chore(deps): update module go.opentelemetry.io/otel/sdk to v1.40.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	v1.39.0 → v1.40.0

GitHub Vulnerability Alerts

CVE-2026-24051

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

• CWE-426: Untrusted Search Path

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.40.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.40.0
golang.org/x/sys	v0.39.0 -> v0.40.0