fix(deps): update rust dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
opentelemetry (source)	dependencies	minor	0.31.0 → 0.32.0
opentelemetry-otlp (source)	dependencies	minor	0.31.0 → 0.32.0
opentelemetry_sdk (source)	dependencies	minor	0.31.0 → 0.32.0
tower-http	dependencies	patch	0.6.10 → 0.6.11

---

Release Notes

open-telemetry/opentelemetry-rust (opentelemetry)

v0.32.0

Compare Source

Released 2026-May-08

• Added BoundCounter<T> and BoundHistogram<T> types that cache resolved
  aggregator references for a fixed attribute set. Created via Counter::bind()
  and Histogram::bind(), bound instruments bypass per-call attribute lookup,
  providing significant performance improvements for hot paths where the same
  attributes are used repeatedly. Both types implement Clone so a single bound
  state can be shared across threads or modules without re-binding. Also adds
  the SyncInstrument::bind() trait method and BoundSyncInstrument<T> trait
  for SDK implementors; the trait method has a no-op default so custom
  SyncInstrument impls degrade gracefully without panicking. Gated behind the
  experimental_metrics_bound_instruments feature flag.
• Add reserve method to opentelemetry::propagation::Injector to hint at the number of elements that will be added to avoid multiple resize operations of the underlying data structure. Has an empty default implementation.
• Breaking Removed the following public fields and methods from the SpanBuilder #​3227:
  • trace_id, span_id, end_time, status, sampling_result
  • with_trace_id, with_span_id, with_end_time, with_status, with_sampling_result
• Added #[must_use] attribute to opentelemetry::metrics::AsyncInstrumentBuilder to add compile time warning when .build() is not called on observable instrument builders, preventing silent failures where callbacks are never registered and metrics are never reported.
• Breaking Moved the following SDK sampling types from opentelemetry::trace to opentelemetry_sdk::trace #​3277:
  • SamplingDecision, SamplingResult
  • These types are SDK implementation details and should be imported from opentelemetry_sdk::trace instead.
• "spec_unstable_logs_enabled" feature flag is removed. The capability (and the
  backing specification) is now stable and is enabled by default.
  3278
• Remove the empty "message" field from tracing events emitted via the internal-logs feature
• Fix panic when calling Context::current() from Drop implementations triggered by ContextGuard cleanup (#​3262).

open-telemetry/opentelemetry-rust (opentelemetry-otlp)

v0.32.0

Compare Source

Released 2026-May-08

• Add tls-provider-agnostic feature flag for environments that require a custom crypto backend (e.g., OpenSSL for FIPS compliance). Enables TLS code paths without bundling ring or aws-lc-rs.
• Add build() directly on SpanExporterBuilder, MetricExporterBuilder, and LogExporterBuilder
  (before selecting a transport), which auto-selects the transport based on the
  OTEL_EXPORTER_OTLP_PROTOCOL environment variable or enabled features.
  #​3394
• Breaking Removed ExportConfig, HasExportConfig, with_export_config(), HasTonicConfig, HasHttpConfig, TonicConfig, and HttpConfig from public API.
  Use the public WithExportConfig, WithTonicConfig, and WithHttpConfig trait methods instead, which remain unchanged.
• The gRPC/tonic OTLP exporter's build method now returns an error for all signals (traces, metrics, logs) when
  an https:// endpoint is configured but no TLS feature (tls-ring or tls-aws-lc) is enabled, instead of
  silently sending unencrypted traffic. When a TLS feature is enabled and an https:// endpoint is used without
  an explicit .with_tls_config(), a default ClientTlsConfig is automatically applied.
  #​3182
• Prevent auth tokens from leaking in export error messages. gRPC and HTTP
  exporter errors no longer include potentially sensitive server responses
  (e.g., authentication tokens echoed back). Error messages returned to SDK
  processors contain only the gRPC status code or HTTP status code. Full
  details are logged at DEBUG level only.
  #​3021
• Surface pre-flight transport error details at ERROR level when grpc-tonic
  OTLP export fails due to a local misconfiguration. When the returned
  tonic::Status wraps a local transport error (invalid URL, connect failure,
  DNS), its source chain (e.g., "transport error: invalid URI") is appended
  to the returned error so SDK processors surface it at ERROR without
  requiring DEBUG logging. Server-returned gRPC status messages remain
  DEBUG-only to preserve the auth-token leak safeguards from
  #​3021.
  #​3331
• Add support for per-signal protocol environment variables:
  OTEL_EXPORTER_OTLP_TRACES_PROTOCOL, OTEL_EXPORTER_OTLP_METRICS_PROTOCOL,
  OTEL_EXPORTER_OTLP_LOGS_PROTOCOL. These allow configuring different transport protocols
  per signal type. Signal-specific vars take precedence over generic OTEL_EXPORTER_OTLP_PROTOCOL.
  The auto-select build() method on each exporter builder now respects the full priority chain:
  signal-specific env var > generic env var > feature-based default.
• Transport/protocol mismatch validation: HTTP transport returns InvalidConfig when gRPC protocol
  is requested; gRPC transport returns InvalidConfig when an HTTP protocol is requested.
• Breaking: Protocol::default() no longer consults the OTEL_EXPORTER_OTLP_PROTOCOL
  environment variable. It now returns only the feature-based default (http-json > http-proto >
  grpc-tonic). Protocol resolution from environment variables is handled internally by the
  exporter builders. Users who relied on Protocol::default() to read env vars should use
  Protocol::from_env() instead.
• Add support for OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE environment variable
  to configure metrics temporality. Accepted values: cumulative (default), delta,
  lowmemory (case-insensitive). Programmatic .with_temporality() overrides the env var.
• Fix NoHttpClient error when multiple HTTP client features are enabled by using priority-based selection (reqwest-client > hyper-client > reqwest-blocking-client). #​2994
• Add partial success response handling for OTLP exporters (traces, metrics, logs) per OTLP spec. Exporters now log warnings when the server returns partial success responses with rejected items and error messages. #​865
• Refactor internal-logs feature in opentelemetry-otlp to reduce unnecessary dependencies3191
• Fixed [#​2777](https://github.com/open-telemetry/opentelemetry rust/issues/2777) to properly handle shutdown_with_timeout() when using grpc-tonic.
• Deprecate tls feature in favor of explicit tls-ring and tls-aws-lc features.
  Migration: Replace tls with tls-ring (or tls-aws-lc). Users of tls-roots or tls-webpki-roots must now also enable one of these.
• Prevent logging of header values in OTLP tonic exporter #​3465

open-telemetry/opentelemetry-rust (opentelemetry_sdk)

v0.32.0

Compare Source

Released 2026-May-08

• SimpleSpanProcessor now suppresses telemetry during export, preventing
  telemetry-induced-telemetry feedback loops. This aligns with the existing
  behavior in BatchSpanProcessor and SimpleLogProcessor.
• Removed SimpleConcurrentLogProcessor and the experimental_logs_concurrent_log_processor
  feature flag. The use cases it was designed for (ETW/user_events exporters) are
  better served by modeling those exporters as processors directly.
• Added Counter::bind() and Histogram::bind() SDK implementations that
  return pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>).
  Bound instruments resolve the attribute-to-aggregator mapping once at bind time
  and cache the result, eliminating per-call HashMap lookups. View attribute
  filtering is applied at bind time so the hot path stays free of per-call
  attribute processing. Bound and unbound recordings with the same (post-view)
  attribute set always aggregate into the same data point, including the empty
  attribute set. Bound entries are never evicted during delta collection while
  a handle exists — idle cycles produce no export but the tracker persists. If
  bind() is called at the cardinality limit, the handle binds directly to
  the overflow tracker — its writes stay on the same direct (no-lookup) hot
  path and consistently land in the otel.metric.overflow=true bucket for
  the lifetime of the handle. To recover a bound handle after delta collection
  frees space, drop the existing handle and call bind() again. Gated behind
  the experimental_metrics_bound_instruments feature flag. Benchmarks show
  ~28x speedup for counter operations and ~9x for histograms.
• Delta metrics collection now uses in-place eviction instead of draining the
  HashMap on every collect cycle. Stale attribute sets that received no measurements
  since the last collection are evicted. Note: recovery from cardinality overflow
  now requires 2 collect cycles — the first marks entries as stale, the second
  evicts them.
• Breaking The SDK testing feature is now runtime agnostic. #​3407
  • TokioSpanExporter and new_tokio_test_exporter have been renamed to TestSpanExporter and new_test_exporter.
  • The following transitive dependencies and features have been removed: tokio/rt, tokio/time, tokio/macros, tokio/rt-multi-thread, tokio-stream, experimental_async_runtime
• Store InstrumentationScope in Arc internally in SdkTracer, making tracer clones cheaper (Arc refcount increment instead of deep copy).
• Add 32-bit platform support by using portable-atomic for AtomicI64 and AtomicU64 in the metrics module. This enables compilation on 32-bit ARM targets (e.g., armv5te-unknown-linux-gnueabi, armv7-unknown-linux-gnueabihf).
• Aggregation enum and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.
• Fix service.name Resource attribute fallback to follow OpenTelemetry
  specification by using unknown_service:<process.executable.name> format when
  service name is not explicitly configured. Previously, it only used
  unknown_service.
• Fix SpanExporter::shutdown() default timeout from 5 nanoseconds to 5 seconds.
• Breaking SpanExporter trait methods shutdown, shutdown_with_timeout, and force_flush now take &self instead of &mut self for consistency with LogExporter and PushMetricExporter. Implementers using interior mutability (e.g., Mutex, AtomicBool) require no changes.
• Added Resource::get_ref(&self, key: &Key) -> Option<&Value> to allow retrieving a reference to a resource value without cloning.
• Breaking Removed the following public hidden methods from the SdkTracer #​3227:
  • id_generator, should_sample
• Breaking Moved the following SDK sampling types from opentelemetry::trace to opentelemetry_sdk::trace #​3277:
  • SamplingDecision, SamplingResult
  • These types are SDK implementation details and should be imported from opentelemetry_sdk::trace instead.
• StreamBuilder::build() now rejects usize::MAX as a cardinality limit
  with a validation error. #​3506
• Fix Histogram boundaries being ignored in the presence of views #​3312
• TracerProviderBuilder::with_sampler allows to pass boxed instance of ShouldSample [#​3313][3313]
• Fix ObservableCounter and ObservableUpDownCounter now correctly report only data points from the current measurement cycle, removing stale attribute combinations that are no longer observed. #​3248
• Fix panic when SpanProcessor::on_end calls Context::current() (#​3262).
  • Updated SpanProcessor::on_end documentation to clarify that Context::current() returns the parent context, not the span's context
• Fix traceparent headers with unknown flags (e.g. W3C random-trace-id flag 0x02) being incorrectly rejected. Unknown flags are now accepted and zeroed out as required by the W3C trace-context spec. #​3435
• Breaking InMemoryExporterError has been removed and replaced by OTelSdkError, and a new JaegerRemoteSamplerBuildError introduced to replace last uses of TraceError. #​3458
• "spec_unstable_logs_enabled" feature flag is removed. The capability (and the
  backing specification) is now stable and is enabled by default. #​3278

tower-rs/tower-http (tower-http)

v0.6.11

Compare Source

Added

• set-header: add SetMultipleResponseHeadersLayer and
  SetMultipleResponseHeader for setting multiple response headers at once.
  Supports overriding, appending, and if_not_present modes. Header
  values can be fixed or computed dynamically via closures (#​672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
      (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
      (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
          res.body().size_hint().exact()
              .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
      }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and
  SetMultipleRequestHeaders for setting multiple request headers at once,
  mirroring the response-side API (#​677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode.
  Unrecognized status codes map to GrpcCode::Unknown (#​506)

Changed

• compression: compress application/grpc-web responses. Previously all
  application/grpc* content types were excluded from compression; now only
  application/grpc (non-web) is excluded (#​408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests
  when call_fallback_on_method_not_allowed is enabled but no fallback service
  is configured (#​587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#​675)

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in #​670
• ci: use static timeout in stress-test workflow by @​jlizen in #​671
• Fix serve_dir method not allowed handling when no fallback is configured by @​soerenmeier in #​587
• Do compress grpc-web responses by @​bouk in #​408
• add From impl for GrpcCode by @​gshipilov in #​506
• feat(set_header): refactor and improve multiple header middleware by @​seun-ja in #​672
• Remove duplicate cfg attribute for is_reserved_dos_name by @​GlenDC in #​675
• feat: set multiple request header by @​seun-ja in #​677
• chore: release 0.6.11 by @​jlizen in #​673

New Contributors

• @​gshipilov made their first contribution in #​506
• @​seun-ja made their first contribution in #​672

Full Changelog: tower-rs/tower-http@tower-http-0.6.10...tower-http-0.6.11

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[viccuad]

Helm unittest failure is fixed by #1730

[viccuad]

@copilot review the breaking changes of the bumped crates in the PR against our codebase.

[Copilot]

@copilot review the breaking changes of the bumped crates in the PR against our codebase.

Reviewed against commit a6df90e. There are two breaking impacts in our codebase:

1. opentelemetry-otlp 0.32 removed public ExportConfig/with_export_config(), which breaks crates/policy-server/src/metrics.rs.
2. tracing-opentelemetry 0.32.1 still depends on opentelemetry 0.31, while this PR bumps direct deps to opentelemetry/opentelemetry_sdk 0.32; this creates mixed versions and breaks crates/policy-server/src/tracing.rs (SdkTracer no longer satisfies the tracer trait expected by tracing-opentelemetry).

I validated with cargo test -p policy-server and cargo tree -p policy-server | grep opentelemetry.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[viccuad]

Blocked, we need to wait for tracing-opentelemetry to consume opentelemetry 0.32.
Bumping otel crates to 0.32 produces two incompatible versions of opentelemetry in the dependency tree, causing the SdkTracer: opentelemetry::trace::Tracer trait to fail at policy-server/src/tracing.rs.