Update deps v2

[aphralG]

Proposed changes

Update Otel Deps

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING document
• I have run make install-tools and have attached any dependency changes to this pull request
• If applicable, I have added tests that prove my fix is effective or that my feature works
• If applicable, I have checked that any relevant tests pass after adding my changes
• If applicable, I have updated any relevant documentation (README.md)
• If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 3 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 5 package(s) with unknown licenses.

See the Details below.

License Issues

test/integration/go.mod

Package	Version	License	Issue Type
go.opentelemetry.io/otel	1.40.0	Apache-2.0 AND BSD-3-Clause	Incompatible License
go.opentelemetry.io/otel/metric	1.40.0	Apache-2.0 AND BSD-3-Clause	Incompatible License
go.opentelemetry.io/otel/trace	1.40.0	Apache-2.0 AND BSD-3-Clause	Incompatible License
github.com/cespare/xxhash/v2	2.3.0	Null	Unknown License
github.com/stretchr/testify	1.11.1	Null	Unknown License

go.mod

Package	Version	License	Issue Type
github.com/stretchr/testify	1.11.1	Null	Unknown License

sdk/go.mod

Package	Version	License	Issue Type
github.com/stretchr/testify	1.11.1	Null	Unknown License

test/performance/go.mod

Package	Version	License	Issue Type
github.com/stretchr/testify	1.11.1	Null	Unknown License

Allowed Licenses: Apache-1.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, ISC, MIT, NCSA, OpenSSL, Python-2.0, X11, CC0-1.0, CC-BY-4.0, LicenseRef-scancode-google-patent-license-golang

Excluded from license check: pkg:githubactions/fossas/fossa-action, pkg:githubactions/opentofu/setup-opentofu, pkg:golang/github.com/shoenig/go-m1cpu, pkg:pypi/pytest-metadata

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/stretchr/testify	1.11.1	Unknown	Unknown
gomod/github.com/stretchr/testify	1.10.0	Unknown	Unknown
gomod/github.com/stretchr/testify	1.11.1	Unknown	Unknown
gomod/github.com/stretchr/testify	1.10.0	Unknown	Unknown
gomod/github.com/cespare/xxhash/v2	2.3.0	Unknown	Unknown
gomod/github.com/stretchr/testify	1.11.1	Unknown	Unknown
gomod/go.opentelemetry.io/auto/sdk	1.2.1	🟢 8.1	Details Check Score Reason Code-Review ⚠️ -1 Found no human activity in the last 30 changesets Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.40.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.40.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.40.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/github.com/stretchr/testify	1.10.0	Unknown	Unknown
gomod/go.opentelemetry.io/auto/sdk	1.1.0	🟢 8.1	Details Check Score Reason Code-Review ⚠️ -1 Found no human activity in the last 30 changesets Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.36.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.36.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.36.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/github.com/stretchr/testify	1.11.1	Unknown	Unknown
gomod/github.com/stretchr/testify	1.10.0	Unknown	Unknown

Scanned Manifest Files

go.mod

• github.com/stretchr/testify@1.11.1
• github.com/stretchr/testify@1.10.0

sdk/go.mod

• github.com/stretchr/testify@1.11.1
• github.com/stretchr/testify@1.10.0

test/integration/go.mod

• github.com/cespare/xxhash/v2@2.3.0
• github.com/stretchr/testify@1.11.1
• go.opentelemetry.io/auto/sdk@1.2.1
• go.opentelemetry.io/otel@1.40.0
• go.opentelemetry.io/otel/metric@1.40.0
• go.opentelemetry.io/otel/trace@1.40.0
• github.com/stretchr/testify@1.10.0
• go.opentelemetry.io/auto/sdk@1.1.0
• go.opentelemetry.io/otel@1.36.0
• go.opentelemetry.io/otel/metric@1.36.0
• go.opentelemetry.io/otel/trace@1.36.0

test/performance/go.mod

• github.com/stretchr/testify@1.11.1
• github.com/stretchr/testify@1.10.0