@thomhurst

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| OpenTelemetry.Exporter.OpenTelemetryProtocol (source) | nuget | patch | 1.13.0 -> 1.13.1 |
| OpenTelemetry.Extensions.Hosting (source) | nuget | patch | 1.13.0 -> 1.13.1 |

Release Notes

open-telemetry/opentelemetry-dotnet (OpenTelemetry.Exporter.OpenTelemetryProtocol)

v1.13.1

Release details: 1.13.1

  • In version 1.13.0, the digital signature (.dll-keyless.sig) and
    certificate (.dll-keyless.pem) files were unintentionally omitted from the
    published NuGet packages.
  • This hotfix restores the Sigstore signing artifacts for all target frameworks
    (net462, netstandard2.0, netstandard2.1, net8.0, net9.0), ensuring
    the integrity of DLL verification using Sigstore cosign.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
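
The regression described in the release notes above (signing artifacts missing from the published package) can be caught by inspecting the `.nupkg` before relying on it. The following is an added example, not code from Renovate, this repository or opentelemetry-dotnet; it assumes each signed DLL under `lib/<tfm>/` has its `-keyless.sig` and `-keyless.pem` files beside it, and the package built by the hypothetical helper `build_sample_nupkg` is constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Suffixes named in the 1.13.1 release notes; each signed DLL should have both.
SIGNING_SUFFIXES = ("-keyless.sig", "-keyless.pem")


def missing_signing_artifacts(nupkg):
    """Return {dll_path: [missing artifact paths]} for DLLs under lib/<tfm>/.

    `nupkg` is a path or a binary file object; a .nupkg is a ZIP archive.
    Assumption: the artifacts sit next to the DLL they cover.
    """
    with zipfile.ZipFile(nupkg) as archive:
        names = set(archive.namelist())
    missing = {}
    for name in sorted(names):
        path = PurePosixPath(name)
        # Only assemblies shipped per target framework: lib/<tfm>/<name>.dll
        if len(path.parts) != 3 or path.parts[0] != "lib":
            continue
        if path.suffix.lower() != ".dll":
            continue
        absent = [name + s for s in SIGNING_SUFFIXES if name + s not in names]
        if absent:
            missing[name] = absent
    return missing


def build_sample_nupkg(signed_tfms, unsigned_tfms, dll="Example.dll"):
    """Constructed stand-in for a package; all contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Example.nuspec", "<package/>")
        for tfm in signed_tfms + unsigned_tfms:
            archive.writestr(f"lib/{tfm}/{dll}", b"MZ")
        for tfm in signed_tfms:
            for suffix in SIGNING_SUFFIXES:
                archive.writestr(f"lib/{tfm}/{dll}{suffix}", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    tfms = ["net462", "netstandard2.0", "netstandard2.1", "net8.0", "net9.0"]
    print(missing_signing_artifacts(build_sample_nupkg(tfms, [])))
    print(missing_signing_artifacts(build_sample_nupkg(tfms[:3], tfms[3:])))
```

Presence is only the precondition: the signature itself still has to be checked against the DLL with `cosign verify-blob`.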

@thomhurst thomhurst added dependencies Pull requests that update a dependency file PATCH renovate-bot labels Oct 9, 2025
@thomhurst thomhurst enabled auto-merge (squash) October 9, 2025 18:33
@claude

claude bot commented Oct 9, 2025

Claude finished @thomhurst's task —— View job


PR Review: OpenTelemetry Update to 1.13.1

Review Tasks

  • Examine the changed .csproj file
  • Analyze the impact of the OpenTelemetry version update
  • Assess code quality and best practices
  • Check for potential bugs or issues
  • Evaluate performance considerations
  • Review security concerns
  • Consider test coverage requirements

Review Feedback

✅ Overall Assessment: APPROVED

This is a straightforward and safe dependency update that should be merged.

Code Quality & Best Practices

  • ✅ Good: The change follows standard dependency management practices
  • ✅ Good: Only updates the specific packages that need updating (selective approach)
  • ✅ Good: Maintains consistency by updating both related OpenTelemetry packages together

Potential Issues & Concerns

  • ⚠️ Version Inconsistency: The project has mixed OpenTelemetry package versions:

    • Updated packages: OpenTelemetry.Exporter.OpenTelemetryProtocol and OpenTelemetry.Extensions.Hosting → 1.13.1
    • Unchanged packages: OpenTelemetry.Instrumentation.* packages remain at 1.12.0

    Recommendation: Consider updating all OpenTelemetry packages to the latest compatible versions for consistency and to avoid potential compatibility issues.

Security Considerations

  • ✅ Positive: According to the release notes, this hotfix restores Sigstore signing artifacts that were missing in v1.13.0
  • ✅ Security Improvement: The update enhances DLL verification integrity using Sigstore cosign
  • ✅ Safe: Patch version updates typically don't introduce breaking changes

Performance Considerations

  • ✅ Neutral: Patch updates rarely include performance regressions
  • ✅ Low Risk: OpenTelemetry instrumentation impact should remain consistent
  • The release notes don't mention any performance-related changes

Test Coverage

  • ✅ Adequate: No additional test coverage required for dependency version bumps
  • Note: The change affects a template project (TUnit.Aspire.Starter), so the impact is on generated projects rather than core functionality
  • Observation: There's a snapshot test file that will need updating when the template tests run

Breaking Changes

  • ✅ None Expected: This is a patch release (1.13.0 → 1.13.1) focused solely on restoring signing artifacts

Recommendations

  1. Consider Full Update: Update remaining OpenTelemetry packages from 1.12.0 to 1.13.1 for version consistency
  2. Monitor: Watch for any issues after deployment, though none are expected
  3. Template Tests: Ensure template generation tests pass with the updated versions

File: ExampleNamespace.ServiceDefaults.csproj:15-16

- <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.13.0" />
- <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.13.0" />
+ <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.13.1" />
+ <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.13.1" />
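
Review bot: Nothing on the two `+` lines checks the Sigstore artifacts that the 1.13.1 release notes say were restored. The hunk only moves `Version="1.13.0"` to `Version="1.13.1"`, and a version bump by itself does not run cosign. If the project wants to rely on that integrity property rather than just receive the files, add a CI step that verifies the restored DLLs against their `.dll-keyless.sig` and `.dll-keyless.pem` files; otherwise the change is fine as a plain patch bump.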

Verdict: This is a safe, security-positive dependency update that should be merged. The only consideration is whether to update the remaining OpenTelemetry packages for consistency.


@claude

claude bot commented Oct 10, 2025

Claude finished @thomhurst's task —— View job


PR Review: OpenTelemetry Dependency Update

Review Tasks

  • Examine the changed .csproj file
  • Analyze the impact of the OpenTelemetry version update
  • Assess code quality and best practices
  • Check for potential bugs or issues
  • Evaluate performance considerations
  • Review security concerns
  • Consider test coverage requirements

Review Feedback

✅ Overall Assessment: APPROVED

This is a straightforward and safe dependency update that should be merged.

Code Quality & Best Practices

  • ✅ Good: The change follows standard dependency management practices
  • ✅ Good: Only updates the specific packages that need updating (selective approach)
  • ✅ Good: Maintains consistency by updating both related OpenTelemetry packages together

Potential Issues & Concerns

  • ⚠️ Version Inconsistency: The project has mixed OpenTelemetry package versions:

    • Updated packages: OpenTelemetry.Exporter.OpenTelemetryProtocol and OpenTelemetry.Extensions.Hosting → 1.13.1
    • Unchanged packages: OpenTelemetry.Instrumentation.* packages remain at 1.12.0

    Recommendation: Consider updating all OpenTelemetry packages to the latest compatible versions for consistency and to avoid potential compatibility issues.

Security Considerations

  • ✅ Positive: According to the release notes, this hotfix restores Sigstore signing artifacts that were missing in v1.13.0
  • ✅ Security Improvement: The update enhances DLL verification integrity using Sigstore cosign
  • ✅ Safe: Patch version updates typically don't introduce breaking changes

Performance Considerations

  • ✅ Neutral: Patch updates rarely include performance regressions
  • ✅ Low Risk: OpenTelemetry instrumentation impact should remain consistent
  • The release notes don't mention any performance-related changes

Test Coverage

  • ✅ Adequate: No additional test coverage required for dependency version bumps
  • Note: The change affects a template project (TUnit.Aspire.Starter), so the impact is on generated projects rather than core functionality
  • Observation: There's a snapshot test file that will need updating when the template tests run

Breaking Changes

  • ✅ None Expected: This is a patch release (1.13.0 → 1.13.1) focused solely on restoring signing artifacts

Recommendations

  1. Consider Full Update: Update remaining OpenTelemetry packages from 1.12.0 to 1.13.1 for version consistency
  2. Monitor: Watch for any issues after deployment, though none are expected
  3. Template Tests: Ensure template generation tests pass with the updated versions

File: ExampleNamespace.ServiceDefaults.csproj:15-16

- <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.13.0" />
- <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.13.0" />
+ <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.13.1" />
+ <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.13.1" />
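
Review bot: The version literal `1.13.1` is repeated on both `+` lines, so the two packages stay in step only as long as every future bump edits both. Since they moved together here (both 1.13.0 to 1.13.1), consider a single MSBuild property referenced from both `Version` attributes so a partial update cannot leave them on different releases.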

Verdict: This is a safe, security-positive dependency update that should be merged. The only consideration is whether to update the remaining OpenTelemetry packages for consistency.


@thomhurst thomhurst merged commit 8e2b1c3 into main Oct 10, 2025
13 checks passed
@thomhurst thomhurst deleted the renovate/opentelemetry branch October 10, 2025 22:06