chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.63.0 to 0.67.0

[dependabot]

Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.63.0 to 0.67.0.

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.

v1.42.0/v2.4.0/v0.67.0/v0.36.0/v0.22.0/v0.17.0/v0.15.0/v0.14.0

Added

• Add environment variables propagation carrier in go.opentelemetry.io/contrib/propagators/envcar. (#8442)

Changed

• Upgrade go.opentelemetry.io/otel/semconv to v1.40.0, including updates across instrumentation and detector modules. (#8631)

  • The semantic conventions v1.40.0 release introduces RPC breaking changes applied in this repository:
    • RPC spans and metrics no longer include network.protocol.name, network.protocol.version, or network.transport attributes.
    • rpc.client.request.size, rpc.client.response.size, rpc.server.request.size, and rpc.server.response.size are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
    • rpc.message span events and their message attributes are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (including when WithMessageEvents is configured).

  See semantic-conventions v1.40.0 release for complete details.

Fixed

• Ignore informational response status codes (100-199) except 101 Switching Protocols when storing the HTTP status code in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp and go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#6913)
• Make Body handling in Transport consistent with stdlib in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8618)
• Fix bucket boundaries for rpc.server.call.duration and rpc.client.call.duration in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8642)
• Host resource detector in go.opentelemetry.io/contrib/otelconf now includes os. attributes. (#8578)

Removed

• Drop support for Go 1.24. (#8628)

What's Changed

• chore(deps): update github artifact actions to v7 (major) by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8605
• chore(deps): update module github.com/sonatard/noctx to v0.5.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8610
• chore(deps): update github/codeql-action action to v4.32.5 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8620
• fix(deps): update module github.com/aws/smithy-go to v1.24.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8614
• chore(deps): update go-openapi packages by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8621
• fix(deps): update module github.com/shirou/gopsutil/v4 to v4.26.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8622
• chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8608
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8609
• chore(deps): update otel/opentelemetry-collector-contrib docker tag to v0.147.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8625
• chore(deps): update module github.com/daixiang0/gci to v0.14.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8623
• Drop support for 1.24 by @​dmathieu in open-telemetry/opentelemetry-go-contrib#8628
• fix(deps): update golang.org/x by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8554
• fix(deps): update kubernetes packages to v0.35.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8626
• fix(deps): update aws-sdk-go-v2 monorepo by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8598
• fix(deps): update module github.com/aws/aws-lambda-go to v1.53.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8630
• otelgrpc: modernize the example project by @​ash2k in open-telemetry/opentelemetry-go-contrib#8619
• chore(deps): update googleapis to a57be14 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8606
• fix(deps): update module github.com/gin-gonic/gin to v1.12.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8627
• chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8624
• fix(otelhttp): make Body handling in Transport consistent with stdlib by @​ash2k in open-telemetry/opentelemetry-go-contrib#8618
• otelhttp: Ignore informational response status codes when persisting status by @​VirrageS in open-telemetry/opentelemetry-go-contrib#6913

... (truncated)

Changelog

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.

[1.42.0/2.4.0/0.67.0/0.36.0/0.22.0/0.17.0/0.15.0/0.14.0] - 2026-03-06

Added

• Add environment variables propagation carrier in go.opentelemetry.io/contrib/propagators/envcar. (#8442)

Changed

• Upgrade go.opentelemetry.io/otel/semconv to v1.40.0, including updates across instrumentation and detector modules. (#8631)

  • The semantic conventions v1.40.0 release introduces RPC breaking changes applied in this repository:
    • RPC spans and metrics no longer include network.protocol.name, network.protocol.version, or network.transport attributes.
    • rpc.client.request.size, rpc.client.response.size, rpc.server.request.size, and rpc.server.response.size are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
    • rpc.message span events and their message attributes are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (including when WithMessageEvents is configured).

  See semantic-conventions v1.40.0 release for complete details.

Fixed

• Ignore informational response status codes (100-199) except 101 Switching Protocols when storing the HTTP status code in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp and go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#6913)
• Make Body handling in Transport consistent with stdlib in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8618)
• Fix bucket boundaries for rpc.server.call.duration and rpc.client.call.duration in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8642)
• Host resource detector in go.opentelemetry.io/contrib/otelconf now includes os. attributes. (#8578)

Removed

• Drop support for [Go 1.24]. (#8628)

[1.41.0/2.3.0/0.66.0/0.35.0/0.21.0/0.16.0/0.14.0/0.13.0] - 2026-03-02

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

Added

• Add WithSpanKind option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to override the default span kind. (#8506)
• Add const Version in go.opentelemetry.io/contrib/bridges/otelzap. (#8544)
• Support testing of [Go 1.26]. (#8549)
• Add const Version in go.opentelemetry.io/contrib/detectors/autodetect. (#8555)
• Add const Version in go.opentelemetry.io/contrib/detectors/azure/azurevm. (#8553)
• Add const Version in go.opentelemetry.io/contrib/processors/baggagecopy. (#8557)
• Add const Version in go.opentelemetry.io/contrib/detectors/aws/lambda. (#8510)
• Add const Version in go.opentelemetry.io/contrib/propagators/autoprop. (#8488)
• Add const Version in go.opentelemetry.io/contrib/processors/minsev. (#8590)
• Add const Version in go.opentelemetry.io/contrib/exporters/autoexport. (#8612)

Fixed

• Change the rpc.server.call.duration metric value from milliseconds to seconds in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8509)
• Change the rpc.response.status_code attribute to the canonical UPPER_SNAKE_CASE format in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8565)
• Enforce that client_certificate_file and client_key_file are provided together in go.opentelemetry.io/contrib/otelconf. (#8450)

... (truncated)

Commits

• d8dabf6 Release v1.42.0/v2.4.0/v0.67.0/v0.36.0/v0.22.0/v0.17.0/v0.15.0/v0.14.0 (#8649)
• b1de2c7 otelconf: host detector should include os as well (#8578)
• b228c0f fix(deps): update module google.golang.org/grpc to v1.79.2 (#8644)
• e70fd97 Use correct bucket boundaries for otelgrpc client and server histograms (#8642)
• b018d98 fix(deps): update aws-sdk-go-v2 monorepo (#8643)
• fb6a351 chore(deps): update github/codeql-action action to v4.32.6 (#8641)
• 2c9c10e chore(deps): update dependency codespell to v2.4.2 (#8640)
• 22248d4 chore: enable modernize linter (#8583)
• 324662a envcar: add environment carrier (#8442)
• 69addb4 chore(deps): update k8s.io/kube-openapi digest to 5b3e3fd (#8636)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[cursor]

PR Summary

Medium Risk
Moderate risk because it raises the module Go version to 1.25 (may require CI/runtime/toolchain updates) and upgrades OpenTelemetry libraries, which can subtly change tracing/metrics behavior.

Overview
Updates the project to Go 1.25.0 (dropping the previous go1.24.9 toolchain pin) and refreshes dependency metadata accordingly.

Bumps OpenTelemetry HTTP instrumentation and core SDK packages (e.g., otelhttp 0.63.0→0.67.0, go.opentelemetry.io/otel/sdk/trace 1.40.0→1.42.0), along with related indirect updates like golang.org/x/sys 0.40.0→0.41.0.

^{Written by Cursor Bugbot for commit 2cde48f. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​go.opentelemetry.io/​otel@​v1.40.0 ⏵ v1.42.0	+1
	golang/​go.opentelemetry.io/​contrib/​instrumentation/​net/​http/​otelhttp@​v0.63.0 ⏵ v0.67.0	+4
	golang/​go.opentelemetry.io/​otel/​sdk@​v1.40.0 ⏵ v1.42.0	+1
	golang/​go.opentelemetry.io/​otel/​trace@​v1.40.0 ⏵ v1.42.0	+1

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Go version mismatch breaks CI and Docker builds

High Severity

The go directive was bumped to 1.25.0 but all Dockerfiles (services/authz/Dockerfile, services/inventory/Dockerfile, services/mfa/Dockerfile) still use golang:1.24 base images, and both CI workflows (.github/workflows/ci.yml with GO_VERSION: '1.24' and .github/workflows/security.yml with go-version: '1.24') still install Go 1.24. The Dockerfiles set GOTOOLCHAIN=auto which triggers an extra Go 1.25 download during every build, adding latency and fragility. The CI workflows don't set GOTOOLCHAIN=auto and rely on the default, which could fail depending on the environment. All Go version references need to be updated to 1.25 to match the new go.mod requirement.