chore(deps): bump the go_modules group across 3 directories with 3 updates

[dependabot]

Bumps the go_modules group with 2 updates in the /packages/api directory: github.com/gohugoio/hugo and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp.
Bumps the go_modules group with 1 update in the /packages/orchestrator directory: github.com/go-jose/go-jose/v4.
Bumps the go_modules group with 2 updates in the /packages/shared directory: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp and github.com/go-jose/go-jose/v4.

Updates github.com/gohugoio/hugo from 0.139.4 to 0.159.2

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.159.2

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c6 @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e31 @​jmooring #14684

v0.159.1

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

• minifiers: Keep x-bind and blank namespace in SVG minification 42289d76 @​bep #14669

v0.159.0

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

• Replace deprecated site.Data with hugo.Data in tests a8fca598 @​bep
• Replace deprecated excludeFiles and includeFiles with files in tests 182b1045 @​bep
• Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d0 @​bep

Bug fixes

• tpl/tplimpl: Fix Vimeo shortcode test eaf4c751 @​jmooring #14649

Improvements

• create: Return error instead of panic when page not found 807cae1d @​mango766 #14112
• commands: Preserve non-content files in convert output c4fb61d9 @​xndvaz #4621
• npm: Use workspaces to simplify hugo mod npm pack d88a29e0 @​bep

... (truncated)

Commits

• 5f4646a releaser: Bump versions for release of 0.159.2
• 479fe6c Fix potential content XSS by escaping dangerous URLs in links and images
• 81a5cdc releaser: Add standard withdeploy release assets
• df520e3 resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser
• b55d452 testing: Simplify line ending handling in tests
• ea7eac6 readme: Update Go version to 1.25.0
• 458ebdd releaser: Prepare repository for 0.160.0-DEV
• 86c7d3a releaser: Bump versions for release of 0.159.1
• 42289d7 minifiers: Keep x-bind and blank namespace in SVG minification
• 0c013c2 Adjust depreceated syntax in tests
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.15.0 to 0.19.0

Release notes

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's releases.

Release v0.19.0

Added

• Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#1586)
• A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#1608)
• Added WithSampler and WithSpanLimits to tracer provider. (#1633, #1702)
• "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#1701)
• A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#1703)

Changed

• trace.SpanContext is now immutable and has no exported fields. (#1573)
  • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
• Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#1608)
• Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#1608)
• The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#1612)
• "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#1656)
• Added non-empty string check for trace Attribute keys. (#1659)
• Add description to SpanStatus only when StatusCode is set to error. (#1662)
• Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#1673)
• Jaeger exporter populates Jaeger's Span Process from Resource. (#1673)
• Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#1692)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#1693)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#1693)
• "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#1703)
• "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#1703)

Removed

• Removed serviceName parameter from Zipkin exporter and uses resource instead. (#1549)
• Removed WithConfig from tracer provider to avoid overriding configuration. (#1633)
• Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs. These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
• Removed WithRecord() from trace.SpanOption when creating a span. (#1660)
• Removed setting status to Error while recording an error as a span event in RecordError. (#1663)
• Removed jaeger.WithProcess configuration option. (#1673)
• Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#1693)

Fixed

• Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#1626)
• SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#1655)
• The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#1678)
• Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#1681)
• Synchronization issues in global trace delegate implementation. (#1686)
• Reduced excess memory usage by global TracerProvider. (#1687)

---

Raw changes made between v0.18.0 and v0.19.0

... (truncated)

Changelog

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
• Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

• 2b4fa96 Release v0.19.0 (#1710)
• 4beb704 sdk/trace: removing ApplyConfig and Config (#1693)
• 1d42be1 Rename WithDefaultSampler TracerProvider option to WithSampler and update doc...
• 860d5d8 Add flag to determine whether SpanContext is remote (#1701)
• 0fe65e6 Comply with OpenTelemetry attributes specification (#1703)
• 8888435 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (...
• 345f264 breaking(zipkin): removes servicName from zipkin exporter. (#1697)
• 62cbf0f Populate Jaeger's Span.Process from Resource (#1673)
• 28eaaa9 Add a test to prove the Tracer is safe for concurrent calls (#1665)
• 8b1be11 Rename resource pkg label vars and methods (#1692)
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Updates go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.15.0 to 0.19.0

Release notes

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's releases.

Release v0.19.0

Added

• Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#1586)
• A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#1608)
• Added WithSampler and WithSpanLimits to tracer provider. (#1633, #1702)
• "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#1701)
• A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#1703)

Changed

• trace.SpanContext is now immutable and has no exported fields. (#1573)
  • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
• Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#1608)
• Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#1608)
• The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#1612)
• "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#1656)
• Added non-empty string check for trace Attribute keys. (#1659)
• Add description to SpanStatus only when StatusCode is set to error. (#1662)
• Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#1673)
• Jaeger exporter populates Jaeger's Span Process from Resource. (#1673)
• Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#1692)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#1693)
• Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#1693)
• "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#1703)
• "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#1703)

Removed

• Removed serviceName parameter from Zipkin exporter and uses resource instead. (#1549)
• Removed WithConfig from tracer provider to avoid overriding configuration. (#1633)
• Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs. These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
• Removed WithRecord() from trace.SpanOption when creating a span. (#1660)
• Removed setting status to Error while recording an error as a span event in RecordError. (#1663)
• Removed jaeger.WithProcess configuration option. (#1673)
• Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#1693)

Fixed

• Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#1626)
• SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#1655)
• The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#1678)
• Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#1681)
• Synchronization issues in global trace delegate implementation. (#1686)
• Reduced excess memory usage by global TracerProvider. (#1687)

---

Raw changes made between v0.18.0 and v0.19.0

... (truncated)

Changelog

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
• Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

• 2b4fa96 Release v0.19.0 (#1710)
• 4beb704 sdk/trace: removing ApplyConfig and Config (#1693)
• 1d42be1 Rename WithDefaultSampler TracerProvider option to WithSampler and update doc...
• 860d5d8 Add flag to determine whether SpanContext is remote (#1701)
• 0fe65e6 Comply with OpenTelemetry attributes specification (#1703)
• 8888435 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (...
• 345f264 breaking(zipkin): removes servicName from zipkin exporter. (#1697)
• 62cbf0f Populate Jaeger's Span.Process from Resource (#1673)
• 28eaaa9 Add a test to prove the Tracer is safe for concurrent calls (#1665)
• 8b1be11 Rename resource pkg label vars and methods (#1692)
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

🟡 packages/orchestrator/go.mod was not updated with go mod tidy after otel/log and otel/sdk/log were bumped to v0.19.0 in packages/shared — orchestrator still records v0.15.0 for both indirect deps and v1.79.3 for grpc (shared moved to v1.80.0). Go MVS resolves the correct higher versions at build time via the workspace and replace directive, so compiled binaries are correct, but the stale go.sum entries (missing v0.19.0 checksums) can cause build failures when building orchestrator outside workspace mode.

Extended reasoning...

What the bug is: This PR bumps go.opentelemetry.io/otel/log and go.opentelemetry.io/otel/sdk/log from v0.15.0 to v0.19.0 in packages/shared and packages/api, and bumps google.golang.org/grpc from v1.79.3 to v1.80.0 in both. However, packages/orchestrator/go.mod was not updated. It still declares otel/log v0.15.0 and otel/sdk/log v0.15.0 as indirect dependencies (visible in the unmodified portion of the diff), and grpc v1.79.3 as a direct dependency. This indicates go mod tidy was not run in packages/orchestrator after the shared/api changes.

The specific code path: packages/orchestrator/go.mod lines 157-163 (otel/log and otel/sdk/log at v0.15.0, grpc at v1.79.3). packages/shared/go.mod was updated to require otel/log v0.19.0 and otel/sdk/log v0.19.0 as direct deps, and grpc v1.80.0. orchestrator uses a local replace directive pointing to ../shared.

Why existing code does not prevent it: Go MVS (Minimum Version Selection) silently resolves to the higher versions at build time by aggregating requirements across the dependency graph. The workspace (go.work) further helps aggregate sum files. So the compiled binary uses the correct versions, masking the inconsistency during normal workspace builds.

Addressing the refutations: The refuters correctly note that MVS guarantees correct runtime behavior. For the grpc direct dependency specifically, they are right that go mod tidy does not bump a direct dependency just because a transitive dep requires a higher version — each module records its own minimum. However, the otel indirect deps are a different matter: go mod tidy WOULD update those. Furthermore, the deeper issue is that orchestrator/go.sum only has checksums for otel/log v0.15.0 and otel/sdk/log v0.15.0, not v0.19.0. When MVS resolves to v0.19.0 (because shared requires it), but go.sum lacks the v0.19.0 hash, building orchestrator in isolation outside workspace mode (cd packages/orchestrator && go build ./...) would fail with a missing go.sum entry error under Go 1.16+ default -mod=readonly behavior.

Impact: Any CI job or developer that builds orchestrator in isolation rather than via the workspace will encounter a build failure. The stale lower bounds also mislead developers about what versions are actually in use.

How to fix: Run go mod tidy in packages/orchestrator. This updates the indirect dep lower bounds to v0.19.0 and adds the required checksums to go.sum. For grpc (direct dep), manually update to v1.80.0 if orchestrator needs features from that version, or leave at v1.79.3 knowing MVS will resolve higher.

Step-by-step proof: (1) shared/go.mod bumped: otel/log v0.15.0 -> v0.19.0 as direct dep. (2) orchestrator/go.mod unchanged: otel/log v0.15.0 // indirect. (3) orchestrator depends on shared via replace directive, so at build time Go MVS selects v0.19.0. (4) orchestrator/go.sum has only hashes for otel/log v0.15.0 — no v0.19.0 entries. (5) Outside workspace mode: go build in packages/orchestrator fails with missing go.sum entry for go.opentelemetry.io/otel/log@v0.19.0. (6) Fix: run go mod tidy in packages/orchestrator.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml