fix(deps): vuln unstable upgrades — 7 packages (unstable: 1 · minor: 6)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 7 packages upgraded (UNSTABLE changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk	v1.35.0	v1.43.0	minor	Direct	4 HIGH
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.60.0	v0.68.0	unstable	Direct	-
go.opentelemetry.io/auto/sdk	v1.1.0	v1.2.1	minor	Transitive	-
go.opentelemetry.io/otel	v1.35.0	v1.43.0	minor	Direct	-
go.opentelemetry.io/otel/metric	v1.35.0	v1.43.0	minor	Direct	-
go.opentelemetry.io/otel/sdk/metric	v1.35.0	v1.43.0	minor	Transitive	-
go.opentelemetry.io/otel/trace	v1.35.0	v1.43.0	minor	Transitive	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
go.opentelemetry.io/otel/sdk	GHSA-9h8m-3fm2-qjrq	HIGH	OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking	v1.35.0	1.40.0
go.opentelemetry.io/otel/sdk	CVE-2026-24051	HIGH	OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking	v1.35.0	-
go.opentelemetry.io/otel/sdk	GO-2026-4394	HIGH	OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk	v1.35.0	1.40.0
go.opentelemetry.io/otel/sdk	GHSA-hfvc-g4fc-pqhx	HIGH	opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking	v1.35.0	1.43.0

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System