fix(deps): bump the gomod-group group across 1 directory with 6 updates

[dependabot]

Bumps the gomod-group group with 4 updates in the / directory: github.com/getkin/kin-openapi, github.com/oapi-codegen/runtime, github.com/openkcm/common-sdk and github.com/openkcm/plugin-sdk.

Updates github.com/getkin/kin-openapi from 0.137.0 to 0.138.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.138.0

What's Changed

• openapi3gen: clear nullable on exported component bodies by @​0-don in getkin/kin-openapi#1164
• openapi3: add test for issue #927 (nullable not respected on $ref schemas) by @​fenollp in getkin/kin-openapi#1165
• test: move public-API tests to external _test packages by @​fenollp in getkin/kin-openapi#1168
• feat(openapi3): add per-type validation errors with cluster wrappers by @​reuvenharrison in getkin/kin-openapi#1166
• feat(openapi3conv): canonicalization pass for 3.0 -> 3.x by @​reuvenharrison in getkin/kin-openapi#1162
• openapi3conv: test Upgrade on many documents by @​fenollp in getkin/kin-openapi#1169

Full Changelog: getkin/kin-openapi@v0.137.0...v0.138.0

Commits

• d237575 openapi3conv: test Upgrade on many documents (#1169)
• 72d9005 feat(openapi3conv): canonicalization pass for 3.0 -> 3.x (#1162)
• 03ab662 feat(openapi3): add per-type validation errors with cluster wrappers (#1166)
• 3405d3b test: move public-API tests to external _test packages (#1168)
• 4ddafd1 openapi3: add test for issue #927 (nullable not respected on $ref schemas)
• 3342b7c openapi3gen: clear nullable on exported component bodies
• See full diff in compare view

Updates github.com/oapi-codegen/runtime from 1.4.0 to 1.4.1

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

Bug fixes

This is a bug fix release.

Changes in v1.4.0, coupled with changes in v2.7.0 of oapi-codegen exposed some new problems. deepObject style marshaling behavior now supports encoding unicode. UTF-8 can't be directly included in parameters, so we need to % escape it.

Form binding now detects maps, which makes binding to a Nullable possible. We can't use generics around Nullable[T], so we handle maps generically, assuming they're a Nullable with its behavior assumptions.

🐛 Bug fixes

• Fix form binding of Nullables (#133) @​mromaszewicz
• Percent-encode deepObject parameter wire output (#132) @​mromaszewicz

📦 Dependency updates

• chore(deps): update oapi-codegen/actions action to v0.7.0 (#127) @renovate[bot]
• chore(deps): update github/codeql-action action to v4 (#107) @renovate[bot]
• fix(deps): update module github.com/kataras/iris/v12 to v12.2.11 (#11) @renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

Commits

• 2755f15 Fix form binding of Nullables (#133)
• 17de1dd Percent-encode deepObject parameter wire output (#132)
• d2b7c4c chore(deps): update oapi-codegen/actions action to v0.7.0
• 6fd6c25 chore(deps): update github/codeql-action action to v4
• 19040cc fix(deps): update module github.com/kataras/iris/v12 to v12.2.11
• e05282e chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122)
• See full diff in compare view

Updates github.com/openkcm/common-sdk from 1.15.2 to 1.16.0

Release notes

Sourced from github.com/openkcm/common-sdk's releases.

v1.16.0

1.16.0 (2026-05-18)

Features

• Add middleware for common security headers (#290) (17dc792)

Bug Fixes

• clientData hijack potential (#288) (dab998a)
• deps: bump go.opentelemetry.io/collector/pdata from 1.55.0 to 1.56.0 in the gomod-group group (#286) (67dba59)
• deps: bump the gomod-group group with 3 updates (#289) (cce654e)
• linter findings (#291) (c236369)

Changelog

Sourced from github.com/openkcm/common-sdk's changelog.

1.16.0 (2026-05-18)

Features

• Add middleware for common security headers (#290) (17dc792)

Bug Fixes

• clientData hijack potential (#288) (dab998a)
• deps: bump go.opentelemetry.io/collector/pdata from 1.55.0 to 1.56.0 in the gomod-group group (#286) (67dba59)
• deps: bump the gomod-group group with 3 updates (#289) (cce654e)
• linter findings (#291) (c236369)

Commits

• 978fa5f chore(main): release 1.16.0 (#292)
• 17dc792 feat: Add middleware for common security headers (#290)
• c236369 fix: linter findings (#291)
• cce654e fix(deps): bump the gomod-group group with 3 updates (#289)
• dab998a fix: clientData hijack potential (#288)
• 67dba59 fix(deps): bump go.opentelemetry.io/collector/pdata from 1.55.0 to 1.56.0 in ...
• See full diff in compare view

Updates github.com/openkcm/plugin-sdk from 0.11.0 to 0.12.0

Release notes

Sourced from github.com/openkcm/plugin-sdk's releases.

v0.12.0

0.12.0 (2026-05-22)

Features

• generic key error (#154) (63acb38)

Bug Fixes

• deps: bump the gomod-group group across 1 directory with 3 updates (#152) (acdcf18)

v0.11.1

0.11.1 (2026-05-14)

Bug Fixes

• deps: bump the gomod-group group across 1 directory with 2 updates (#146) (db2696d)

Changelog

Sourced from github.com/openkcm/plugin-sdk's changelog.

0.12.0 (2026-05-22)

Features

• generic key error (#154) (63acb38)

Bug Fixes

• deps: bump the gomod-group group across 1 directory with 3 updates (#152) (acdcf18)

0.11.1 (2026-05-14)

Bug Fixes

• deps: bump the gomod-group group across 1 directory with 2 updates (#146) (db2696d)

Commits

• c8d20d5 chore(main): release 0.12.0 (#155)
• 63acb38 feat: generic key error (#154)
• acdcf18 fix(deps): bump the gomod-group group across 1 directory with 3 updates (#152)
• 38cde6a chore(main): release 0.11.1 (#151)
• 9ee55bb chore: migrate to protoc (#147)
• db2696d fix(deps): bump the gomod-group group across 1 directory with 2 updates (#146)
• See full diff in compare view

Updates go.opentelemetry.io/collector/pdata from 1.56.0 to 1.57.0

Release notes

Sourced from go.opentelemetry.io/collector/pdata's releases.

v1.58.0/v0.152.1

Images and binaries here: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.152.1

End User Changelog

💡 Enhancements 💡

• pkg/exporterhelper: Add otelcol_exporter_in_flight_requests metric to track the number of export requests currently in-flight per exporter. (#15009) This UpDownCounter increments in startOp and decrements in endOp, allowing operators to monitor concurrent export activity and detect when an exporter is saturating its worker pool.

🧰 Bug fixes 🧰

• pkg/confighttp: Close the original request body after reading block-format Content-Encoding: snappy requests. (#15262)

• pkg/confighttp: Recover from panics in decompression libraries, return HTTP 400 instead of 500. (#13228)

• pkg/confighttp: Enforce max_request_body_size on Content-Encoding: snappy requests before the decoded buffer is allocated. (#15252)

• pkg/otelcol: Stop emitting verbose gRPC transport messages at WARN during normal client disconnect. (#5169) grpc-go gates chatty per-RPC notices (e.g. "HandleStreams failed to read frame: connection reset by peer") behind LoggerV2.V(2). zapgrpc.Logger.V conflates grpclog verbosity with zap severity, so V(2) returns true whenever WARN is enabled and these messages emit at WARN. Wrap the installed grpclog.LoggerV2 with a corrected V() that compares against a fixed verbosity threshold, matching grpclog's intended semantics. See uber-go/zap#1544.

• pkg/pdata: pcommon.Value.AsString no longer HTML-escapes <, >, and & inside ValueTypeMap and ValueTypeSlice values, matching the behavior already used for ValueTypeStr. (#14662)

• pkg/service: Fix Prometheus config defaults mismatch when host is explicitly set in telemetry configuration. (#13867) When users explicitly configured the telemetry metrics section (e.g. to change the host), the Prometheus exporter boolean fields (WithoutScopeInfo, WithoutUnits, WithoutTypeSuffix) defaulted to nil/false instead of true, causing metric name format changes compared to the implicit default configuration. This fix applies the correct defaults during config unmarshaling.

• pkg/service: Return noop tracer provider when no trace processors are defined (#15135)

API Changelog

🚩 Deprecations 🚩

• pkg/xconfmap: Deprecate xconfmap.Validator and confmap.Validate in favor of confmap.Validator and confmap.Validate. (#15142)

💡 Enhancements 💡

• cmd/mdatagen: Add go_struct.ignore_default flag to suppress default value generation for individual config fields. (#15156) Setting go_struct.ignore_default: true on a config field causes mdatagen to omit that field's default from the generated createDefaultConfig function, emitting nil for pointer fields and configoptional.None for optional fields.

• pkg/confmap: Add the confmap.Validator interface and confmap.Validate function for configuration validation. (#15142)

... (truncated)

Changelog

Sourced from go.opentelemetry.io/collector/pdata's changelog.

v1.57.0/v0.151.0

🛑 Breaking changes 🛑

• receiver/otlp: Config.Protocols is now a named field instead of an anonymous embedded field. (#15178) Access to cfg.GRPC and cfg.HTTP must be updated to cfg.Protocols.GRPC and cfg.Protocols.HTTP.

🚩 Deprecations 🚩

• cmd/mdatagen: The DefaultMetricsBuilderConfig function is deprecated. Use NewDefaultMetricsBuilderConfig instead. (#15165) The generated DefaultMetricsBuilderConfig function has been renamed to NewDefaultMetricsBuilderConfig to follow Go naming conventions. The old function is kept as a deprecated wrapper and will be removed in a future release.

💡 Enhancements 💡

• cmd/mdatagen: Handle default values for configuration fields in generated code in mdatagen. (#14560)

• cmd/mdatagen: Add opt-in override_value support for resource_attributes config via override_value_enabled flag (#15109) Components can opt in by setting override_value_enabled: true in their metadata.yaml. When enabled, per-attribute config types are generated with typed override_value fields that let users override resource attribute values in the collector configuration. Components without the flag continue to use the shared ResourceAttributeConfig type.

• cmd/mdatagen: Extend mdatagen config code generation to correctly handle default values for allOf embedded references (#14560)

• cmd/mdatagen: Handle string validators in generated config structs (#14807) Supported validators include minLength, maxLength and pattern.

• pkg/config/configgrpc: Add a DefaultBalancerName constant for the name of the default load balancer (#15139) This replaces the BalancerName function.

• pkg/config/configgrpc: Accept gRPC resolver scheme URIs in client endpoint (e.g. passthrough:///host:port) to allow control over name resolution (#14990) After the migration to grpc.NewClient, some gRPC client components such as the OTLP exporter experienced connection issues in dual-stack DNS environments. This can now be fixed by using the passthrough:/// gRPC resolver scheme in the endpoint field.

• pkg/exporterhelper: Added the WithAttrs option to allow custom attributes on exporter metrics (#14998)

🧰 Bug fixes 🧰

• cmd/mdatagen: Fix a bug in mdatagen where the allOf field was not being properly handled, resulting in incorrect generation of data models. (#15153)

• pkg/otelcol: Synchronize Collector Run and Shutdown lifecycles so that Shutdown blocks until Run completes all cleanup. (#4947) Shutdown now blocks until Run finishes cleanup, matching http.Server semantics. If Shutdown is called before Run, the next Run call returns nil after cleaning up the config provider.

• pkg/pdata: Use pool-aware constructors in gRPC service handlers so top-level request structs participate in the sync.Pool lifecycle. (#14763) The gRPC service handlers for all signal types allocated the top-level ExportXxxServiceRequest with bare new(), bypassing the sync.Pool when pdata.useProtoPooling is enabled. This caused objects returned to the pool via Delete to never be retrieved. The handlers now use the pool-aware New*() constructors.

... (truncated)

Commits

• ec10822 [chore] Prepare release v1.57.0/v0.151.0 (#15219)
• 3fa9b11 Update module github.com/golang/snappy to v1 (#15209)
• 0d4b2f7 Update github-actions deps (#15204)
• 00864cf Update actions/create-github-app-token action to v3 (#15208)
• 261c6b9 Update module go.uber.org/zap to v1.28.0 (#15206)
• 9010b74 Update module github.com/klauspost/compress to v1.18.5 (#15205)
• baaca9a Update module golang.org/x/vuln to v1.3.0 (#15207)
• d090017 [chore] Remove go-grpc-compression dependency (#15201)
• efde8a2 Support npipe transport in confignet (#14985)
• f1f655b Add override_value to mdatagen (#15112)
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.80.0 to 1.81.0

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.0

Behavior Changes

• balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

• Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

• xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
• transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
• xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

• grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
• xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
• xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
• xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
• stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
• mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)
  • Special Thanks: @​ash2k

Performance Improvements

• alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
• transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Commits

• cb18228 Change version to 1.81.0 (#9062)
• 96748f9 Cherry-pick #9105 to 1.81.x (#9106)
• 9183222 Cherry pick #9055, #9032 to v1.81.x (#9095)
• 5cba6da Revert "deps: update dependencies for all modules (#9065)" (#9067)
• af8a936 deps: update dependencies for all modules (#9065)
• cdc60df transport: optimize heap allocations in ready reader and update syscall conne...
• 208d053 xds/resolver: pass complete XDSConfig in RPC context for HTTP filters (gRFC A...
• 50fe1cc test: Fix flaky test TestServerStreaming_ClientCallRecvMsgTwice in `end2end...
• d574bad build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#9050)
• b8bf4d0 build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in /inte...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.