Bump go.opentelemetry.io/otel/sdk from 1.34.0 to 1.40.0 and fix tests #9442
Merged
simvlad merged 7 commits into temporalio:main (Mar 10, 2026)
Conversation
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.34.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.34.0...v1.40.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.40.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
stephanos approved these changes Mar 10, 2026
stephanos pushed a commit that referenced this pull request Mar 10, 2026
…#9442)

## What changed?
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.34.0 to 1.40.0.

Fix misuse of testify assertions inside `EventuallyWithT` callbacks

## Why?
testify v1.11.0 introduced a "check early" optimization where `EventuallyWithT` runs the condition immediately before the first tick. This exposed pre-existing bugs where suite-level assertions (`s.NoError`, `s.True`, etc.) were used inside `EventuallyWithT` callbacks instead of `CollectT`-based assertions. Suite assertions call `FailNow` on the real test T, killing the test immediately instead of allowing `EventuallyWithT` to retry. The cache test relied on the tick delay to accumulate hold time before measuring.

## How did you test it?
- [x] built
- [x] covered by existing tests
- [x] added new unit test(s) -- no, fixed existing ones

## Potential risks
No - test change

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
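The retry-versus-abort difference that commit message describes, shown as an added example that is not code from the Temporal repository or from testify. It is a simplified Go model of `EventuallyWithT` as the message characterises it (the early check, one condition run per tick in its own goroutine); the `realT`, `collectT`, `eventuallyWithT` and `counter` types are this example's own stand-ins and are assumed to behave like the real testify and `testing` types only in the respects the message names, not a copy of testify's internals. The condition only becomes true on its third evaluation. The buggy variant asserts through a FailNow-style helper bound to the test's own T, so the first ("check early") run exits its goroutine without reporting and the wait times out with the test marked failed; the fixed variant asserts against the CollectT, so the failure is recorded and the condition is retried on each tick until it passes.

```go
package main

import (
	"fmt"
	"runtime"
	"sync/atomic"
	"time"
)

// realT stands in for the suite's underlying *testing.T (an assumption of this
// example). Like testing.T.FailNow, it marks the test failed and exits the
// calling goroutine.
type realT struct{ failed atomic.Bool }

func (t *realT) FailNow() {
	t.failed.Store(true)
	runtime.Goexit()
}

// requireTrue models a suite-level assertion such as s.True: on failure it
// aborts the current goroutine through FailNow instead of recording and returning.
func requireTrue(t *realT, ok bool) {
	if !ok {
		t.FailNow()
	}
}

// collectT is a simplified stand-in for testify's CollectT: failures are
// recorded, not fatal, so the condition returns normally and the caller can
// inspect the errors and retry.
type collectT struct{ errs []string }

func (c *collectT) Errorf(format string, args ...any) {
	c.errs = append(c.errs, fmt.Sprintf(format, args...))
}

func assertTrue(c *collectT, ok bool, msg string) {
	if !ok {
		c.Errorf("%s", msg)
	}
}

// eventuallyWithT is a simplified model of EventuallyWithT as the commit message
// describes it: the condition runs once immediately ("check early") and then on
// each tick, every run in its own goroutine, with the next run started only after
// the previous one has reported back. It returns true when a run finishes with
// no recorded errors and false when waitFor elapses first.
func eventuallyWithT(cond func(c *collectT), waitFor, tick time.Duration) bool {
	results := make(chan []string, 1)
	run := func() {
		go func() {
			c := &collectT{}
			cond(c)
			results <- c.errs // deliberately not deferred: a goroutine killed by Goexit never reports
		}()
	}
	deadline := time.NewTimer(waitFor)
	defer deadline.Stop()
	ticker := time.NewTicker(tick)
	defer ticker.Stop()

	run()                      // check early, before the first tick
	var ticks <-chan time.Time // nil while a run is in flight: one run at a time
	for {
		select {
		case <-deadline.C:
			return false
		case <-ticks:
			ticks = nil
			run()
		case errs := <-results:
			if len(errs) == 0 {
				return true
			}
			ticks = ticker.C // failed run reported back: retry on the next tick
		}
	}
}

// counter models an asynchronous value that only becomes ready after it has
// been observed readyAfter times (constructed input for this example).
type counter struct {
	n          atomic.Int32
	readyAfter int32
}

func (c *counter) ready() bool { return c.n.Add(1) > c.readyAfter }

// buggyWait is the pattern the commit fixes: a FailNow-style assertion inside
// the callback. The early run sees a not-yet-ready value, FailNow kills the
// condition goroutine, nothing is reported back, and the wait runs out.
func buggyWait(t *realT, readyAfter int32, waitFor, tick time.Duration) bool {
	c := &counter{readyAfter: readyAfter}
	return eventuallyWithT(func(_ *collectT) {
		requireTrue(t, c.ready())
	}, waitFor, tick)
}

// fixedWait asserts against the CollectT, so a failing run is recorded and the
// condition is retried on each tick until it passes.
func fixedWait(readyAfter int32, waitFor, tick time.Duration) bool {
	c := &counter{readyAfter: readyAfter}
	return eventuallyWithT(func(ct *collectT) {
		assertTrue(ct, c.ready(), "counter not ready yet")
	}, waitFor, tick)
}

func main() {
	rt := &realT{}
	fmt.Println("buggy pattern succeeded:", buggyWait(rt, 2, 200*time.Millisecond, 20*time.Millisecond),
		"test marked failed:", rt.failed.Load())
	fmt.Println("fixed pattern succeeded:", fixedWait(2, 200*time.Millisecond, 20*time.Millisecond))
}
```

The point to carry into a review of any `EventuallyWithT` callback is the receiver of the assertion: anything that can call `FailNow` on the outer `T` (`s.NoError`, `s.True`, `require.*` with the test's `t`) terminates the run instead of letting it retry, so the assertions inside the callback must take the `*assert.CollectT` argument.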
stephanos pushed a commit that referenced this pull request Mar 11, 2026
rkannan82 added a commit that referenced this pull request Mar 20, 2026
Addresses CVE-2026-24051 (HIGH) in go.opentelemetry.io/otel/sdk. Cherry-picked from main (f7a3d63), dropped TestForceCAN_WithOverrideState which depends on features not present on release/v1.30.x. Made-with: Cursor
rkannan82 added a commit that referenced this pull request Mar 21, 2026
## Summary
Bumps dependencies to address security CVEs on `main`:
- **CVE-2026-33186 (CRITICAL)**: `google.golang.org/grpc` v1.72.2 → v1.79.3 — authorization bypass via missing leading `/` in `:path` header
- **CVE-2026-22184 (HIGH)**: Alpine `zlib` 1.3.1-r2 → 1.3.2-r0 — global buffer overflow in `untgz` utility

Note: The other two CVEs from the v1.30.2 security review are already addressed on `main`:
- otel/sdk v1.40.0 — already landed via #9442
- Go stdlib — `main` is on Go 1.26.0 (separate release series)

## Risk assessment
- **grpc v1.72.2 → v1.79.3**: 7 minor version jump with ~23 transitive dependency upgrades. Builds cleanly. Same bump successfully applied to `release/v1.30.x` in #9610.
- **zlib**: Alpine package upgrade via `apk upgrade --no-cache zlib` in both server and admin-tools Dockerfiles.

## Test plan
- [ ] CI passes

Made with [Cursor](https://cursor.com)
birme pushed a commit to eyevinn-osaas/temporal that referenced this pull request Mar 23, 2026
birme pushed a commit to eyevinn-osaas/temporal that referenced this pull request Mar 23, 2026
rkannan82 added a commit that referenced this pull request Mar 23, 2026
…9569)

Adapted from main commits f7a3d63 and 0f8873d:
- caching_redirector_test.go: wrap StaleTTL final assertion in EventuallyWithT to avoid hang under testify v1.11.1 (which checks condition immediately; FailNow inside goroutine exits without signaling)
- worker_deployment_test.go: fix verifyDescribeWorkerDeployment calls to pass s.Require() as first arg; add proto.Equal assertion on deployment version during delete verification

Skipped portions of #9442/#9569 that reference API fields/types not present in go.temporal.io/api v1.53.0 (LastCurrentTime, ForceCANVersionSignalArgs, GetPollerAutoscaling).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rkannan82 added a commit that referenced this pull request Mar 23, 2026
rkannan82 added a commit that referenced this pull request Mar 24, 2026
## Summary
Security dependency bumps for v1.29.4.1 security-only patch release.

### CVEs addressed

| CVE | Severity | Fix |
|-----|----------|-----|
| CVE-2026-33186 | CRITICAL | grpc v1.79.3 |
| CVE-2026-24051 | HIGH | otel/sdk v1.40.0 |
| CVE-2025-22868 | HIGH | x/oauth2 v0.34.0 |
| CVE-2026-25679 | HIGH | Go 1.25.8 (go directive) |

Alpine CVE (CVE-2026-22184) handled in docker-builds repo.

### Changes
- Dep bumps: grpc, otel/sdk (+ related), x/oauth2, x/net, x/crypto, x/sys, x/sync, x/text, x/exp, cel.dev/expr, uber/dig
- `cache_test.go`: fix `EventuallyWithT` for otel/sdk v1.40.0 + testify v1.11.1 behavior change (move `release()` outside callback, add explicit sleep)
- `caching_redirector_test.go`: wrap StaleTTL final assertion in `EventuallyWithT` to avoid hang under testify v1.11.1
- `worker_deployment_test.go`: fix `verifyDescribeWorkerDeployment` calls (missing `s.Require()` arg); add `proto.Equal` assertion during delete verification

### Notes
- Dep bumps cherry-picked from #9610; test fixes adapted from #9442 and #9569
- `temporal.io/api` (v1.53.0) and `temporal.io/sdk` (v1.35.0) kept at 1.29.x versions
- Pre-1.30 Dockerfiles excluded (managed in docker-builds repo)
- Test changes from #9442/#9569 that reference API fields not in v1.53.0 (LastCurrentTime, ForceCANVersionSignalArgs, GetPollerAutoscaling) are not cherry-picked

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
richer421 pushed a commit to wisdom-knowledge/temporal that referenced this pull request Apr 13, 2026
## Summary
Bumps dependencies flagged by Trivy scan to address CVEs in the v1.30.2 release image:
- **CVE-2026-33186 (CRITICAL)**: `google.golang.org/grpc` v1.72.2 → v1.79.3 — authorization bypass via missing leading `/` in `:path` header
- **CVE-2026-24051 (HIGH)**: `go.opentelemetry.io/otel/sdk` v1.34.0 → v1.40.0 — PATH hijacking (cherry-picked from main, PR temporalio#9442)
- **CVE-2026-25679 (HIGH)**: Go stdlib `net/url` — bumped Go from 1.25.7 → 1.25.8
- **CVE-2026-22184 (HIGH)**: Alpine `zlib` 1.3.1-r2 → 1.3.2-r0 — global buffer overflow in `untgz` utility

## Risk assessment
- **grpc v1.72.2 → v1.79.3**: Largest change. 7 minor version jump with ~30 transitive dependency upgrades (protobuf, x/net, x/crypto, envoy control plane, genproto, etc.). Builds cleanly. Note: this bump has not been done on `main` yet.
- **otel/sdk v1.34.0 → v1.40.0**: Already landed on `main` via temporalio#9442. Includes test fixes for testify v1.11.0 `EventuallyWithT` behavior change.
- **Go 1.25.7 → 1.25.8**: Patch version, minimal risk.
- **zlib**: Alpine package upgrade via `apk upgrade --no-cache zlib` in both server and admin-tools Dockerfiles.

## Test plan
- [ ] CI passes on this PR
- [ ] After merge, wait for Build & Publish to produce new image
- [ ] Re-run nightly validation with new image SHA
- [ ] Re-run long-haul test
- [ ] Re-run Trivy scan to confirm CVEs are resolved
- [ ] Get security clearance from #team-eng-security-it

Made with [Cursor](https://cursor.com)
## What changed?
Bumps go.opentelemetry.io/otel/sdk from 1.34.0 to 1.40.0.

Fix misuse of testify assertions inside `EventuallyWithT` callbacks

## Why?
testify v1.11.0 introduced a "check early" optimization where `EventuallyWithT` runs the condition immediately before the first tick. This exposed pre-existing bugs where suite-level assertions (`s.NoError`, `s.True`, etc.) were used inside `EventuallyWithT` callbacks instead of `CollectT`-based assertions. Suite assertions call `FailNow` on the real test T, killing the test immediately instead of allowing `EventuallyWithT` to retry. The cache test relied on the tick delay to accumulate hold time before measuring.

## How did you test it?

## Potential risks
No - test change