
fix: Fix multiple vulnerabilities by upgrading to go1.25.9 and otel-go#6713

Merged
PeterSchafer merged 2 commits into main from fix/upgrade_otel_go on Apr 8, 2026
Conversation

@PeterSchafer (Contributor)

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

This PR updates multiple dependencies to address high severity vulnerabilities.

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

N/A

Risk assessment (Low | Medium | High)?

Low, as the dependency bumps are either fix or minor upgrades.

SNYK-GOLANG-GOOPENTELEMETRYIOOTELBAGGAGE-15928416
SNYK-GOLANG-GOOPENTELEMETRYIOOTELINTERNALGLOBAL-15928418
SNYK-GOLANG-GOOPENTELEMETRYIOOTELPROPAGATION-15928420
SNYK-GOLANG-STDCRYPTOTLS-15928849
@PeterSchafer PeterSchafer requested review from a team as code owners April 8, 2026 10:35

snyk-io Bot commented Apr 8, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan Engine          | Critical | High | Medium | Low | Total (0)
       | Open Source Security | 0        | 0    | 0      | 0   | 0 issues
       | Licenses             | 0        | 0    | 0      | 0   | 0 issues
       | Code Security        | 0        | 0    | 0      | 0   | 0 issues



github-actions Bot commented Apr 8, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!

Generated by 🚫 dangerJS against d26e83f

@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

OpenTelemetry Version Mismatch 🟠 [major]

The PR upgrades go.opentelemetry.io/otel, otel/metric, and otel/trace to version 1.41.0 (lines 247, 248, 251), but leaves go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/sdk/metric at version 1.40.0. In the OpenTelemetry Go ecosystem, API and SDK versions must be synchronized. A version mismatch can lead to silent failures where telemetry data is not exported because the newer API does not find the expected features in the older SDK. Furthermore, if the 'multiple vulnerabilities' referenced in the PR title are in the SDK logic, this change fails to remediate them.

go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/metric v1.41.0 // indirect
go.opentelemetry.io/otel/sdk v1.40.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
go.opentelemetry.io/otel/trace v1.41.0 // indirect
📚 Repository Context Analyzed

This review considered 5 relevant code sections from 4 files (average relevance: 0.89)
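The version-skew point raised in the review comment above is easy to check mechanically before merging a dependency bump. The following Go program is an added example, not code from this PR or from the snyk project: it parses the require block of a go.mod, groups every go.opentelemetry.io/otel module by its pinned version, and reports when the stable (v1.x) modules are spread across more than one release. The go.mod fragment embedded in it is constructed from the five lines quoted in the comment plus an unrelated placeholder module; the rule that the stable otel-go modules are expected to share one release version is the check's assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// otelPrefix covers the API and SDK modules released together from the otel-go repository.
const otelPrefix = "go.opentelemetry.io/otel"

// sampleGoMod is a constructed go.mod fragment modelled on the lines quoted in the
// review comment; it is not the project's real go.mod, and the cobra line is a placeholder.
const sampleGoMod = `module example.com/cli

go 1.25

require (
	github.com/spf13/cobra v1.8.0
	go.opentelemetry.io/otel v1.41.0 // indirect
	go.opentelemetry.io/otel/metric v1.41.0 // indirect
	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
	go.opentelemetry.io/otel/trace v1.41.0 // indirect
)
`

// ParseRequires extracts module -> version pairs from go.mod text. It handles both the
// parenthesised "require ( ... )" block and the single-line "require m v" form and drops
// trailing comments such as "// indirect".
func ParseRequires(gomod string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if fields := strings.Fields(line); len(fields) == 2 {
			mods[fields[0]] = fields[1]
		}
	}
	return mods
}

// OtelVersionSkew groups the stable (v1.x) go.opentelemetry.io/otel modules by version.
// A result with more than one key means API and SDK modules are pinned to different
// releases. Experimental 0.x modules version independently and are skipped.
func OtelVersionSkew(mods map[string]string) map[string][]string {
	byVersion := map[string][]string{}
	for m, v := range mods {
		if m != otelPrefix && !strings.HasPrefix(m, otelPrefix+"/") {
			continue
		}
		if !strings.HasPrefix(v, "v1.") {
			continue
		}
		byVersion[v] = append(byVersion[v], m)
	}
	for v := range byVersion {
		sort.Strings(byVersion[v]) // deterministic output for reporting and tests
	}
	return byVersion
}

func main() {
	skew := OtelVersionSkew(ParseRequires(sampleGoMod))
	if len(skew) > 1 {
		fmt.Println("otel modules are pinned to more than one release:")
		for v, ms := range skew {
			fmt.Printf("  %s: %s\n", v, strings.Join(ms, ", "))
		}
		return
	}
	fmt.Println("otel modules are aligned")
}
```

Run against the constructed fragment it reports two releases, v1.41.0 for otel, otel/metric and otel/trace and v1.40.0 for otel/sdk and otel/sdk/metric, which is exactly the mismatch flagged in the comment; the same function returns a single key once the SDK modules are bumped to match. For a real repository the fragment would be replaced by the contents of go.mod read from disk, and the check could run as a CI step alongside the vulnerability scan so a bump that leaves the SDK behind is caught before merge.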

@PeterSchafer PeterSchafer enabled auto-merge April 8, 2026 10:54
@PeterSchafer PeterSchafer merged commit 3523206 into main Apr 8, 2026
9 checks passed
@PeterSchafer PeterSchafer deleted the fix/upgrade_otel_go branch April 8, 2026 11:16