Skip to content

Update go.opentelemetry.io/otel version to v1.40.0 to address CVE-2026-24051#1383

Open
akankshapanse wants to merge 3 commits intokubernetes-csi:release-8.2from
akankshapanse:update_opentelemetry_version
Open

Update go.opentelemetry.io/otel version to v1.40.0 to address CVE-2026-24051#1383
akankshapanse wants to merge 3 commits intokubernetes-csi:release-8.2from
akankshapanse:update_opentelemetry_version

Conversation

@akankshapanse
Copy link
Copy Markdown

@akankshapanse akankshapanse commented Feb 20, 2026
edited
Loading

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This PR updates go.opentelemetry.io/otel version to v1.40.0 to address CVE-2026-24051. This changes also includes change in GO version as opentelemetry package requires GO version to be updated to minimum v1.24

Updated go.mod, go.sum and vendor files using following commands

# go get go.opentelemetry.io/otel@v1.40.0
# go mod tidy
# go mod vendor

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Update go.opentelemetry.io/otel version to v1.40.0 to address CVE-2026-24051

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 20, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 20, 2026

Welcome @akankshapanse!

It looks like this is your first PR to kubernetes-csi/external-snapshotter 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-csi/external-snapshotter has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 20, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 20, 2026

Hi @akankshapanse. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akankshapanse
Once this PR has been reviewed and has the lgtm label, please assign xing-yang for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Feb 20, 2026
@xing-yang
Copy link
Copy Markdown
Collaborator

xing-yang commented Feb 20, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 20, 2026
@akankshapanse akankshapanse force-pushed the update_opentelemetry_version branch 2 times, most recently from 20f60ff to c5e7172 Compare March 3, 2026 07:05
@akankshapanse akankshapanse force-pushed the update_opentelemetry_version branch from c5e7172 to 8eb3005 Compare March 3, 2026 08:06
@akankshapanse
Copy link
Copy Markdown
Author

akankshapanse commented Mar 3, 2026
edited
Loading

Test pull-kubernetes-csi-external-snapshotter-unit failed with below error , even when branch is rebased on latest changes from release-8.2 branch

### test-subtree:
./release-tools/verify-subtree.sh release-tools
Directory 'release-tools' contains non-upstream changes:

commit 8eb3005432252ea411c331e127eb643bfdfb1758
Author: Akanksha Panse <XXX>
Date:   Fri Feb 20 13:05:46 2026 +0530

    Update go.opentelemetry.io/otel version to v1.40.0 to address CVE-2026-24051
make: *** [release-tools/build.make:286: test-subtree] Error 1

@akankshapanse akankshapanse mentioned this pull request Mar 13, 2026
Open
@akankshapanse
Squashed 'release-tools/' changes from 90efb2ca5..119a53c3c
419f969 
119a53c3c Merge pull request kubernetes-csi#294 from andyzhangx/patch-10
7c9aa9ba3 fix: upgrade to go1.25.7 to fix CVE-2026-25679
1e81e752e Merge pull request kubernetes-csi#293 from andyzhangx/patch-9
4dc185057 fix: upgrade to go1.25.7 to fix CVE-2025-61727
b60b9a507 Merge pull request kubernetes-csi#292 from andyzhangx/patch-8
0e4e2ed0d Update Go version from 1.25.5 to 1.25.6 to fix CVE
707a99eca Merge pull request kubernetes-csi#291 from dfajmon/logcheck
a9d2b0fb3 Bump logcheck to v0.10.0
d6846630b Merge pull request kubernetes-csi#290 from dfajmon/go-1.25.5
55e527c49 Bump golang to 1.25.5
b12e407cc Merge pull request kubernetes-csi#289 from nixpanic/k8s-v1.34
bbe5e547e Use Kubernetes v1.34 and Kind v0.30 by default
4e9eb2c9e Merge pull request kubernetes-csi#288 from gnufied/add-gnufied-for-csi-approver
064e260d9 Add myself as csi approver
c852fa797 Merge pull request kubernetes-csi#287 from andyzhangx/patch-7
bce16c103 fix: upgrade to go1.24.11 to fix CVE-2025-61727
8d1258cce Merge pull request kubernetes-csi#286 from kubernetes-csi/dependabot/github_actions/actions/checkout-6
91e35981a Bump actions/checkout from 5 to 6
294138155 Merge pull request kubernetes-csi#285 from andyzhangx/patch-6
fa8b339e9 fix: upgrade to go1.24.9 to fix CVEs
74502e544 Merge pull request kubernetes-csi#278 from liangyuanpeng/migrate_k8s_testimages
533443055 Merge pull request kubernetes-csi#281 from kubernetes-csi/dependabot/github_actions/actions/checkout-5
458ce146f Bump actions/checkout from 4 to 5
5f38a9075 Merge pull request kubernetes-csi#282 from rhrmo/update-go-1.24.6
579f62421 Update go to 1.24.6
5ec1a52b8 use gcr.io/k8s-staging-test-infra instead of gcr.io/k8s-testimages
74e066a82 Merge pull request kubernetes-csi#279 from Aishwarya-Hebbar/update-csi-prow-version
6f236be7d Update CSI prow driver version to v1.17.0
0ee55894b Merge pull request kubernetes-csi#280 from xing-yang/update_go_1.24.4
9af101534 update to go 1.24.4
f5fec3e36 Merge pull request kubernetes-csi#275 from chrishenzie/emeritus
c5d285db8 Remove chrishenzie from kubernetes-csi-reviewers
0a435bf98 Merge pull request kubernetes-csi#274 from andyzhangx/patch-5
cd7b4bba3 Bump golang to 1.24.2 to fix CVE-2025-22871
701dc34bc Merge pull request kubernetes-csi#273 from andyzhangx/patch-4
aeebd30e8 Bump golang to 1.24.0
f277d561f Merge pull request kubernetes-csi#270 from carlory/update-kind-version
6dcb96a51 update default kind version to v0.25.0

git-subtree-dir: release-tools
git-subtree-split: 119a53c3cce0c04fd422514252ea62c6ff4e3548
@akankshapanse
Update go version to one used by csi-release-tools
1bf1e38
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 23, 2026

@akankshapanse: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-csi-external-snapshotter-unit 1bf1e38 link true /test pull-kubernetes-csi-external-snapshotter-unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrishenzie chrishenzie Awaiting requested review from chrishenzie

@humblec humblec Awaiting requested review from humblec

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akankshapanse @k8s-ci-robot @xing-yang