Bump OpenTelemetry dependencies to v1.44.0 (CVE-2026-41178)#5873
Merged
Conversation
Bumps all OpenTelemetry modules to v1.44.0 to address GHSA-5wrp-cwcj-q835 (CVE-2026-41178). The advisory affects go.opentelemetry.io/otel/baggage and .../propagation at v1.41.0 and v1.43.0; both are pulled in transitively and the fix ships in v1.44.0. Co-authored-by: Isaac
d94870d to
4cda5c8
Compare
janniklasrose
approved these changes
Jul 9, 2026
Collaborator
Integration test reportCommit: d94870d
8 interesting tests: 4 RECOVERED, 4 SKIP
Top 10 slowest tests (at least 2 minutes):
|
deco-sdk-tagging Bot
added a commit
that referenced
this pull request
Jul 9, 2026
## Release v1.7.0 ### CLI * An explicitly selected profile (`--profile` or a bundle's `workspace.profile`) now takes precedence over auth environment variables (`DATABRICKS_HOST`, `DATABRICKS_TOKEN`, etc.) instead of being silently shadowed by them; env vars still fill auth fields the profile leaves empty ([#5096](#5096)). * Fix intermittent crashes when processing pages from API calls ([#5815](#5815)). ### Bundles * direct: add basic version of job_runs resource (experimental) ([#5603](#5603)). * Fix permissions added to a job or pipeline by a Python (PyDABs) mutator failing to deploy with "must have exactly one owner"; the deploying identity is now set as owner, matching resources whose permissions are declared in YAML ([#5821](#5821)). * Remove duplicate enum values for jsonschema.json ([#5839](#5839)). * direct: volumes: support `volume_path` property ([#5550](#5550)). * direct: Fix deploy bug when a `postgres_projects`, `postgres_branches`, or `postgres_endpoints` field is set to its zero value (e.g. `enable_pg_native_login: false`, `replace_existing: false`) ([#5782](#5782)). * `bundle run --only` help now documents the `+` modifier syntax: prefix a task key with `+` to also run its upstream tasks, or suffix it with `+` for downstream tasks ([#5760](#5760)). * direct: Recognize UC-managed catalog and schema property defaults to avoid unnecessary drift ([#5865](#5865) & [#5870](#5870)). * Fix `bundle deploy --select <resource>` skipping the resource's grants and permissions; they are now applied as part of the selected resource ([#5852](#5852)). * Support `purge_on_delete: true` on `postgres_branches` so bundles can hard-delete a Lakebase branch on destroy (skipping the soft-delete retention window) ([#5801](#5801)). * Support `replace_existing: true` on `postgres_databases` and `postgres_roles` so bundles can take over a database or role that already exists on a Lakebase branch instead of failing with `ALREADY_EXISTS` ([#5803](#5803)). ### Dependency updates * Bump databricks-sdk-go to v0.154.0 ([#5855](#5855)). * Bump terraform-provider to 1.121.0 ([#5857](#5857)). * Bump OpenTelemetry dependencies to v1.44.0 to address [CVE-2026-41178](GHSA-5wrp-cwcj-q835) ([#5873](#5873)).
Collaborator
Integration test reportCommit: 9a92921
33 interesting tests: 16 flaky, 9 FAIL, 5 RECOVERED, 2 SKIP, 1 KNOWN
Top 50 slowest tests (at least 2 minutes):
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps all OpenTelemetry modules from v1.43.0 to v1.44.0 to address GHSA-5wrp-cwcj-q835 (CVE-2026-41178).
The advisory affects
go.opentelemetry.io/otel/baggageandgo.opentelemetry.io/otel/propagationat v1.41.0 and v1.43.0. Both are pulled in transitively (via the Databricks Go SDK config,otelhttp, andgoogle.golang.org/api), andmaincurrently sits on the affected v1.43.0. The fix ships in v1.44.0.Modules bumped:
otel,otel/metric,otel/trace,otel/sdk,otel/sdk/metric— all v1.43.0 → v1.44.0.Note:
govulncheckdoes not yet flag this — there is no Go vulnerability database entry aliased to the advisory, so detection was manual against the affected-version list.This pull request and its description were written by Isaac.