
Update Rust crate opentelemetry_sdk to 0.32.0 [SECURITY]#8907

Open
hash-worker[bot] wants to merge 1 commit into main from deps/rs/crate-opentelemetry_sdk-vulnerability

Conversation

hash-worker Bot (Contributor) commented Jun 28, 2026

This PR contains the following updates:

Package            Type                    Update   Change
opentelemetry_sdk  workspace.dependencies  minor    0.30.0 -> 0.32.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-48504

Summary

BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK's baggage storage limits.

The SDK now applies limits aligned with the W3C Baggage limits:

  • 64 list-members
  • 8192 bytes total

Impact

Services that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized baggage headers. This can contribute to denial-of-service risk, especially when application or transport-level header limits are absent or configured above the W3C Baggage limits.

The impact is limited to availability. This issue does not expose telemetry data, modify telemetry data, or allow code execution.

Patches

Upgrade opentelemetry_sdk to version 0.32.1 or later.

Version 0.32.1 rejects baggage header values larger than 8192 bytes and limits extraction to the first 64 list-members.

Workarounds

If upgrading immediately is not possible, reject or limit inbound baggage headers larger than 8192 bytes before invoking OpenTelemetry propagation extraction. This can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.

Resources

Credit

tonghuaroot


Release Notes

open-telemetry/opentelemetry-rust (opentelemetry_sdk)

v0.32.1

Released 2026-May-23

  • BaggagePropagator now enforces the W3C Baggage maximum header length
    (8192 bytes) and maximum list-member count (64) when extracting an inbound
    baggage header. Headers exceeding 8192 bytes are dropped at the
    propagator boundary; headers with more than 64 list members are
    truncated to the first 64 entries. The change keeps the propagator from
    parsing attacker-controlled input beyond the W3C limits instead of doing
    per-entry parse, decode, and allocation work only to discard the excess
    on Baggage insert. See https://www.w3.org/TR/baggage/#limits.
  • Reverted the SimpleSpanProcessor telemetry suppression added in 0.32.0
    (see #3494), which caused a RefCell already borrowed panic when a span
    was started and dropped inside a get_active_span (or Context::map_current)
    closure. Tracked in #3510. A proper fix for the underlying
    Context::map_current re-entrancy will be investigated separately, after
    which the suppression can be safely re-applied.
  • View-provided metric stream name (set via Stream::builder().with_name(...))
    is no longer validated against the instrument name syntax, per
    spec clarification.
    unit and other stream parameters continue to be validated.

v0.32.0


Released 2026-May-08

  • SimpleSpanProcessor now suppresses telemetry during export, preventing
    telemetry-induced-telemetry feedback loops. This aligns with the existing
    behavior in BatchSpanProcessor and SimpleLogProcessor.
  • Removed SimpleConcurrentLogProcessor and the experimental_logs_concurrent_log_processor
    feature flag. The use cases it was designed for (ETW/user_events exporters) are
    better served by modeling those exporters as processors directly.
  • Added Counter::bind() and Histogram::bind() SDK implementations that
    return pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>).
    Bound instruments resolve the attribute-to-aggregator mapping once at bind time
    and cache the result, eliminating per-call HashMap lookups. View attribute
    filtering is applied at bind time so the hot path stays free of per-call
    attribute processing. Bound and unbound recordings with the same (post-view)
    attribute set always aggregate into the same data point, including the empty
    attribute set. Bound entries are never evicted during delta collection while
    a handle exists — idle cycles produce no export but the tracker persists. If
    bind() is called at the cardinality limit, the handle binds directly to
    the overflow tracker — its writes stay on the same direct (no-lookup) hot
    path and consistently land in the otel.metric.overflow=true bucket for
    the lifetime of the handle. To recover a bound handle after delta collection
    frees space, drop the existing handle and call bind() again. Gated behind
    the experimental_metrics_bound_instruments feature flag. Benchmarks show
    ~28x speedup for counter operations and ~9x for histograms.
  • Delta metrics collection now uses in-place eviction instead of draining the
    HashMap on every collect cycle. Stale attribute sets that received no measurements
    since the last collection are evicted. Note: recovery from cardinality overflow
    now requires 2 collect cycles — the first marks entries as stale, the second
    evicts them.
  • Breaking The SDK testing feature is now runtime agnostic. #3407
    • TokioSpanExporter and new_tokio_test_exporter have been renamed to TestSpanExporter and new_test_exporter.
    • The following transitive dependencies and features have been removed: tokio/rt, tokio/time, tokio/macros, tokio/rt-multi-thread, tokio-stream, experimental_async_runtime
  • Store InstrumentationScope in Arc internally in SdkTracer, making tracer clones cheaper (Arc refcount increment instead of deep copy).
  • Add 32-bit platform support by using portable-atomic for AtomicI64 and AtomicU64 in the metrics module. This enables compilation on 32-bit ARM targets (e.g., armv5te-unknown-linux-gnueabi, armv7-unknown-linux-gnueabihf).
  • Aggregation enum and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.
  • Fix service.name Resource attribute fallback to follow OpenTelemetry
    specification by using unknown_service:<process.executable.name> format when
    service name is not explicitly configured. Previously, it only used
    unknown_service.
  • Fix SpanExporter::shutdown() default timeout from 5 nanoseconds to 5 seconds.
  • Breaking SpanExporter trait methods shutdown, shutdown_with_timeout, and force_flush now take &self instead of &mut self for consistency with LogExporter and PushMetricExporter. Implementers using interior mutability (e.g., Mutex, AtomicBool) require no changes.
  • Added Resource::get_ref(&self, key: &Key) -> Option<&Value> to allow retrieving a reference to a resource value without cloning.
  • Breaking Removed the following public hidden methods from the SdkTracer #3227:
    • id_generator, should_sample
  • Breaking Moved the following SDK sampling types from opentelemetry::trace to opentelemetry_sdk::trace #3277:
    • SamplingDecision, SamplingResult
    • These types are SDK implementation details and should be imported from opentelemetry_sdk::trace instead.
  • StreamBuilder::build() now rejects usize::MAX as a cardinality limit
    with a validation error. #3506
  • Fix Histogram boundaries being ignored in the presence of views #3312
  • TracerProviderBuilder::with_sampler allows passing a boxed instance of ShouldSample #3313
  • Fix ObservableCounter and ObservableUpDownCounter now correctly report only data points from the current measurement cycle, removing stale attribute combinations that are no longer observed. #3248
  • Fix panic when SpanProcessor::on_end calls Context::current() (#3262).
    • Updated SpanProcessor::on_end documentation to clarify that Context::current() returns the parent context, not the span's context
  • Fix traceparent headers with unknown flags (e.g. W3C random-trace-id flag 0x02) being incorrectly rejected. Unknown flags are now accepted and zeroed out as required by the W3C trace-context spec. #3435
  • Breaking InMemoryExporterError has been removed and replaced by OTelSdkError, and a new JaegerRemoteSamplerBuildError introduced to replace last uses of TraceError. #3458
  • "spec_unstable_logs_enabled" feature flag is removed. The capability (and the
    backing specification) is now stable and is enabled by default. #3278

v0.31.0


Released 2025-Sep-25

  • Updated opentelemetry and opentelemetry-http dependencies to version 0.31.0.

  • Feature: Add span flags support for isRemote property in OTLP exporter (#3153)

  • Updated span and link transformations to properly set flags field (0x100 for local, 0x300 for remote)

  • TODO: Placeholder for Span processor related things

    • Fix SpanProcessor::on_start is no longer called on non recording spans
  • Fix: Restore true parallel exports in the async-native BatchSpanProcessor by honoring OTEL_BSP_MAX_CONCURRENT_EXPORTS (#2959). A regression in #2685 inadvertently awaited the export() future directly in opentelemetry-sdk/src/trace/span_processor_with_async_runtime.rs instead of spawning it on the runtime, forcing all exports to run sequentially.

  • Feature: Added Clone implementation to SdkLogger for API consistency with SdkTracer (#3058).

  • Fix: batch size accounting in BatchSpanProcessor when queue is full (#3089).

  • Fix: Resolved dependency issue where the "logs" feature incorrectly
    required the "trace" feature flag
    (#3096).
    The logs functionality now operates independently, while automatic correlation
    between logs and traces continues to work when the "trace" feature is
    explicitly enabled.

  • Fix: Fix shutdown of SimpleLogProcessor and async BatchLogProcessor.

  • Default implementation of LogProcessor::shutdown_with_timeout() will now warn to encourage users to implement proper shutdown.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
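The workaround the advisory describes (reject inbound baggage headers over 8192 bytes and limit extraction to the first 64 list-members at a custom carrier boundary, before the propagator parses anything), as an added example that is not part of this PR, the hash repository, or the opentelemetry_sdk crate. `limit_baggage_header`, `BaggageGuard` and `GuardedCarrier` are hypothetical names; the carrier's `get` and `keys` mirror the shape of the `opentelemetry::propagation::Extractor` trait but do not implement it, so the block builds with the standard library alone. Header names are assumed to be lower-cased already, and the sample headers in `main` are constructed.

```rust
use std::collections::HashMap;

/// W3C Baggage limits (https://www.w3.org/TR/baggage/#limits), the values the
/// advisory says 0.32.1 enforces inside the propagator.
pub const MAX_BAGGAGE_BYTES: usize = 8192;
pub const MAX_LIST_MEMBERS: usize = 64;

/// Outcome of applying the limits to one inbound `baggage` header value.
#[derive(Debug, PartialEq)]
pub enum BaggageGuard {
    /// Within both limits; passed through unchanged.
    Accepted(String),
    /// More than 64 list-members; only the first 64 are kept.
    Truncated(String),
    /// Larger than 8192 bytes; dropped before any entry is parsed.
    Rejected { bytes: usize },
}

/// Apply the limits to a raw header value. The only work done is a byte-length
/// check and a split on ','; percent-decoding and key/value parsing are left to
/// the propagator, which then only ever sees bounded input.
pub fn limit_baggage_header(value: &str) -> BaggageGuard {
    let bytes = value.len(); // byte length, as in the advisory, not char count
    if bytes > MAX_BAGGAGE_BYTES {
        return BaggageGuard::Rejected { bytes };
    }
    // Count members first so the common case allocates only the pass-through copy.
    if value.split(',').count() <= MAX_LIST_MEMBERS {
        return BaggageGuard::Accepted(value.to_string());
    }
    let kept: Vec<&str> = value.split(',').take(MAX_LIST_MEMBERS).collect();
    BaggageGuard::Truncated(kept.join(","))
}

/// Hypothetical carrier that enforces the limits when it is built, so any
/// propagator that later calls `get("baggage")` cannot receive oversized input.
/// In a real service this struct would also implement
/// `opentelemetry::propagation::Extractor`; that trait is not reproduced here.
/// Header names are assumed to be lower-cased already.
pub struct GuardedCarrier {
    headers: HashMap<String, String>,
    /// Set when the baggage header was dropped; worth counting in a metric.
    pub rejected_baggage: bool,
    /// Set when the baggage header was cut to 64 members.
    pub truncated_baggage: bool,
}

impl GuardedCarrier {
    pub fn new(mut headers: HashMap<String, String>) -> Self {
        let mut rejected_baggage = false;
        let mut truncated_baggage = false;
        if let Some(raw) = headers.remove("baggage") {
            match limit_baggage_header(&raw) {
                BaggageGuard::Accepted(v) => {
                    headers.insert("baggage".to_string(), v);
                }
                BaggageGuard::Truncated(v) => {
                    truncated_baggage = true;
                    headers.insert("baggage".to_string(), v);
                }
                BaggageGuard::Rejected { .. } => rejected_baggage = true,
            }
        }
        Self { headers, rejected_baggage, truncated_baggage }
    }

    /// Same signature shape as `Extractor::get`.
    pub fn get(&self, key: &str) -> Option<&str> {
        self.headers.get(key).map(String::as_str)
    }

    /// Same signature shape as `Extractor::keys`.
    pub fn keys(&self) -> Vec<&str> {
        self.headers.keys().map(String::as_str).collect()
    }
}

fn main() {
    // Constructed sample: 100 list-members, well under 8192 bytes, so it is
    // truncated rather than rejected. Other headers pass through untouched.
    let members: Vec<String> = (0..100).map(|i| format!("k{i}=v{i}")).collect();
    let mut headers = HashMap::new();
    headers.insert("baggage".to_string(), members.join(","));
    headers.insert("x-request-id".to_string(), "constructed-sample".to_string());
    let carrier = GuardedCarrier::new(headers);
    let kept = carrier.get("baggage").map_or(0, |b| b.split(',').count());
    println!(
        "truncated={} rejected={} members_kept={}",
        carrier.truncated_baggage, carrier.rejected_baggage, kept
    );
}
```

In a service, the incoming header map would be wrapped in `GuardedCarrier` before it is handed to `propagator.extract(&carrier)`; the `rejected_baggage` and `truncated_baggage` flags exist so the middleware can increment a counter or log once per request, which makes a burst of oversized headers visible to operations rather than silently absorbed. The guard costs one pass over at most 8192 bytes and does no decoding, which is the point: the expensive per-entry parse and allocation work the advisory describes never runs on input that would be discarded anyway.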

hash-worker Bot enabled auto-merge June 28, 2026 01:22
vercel Bot commented Jun 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment  Actions           Updated (UTC)
hash                  Ready       Preview, Comment  Jun 28, 2026 1:35am
hashdotdesign-tokens  Ready       Preview, Comment  Jun 28, 2026 1:35am
petrinaut             Ready       Preview, Comment  Jun 28, 2026 1:35am

cursor Bot commented Jun 28, 2026

PR Summary

Medium Risk
Touches the telemetry/propagation stack and introduces a dual opentelemetry 0.30/0.32 dependency graph, but behavior change is mainly the security patch with no application code edits.

Overview
Bumps the workspace opentelemetry_sdk dependency from 0.30.0 to 0.32.0 (lockfile resolves 0.32.1), addressing CVE-2026-48504: inbound W3C baggage headers are now capped at 8192 bytes and 64 list-members before parsing, reducing DoS risk from oversized propagation headers.

There are no Rust source changes—only Cargo.toml and Cargo.lock. Crates such as hash-telemetry and graph API consumers that depend on the workspace SDK pick up the new version. The lockfile also pulls in opentelemetry 0.32.0 for the new SDK while opentelemetry 0.30.0 remains for opentelemetry-otlp, tracing-opentelemetry, and related 0.30-era crates, so two OpenTelemetry API versions coexist until those dependencies are aligned.

Reviewed by Cursor Bugbot for commit 1bdb8c4. Bugbot is set up for automated code reviews on this repo. Configure here.

codecov Bot commented Jun 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.77%. Comparing base (b8f5e58) to head (1bdb8c4).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8907      +/-   ##
==========================================
- Coverage   59.77%   59.77%   -0.01%     
==========================================
  Files        1348     1348              
  Lines      131787   131833      +46     
  Branches     5941     5941              
==========================================
+ Hits        78772    78799      +27     
- Misses      52107    52126      +19     
  Partials      908      908              
Flag                                 Coverage  Δ
apps.hash-ai-worker-ts               1.39%     <ø> (-0.01%) ⬇️
apps.hash-api                        3.26%     <ø> (ø)
blockprotocol.type-system            40.84%    <ø> (ø)
local.claude-hooks                   0.00%     <ø> (ø)
local.harpc-client                   51.49%    <ø> (ø)
local.hash-backend-utils             2.81%     <ø> (ø)
local.hash-graph-sdk                 9.63%     <ø> (ø)
local.hash-isomorphic-utils          0.18%     <ø> (-0.01%) ⬇️
rust.antsi                           0.00%     <ø> (ø)
rust.error-stack                     90.87%    <ø> (ø)
rust.harpc-codec                     84.70%    <ø> (ø)
rust.harpc-net                       96.19%    <ø> (ø)
rust.harpc-tower                     67.03%    <ø> (ø)
rust.harpc-types                     0.00%     <ø> (ø)
rust.harpc-wire-protocol             92.23%    <ø> (ø)
rust.hash-codec                      72.76%    <ø> (ø)
rust.hash-graph-api                  2.53%     <ø> (ø)
rust.hash-graph-authorization        62.59%    <ø> (+0.18%) ⬆️
rust.hash-graph-store                37.90%    <ø> (-0.10%) ⬇️
rust.hash-graph-temporal-versioning  47.95%    <ø> (ø)
rust.hash-graph-types                0.00%     <ø> (ø)
rust.hash-graph-validation           83.43%    <ø> (ø)
rust.hashql-ast                      87.23%    <ø> (ø)
rust.hashql-compiletest              28.24%    <ø> (ø)
rust.hashql-core                     79.60%    <ø> (ø)
rust.hashql-diagnostics              72.31%    <ø> (ø)
rust.hashql-eval                     75.23%    <ø> (ø)
rust.hashql-hir                      89.06%    <ø> (ø)
rust.hashql-mir                      88.45%    <ø> (ø)
rust.hashql-syntax-jexpr             94.04%    <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.


codspeed-hq Bot commented Jun 28, 2026

Merging this PR will not alter performance

✅ 80 untouched benchmarks


Comparing deps/rs/crate-opentelemetry_sdk-vulnerability (1bdb8c4) with main (b8f5e58)

Open in CodSpeed


Labels

area/deps Relates to third-party dependencies (area)


2 participants