chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.64.0 to 0.67.0

[dependabot]

Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.64.0 to 0.67.0.

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.

v1.42.0/v2.4.0/v0.67.0/v0.36.0/v0.22.0/v0.17.0/v0.15.0/v0.14.0

Added

• Add environment variables propagation carrier in go.opentelemetry.io/contrib/propagators/envcar. (#8442)

Changed

• Upgrade go.opentelemetry.io/otel/semconv to v1.40.0, including updates across instrumentation and detector modules. (#8631)

  • The semantic conventions v1.40.0 release introduces RPC breaking changes applied in this repository:
    • RPC spans and metrics no longer include network.protocol.name, network.protocol.version, or network.transport attributes.
    • rpc.client.request.size, rpc.client.response.size, rpc.server.request.size, and rpc.server.response.size are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
    • rpc.message span events and their message attributes are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (including when WithMessageEvents is configured).

  See semantic-conventions v1.40.0 release for complete details.

Fixed

• Ignore informational response status codes (100-199) except 101 Switching Protocols when storing the HTTP status code in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp and go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#6913)
• Make Body handling in Transport consistent with stdlib in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8618)
• Fix bucket boundaries for rpc.server.call.duration and rpc.client.call.duration in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8642)
• Host resource detector in go.opentelemetry.io/contrib/otelconf now includes os. attributes. (#8578)

Removed

• Drop support for Go 1.24. (#8628)

What's Changed

• chore(deps): update github artifact actions to v7 (major) by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8605
• chore(deps): update module github.com/sonatard/noctx to v0.5.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8610
• chore(deps): update github/codeql-action action to v4.32.5 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8620
• fix(deps): update module github.com/aws/smithy-go to v1.24.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8614
• chore(deps): update go-openapi packages by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8621
• fix(deps): update module github.com/shirou/gopsutil/v4 to v4.26.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8622
• chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8608
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8609
• chore(deps): update otel/opentelemetry-collector-contrib docker tag to v0.147.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8625
• chore(deps): update module github.com/daixiang0/gci to v0.14.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8623
• Drop support for 1.24 by @​dmathieu in open-telemetry/opentelemetry-go-contrib#8628
• fix(deps): update golang.org/x by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8554
• fix(deps): update kubernetes packages to v0.35.2 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8626
• fix(deps): update aws-sdk-go-v2 monorepo by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8598
• fix(deps): update module github.com/aws/aws-lambda-go to v1.53.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8630
• otelgrpc: modernize the example project by @​ash2k in open-telemetry/opentelemetry-go-contrib#8619
• chore(deps): update googleapis to a57be14 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8606
• fix(deps): update module github.com/gin-gonic/gin to v1.12.0 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8627
• chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @​renovate[bot] in open-telemetry/opentelemetry-go-contrib#8624
• fix(otelhttp): make Body handling in Transport consistent with stdlib by @​ash2k in open-telemetry/opentelemetry-go-contrib#8618
• otelhttp: Ignore informational response status codes when persisting status by @​VirrageS in open-telemetry/opentelemetry-go-contrib#6913

... (truncated)

Changelog

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.

[1.42.0/2.4.0/0.67.0/0.36.0/0.22.0/0.17.0/0.15.0/0.14.0] - 2026-03-06

Added

• Add environment variables propagation carrier in go.opentelemetry.io/contrib/propagators/envcar. (#8442)

Changed

• Upgrade go.opentelemetry.io/otel/semconv to v1.40.0, including updates across instrumentation and detector modules. (#8631)

  • The semantic conventions v1.40.0 release introduces RPC breaking changes applied in this repository:
    • RPC spans and metrics no longer include network.protocol.name, network.protocol.version, or network.transport attributes.
    • rpc.client.request.size, rpc.client.response.size, rpc.server.request.size, and rpc.server.response.size are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
    • rpc.message span events and their message attributes are no longer emitted in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (including when WithMessageEvents is configured).

  See semantic-conventions v1.40.0 release for complete details.

Fixed

• Ignore informational response status codes (100-199) except 101 Switching Protocols when storing the HTTP status code in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp and go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#6913)
• Make Body handling in Transport consistent with stdlib in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8618)
• Fix bucket boundaries for rpc.server.call.duration and rpc.client.call.duration in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8642)
• Host resource detector in go.opentelemetry.io/contrib/otelconf now includes os. attributes. (#8578)

Removed

• Drop support for [Go 1.24]. (#8628)

[1.41.0/2.3.0/0.66.0/0.35.0/0.21.0/0.16.0/0.14.0/0.13.0] - 2026-03-02

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

Added

• Add WithSpanKind option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to override the default span kind. (#8506)
• Add const Version in go.opentelemetry.io/contrib/bridges/otelzap. (#8544)
• Support testing of [Go 1.26]. (#8549)
• Add const Version in go.opentelemetry.io/contrib/detectors/autodetect. (#8555)
• Add const Version in go.opentelemetry.io/contrib/detectors/azure/azurevm. (#8553)
• Add const Version in go.opentelemetry.io/contrib/processors/baggagecopy. (#8557)
• Add const Version in go.opentelemetry.io/contrib/detectors/aws/lambda. (#8510)
• Add const Version in go.opentelemetry.io/contrib/propagators/autoprop. (#8488)
• Add const Version in go.opentelemetry.io/contrib/processors/minsev. (#8590)
• Add const Version in go.opentelemetry.io/contrib/exporters/autoexport. (#8612)

Fixed

• Change the rpc.server.call.duration metric value from milliseconds to seconds in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8509)
• Change the rpc.response.status_code attribute to the canonical UPPER_SNAKE_CASE format in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8565)
• Enforce that client_certificate_file and client_key_file are provided together in go.opentelemetry.io/contrib/otelconf. (#8450)

... (truncated)

Commits

• d8dabf6 Release v1.42.0/v2.4.0/v0.67.0/v0.36.0/v0.22.0/v0.17.0/v0.15.0/v0.14.0 (#8649)
• b1de2c7 otelconf: host detector should include os as well (#8578)
• b228c0f fix(deps): update module google.golang.org/grpc to v1.79.2 (#8644)
• e70fd97 Use correct bucket boundaries for otelgrpc client and server histograms (#8642)
• b018d98 fix(deps): update aws-sdk-go-v2 monorepo (#8643)
• fb6a351 chore(deps): update github/codeql-action action to v4.32.6 (#8641)
• 2c9c10e chore(deps): update dependency codespell to v2.4.2 (#8640)
• 22248d4 chore: enable modernize linter (#8583)
• 324662a envcar: add environment carrier (#8442)
• 69addb4 chore(deps): update k8s.io/kube-openapi digest to 5b3e3fd (#8636)
• Additional commits viewable in compare view

[cursor]

PR Summary

Medium Risk
Updates OpenTelemetry HTTP instrumentation and core otel/sdk/trace/metric versions, which can subtly change emitted telemetry fields and HTTP tracing behavior. Runtime risk is moderate but limited to observability/instrumentation paths.

Overview
Upgrades OpenTelemetry dependencies: otelhttp v0.64.0 → v0.67.0 and core go.opentelemetry.io/otel modules (otel, sdk, trace, and indirect metric) v1.40.0 → v1.42.0.

Refreshes go.sum accordingly and bumps indirect golang.org/x/sys v0.40.0 → v0.41.0.

^{Written by Cursor Bugbot for commit 0ed6714. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​go.opentelemetry.io/​otel@​v1.40.0 ⏵ v1.42.0	+1
	golang/​go.opentelemetry.io/​contrib/​instrumentation/​net/​http/​otelhttp@​v0.64.0 ⏵ v0.67.0	+4
	golang/​go.opentelemetry.io/​otel/​sdk@​v1.40.0 ⏵ v1.42.0	+1
	golang/​go.opentelemetry.io/​otel/​trace@​v1.40.0 ⏵ v1.42.0	+1

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Go version mismatch breaks CI and Docker builds

High Severity

The go directive was bumped to 1.25.0 but all Dockerfiles (services/authz/Dockerfile, services/inventory/Dockerfile, services/mfa/Dockerfile) still use golang:1.24 base images, and both CI workflows (.github/workflows/ci.yml with GO_VERSION: '1.24' and .github/workflows/security.yml with go-version: '1.24') still install Go 1.24. The Dockerfiles set GOTOOLCHAIN=auto which triggers an extra Go 1.25 download during every build, adding latency and fragility. The CI workflows don't set GOTOOLCHAIN=auto and rely on the default, which could fail depending on the environment. All Go version references need to be updated to 1.25 to match the new go.mod requirement.