fix(deps): update go dependencies (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/duckdb/duckdb-go/v2	v2.10502.0 → v2.10503.0
go.opentelemetry.io/collector/pdata	v1.57.0 → v1.59.0
google.golang.org/grpc	v1.81.0 → v1.81.1

---

Release Notes

duckdb/duckdb-go (github.com/duckdb/duckdb-go/v2)

v2.10503.0

Compare Source

What's Changed

• Add BIT support by @​JelteF in #​117
• feat: add geometry type support by @​niger-prequel in #​132
• perf: eliminate per-cell CGO calls in getEnum via pre-built reverse dictionary by @​hellower in #​122
• Explain local static linking workflow by @​mlafeldt in #​135
• Preserve NUL bytes in created VARCHAR values by @​mlafeldt in #​136
• Add Typed for explicit scalar parameter binding by @​mlafeldt in #​137
• Bump to v1.5.3 by @​mlafeldt in #​139

New Contributors

• @​niger-prequel made their first contribution in #​132

Full Changelog: duckdb/duckdb-go@v2.10502.0...v2.10503.0

open-telemetry/opentelemetry-collector (go.opentelemetry.io/collector/pdata)

v1.59.0

🛑 Breaking changes 🛑

• pkg/configoptional: Stabilize feature gate configoptional.AddEnabledField (#​15333)
• pkg/confmap: Stabilize confmap.newExpandedValueSanitizer feature gate (#​15339)
• pkg/exporterhelper: mark exporter.PersistRequestContext as stable (#​15330)
• pkg/otelcol: Stabilize otelcol.printInitialConfig gate (#​15340)
• pkg/pdata: Remove pdata.useCustomProtoEncoding feature gate (#​15332)
• pkg/service: Stabilize telemetry.UseLocalHostAsDefaultMetricsAddress gate (#​15342)
• pkg/xpdata: Stabilize pdata.enableRefCounting feature gate (#​15331)

🧰 Bug fixes 🧰

• pkg/config/configgrpc: Fix memory corruption and fatal error in Snappy (#​15237, #​15320)

v1.58.0

💡 Enhancements 💡

• pkg/exporterhelper: Add otelcol_exporter_in_flight_requests metric to track the number of export requests currently in-flight per exporter. (#​15009)
  This UpDownCounter increments in startOp and decrements in endOp, allowing operators to monitor
  concurrent export activity and detect when an exporter is saturating its worker pool.

🧰 Bug fixes 🧰

• pkg/confighttp: Close the original request body after reading block-format Content-Encoding: snappy requests. (#​15262)

• pkg/confighttp: Recover from panics in decompression libraries, return HTTP 400 instead of 500. (#​13228)

• pkg/confighttp: Enforce max_request_body_size on Content-Encoding: snappy requests before the decoded buffer is allocated. (#​15252)

• pkg/otelcol: Stop emitting verbose gRPC transport messages at WARN during normal client disconnect. (#​5169)
  grpc-go gates chatty per-RPC notices (e.g. "HandleStreams failed to read frame:
  connection reset by peer") behind LoggerV2.V(2). zapgrpc.Logger.V conflates
  grpclog verbosity with zap severity, so V(2) returns true whenever WARN is
  enabled and these messages emit at WARN. Wrap the installed grpclog.LoggerV2
  with a corrected V() that compares against a fixed verbosity threshold,
  matching grpclog's intended semantics. See uber-go/zap#1544.

• pkg/pdata: pcommon.Value.AsString no longer HTML-escapes <, >, and & inside ValueTypeMap and ValueTypeSlice values, matching the behavior already used for ValueTypeStr. (#​14662)

• pkg/service: Fix Prometheus config defaults mismatch when host is explicitly set in telemetry configuration. (#​13867)
  When users explicitly configured the telemetry metrics section (e.g. to change the host),
  the Prometheus exporter boolean fields (WithoutScopeInfo, WithoutUnits, WithoutTypeSuffix)
  defaulted to nil/false instead of true, causing metric name format changes compared to the
  implicit default configuration. This fix applies the correct defaults during config unmarshaling.

• pkg/service: Return noop tracer provider when no trace processors are defined (#​15135)

grpc/grpc-go (google.golang.org/grpc)

v1.81.1: Release 1.81.1

Compare Source

Security

• xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#​9111)
  • Special Thanks: @​al4an444

---

Configuration

📅 Schedule: (in timezone America/Argentina/Buenos_Aires)

• Branch creation
  • "before 9am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 14 additional dependencies were updated

Details:

Package	Change
github.com/duckdb/duckdb-go-bindings	v0.10502.0 -> v0.10503.0
github.com/duckdb/duckdb-go-bindings/lib/darwin-amd64	v0.10502.0 -> v0.10503.0
github.com/duckdb/duckdb-go-bindings/lib/darwin-arm64	v0.10502.0 -> v0.10503.0
github.com/duckdb/duckdb-go-bindings/lib/linux-amd64	v0.10502.0 -> v0.10503.0
github.com/duckdb/duckdb-go-bindings/lib/linux-arm64	v0.10502.0 -> v0.10503.0
github.com/duckdb/duckdb-go-bindings/lib/windows-amd64	v0.10502.0 -> v0.10503.0
go.opentelemetry.io/collector/featuregate	v1.57.0 -> v1.59.0
golang.org/x/crypto	v0.48.0 -> v0.51.0
golang.org/x/mod	v0.32.0 -> v0.35.0
golang.org/x/net	v0.51.0 -> v0.55.0
golang.org/x/sys	v0.42.0 -> v0.45.0
golang.org/x/telemetry	v0.0.0-20260116145544-c6413dc483f5 -> v0.0.0-20260409153401-be6f6cb8b1fa
golang.org/x/text	v0.34.0 -> v0.37.0
golang.org/x/tools	v0.41.0 -> v0.44.0