chore(deps): upgrade otel to v1.41.0 (Aikido)#1074

Merged. dorothyyzh merged 1 commit into main from fix/aikido-dependency-vulnerabilities-2026-05-11 (May 11, 2026)
@dorothyyzh
Contributor

Summary

  • Upgrade go.opentelemetry.io/otel v1.39.0 → v1.41.0 (CVE-2026-29181)
  • Build verified (excluding pre-existing local theplant/bimg/pkg-config env issue, unrelated to this change)

Aikido Issues Resolved

Aikido Issues NOT Resolved (needs review)

  • docker/docker CVE-2026-33997 #205282328 and CVE-2026-34040 #205282326 — Aikido recommends docker/docker v29.3.1 but upstream moby has migrated to github.com/moby/moby/v2 so no v29.x tag is published under the legacy docker/docker Go module path. testcontainers-go v0.42 has migrated to the new path, but transitive dep theplant/testenv@v0.2.1 still imports the legacy docker/docker/api/types/container, so upgrading testcontainers-go breaks test builds. Resolution requires theplant/testenv to migrate to moby/moby/client upstream.

Verification

  • Build passes (non-bimg packages all clean)
  • CI will run the full test suite

Deployment Note

Skill does not touch release-* branches. Merging this PR is handled per team policy.

…2026-29181)

Resolves Aikido sub-issue #246609506 (otel v1.39.0 → v1.41.0). Build verified
locally (the unrelated theplant/bimg pkg-config failure is environmental).

Note: docker/docker v28.5.2 → v29.3.1 is blocked at the proxy level — upstream
moby migrated to github.com/moby/moby/v2; testcontainers-go v0.42 already uses
the new path but theplant/testenv has not been updated yet. CVE-2026-33997 and
CVE-2026-34040 remain open at sub-issue level until the testenv migration lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@deepsource-io

deepsource-io Bot commented May 11, 2026

DeepSource Code Review

We reviewed changes in a72f7fd...ac66c81 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

Code Review Summary

Analyzer Status Updated (UTC) Details
Go May 11, 2026 6:58 a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@codecov

codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@dorothyyzh dorothyyzh merged commit 61df933 into main May 11, 2026
10 checks passed
@dorothyyzh dorothyyzh deleted the fix/aikido-dependency-vulnerabilities-2026-05-11 branch May 11, 2026 07:47