
*: bump go.opentelemetry.io/otel/sdk to v1.43.0 to fix CVE-2026-24051#4884

Merged
ti-chi-bot[bot] merged 1 commit into pingcap:master from diegeeker:dsanchez/CVE-2026-24051/bump-otel-to-1.42.0
Apr 28, 2026

Conversation


@diegeeker diegeeker commented Apr 22, 2026

What problem does this PR solve?

Issue Number: close #4889

This PR upgrades go.opentelemetry.io/otel/sdk from v1.24.0 to v1.43.0 to address upstream OpenTelemetry SDK PATH hijacking vulnerabilities:

What is changed and how it works?

This PR updates the OpenTelemetry SDK and matching OpenTelemetry modules used by the Go module graph:

  • go.opentelemetry.io/otel/sdk: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel/metric: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel/trace: v1.24.0 -> v1.43.0
  • golang.org/x/sys: v0.35.0 -> v0.42.0
  • github.com/go-logr/logr: v1.4.1 -> v1.4.3

go mod tidy also adds go.opentelemetry.io/auto/sdk v1.2.1 as an indirect dependency.

Check List

Tests

  • Manual test
  • No code

Manual test reported by the author:

make cdc build

Questions

Will it cause performance regression or break compatibility?

No performance regression is expected. This is a dependency-only change with no TiCDC source-code changes.

Do you need to update user documentation, design documentation or monitoring documentation?

No.

Release note

None

…idy to pull in and update other dependencies
@ti-chi-bot ti-chi-bot Bot added do-not-merge/needs-linked-issue do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. contribution This PR is from a community contributor. first-time-contributor Indicates that the PR was contributed by an external member and is a first-time contributor. labels Apr 22, 2026
ti-chi-bot Bot commented Apr 22, 2026

Hi @diegeeker. Thanks for your PR.

I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ti-chi-bot ti-chi-bot Bot added the needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. label Apr 22, 2026
ti-chi-bot Bot commented Apr 22, 2026

Welcome @diegeeker!

It looks like this is your first PR to pingcap/ticdc 🎉.

I'm the bot to help you request reviewers, add labels and more, See available commands.

We want to make sure your contribution gets all the attention it needs!



Thank you, and welcome to pingcap/ticdc. 😃

pingcap-cla-assistant Bot commented Apr 22, 2026

CLA assistant check
All committers have signed the CLA.

@ti-chi-bot ti-chi-bot Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 22, 2026
coderabbitai Bot commented Apr 22, 2026

📝 Walkthrough

Updated Go module dependency versions in go.mod, including bumps to golang.org/x/sys, github.com/go-logr/logr, and a major upgrade of OpenTelemetry modules from v1.24.0 to v1.43.0, along with adding go.opentelemetry.io/auto/sdk.

Changes

Cohort / File(s): Go Module Dependencies (go.mod)
Summary: Updated golang.org/x/sys (v0.35.0 → v0.42.0), github.com/go-logr/logr (v1.4.1 → v1.4.3), and the OpenTelemetry stack (v1.24.0 → v1.43.0 for otel, otel/metric, otel/sdk, otel/trace). Added go.opentelemetry.io/auto/sdk v1.2.1 as an indirect requirement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, release-note, size/L, needs-cherry-pick-release-8.5

Suggested reviewers

  • 3AceShowHand
  • wlwilliamx

Poem

🐰 Dependencies dance in the spring breeze,
From old versions to new with ease,
OpenTelemetry soars to the sky,
v1.43 reaches way up high! ✨
A hop, skip, jump through go.mod
This upgrade path is simply divine, by my word! 🥕

🚥 Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately and specifically describes the main change: bumping go.opentelemetry.io/otel/sdk to v1.43.0 to address CVE-2026-24051, which aligns with the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The pull request description is comprehensive and follows the required template structure with all essential sections properly filled out.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates several Go dependencies, including golang.org/x/sys, github.com/go-logr/logr, and core OpenTelemetry packages to version v1.43.0. Feedback suggests that the OpenTelemetry exporters and instrumentation packages should also be updated to match the new SDK version to prevent potential compatibility issues or runtime errors.

Comment thread go.mod
Comment on lines +356 to +361
go.opentelemetry.io/otel v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
go.opentelemetry.io/otel/sdk v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.opentelemetry.io/otel/metric v1.43.0 // indirect
go.opentelemetry.io/otel/sdk v1.43.0 // indirect
go.opentelemetry.io/otel/trace v1.43.0 // indirect
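Review bot: the two exporter lines that this hunk leaves untouched, `go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect` and `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect`, now sit next to `go.opentelemetry.io/otel/sdk v1.43.0`, so the module graph pairs an exporter release that was cut against the v1.22 core with the v1.43 SDK. Either bump both exporter modules to the release that matches the v1.43.0 core in this same PR (`go get` them at that version, then `go mod tidy`) or write down in the description why they are deliberately left behind. Note also that the only test listed is `make cdc build`; a successful compile says nothing about whether the OTLP export path still works at runtime against the newer SDK, which is exactly the failure mode a mismatched exporter would produce.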

Severity: medium

When upgrading the OpenTelemetry SDK to v1.43.0, it is important to maintain version alignment across the entire ecosystem to avoid compatibility issues. Currently, the OTLP exporters (v1.22.0), contrib instrumentations (v0.49.0), and the OTLP proto (v1.1.0) are significantly behind. Using these older versions with the v1.43.0 SDK may lead to runtime errors or broken telemetry data due to changes in internal APIs and shared dependencies. It is recommended to update these related packages to their corresponding versions compatible with v1.43.0.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 353: The go.mod contains contrib/exporter modules incompatible with otel
v1.43.0; update the versions for
go.opentelemetry.io/otel/exporters/otlp/otlptrace and
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to
releases that target otel v1.43.0 (e.g., set otlptrace to a v1.x series matching
1.43.0 and otelgrpc to a recent compatible v0.x such as v0.68.0 or whatever
pkg.go.dev lists as the minimum for otel v1.43.0), run go get to resolve
transitive deps, and confirm no remaining version conflicts; specifically update
the module versions referenced in go.mod for the symbols
go.opentelemetry.io/otel/exporters/otlp/otlptrace and
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between f195970 and 83b06e6.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
go.etcd.io/bbolt v1.3.10 // indirect
go.etcd.io/etcd/client/v2 v2.305.15 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
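Review bot: `go.opentelemetry.io/auto/sdk v1.2.1 // indirect` is a module that enters the build graph for the first time with this PR, and the review above excluded go.sum (`go.sum is excluded by !**/*.sum`), so nobody has looked at its checksum entry. Before merge, run `go mod verify` on the branch and `go mod why -m go.opentelemetry.io/auto/sdk` to confirm which upgraded module pulls it in, and state that in the description rather than only "go mod tidy also adds" it; a new transitive module on a security bump is precisely where a reviewer should expect to see provenance spelled out.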

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For OpenTelemetry Go, are go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 and go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 officially compatible with go.opentelemetry.io/otel v1.43.0? Please cite the relevant compatibility policy or release notes.

💡 Result:

No, they are not officially compatible. OpenTelemetry Go follows semantic versioning (SemVer 2.0) with Go modules. The core go.opentelemetry.io/otel module at v1.43.0 is a patch release within the v1 major version, providing API stability. However, go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is an experimental v0 module (v0.49.0), where v0.y.z versions indicate initial development with no backwards compatibility guarantees—anything may change at any time per SemVer. Similarly, go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 is significantly older than v1.43.0 (latest is v1.43.0), and Go module compatibility requires matching major versions for v1+ modules or explicit dependency alignment. pkg.go.dev listings show recent contrib otelgrpc versions (e.g., v0.68.0) and otlptrace (v1.22.0 depends on otel v1.22.0) align with corresponding otel versions, not v1.43.0. The VERSIONING.md policy states experimental v0 modules have weak stability, and stable modules version with the core, but mixing specific older patch/minor versions risks dependency conflicts or API mismatches. Use go mod tidy to verify, but per policy/release notes, these exact versions are not guaranteed compatible with otel v1.43.0.

Update OpenTelemetry contrib and exporter dependencies to versions compatible with otel v1.43.0.

The current versions are incompatible: go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 depends on otel v1.22.0, not v1.43.0, and go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 is an experimental v0 module with no backwards compatibility guarantees. Per OpenTelemetry's VERSIONING.md policy, stable modules (v1+) version with the core otel, while v0 modules may introduce breaking changes. Recent versions like otelgrpc v0.68.0 align with current otel versions; verify pkg.go.dev for the minimum versions that support otel v1.43.0 and update accordingly to avoid dependency conflicts and API mismatches.

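The version-alignment point raised by both review bots above (exporters and contrib modules left at v1.22.0 / v0.49.0 while otel/sdk moves to v1.43.0) can be turned into a mechanical gate instead of an eyeball check. The program below is an added example, not TiCDC code and not part of this PR: it parses a go.mod require block, reports whether go.opentelemetry.io/otel/sdk is at or above the fixed version named in the PR title, lists the stable go.opentelemetry.io/otel/* modules whose version differs from the core go.opentelemetry.io/otel module, and separates out the go.opentelemetry.io v0 modules that have to be checked against their own release notes. The embedded go.mod excerpt is constructed to mirror the versions quoted in the thread, and the rule that stable OpenTelemetry Go modules share one version with the core is the VERSIONING.md point the reviewers cite, taken here as an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod excerpt mirroring the versions quoted in the review thread (not TiCDC's real go.mod).
const sampleGoMod = `require (
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
	go.opentelemetry.io/otel v1.43.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect
	go.opentelemetry.io/otel/metric v1.43.0 // indirect
	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
	go.opentelemetry.io/otel/trace v1.43.0 // indirect
)
`

// Requirement is one "path version" entry of a go.mod require directive.
type Requirement struct{ Path, Version string }

// ParseRequires reads require entries from go.mod text, in both the one-line and
// the parenthesised block form; comments such as "// indirect" are ignored.
func ParseRequires(goMod string) []Requirement {
	var reqs []Requirement
	block := "" // directive whose "(" block we are inside, if any
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(": // "require (", "replace (", "exclude ("
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case block == "require" && len(f) == 2:
			reqs = append(reqs, Requirement{f[0], f[1]})
		case block == "" && len(f) == 3 && f[0] == "require":
			reqs = append(reqs, Requirement{f[1], f[2]})
		}
	}
	return reqs
}

// parseSemver reads "vX.Y.Z"; pre-release and pseudo-version suffixes are
// ignored, so such versions compare as their base release.
func parseSemver(v string) (p [3]int, ok bool) {
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && n == 3
}

// AtLeast reports whether path is required at a version >= minimum and returns
// the version found ("" if absent). Unparsable versions never satisfy the minimum.
func AtLeast(reqs []Requirement, path, minimum string) (bool, string) {
	want, ok := parseSemver(minimum)
	for _, r := range reqs {
		if r.Path != path {
			continue
		}
		have, ok2 := parseSemver(r.Version)
		if !ok || !ok2 {
			return false, r.Version
		}
		for i := range have {
			if have[i] != want[i] {
				return have[i] > want[i], r.Version
			}
		}
		return true, r.Version
	}
	return false, ""
}

// StableOtelSkew returns the go.opentelemetry.io/otel/... modules at v1+ whose
// version differs from the core go.opentelemetry.io/otel module (assumption:
// stable OpenTelemetry Go modules release in lockstep with the core). v0 modules
// under go.opentelemetry.io/ are versioned independently and are returned
// separately for a manual release-notes check.
func StableOtelSkew(reqs []Requirement) (skew, experimental []Requirement) {
	_, core := AtLeast(reqs, "go.opentelemetry.io/otel", "v0.0.0") // "" if absent
	for _, r := range reqs {
		switch {
		case !strings.HasPrefix(r.Path, "go.opentelemetry.io/"):
		case strings.HasPrefix(r.Version, "v0."):
			experimental = append(experimental, r)
		case strings.HasPrefix(r.Path, "go.opentelemetry.io/otel/") && r.Version != core:
			skew = append(skew, r)
		}
	}
	return skew, experimental
}

func main() {
	reqs := ParseRequires(sampleGoMod)
	ok, have := AtLeast(reqs, "go.opentelemetry.io/otel/sdk", "v1.43.0")
	fmt.Printf("otel/sdk >= v1.43.0: %v (found %q)\n", ok, have)
	skew, experimental := StableOtelSkew(reqs)
	for _, r := range skew {
		fmt.Println("version skew vs core otel:", r.Path, r.Version)
	}
	for _, r := range experimental {
		fmt.Println("v0 module, check its release notes:", r.Path, r.Version)
	}
}
```

On the constructed excerpt the gate passes the sdk minimum, reports both otlptrace exporters as skewed against the v1.43.0 core, and lists otelgrpc v0.49.0 for a manual check, which is the outcome the two reviewers described. To run it against a real tree, feed the file contents of go.mod to ParseRequires, or wrap the output of `go list -m all` (one `path version` per line) in a require block; the latter reflects the versions the build actually selects, which matters when a go.mod has not been tidied.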

@ti-chi-bot ti-chi-bot Bot added do-not-merge/needs-triage-completed release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/needs-linked-issue do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-triage-completed labels Apr 22, 2026
@wlwilliamx (Collaborator) commented:

/test all

@wlwilliamx (Collaborator) commented:

CLA assistant check: Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.

@diegeeker Thank you for your work! Could you please sign the Contributor License Agreement?

@diegeeker (Contributor, Author) commented:

Hey @wlwilliamx, went ahead and signed that agreement. Can we rerun these tests?

@ti-chi-bot ti-chi-bot Bot added needs-1-more-lgtm Indicates a PR needs 1 more LGTM. approved labels Apr 28, 2026
@ti-chi-bot ti-chi-bot Bot added the lgtm label Apr 28, 2026
ti-chi-bot Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lidezhu, wlwilliamx

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot removed the needs-1-more-lgtm Indicates a PR needs 1 more LGTM. label Apr 28, 2026
ti-chi-bot Bot commented Apr 28, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-04-28 05:25:10.600764255 +0000 UTC m=+2661915.806124313: ☑️ agreed by wlwilliamx.
  • 2026-04-28 05:26:47.449525779 +0000 UTC m=+2662012.654885846: ☑️ agreed by lidezhu.

@ti-chi-bot ti-chi-bot Bot merged commit dd501c8 into pingcap:master Apr 28, 2026
24 of 26 checks passed
ti-chi-bot Bot commented Apr 28, 2026

@diegeeker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: pull-unit-test
  • Commit: 83b06e6
  • Required: unknown
  • Rerun command: /test pull-unit-test


@ti-chi-bot (Member) commented:

In response to a cherrypick label: new pull request created to branch release-8.5: #4943.
But this PR has conflicts, please resolve them!


Labels

approved contribution This PR is from a community contributor. first-time-contributor Indicates that the PR was contributed by an external member and is a first-time contributor. lgtm needs-cherry-pick-release-8.5 Should cherry pick this PR to release-8.5 branch. needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.


Development

Successfully merging this pull request may close these issues.

TiCDC depends on vulnerable OpenTelemetry SDK versions (CVE-2026-24051, CVE-2026-39883)

4 participants