTP semantic convention changes between versions.
Existing Instrumentation CRs using version 1.2.0 will NOT be automatically upgraded.
To upgrade, manually update the image in your Instrumentation CR after reviewing the migration guide.
See #2542 for details.
💡 Enhancements 💡
operator: Expose watch-namespace scope via the--watch-namespaceCLI flag and thewatch-namespaceconfig file field. TheWATCH_NAMESPACEenvironment variable continues to work. (#4379)auto-instrumentation: Addspec.initContainerSecurityContextto the Instrumentation CRD so users can explicitly set the security context of the auto-instrumentation init containers (Java, NodeJS, Python, DotNet, Apache HTTPD, Nginx). Addspec.go.securityContextfor overriding the Go sidecar's defaults. (#4894)When unset, existing behavior is preserved — init containers inherit the security context
of the first application container being instrumented, and the Go sidecar keeps the hardcoded
defaults required for eBPF (Privileged, RunAsUser: 0). Setting either field explicitly lets
restricted PSA environments declare the exact capabilities they want.
auto-instrumentation: Allow instrumentation upgrades to be blocked for versions containing major breaking changes. (#4646, #2542)Some instrumentation upgrades involve major breaking changes. The operator can't help with those, but it can
alert the user about them. This change makes this possible. It will also allow us to set the latest version
for new Instrumentation resources by default.
See #2542 for the primary example.
Components
v0.149.0Compare Source
0.149.0
💡 Enhancements 💡
collector: Add support for Gateway API HTTPRoute creation via OpenTelemetryCollector CR (#4361)operator: Added hostAliases support for OpenTelemetryCollector and TargetAllocator pods (#896)collector: Support RBAC generation fork8s_leader_electorextension (#4802)Automatically generates a ClusterRole with permissions to manage
leasesin thecoordination.k8s.ioAPI group for leader election among multiple collector replicas.collector: Add TLS security profile injection for health_check and jaeger_query extensions (#4871)When a TLS profile is configured on the cluster, the operator now injects min_version and cipher_suites
into health_check and jaeger_query extension configs
🧰 Bug fixes 🧰
auto-instrumentation: Fix instrumentation init container security context (#4848)auto-instrumentation: Fix duplicated container names validation to allow the same container name across different language instrumentations. (#4357)operator: Fix AnyConfig.DeepCopyInto performing shallow copy, causing TargetAllocator Deployment infinite reconciliation loop (#4950)AnyConfig.DeepCopyInto used maps.Copy which only copied top-level map entries, leaving nested
maps as shared references. When ApplyDefaults injected TLS profile settings (min_version) into
the collector's scrape config, it mutated the informer cache through the shared reference. This
caused the TargetAllocator config hash to alternate between two values on every reconciliation,
triggering an infinite Deployment update loop. The fix uses JSON round-tripping for a true deep copy.
opamp: Fix nil pointer dereference in OpAMP Bridge when validating a remote collector config that omits theprocessorssection (#4970)v1beta1.Config.Processorsis an optional*AnyConfig, butvalidateComponentsdereferenced it unconditionally.When a remote config without a
processorssection is applied through a bridge that hadcomponentsAllowedconfigured, it panicked and pod restarted. The nil case is now skipped during validation.
operator: Add missing RBAC permission for events.k8s.io API group (#4950)The operator uses k8s.io/client-go/tools/events which targets the events.k8s.io API group,
but the ClusterRole only granted permission for the core API group. This caused "Server rejected
event" errors when recording events on managed resources in other namespaces.
collector: Register thek8s_attributesspelling alongsidek8sattributeswhen generating RBAC from a Collector CR so either processor name produces the pods/replicasets/etc. permissions the processor needs. (#4922)The underlying processor was renamed to snake_case in
open-telemetry/opentelemetry-collector-contrib#45901 while keeping the
original spelling accepted, but the operator only parsed the camel form
and emitted no RBAC for configs using the new name.
collector: Generate RBAC for the k8s_attributes processor under its snake_case spelling, matching the camelCase k8sattributes it was renamed from. (#4922)collector: Expose prometheus receiver api_server port on collector Service and NetworkPolicy (#4949)auto-instrumentation, opamp, target allocator: Fix Env slice aliasing in Apache HTTPD, Nginx, OpAMP Bridge, and Target Allocator container builders when the spec slice has spare backing-array capacity (#4954)collector: Remove the kubebuilder default from the sts pod management policy field so it can be properlyomitempty(#4875)This field should not be set on deployment or daemonset collectors.
Components
open-telemetry/opentelemetry-collector (go.opentelemetry.io/collector/component)
v1.58.0💡 Enhancements 💡
pkg/exporterhelper: Addotelcol_exporter_in_flight_requestsmetric to track the number of export requests currently in-flight per exporter. (#15009)This UpDownCounter increments in startOp and decrements in endOp, allowing operators to monitor
concurrent export activity and detect when an exporter is saturating its worker pool.
🧰 Bug fixes 🧰
pkg/confighttp: Close the original request body after reading block-formatContent-Encoding: snappyrequests. (#15262)pkg/confighttp: Recover from panics in decompression libraries, return HTTP 400 instead of 500. (#13228)pkg/confighttp: Enforcemax_request_body_sizeonContent-Encoding: snappyrequests before the decoded buffer is allocated. (#15252)pkg/otelcol: Stop emitting verbose gRPC transport messages at WARN during normal client disconnect. (#5169)grpc-go gates chatty per-RPC notices (e.g. "HandleStreams failed to read frame:
connection reset by peer") behind
LoggerV2.V(2). zapgrpc.Logger.V conflatesgrpclog verbosity with zap severity, so V(2) returns true whenever WARN is
enabled and these messages emit at WARN. Wrap the installed grpclog.LoggerV2
with a corrected V() that compares against a fixed verbosity threshold,
matching grpclog's intended semantics. See uber-go/zap#1544.
pkg/pdata:pcommon.Value.AsStringno longer HTML-escapes<,>, and&insideValueTypeMapandValueTypeSlicevalues, matching the behavior already used forValueTypeStr. (#14662)pkg/service: Fix Prometheus config defaults mismatch when host is explicitly set in telemetry configuration. (#13867)When users explicitly configured the telemetry metrics section (e.g. to change the host),
the Prometheus exporter boolean fields (WithoutScopeInfo, WithoutUnits, WithoutTypeSuffix)
defaulted to nil/false instead of true, causing metric name format changes compared to the
implicit default configuration. This fix applies the correct defaults during config unmarshaling.
pkg/service: Return noop tracer provider when no trace processors are defined (#15135)v1.57.0🛑 Breaking changes 🛑
cmd/builder: In the generated Collector source, thereplacestatements in the Go module will now use relative paths by default. (#15097)We expect that this will not break existing use-cases where the generated collector is only used in an interim manner for builds. It enables the possibility of tracking the generated Collector code as a longer living artifact, allowing it to be run on any machine (whereas absolute paths will be different depending on the machine the Collector source is generated on.) We have added
dist::use_absolute_replace_pathsto go back to the absolute path behaviour in the case where there is an unforeseen use-case that requires absolute paths.pkg/confighttp: Stabilize framedSnappy feature gate. (#15096)💡 Enhancements 💡
all: Add declarative schema support for service telemetry resource configuration. (#14411)The
service::telemetry::resourceconfiguration now accepts the declarative schema with explicit name/value pairs:The legacy inline attribute map format is still supported for backward compatibility:
Note:
resource.detectorsis accepted for forward compatibility but is not yet applied by the collector.exporter/otlp_grpc: Added theserver.addressandurl.pathattributes to metrics generated by the otlp exporter. (#14998)exporter/otlp_http: Added theserver.addressandurl.pathattributes to metrics generated by the otlp_http exporter. (#14998)pkg/config/configgrpc: AddUserAgentfield toClientConfigto allow overriding the default gRPC user-agent string. (#14686)The otlp gRPC exporter was unconditionally setting the User-Agent via
grpc.WithUserAgent() at dial time, which takes precedence over per-call
metadata, causing any user-configured User-Agent to be silently discarded.
A dedicated
UserAgentfield has been added toClientConfigwhich, whenset, is used in the dial option directly instead of the default BuildInfo-derived string.
pkg/config/configgrpc: Accept gRPC resolver scheme URIs in client endpoint (e.g. passthrough:///host:port) to allow control over name resolution (#14990)After the migration to grpc.NewClient, some gRPC client components such as the OTLP
exporter experienced connection issues in dual-stack DNS environments. This can now be
fixed by using the passthrough:/// gRPC resolver scheme in the endpoint field.
pkg/config/confignet: Add support for Windows Named Pipe (npipe) transport (#15085)pkg/service: Emit a warning when using the old v0.2.0 declarative config format (#15088)🧰 Bug fixes 🧰
pkg/otelcol: Print components exactly once in theotelcol componentscommand (#14682)This resolves an issue where aliased components were skipped.
pkg/otelcol: Synchronize Collector Run and Shutdown lifecycles so that Shutdown blocks until Run completes all cleanup. (#4947)Shutdown now blocks until Run finishes cleanup, matching http.Server semantics.
If Shutdown is called before Run, the next Run call returns nil after cleaning up
the config provider.
pkg/pdata: Use spec-compliant string representation for NaN, Infinity, and -Infinity in Value.AsString(). (#14487)pkg/pprofile: Fix data corruption of resource and scope attributes after marshal-unmarshal-merge round-trip. (#15084)pkg/service: Non-string resource attributes in telemetry configuration now return an error instead of panicking (#15171)pkg/xscraperhelper: fix the merge of profiles in the profiling scraper helpers (#14790)receiver/otlp: Fix profiles receiver reporting its samples as spans (#15089)v1.56.0💡 Enhancements 💡
all: Update semconv package from 1.38.0 to 1.40.0 (#15095)cmd/mdatagen: Only allow theToVersionfeature flag attribute to be set for theStableandDeprecatedstages. (#15040)To better match the feature flag README
(https://github.com/open-telemetry/opentelemetry-collector/blob/main/featuregate/README.md#feature-lifecycle).
🧰 Bug fixes 🧰
exporter/debug: Guard from out of bounds profiles dictionary indices (#14803)pdata/pprofile: create a copy when the input is marked as read-only (#15080)pkg/otelcol: Fix missing default values in unredacted print-config command by introducing confmap.WithUnredacted MarshalOption. (#14750)Resolves an issue where the unredacted mode output omitted all default-valued options. By introducing a new MarshalOption to disable redaction directly at the confmap encoding level, the unredacted mode now preserves all component defaults natively without requiring post-processing.
pkg/service: Headers on the internal telemetry OTLP exporter are now redacted when the configuration is marshaled (#14756)uber-go/zap (go.uber.org/zap)
v1.28.0Compare Source
Enhancements:
zapcore.CheckPreWriteHookandCheckedEntry.Beforemethod for transforming entries before they are written to any Cores.golangci/golangci-lint (golangci/golangci-lint)
v2.12.2Compare Source
Released on 2026-05-06
gomodguard_v2: fix blocked configurationgomodguard_v2: from 2.1.0 to 2.1.3iface: from 1.4.1 to 1.4.2v2.12.1Compare Source
Released on 2026-05-01
gomodguard_v2: fix panic with migration suggestioninstall.shscript (if you are still using an URL based on the branchmaster, please update to usehttps://golangci-lint.run/install.sh)v2.12.0Compare Source
Released on 2026-05-01
clickhouselintlinter https://github.com/ClickHouse/clickhouse-go-linterdupl: fromf665c8dtoc99c5cf(extended detection)funcorder: from 0.5.0 to 0.6.0 (new option:function)goconst: add an option to ignore strings from testsgoconst: from 1.8.2 to 1.10.0 (extended detection)gomodguard_v2: from 1.4.1 to 2.1.0 (major version with new configuration)gosec: from619ce21to 2.26.1 (new checks:G124,G708,G709,G710)govet: addinlineanalyzermakezero: from 2.1.0 to 2.2.1 (support slice type aliases)paralleltest: exposecheckcleanupoptionsloglint: from 0.11.1 to 0.12.0 (new options:allowed-keys,custom-funcs)wsl_v5: from 5.6.0 to 5.8.0 (new option:cuddle-max-statements; new checks:after-decl,after-defer,after-expr,after-go,cuddle-group)forbidigo: from 2.3.0 to 2.3.1godot: from 1.5.4 to 1.5.6govet-modernize: from 0.43.0 to 0.44.0ireturn: from 0.4.0 to 0.4.1rowserrcheck: from 1.1.1 toc5f79b8customcommandkubernetes/api (k8s.io/api)
v0.35.4Compare Source
kubernetes/apimachinery (k8s.io/apimachinery)
v0.35.4Compare Source
kubernetes/client-go (k8s.io/client-go)
v0.35.4Compare Source
kubernetes-sigs/controller-tools (kubernetes-sigs/controller-tools)
v0.21.0Compare Source
What's Changed
kubebuilder:externalDocmarker by @pedjak in #1335Misc
envtest
Dependency bumps
New Contributors
Full Changelog: kubernetes-sigs/controller-tools@v0.20.0...v0.21.0
open-telemetry/opentelemetry-helm-charts (opentelemetry-operator)
v0.112.1Compare Source
OpenTelemetry Operator Helm chart for Kubernetes
What's Changed
New Contributors
Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-target-allocator-0.127.3...opentelemetry-operator-0.112.1
v0.112.0Compare Source
OpenTelemetry Operator Helm chart for Kubernetes
What's Changed
Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-ebpf-instrumentation-0.8.0...opentelemetry-operator-0.112.0
opentelemetry-operator 0.112.0
What's Changed
This release updates the opentelemetry-operator to version 0.150.0.
OpenTelemetry Release Notes
Chart Information
v0.111.0Compare Source
OpenTelemetry Operator Helm chart for Kubernetes
What's Changed
Full Changelog: open-telemetry/opentelemetry-helm-charts@opentelemetry-kube-stack-0.14.12...opentelemetry-operator-0.111.0
opentelemetry-operator 0.111.0
What's Changed
This release updates the opentelemetry-operator to version 0.149.0.
OpenTelemetry Release Notes
Chart Information
v0.110.0Compare Source
OpenTelemetry Operator Helm chart for Kubernetes
What's Changed
Configuration
📅 Schedule: (in timezone Etc/UTC)
* 0-3 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.