fix(deps): vuln minor upgrades — 15 packages (minor: 3 · patch: 12) [sticker-award]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• sticker-award (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk	v1.38.0	v1.43.0	minor	Transitive	4 HIGH
github.com/gin-gonic/gin	v1.11.0	v1.12.0	minor	Direct	-
github.com/golang-jwt/jwt/v5	v5.2.3	v5.3.1	minor	Direct	-
github.com/DataDog/dd-trace-go/contrib/IBM/sarama/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/DataDog/dd-trace-go/contrib/gin-gonic/gin/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/DataDog/dd-trace-go/contrib/gorm.io/gorm.v1/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/DataDog/dd-trace-go/contrib/net/http/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/DataDog/dd-trace-go/contrib/sirupsen/logrus/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/DataDog/dd-trace-go/v2	v2.6.0	v2.6.1	patch	Direct	-
github.com/aws/aws-sdk-go-v2	v1.41.2	v1.41.6	patch	Direct	-
github.com/aws/aws-sdk-go-v2/config	v1.32.10	v1.32.16	patch	Direct	-
github.com/aws/aws-sdk-go-v2/service/eventbridge	v1.45.19	v1.45.24	patch	Direct	-
github.com/aws/aws-sdk-go-v2/service/sqs	v1.42.22	v1.42.26	patch	Direct	-
github.com/go-playground/validator/v10	v10.30.1	v10.30.2	patch	Direct	-
github.com/sirupsen/logrus	v1.9.3	v1.9.4	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
go.opentelemetry.io/otel/sdk	GHSA-9h8m-3fm2-qjrq	HIGH	OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking	v1.38.0	1.40.0
go.opentelemetry.io/otel/sdk	GO-2026-4394	HIGH	OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk	v1.38.0	1.40.0
go.opentelemetry.io/otel/sdk	CVE-2026-24051	HIGH	OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking	v1.38.0	-
go.opentelemetry.io/otel/sdk	GHSA-hfvc-g4fc-pqhx	HIGH	opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking	v1.38.0	1.43.0

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

go.opentelemetry.io/otel/sdk (v1.38.0 → v1.43.0) — GitHub Release

v1.43.0

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
  for W3C Trace Context Level 2 Random Trace ID Flag support. (trace: add Random Trace ID Flag open-telemetry/opentelemetry-go#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (resource: add WithService detector option open-telemetry/opentelemetry-go#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (sdk/resource: add WithContext variants for Default and Environment (#7808) open-telemetry/opentelemetry-go#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (Add support for the development per-series starttime feature open-telemetry/opentelemetry-go#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (sdk/metric: Support specifying cardinality limits per instrument kinds open-telemetry/opentelemetry-go#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (Revert "Revert "Generate semconv/v1.40.0"" open-telemetry/opentelemetry-go#7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (log: add error field to Record and make SDK to emit exception attributes open-telemetry/opentelemetry-go#7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (TracerProvider ForceFlush() Error Fix open-telemetry/opentelemetry-go#7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (support stdlib request.GetBody on metrics open-telemetry/opentelemetry-go#7931)

(truncated — see source for full notes)

github.com/gin-gonic/gin (v1.11.0 → v1.12.0) — GitHub Release

v1.12.0

Changelog

Features

• 192ac89eefc1c30f7c97ae48a9ffb1c6f1c8c8bc: feat(binding): add support for encoding.UnmarshalText in uri/query binding (feat(binding): add support for encoding.UnmarshalText in uri/query binding gin-gonic/gin#4203) (@takanuva15)
• 53410d2e07054369e0960fbe2eed97e1b9966f12: feat(context): add GetError and GetErrorSlice methods for error retrieval (chore(context): add GetError and GetErrorSlice methods gin-gonic/gin#4502) (@raju-mechatronics)
• acc55e049e33b401e810dbd8c0d6dcb6b3ba2b05: feat(context): add Protocol Buffers support to content negotiation (feat(context): add Protocol Buffers support to content negotiation gin-gonic/gin#4423) (@1911860538)
• 38e765119241d990705169bedb5002a29ae0cbd1: feat(context): implemented Delete method (@Spyder01)
• 771dcc6476d7bc6abb9ec0235ecefa4d38fe6fb0: feat(gin): add option to use escaped path (feat(gin): add option to use escaped path gin-gonic/gin#4420) (@ldesauw)
• 4dec17afdff48e8018c83618fbbe69fceeb2b41d: feat(logger): color latency (feat(logger):color latency gin-gonic/gin#4146) (@wsyqn6)
• d7776de7d444935ea4385999711bd6331a98fecb: feat(render): add bson protocol (feat(render): add bson protocol gin-gonic/gin#4145) (@laurentcau)

Bug fixes

• b917b14ff9d189f16a7492be79d123a47806ee19: fix(binding): empty value error (binding:fix empty value error gin-gonic/gin#2169) (@guonaihong)
• c3d1092b3b48addf6f9cd00fe274ec3bd14650eb: fix(binding): improve empty slice/array handling in form binding (fix(binding): improve empty slice/array handling in form binding gin-gonic/gin#4380) (@1911860538)
• 9914178584e42458ff7d23891463a880f58c9d86: fix(context): ClientIP handling for multiple X-Forwarded-For header values (fix(context): ClientIP handling for multiple X-Forwarded-For header values gin-gonic/gin#4472) (@Nurysso)
• 2a794cd0b0faa7d829291375b27a3467ea972b0d: fix(debug): version mismatch (fix(debug): version mismatch gin-gonic/gin#4403) (@zeek0x)
• c3d5a28ed6d3849da820195b6774d212bcc038a9: fix(gin): close os.File in RunFd to prevent resource leak (fix(gin): close os.File in RunFd to prevent resource leak gin-gonic/gin#4422) (@1911860538)
• 5fad976b372e381312f8de69f0969f1284d229d3: fix(gin): literal colon routes not working with engine.Handler() (fix(gin): literal colon routes not working with engine.Handler() gin-gonic/gin#4415) (@pawannn)
• 63dd3e60cab89c27fb66bce1423bd268d52abad1: fix(recover): suppress http.ErrAbortHandler in recover (fix(recover): suppress http.ErrAbortHandler gin-gonic/gin#4336) (@MondayCha)
• 5c00df8afadd06cc5be530dde00fe6d9fa4a2e4a: fix(render): write content length in Data.Render (fix(render): write content length in Data.Render gin-gonic/gin#4206) (@dengaleev)
• 234a6d4c00cb77af9852aca0b8289745d5529b4b: fix(response): refine hijack behavior for response lifecycle (fix(response): refine hijack behavior for response lifecycle gin-gonic/gin#4373) (@appleboy)
• 472d086af2acd924cb4b9d7be0525f7d790f69bc: fix(tree): panic

(truncated)

github.com/golang-jwt/jwt/v5 (v5.2.3 → v5.3.1) — GitHub Release

v5.3.1

What's Changed

🔐 Features

• Add spellcheck Github action to catch common spelling mistakes by @equalsgibson in Add spellcheck Github action to catch common spelling mistakes golang-jwt/jwt#458
• Add WithNotBeforeRequired parser option and add test coverage by @equalsgibson in Add WithNotBeforeRequired parser option and add test coverage golang-jwt/jwt#456
• Update godoc example func to properly refer to NewWithClaims() by @equalsgibson in Update godoc example func to properly refer to NewWithClaims() golang-jwt/jwt#459
• Update github workflows by @mfridman in Update github workflows golang-jwt/jwt#462
• Additional test for CustomClaims that validates unmarshalling behaviour by @equalsgibson in Additional test for CustomClaims that validates unmarshalling behaviour golang-jwt/jwt#457
• Fix early file close in jwt cli by @mfridman in Fix early file close in jwt cli golang-jwt/jwt#472
• Add TPM signature reference by @salrashid123 in Add TPM signature reference golang-jwt/jwt#473
• Remove misleading ParserOptions documentation in Remove misleading ParserOptions documentation golang-jwt/jwt#484
• Save signature to Token struct after successful signing by @EgorSheff in Save signature to Token struct after successful signing golang-jwt/jwt#417
• Set token.Signature in ParseUnverified by @slickwilli in Set token.Signature in ParseUnverified golang-jwt/jwt#414

👒 Dependencies

• Bump crate-ci/typos from 1.34.0 to 1.35.3 by @dependabot[bot] in Bump crate-ci/typos from 1.34.0 to 1.35.3 golang-jwt/jwt#461
• Bump crate-ci/typos from 1.35.4 to 1.36.2 by @dependabot[bot] in Bump crate-ci/typos from 1.35.4 to 1.36.2 golang-jwt/jwt#470
• Bump github/codeql-action from 3 to 4 by @dependabot[bot] in Bump github/codeql-action from 3 to 4 golang-jwt/jwt#478
• Bump crate-ci/typos from 1.36.2 to 1.39.0 by @dependabot[bot] in Bump crate-ci/typos from 1.36.2 to 1.39.0 golang-jwt/jwt#480
• Bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in Bump golangci/golangci-lint-action from 8 to 9 golang-jwt/jwt#481
• Bump actions/setup-go from 5 to 6 by @dependabot[bot] in Bump actions/setup-go from 5 to 6 golang-jwt/jwt#469
• Bump crate-ci/typos from 1.39.0 to 1.40.0 by @dependabot[bot] in https

(truncated)

v5.3.0

This release is almost identical to to v5.2.3 but now correctly indicates Go 1.21 as minimum requirement.

What's Changed

• Create CODEOWNERS by @oxisto in Create CODEOWNERS golang-jwt/jwt#449
• Bump Go version to indicate correct minimum requirement by @oxisto in Bump Go version to indicate correct minimum requirement golang-jwt/jwt#452

Full Changelog: golang-jwt/jwt@v5.2.3...v5.3.0

github.com/DataDog/dd-trace-go/contrib/IBM/sarama/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/DataDog/dd-trace-go/contrib/gin-gonic/gin/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/DataDog/dd-trace-go/contrib/gorm.io/gorm.v1/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/DataDog/dd-trace-go/contrib/net/http/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/DataDog/dd-trace-go/contrib/sirupsen/logrus/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/DataDog/dd-trace-go/v2 (v2.6.0 → v2.6.1) — GitHub Release

What's Changed

Application Performance Monitoring (APM)

• fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans
  by @genesor in fix(tracer): preserve keep/drop possibility for OTel bridge on unsampled spans dd-trace-go#4631 (cherry-picked in DataDog/dd-trace-go@c9e8383)

Full Changelog: DataDog/dd-trace-go@v2.6.0...v2.6.1

github.com/aws/aws-sdk-go-v2 (v1.41.2 → v1.41.6) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/config (v1.32.10 → v1.32.16) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/eventbridge (v1.45.19 → v1.45.24) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/sqs (v1.42.22 → v1.42.26) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/go-playground/validator/v10 (v10.30.1 → v10.30.2) — GitHub Release

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 go-playground/validator#1523
• feat: add translations for alphaspace and alphanumspace tags in indonesian by @savioruz in feat: add translations for alphaspace and alphanumspace tags in indonesian go-playground/validator#1522
• chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.12 to 1.4.13 by @dependabot[bot] in chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.12 to 1.4.13 go-playground/validator#1526
• feat: add cmyk(color) to validator by @thenicolau in feat: add cmyk(color) to validator go-playground/validator#1528
• chore(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 by @dependabot[bot] in chore(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 go-playground/validator#1534
• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 go-playground/validator#1533
• Go 1.26 support by @nodivbyzero in Go 1.26 support go-playground/validator#1535
• fix: prevent panic in unique validation with nil pointer elements by @nodivbyzero in fix: prevent panic in unique validation with nil pointer elements go-playground/validator#1532
• docs: fix typos by @alexandear in docs: fix typos go-playground/validator#1527
• feat: implement ValidatorValuer interface feature by @thommeo in feat: implement ValidatorValuer interface feature go-playground/validator#1416
• docs: add Valuer interface documentation and example by @wofiporia in docs: add Valuer interface documentation and example go-playground/validator#1540
• chore(deps): bump golang.org/x/text from 0.34.0 to 0.35.0 by @dependabot[bot] in chore(deps): bump golang.org/x/text from 0.34.0 to 0.35.0 go-playground/validator#1545
• chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @dependabot[bot] in chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 go-playground/validator#1546
• feat: add postcode patterns for Colombia (CO) and British Virgin Islands (VG) by @j-ibarra in feat: add postcode patterns for Colombia (CO) and British Virgin Islands (VG) go-playground/validator#1547
• fix(fqdn): allow hyphens in last domain label by @alihasan070707 in fix(fqdn): allow hyphens in last domain label go-playground/validator#1548

New Contributors

• @savioruz made their first contribution in feat: add translations for alphaspace and alphanumspace tags in indonesian go-playground/validator#1522
• @thenicolau made their first contribution in feat: add cmyk(color) to validator go-playground/validator#1528
• @thommeo made their first contribution in feat: implement ValidatorValuer interface feature go-playground/validator#1416
• @wofiporia made their first contribution in docs: add Valuer interface documentation and example go-playground/validator#1540
• @j-ibarra made their first contribution in feat: add postcode patterns for Colombia (CO) and British Virgin Islands (VG) go-playground/validator#1547
• @alihasan070707 made their first contribution in fix(fqdn): allow hyphens in last domain label go-playground/validator#1548

Full Changelog: go-playground/validator@v10.30.1...v10.30.2

github.com/sirupsen/logrus (v1.9.3 → v1.9.4) — GitHub Release

Notable changes

• go.mod: update minimum supported go version to v1.17 go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• go.mod: bump up dependencies go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• Touch-up godoc and add "doc" links.
• README: fix links, grammar, and update examples.
• Add GNU/Hurd support Add GNU/Hurd support sirupsen/logrus#1364
• Add WASI wasip1 support Add WASI wasip1 support sirupsen/logrus#1388
• Remove uses of deprecated ioutil package refactor: replace the deprecated function in the ioutil package sirupsen/logrus#1472
• CI: update actions and golangci-lint CI: update actions and golangci-lint sirupsen/logrus#1459
• CI: remove appveyor, add macOS go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

---

Generated by ADMS Sources: 11 GitHub Releases, 4 Changelogs.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.