chore(integrations): bump to GoSQLX v1.14.0 #509

Merged
ajitpratap0 merged 1 commit into main from chore/integrations-v1.14.0
Apr 11, 2026

@ajitpratap0
Owner

Summary

Follow-up to PR #508. Bumps the integration sub-modules to track the v1.14.0 release tag (which is now live on main).

Both sub-modules have `replace github.com/ajitpratap0/GoSQLX => ../../` directives, so the version pin in `require` only matters for published module consumers (`go get github.com/ajitpratap0/GoSQLX/integrations/opentelemetry@v1.14.0`).

Changes

  • `integrations/opentelemetry/go.mod`:
    • `github.com/ajitpratap0/GoSQLX` v1.13.0 → v1.14.0
    • `go.opentelemetry.io/otel{,/sdk,/trace,/metric}` v1.42.0 → v1.43.0 (CVE-2026-39883 fix)
  • `integrations/gorm/go.mod`:
    • `github.com/ajitpratap0/GoSQLX` v1.13.0 → v1.14.0

Test plan

  • `go mod tidy` clean in both sub-modules
  • `go test -race -timeout 60s ./...` passes in integrations/opentelemetry
  • `go test -race -timeout 60s ./...` passes in integrations/gorm
  • CI integrations.yml workflow green

🤖 Generated with Claude Code

Bumps integration sub-modules to track the v1.14.0 release tag:

- integrations/opentelemetry: GoSQLX v1.13.0 -> v1.14.0
  Also bumps otel SDK v1.42.0 -> v1.43.0 (CVE-2026-39883 fix)
- integrations/gorm: GoSQLX v1.13.0 -> v1.14.0

Both sub-modules use replace directives pointing at ../../ so the
version pin only affects published module consumers. Tests pass:
- integrations/opentelemetry: go test -race -timeout 60s (PASS)
- integrations/gorm: go test -race -timeout 60s (PASS)

Follow-up to #508 (v1.14.0 release prep).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel

vercel bot commented Apr 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| gosqlx-website | Ready | Preview, Comment | Apr 11, 2026 7:20pm |

@github-actions

github-actions bot commented Apr 11, 2026

Claude finished @ajitpratap0's task —— View job


Code Review Complete ✅

I've reviewed this PR for code quality, potential bugs, performance considerations, security concerns, and test coverage.

Review Checklist

  • Read and analyze changed files
  • Evaluate dependency version updates
  • Assess security implications of CVE fix
  • Review replace directive strategy
  • Check test coverage adequacy
  • Provide comprehensive feedback

Review Summary

This is a clean and well-executed dependency bump that follows best practices. The PR appropriately updates integration sub-modules to track the v1.14.0 release while addressing a critical security vulnerability.

✅ Strengths

Security

  • Critical CVE fix: Properly addresses CVE-2026-39883 by upgrading OpenTelemetry from v1.42.0 → v1.43.0
  • Security impact: HIGH severity vulnerability in go.opentelemetry.io/otel/sdk is resolved
  • Documentation: CVE is well-documented in CHANGELOG.md and already added to .trivyignore (showing good security practices)

Code Quality

  • Clean changes: Only version updates, no code modifications required
  • Consistent approach: Both integration modules updated uniformly (v1.13.0 → v1.14.0)
  • Proper module structure: replace directives correctly point to ../../ for local development

Dependency Management

  • Go 1.26.1: Both modules correctly specify the required Go version
  • Minimal dependencies: Clean dependency trees with appropriate indirect dependencies
  • Version consistency: All OpenTelemetry packages consistently updated to v1.43.0

Testing & Validation

  • Manual verification: Test plan shows proper go mod tidy and race testing completed
  • Existing tests: Both modules have adequate test coverage for their functionality
    • integrations/opentelemetry/otel_test.go: Tests span creation and tracing integration
    • integrations/gorm/plugin_test.go: Tests GORM plugin functionality

🔍 Technical Analysis

Module Architecture (integrations/*/go.mod)

```
// Excellent pattern: local development + published versioning
require github.com/ajitpratap0/GoSQLX v1.14.0  // For published consumers
replace github.com/ajitpratap0/GoSQLX => ../../  // For local development
```

This approach ensures:

  • Local development uses current codebase (../../)
  • Published modules reference correct tagged version (v1.14.0)
  • Consumers can `go get github.com/ajitpratap0/GoSQLX/integrations/opentelemetry@v1.14.0`

OpenTelemetry Updates (integrations/opentelemetry/go.mod:7-10,18)

All OTel packages consistently upgraded:

  • go.opentelemetry.io/otel: v1.42.0 → v1.43.0
  • go.opentelemetry.io/otel/sdk: v1.42.0 → v1.43.0
  • go.opentelemetry.io/otel/trace: v1.42.0 → v1.43.0
  • go.opentelemetry.io/otel/metric: v1.42.0 → v1.43.0 (indirect)

GORM Integration (integrations/gorm/go.mod:6)

Minimal, focused update - only the GoSQLX dependency version changed, which is exactly what's needed.

⚠️ Minor Considerations

CI Pipeline

  • Final CI validation still pending (marked as [ ] CI integrations.yml workflow green)
  • Recommend waiting for CI completion before merge to ensure no integration issues

Version Alignment

  • Verify the main module's go.mod also tracks v1.14.0 to maintain consistency across the repository
  • Consider adding integration tests that validate cross-module compatibility

📊 Performance & Compatibility Impact

  • Performance: ✅ No performance impact expected - pure version bumps
  • Breaking Changes: ✅ None - this is a drop-in upgrade per changelog
  • Backward Compatibility: ✅ Maintained - semantic versioning respected

🛡️ Security Assessment

  • High Priority: CVE-2026-39883 fix is critical and properly implemented
  • Dependency Security: All updated dependencies are from trusted sources
  • No Vulnerabilities Introduced: Clean dependency updates with no new security concerns

🏆 Recommendation

APPROVE - This PR demonstrates excellent dependency management practices:

  • Security-conscious (addresses CVE promptly)
  • Well-tested (manual validation completed)
  • Properly documented (clear changelog entries)
  • Follows semantic versioning
  • Maintains clean module architecture

The only blocker is awaiting CI completion, which should be straightforward given the nature of the changes.


Job Run: https://github.com/ajitpratap0/GoSQLX/actions/runs/24289715577

@ajitpratap0 ajitpratap0 merged commit e6a47df into main Apr 11, 2026
24 checks passed
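
Because the `replace` directive discussed in this thread makes local builds and tests ignore the `require` pin, a stale pin is only visible to published consumers, so it has to be checked by reading go.mod itself. The following is an added example, not code from this PR or the GoSQLX project: a shell function that reports `require` pins below a given floor, run on a constructed go.mod. The names `audit_gomod` and `sample_gomod` and the `PREFIX=FLOOR` argument form are assumptions, and the floors are the versions this PR bumps to.

```shell
#!/bin/sh
# Added example, not GoSQLX project code; audit_gomod, sample_gomod and the
# PREFIX=FLOOR argument form are hypothetical names introduced here.
# Usage: audit_gomod PREFIX=FLOOR... < go.mod   (exit status 1 when a pin is stale)
audit_gomod() {
  awk -v floors="$*" '
    # older(a, b): true when vMAJOR.MINOR.PATCH a precedes b; suffixes are ignored
    function older(a, b,   x, y, i) {
      sub(/^v/, "", a); sub(/[-+].*/, "", a); split(a, x, ".")
      sub(/^v/, "", b); sub(/[-+].*/, "", b); split(b, y, ".")
      for (i = 1; i <= 3; i++) if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0)
      return 0
    }
    BEGIN { n = split(floors, kv, /[ =]/); for (i = 1; i < n; i += 2) floor[kv[i]] = kv[i + 1] }
    { sub(/\/\/.*/, "") }                      # strip comments such as "// indirect"
    $2 == "(" { block = $1; next }             # entering "require (" or "replace ("
    $1 == ")" { block = ""; next }
    block != "" && NF { $0 = block " " $0 }    # block lines become single-line directives
    $1 == "require" && NF >= 3 { ver[$2] = $3; order[++m] = $2 }
    $1 == "replace" && NF >= 4 { replaced[$2] = 1 }
    END {
      for (i = 1; i <= m; i++) for (pre in floor) {
        p = order[i]
        if ((p == pre || index(p, pre "/") == 1) && older(ver[p], floor[pre])) {
          printf "%s %s < %s replaced=%s\n", p, ver[p], floor[pre], (p in replaced) ? "yes" : "no"
          bad = 1
        }
      }
      exit bad + 0
    }'
}

# Constructed sample (not the real file): a half-finished bump of the sub-module.
sample_gomod() {
  cat <<'EOF'
module github.com/ajitpratap0/GoSQLX/integrations/opentelemetry
go 1.26.1
require (
    github.com/ajitpratap0/GoSQLX v1.13.0
    go.opentelemetry.io/otel v1.43.0
    go.opentelemetry.io/otel/sdk v1.42.0
)
require go.opentelemetry.io/otel/metric v1.42.0 // indirect
replace github.com/ajitpratap0/GoSQLX => ../../
EOF
}

sample_gomod | audit_gomod github.com/ajitpratap0/GoSQLX=v1.14.0 \
  go.opentelemetry.io/otel=v1.43.0 || echo "stale pins: fail the release job"
```

A finding with `replaced=yes` means the local `go test` run used the replacement path and never exercised the pinned version.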