Comply with W3C Baggage specification limits

[XSAM]

Updates the baggage implementation to comply with https://www.w3.org/TR/baggage/#limits:

• Changed maxMembers from 180 to 64 (the W3C compliance requirement)

  The resulting baggage-string contains 64 list-members or less.

• Removed maxBytesPerMembers (4096) - this per-member limit was not part of the W3C spec

• Added limit checking in extractMultiBaggage for multiple baggage headers:

  • Checks combined byte size across all headers (max 8192 bytes)
  • Checks combined member count across all headers (max 64 members)

This PR uses non-deterministic truncation when handling baggage limits.

[codecov]

Codecov Report

❌ Patch coverage is 98.78049% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 81.7%. Comparing base (7078987) to head (ee28d7a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
propagation/baggage.go	88.8%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #7880   +/-   ##
=====================================
  Coverage   81.7%   81.7%           
=====================================
  Files        304     304           
  Lines      23287   23331   +44     
=====================================
+ Hits       19037   19077   +40     
- Misses      3863    3866    +3     
- Partials     387     388    +1     

Files with missing lines	Coverage Δ
baggage/baggage.go	99.4% <100.0%> (+<0.1%)	⬆️
internal/errorhandler/errorhandler.go	100.0% <100.0%> (ø)
internal/global/state.go	100.0% <100.0%> (ø)
propagation/baggage.go	95.0% <88.8%> (-5.0%)	⬇️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[MrAlias]

• Drops all baggage if limits are exceeded per W3C spec

  If a platform cannot propagate all baggage, it MUST NOT propagate any partial list-members"

I don't think dropping all baggage is the correct interpretation of this requirement. We cannot propagate any "partial list-members", but it doesn't mean we cannot propagate complete list-members. Infact, the specification specifically states:

If either of the above conditions is not met, a platform MAY drop list-members until both conditions are met. The selection of which list-members to drop and their order is unspecified and left to the implementer.

While dropping all may indeed be a valid "selection" of list-members, I think we can do better and just take the first, or last n list-members the fit within the limits. Right?

[XSAM]

While dropping all may indeed be a valid "selection" of list-members, I think we can do better and just take the first, or last n list-members the fit within the limits. Right?

Yeah. And, this will need to refactor baggage.Parse.

https://github.com/XSAM/opentelemetry-go/blob/0b29d8f4d883f334ce68981e269d34354ca494e1/baggage/baggage.go#L472

[MrAlias]

Overall this looks good. It addresses the critical security issue, looks W3C specification compliant, and is well tested. The error handling of Parse can be improved, and the issue in extractMultiBaggage, where it silently drops headers, needs to be fixed.

[Copilot]

Pull request overview

Updates OpenTelemetry Go baggage parsing and propagation to enforce W3C Baggage size/member limits (64 members, 8192 bytes) and adjusts tests/changelog accordingly.

Changes:

• Reduce max baggage members to 64 and remove the per-member byte limit.
• Apply byte/member limit enforcement while parsing baggage strings and when extracting from multiple baggage headers.
• Add/adjust unit tests and document the change in the changelog.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
propagation/baggage.go	Adds combined multi-header limit handling for member count and total bytes.
propagation/baggage_test.go	Adds helper generators and new multi-header limit/behavior test cases.
baggage/baggage.go	Updates constants and changes Parse behavior to truncate to W3C limits instead of erroring.
baggage/baggage_test.go	Updates tests for new limit behavior and removed per-member limit.
CHANGELOG.md	Notes W3C baggage limit compliance changes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

baggage/baggage_test.go:293

• Parse now truncates and returns a partial Baggage when the 8192-byte limit is exceeded, but the test cases here no longer cover that behavior (the “too large” case now fails earlier as errInvalidMember). Add a test where the input exceeds maxBytesPerBaggageString after one or more valid members, and assert ErrorIs(err, errBaggageBytes) and that the returned baggage contains the expected prefix members within the byte limit.

func TestBaggageParse(t *testing.T) {
	tooLarge := key(maxBytesPerBaggageString + 1)

	m := make([]string, maxMembers+1)
	for i := range m {
		m[i] = fmt.Sprintf("a%d=", i)
	}
	tooManyMembers := strings.Join(m, listDelimiter)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[XSAM]

@open-telemetry/go-approvers PTAL

[MrAlias]

Looks great! 🚀

[bboreham]

High-level looks fine to me; I wasn't aware of all the details of the limits so maybe try to over-communicate when this goes out.