chore: bump OTel vulnerable dep #916

Merged: mbevc1 merged 1 commit into main from 20260529_bump_otel on May 29, 2026

mbevc1 (Contributor) commented May 29, 2026

Use patched upstream dependency and fix Snyk reporting a vulnerability.

mbevc1 added the go and security labels May 29, 2026
mbevc1 enabled auto-merge (squash) May 29, 2026 11:54

claude (Bot, Contributor) commented May 29, 2026

Claude finished @mbevc1's task in 2s

Review: PR #916 — chore: bump OTel vulnerable dep

  • Phase 1: Static analysis (go build, go vet, go mod tidy)
  • Phase 2: Review dependency changes
  • Phase 3: Post review findings

Static Analysis

All checks pass:

  • go build ./... — compiles cleanly
  • go vet ./... — no issues
  • go mod tidy && git diff --exit-code go.mod go.sum — no drift, dependencies are consistent

Review

This PR bumps three OTel core API modules from v1.43.0 → v1.44.0:

  • go.opentelemetry.io/otel
  • go.opentelemetry.io/otel/metric
  • go.opentelemetry.io/otel/trace

The corresponding go.sum entries are updated accordingly. All OTel modules are indirect dependencies (not imported directly by this project).

Version consistency: The otel/sdk and otel/exporters/* modules remain at v1.43.0. This is fine — these are independently-versioned modules in the upstream OTel Go project, and go mod tidy confirms compatibility.

No issues found. The change is minimal, targeted, and correctly addresses the vulnerable dependency. The go.sum hashes are updated to match the new versions.

LGTM — clean dependency bump to patch a Snyk-reported vulnerability. 👍
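
Added example (not part of the PR or of the bot's review): a stdlib-only Go check, following the version-consistency point above, that the three bumped modules in a go.mod sit at or above a floor version, matching module paths exactly so independently versioned siblings such as otel/sdk are not swept in. The v1.44.0 floor, the `BelowFloor` and `older` names, and the go.mod fragment are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment using the module versions named in the review.
const sampleGoMod = `require (
	go.opentelemetry.io/otel v1.44.0 // indirect
	go.opentelemetry.io/otel/metric v1.44.0 // indirect
	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
	go.opentelemetry.io/otel/trace v1.44.0 // indirect
)
`

// older reports whether version a sorts before b (major.minor.patch only).
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i] // numeric compare, so v1.9.0 < v1.44.0
		}
	}
	return false
}

// BelowFloor lists required modules pinned below their floor version.
// Paths are matched exactly: otel/sdk is a separate module from otel.
func BelowFloor(gomod string, floors map[string]string) []string {
	var bad []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && floors[f[0]] != "" && older(f[1], floors[f[0]]) {
			bad = append(bad, f[0]+"@"+f[1])
		}
	}
	return bad
}

func main() {
	floors := map[string]string{} // assumed floor: the version this PR bumps to
	for _, m := range []string{"", "/metric", "/trace"} {
		floors["go.opentelemetry.io/otel"+m] = "v1.44.0"
	}
	fmt.Println(len(BelowFloor(sampleGoMod, floors)), "module(s) below floor")
}
```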

mbevc1 merged commit 5d1e130 into main May 29, 2026
16 checks passed
mbevc1 deleted the 20260529_bump_otel branch May 29, 2026 12:01