Update module go.opentelemetry.io/otel/sdk to v1.40.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	v1.39.0 → v1.40.0

GitHub Vulnerability Alerts

CVE-2026-24051

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

• CWE-426: Untrusted Search Path

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.40.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.40.0
golang.org/x/sys	v0.39.0 -> v0.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.40.0

[changeset-bot]

⚠️ No Changeset found

Latest commit: ad2b4e3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

💥 An error occurred when fetching the changed packages and changesets in this PR

Some errors occurred when validating the changesets config:
The package or glob expression "github.com/livekit/protocol" specified in the `fixed` option does not match any package in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.