chore(deps): bump go.opentelemetry.io/otel/sdk to v1.41.0

[mdelapenya]

Summary

• Bumps go.opentelemetry.io/otel/sdk to v1.41.0 across root module and 12 submodules
• Fixes 12 open Dependabot alerts for OpenTelemetry Go SDK PATH Hijacking vulnerability (high severity)
• Affected modules: root, aerospike, arangodb, chroma, compose, dockermcpgateway, meilisearch, memcached, milvus, nebulagraph, ollama, socat, solace

Test plan

• CI passes for all affected modules
• No regressions in module dependency resolution

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for testcontainers-go ready!

Name	Link
🔨 Latest commit	2fafad3
🔍 Latest deploy log	https://app.netlify.com/projects/testcontainers-go/deploys/69aed0cb1ecca000080f6414
😎 Deploy Preview	https://deploy-preview-3589--testcontainers-go.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d9d7ae0-eec6-41b0-b8d5-72e7f9dad1e4

📥 Commits

Reviewing files that changed from the base of the PR and between 0a37718 and 2fafad3.

⛔ Files ignored due to path filters (1)

• modules/dockermodelrunner/go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• modules/azure/go.mod
• modules/azurite/go.mod
• modules/dockermodelrunner/go.mod

🚧 Files skipped from review as they are similar to previous changes (2)

• modules/azurite/go.mod
• modules/azure/go.mod

---

Summary by CodeRabbit

Release Notes

• Chores
  • Updated observability stack to a newer release for improved stability and telemetry
  • Applied security and compatibility updates to cryptographic and system libraries
  • Upgraded logging components to the latest patch release
  • Aligned and refreshed many indirect dependencies across modules for compatibility
  • Updated development environment configuration and workspace entries

Walkthrough

Systematic dependency version updates across the root module and 70+ submodules: added indirect github.com/cenkalti/backoff/v5 and github.com/cespare/xxhash/v2, upgraded OpenTelemetry modules to v1.41.0, bumped github.com/go-logr/logr and multiple golang.org/x/* packages; no exported/public APIs changed. (≈40 words)

Changes

Cohort / File(s)	Summary
Root & Examples go.mod, examples/nginx/go.mod	Added indirects backoff/v5, xxhash/v2; upgraded OpenTelemetry to v1.41.0, bumped go-logr and several golang.org/x/* versions.
Bulk modules — database, storage, search, streams, infra modules/*/go.mod (e.g. modules/aerospike/go.mod, modules/cassandra/go.mod, modules/mongodb/go.mod, modules/postgres/go.mod, modules/redis/go.mod, modules/elasticsearch/go.mod, modules/minio/go.mod, modules/meilisearch/go.mod, modules/qdrant/go.mod, modules/weaviate/go.mod, modules/yugabytedb/go.mod, ...)	Added indirects (backoff/v5, xxhash/v2) and unified OTEL to v1.41.0; bumped github.com/go-logr/logr to v1.4.3 and various golang.org/x/* modules. Some modules also updated grpc/protobuf transitive deps.
Compose, tooling & larger transitive changes modules/compose/go.mod, modules/gcloud/go.mod, modules/grafana-lgtm/go.mod	Larger transitive upgrades (OTEL, grpc, genproto, google protobuf/grpc, and golang.org/x/*); more heterogeneous changes — review transitive alignment and replace directives.
Modules with notable small deviations modules/tidb/go.mod, modules/ollama/go.mod, modules/meilisearch/go.mod	Minor removals/replacements of older OTEL/sdk lines or swaps to consolidated OTLP/otlptrace packages; some added grpc-gateway or proto version bumps.
Workspace & editor .vscode/.testcontainers-go.code-workspace	Added tidb to VSCode workspace folders.

Sequence Diagram(s)

(Skipped — change set is dependency/version updates without new multi-component control flow.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore(compose): update to compose-v5 #3568 — overlaps on OTEL and related dependency/version bumps referenced in this change set.

Suggested labels

chore

Poem

🐰 Hopping through modules, versions in hand,

Otel climbs higher across every land.
Backoff and xxhash scurry into view,
Logr and x/* follow, tidy and true.
I nibble a carrot and cheer — deps updated, hooray!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping go.opentelemetry.io/otel/sdk to v1.41.0, which is the primary focus across the affected modules.
Description check	✅ Passed	The description is directly related to the changeset, providing a clear summary of the dependency updates, affected modules, and security vulnerability fixes being addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

modules/forgejo/go.mod (1)

57-60: Consider updating otlptrace to v1.41.0 for consistency with other OTEL packages.

The otlptrace exporter is at v1.40.0 while core OTEL packages (otel, metric, trace) are at v1.41.0. Since v1.41.0 is available and released, updating would align versions across the module. The security fix (GHSA-9h8m-3fm2-qjrq) is already present in v1.40.0, so this is a consistency improvement rather than a critical fix.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/forgejo/go.mod` around lines 57 - 60, Update the otlptrace dependency
in go.mod so its version matches the other OpenTelemetry packages: change the
go.opentelemetry.io/otel/exporters/otlp/otlptrace entry from v1.40.0 to v1.41.0;
ensure go.mod is tidied (run go mod tidy) and verify builds/tests pass after
updating otlptrace.

go.mod (1)

30-30: Acknowledge upstream OpenTelemetry SDK security fix while noting limited practical impact.

The update to go.opentelemetry.io/otel/sdk v1.41.0 addresses GHSA-9h8m-3fm2-qjrq (PATH hijacking vulnerability), which is patched in v1.40.0+. However, this vulnerability only affects macOS hosts via the Host ID resource detector; testcontainers-go's compose module runs Linux CI and does not use the Host ID detector, so the practical risk impact is negligible. This version bump flows from upstream docker/compose/v5 dependencies and cannot be independently overridden in this module.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 30, The xxhash dependency update is a transitive dependency
resulting from the upstream go.opentelemetry.io/otel/sdk update to v1.41.0,
which addresses a security vulnerability (GHSA-9h8m-3fm2-qjrq). Ensure that
go.mod and go.sum are properly updated by running go mod tidy to resolve all
transitive dependencies from the updated OpenTelemetry SDK. While the security
fix should be acknowledged in the commit message or documentation, note that the
practical risk impact to this project is limited since the vulnerability only
affects macOS Host ID resource detection, which is not used in the Linux-based
CI environment for testcontainers-go's compose module, and this version bump
cannot be independently overridden as it flows from upstream dependencies.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/mongodb/go.mod`:
- Line 64: The otlptrace exporter version in this module
(go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0) is out of sync with
core OTEL v1.41.0; update the root module's dependency on the otlptracehttp
package to v1.41.0 or newer so child modules (including the modules/mongodb
go.mod) inherit the correct exporter version, then run dependency resolution (go
mod tidy / vendor refresh) at the root and re-run builds to ensure the updated
otlptrace (otlptracehttp -> otlptrace) version is propagated to modules/mongodb
and other downstream modules.

In `@modules/ollama/go.mod`:
- Around line 58-63: Update the otlp HTTP trace exporter dependency to match the
other OpenTelemetry packages by changing the version of
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from v1.31.0 to
v1.41.0 in the go.mod entry so all otel modules (including otel, trace, metric,
and otlptracehttp) use v1.41.0 and receive the same fixes; locate the go.mod
line referencing go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
and bump its version to v1.41.0, then run go mod tidy to update the lock files.

---

Nitpick comments:
In `@go.mod`:
- Line 30: The xxhash dependency update is a transitive dependency resulting
from the upstream go.opentelemetry.io/otel/sdk update to v1.41.0, which
addresses a security vulnerability (GHSA-9h8m-3fm2-qjrq). Ensure that go.mod and
go.sum are properly updated by running go mod tidy to resolve all transitive
dependencies from the updated OpenTelemetry SDK. While the security fix should
be acknowledged in the commit message or documentation, note that the practical
risk impact to this project is limited since the vulnerability only affects
macOS Host ID resource detection, which is not used in the Linux-based CI
environment for testcontainers-go's compose module, and this version bump cannot
be independently overridden as it flows from upstream dependencies.

In `@modules/forgejo/go.mod`:
- Around line 57-60: Update the otlptrace dependency in go.mod so its version
matches the other OpenTelemetry packages: change the
go.opentelemetry.io/otel/exporters/otlp/otlptrace entry from v1.40.0 to v1.41.0;
ensure go.mod is tidied (run go mod tidy) and verify builds/tests pass after
updating otlptrace.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7afdf1ed-d417-48dc-93e7-638b082e8e9b

📥 Commits

Reviewing files that changed from the base of the PR and between c411ba4 and b734406.

⛔ Files ignored due to path filters (65)

• examples/nginx/go.sum is excluded by !**/*.sum
• go.sum is excluded by !**/*.sum
• modules/aerospike/go.sum is excluded by !**/*.sum
• modules/arangodb/go.sum is excluded by !**/*.sum
• modules/artemis/go.sum is excluded by !**/*.sum
• modules/azure/go.sum is excluded by !**/*.sum
• modules/azurite/go.sum is excluded by !**/*.sum
• modules/cassandra/go.sum is excluded by !**/*.sum
• modules/chroma/go.sum is excluded by !**/*.sum
• modules/clickhouse/go.sum is excluded by !**/*.sum
• modules/cockroachdb/go.sum is excluded by !**/*.sum
• modules/compose/go.sum is excluded by !**/*.sum
• modules/consul/go.sum is excluded by !**/*.sum
• modules/couchbase/go.sum is excluded by !**/*.sum
• modules/databend/go.sum is excluded by !**/*.sum
• modules/dind/go.sum is excluded by !**/*.sum
• modules/dockermcpgateway/go.sum is excluded by !**/*.sum
• modules/dockermodelrunner/go.sum is excluded by !**/*.sum
• modules/dolt/go.sum is excluded by !**/*.sum
• modules/dynamodb/go.sum is excluded by !**/*.sum
• modules/elasticsearch/go.sum is excluded by !**/*.sum
• modules/etcd/go.sum is excluded by !**/*.sum
• modules/forgejo/go.sum is excluded by !**/*.sum
• modules/gcloud/go.sum is excluded by !**/*.sum
• modules/grafana-lgtm/go.sum is excluded by !**/*.sum
• modules/inbucket/go.sum is excluded by !**/*.sum
• modules/influxdb/go.sum is excluded by !**/*.sum
• modules/k3s/go.sum is excluded by !**/*.sum
• modules/k6/go.sum is excluded by !**/*.sum
• modules/kafka/go.sum is excluded by !**/*.sum
• modules/localstack/go.sum is excluded by !**/*.sum
• modules/mariadb/go.sum is excluded by !**/*.sum
• modules/meilisearch/go.sum is excluded by !**/*.sum
• modules/memcached/go.sum is excluded by !**/*.sum
• modules/milvus/go.sum is excluded by !**/*.sum
• modules/minio/go.sum is excluded by !**/*.sum
• modules/mockserver/go.sum is excluded by !**/*.sum
• modules/mongodb/go.sum is excluded by !**/*.sum
• modules/mssql/go.sum is excluded by !**/*.sum
• modules/mysql/go.sum is excluded by !**/*.sum
• modules/nats/go.sum is excluded by !**/*.sum
• modules/nebulagraph/go.sum is excluded by !**/*.sum
• modules/neo4j/go.sum is excluded by !**/*.sum
• modules/ollama/go.sum is excluded by !**/*.sum
• modules/openfga/go.sum is excluded by !**/*.sum
• modules/openldap/go.sum is excluded by !**/*.sum
• modules/opensearch/go.sum is excluded by !**/*.sum
• modules/pinecone/go.sum is excluded by !**/*.sum
• modules/postgres/go.sum is excluded by !**/*.sum
• modules/pulsar/go.sum is excluded by !**/*.sum
• modules/qdrant/go.sum is excluded by !**/*.sum
• modules/rabbitmq/go.sum is excluded by !**/*.sum
• modules/redis/go.sum is excluded by !**/*.sum
• modules/redpanda/go.sum is excluded by !**/*.sum
• modules/registry/go.sum is excluded by !**/*.sum
• modules/scylladb/go.sum is excluded by !**/*.sum
• modules/socat/go.sum is excluded by !**/*.sum
• modules/solace/go.sum is excluded by !**/*.sum
• modules/surrealdb/go.sum is excluded by !**/*.sum
• modules/toxiproxy/go.sum is excluded by !**/*.sum
• modules/valkey/go.sum is excluded by !**/*.sum
• modules/vault/go.sum is excluded by !**/*.sum
• modules/vearch/go.sum is excluded by !**/*.sum
• modules/weaviate/go.sum is excluded by !**/*.sum
• modules/yugabytedb/go.sum is excluded by !**/*.sum

📒 Files selected for processing (66)

• examples/nginx/go.mod
• go.mod
• modules/aerospike/go.mod
• modules/arangodb/go.mod
• modules/artemis/go.mod
• modules/azure/go.mod
• modules/azurite/go.mod
• modules/cassandra/go.mod
• modules/chroma/go.mod
• modules/clickhouse/go.mod
• modules/cockroachdb/go.mod
• modules/compose/go.mod
• modules/consul/go.mod
• modules/couchbase/go.mod
• modules/databend/go.mod
• modules/dind/go.mod
• modules/dockermcpgateway/go.mod
• modules/dockermodelrunner/go.mod
• modules/dolt/go.mod
• modules/dynamodb/go.mod
• modules/elasticsearch/go.mod
• modules/etcd/go.mod
• modules/forgejo/go.mod
• modules/gcloud/go.mod
• modules/grafana-lgtm/go.mod
• modules/inbucket/go.mod
• modules/influxdb/go.mod
• modules/k3s/go.mod
• modules/k6/go.mod
• modules/kafka/go.mod
• modules/localstack/go.mod
• modules/mariadb/go.mod
• modules/meilisearch/go.mod
• modules/memcached/go.mod
• modules/milvus/go.mod
• modules/minio/go.mod
• modules/mockserver/go.mod
• modules/mongodb/go.mod
• modules/mssql/go.mod
• modules/mysql/go.mod
• modules/nats/go.mod
• modules/nebulagraph/go.mod
• modules/neo4j/go.mod
• modules/ollama/go.mod
• modules/openfga/go.mod
• modules/openldap/go.mod
• modules/opensearch/go.mod
• modules/pinecone/go.mod
• modules/postgres/go.mod
• modules/pulsar/go.mod
• modules/qdrant/go.mod
• modules/rabbitmq/go.mod
• modules/redis/go.mod
• modules/redpanda/go.mod
• modules/registry/go.mod
• modules/scylladb/go.mod
• modules/socat/go.mod
• modules/solace/go.mod
• modules/surrealdb/go.mod
• modules/tidb/go.mod
• modules/toxiproxy/go.mod
• modules/valkey/go.mod
• modules/vault/go.mod
• modules/vearch/go.mod
• modules/weaviate/go.mod
• modules/yugabytedb/go.mod

💤 Files with no reviewable changes (1)

• modules/tidb/go.mod