
Release/bump libraries #78

Open
wants to merge 3 commits into base: master

Conversation

fegger-ducksify

⬆️ Bump libraries

  • Upgraded github.com/google/uuid from v1.4.0 to v1.6.0
  • Upgraded github.com/prometheus/client_golang from v1.17.0 to v1.19.1
  • Upgraded github.com/prometheus/common from v0.44.0 to v0.55.0
  • Upgraded github.com/spf13/viper from v1.17.0 to v1.19.0
  • Upgraded github.com/stretchr/testify from v1.7.0 to v1.9.0
  • Upgraded go.uber.org/zap from v1.27.0 to v1.28.0
  • Upgraded golang.org/x/sys from v0.18.0 to v0.21.0
  • Upgraded golang.org/x/text from v0.15.0 to v0.16.0
  • Upgraded google.golang.org/protobuf from v1.32.0 to v1.34.2
  • Upgraded github.com/prometheus/procfs from v0.11.1 to v0.15.1
  • Upgraded github.com/rogpeppe/go-internal from v1.10.0 to v1.12.0
  • Upgraded github.com/sagikazarmark/locafero from v0.3.0 to v0.4.0
  • Upgraded github.com/spf13/afero from v1.10.0 to v1.11.0
  • Upgraded github.com/spf13/cast from v1.5.1 to v1.6.0
  • Upgraded go.opentelemetry.io/contrib from v1.19.0 to v1.28.0
  • Upgraded go.opentelemetry.io/otel from v1.18.0 to v1.28.0
  • Upgraded google.golang.org/grpc from 1.64.0 to 1.64.1

☝️ Dependency go:go.opentelemetry.io/contrib:v1.19.0 is vulnerable

Upgrade to 1.28.0

CVE-2023-47108, Score: 7.5

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. In versions through 0.45.0, and 1.0.0 through 1.20.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider.
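The advisory text above describes the unbounded-cardinality problem and the "view removing the attributes" workaround. The following Go example is added here and is not part of this PR or of the otelgrpc project: using only the standard library, it models a counter that keeps one series per distinct attribute set, once without filtering and once with a filter that drops net.peer.sock.addr and net.peer.sock.port the way a view would. The peer address, the port range and the Counter/DropPeerSocket names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attrs is the attribute set recorded with each metric point, mirroring the
// labels the otelgrpc unary server interceptor attached per request.
type Attrs map[string]string

// key renders an attribute set as a stable series key (sorted name=value pairs).
func key(a Attrs) string {
	names := make([]string, 0, len(a))
	for k := range a {
		names = append(names, k)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, k := range names {
		fmt.Fprintf(&b, "%s=%s;", k, a[k])
	}
	return b.String()
}

// Counter keeps one series per distinct attribute set. The optional filter
// plays the role of an OpenTelemetry view that removes attributes before recording.
type Counter struct {
	series map[string]int
	filter func(Attrs) Attrs
}

func NewCounter(filter func(Attrs) Attrs) *Counter {
	return &Counter{series: map[string]int{}, filter: filter}
}

// Add records one request; series count grows only when the (filtered) attribute set is new.
func (c *Counter) Add(a Attrs) {
	if c.filter != nil {
		a = c.filter(a)
	}
	c.series[key(a)]++
}

// Series returns how many distinct series (memory-resident label sets) exist.
func (c *Counter) Series() int { return len(c.series) }

// DropPeerSocket is a constructed filter removing the two unbounded peer attributes.
func DropPeerSocket(a Attrs) Attrs {
	out := Attrs{}
	for k, v := range a {
		if k == "net.peer.sock.addr" || k == "net.peer.sock.port" {
			continue
		}
		out[k] = v
	}
	return out
}

// Simulate records n requests from one constructed peer address using n distinct
// source ports and returns the series count without and with the filter.
func Simulate(n int) (unbounded, bounded int) {
	raw, filtered := NewCounter(nil), NewCounter(DropPeerSocket)
	for i := 0; i < n; i++ {
		a := Attrs{"rpc.service": "example.Svc", "rpc.method": "Ping",
			"net.peer.sock.addr": "198.51.100.7", "net.peer.sock.port": fmt.Sprint(10000 + i)}
		raw.Add(a)
		filtered.Add(a)
	}
	return raw.Series(), filtered.Series()
}

func main() {
	u, b := Simulate(10000)
	fmt.Printf("series without filter: %d, with peer attributes dropped: %d\n", u, b)
}
```

The unfiltered counter grows linearly with distinct peers, while the filtered one stays at a single series for the same service and method, which is the bound the view restores.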

fegger-ducksify and others added 3 commits July 15, 2024 23:46
- Upgraded `github.com/google/uuid` from v1.4.0 to v1.6.0
- Upgraded `github.com/prometheus/client_golang` from v1.17.0 to v1.19.1
- Upgraded `github.com/prometheus/common` from v0.44.0 to v0.55.0
- Upgraded `github.com/spf13/viper` from v1.17.0 to v1.19.0
- Upgraded `github.com/stretchr/testify` from v1.7.0 to v1.9.0
- Upgraded `go.uber.org/zap` from v1.27.0 to v1.28.0
- Upgraded `golang.org/x/sys` from v0.18.0 to v0.21.0
- Upgraded `golang.org/x/text` from v0.15.0 to v0.16.0
- Upgraded `google.golang.org/protobuf` from v1.32.0 to v1.34.2
- Upgraded `github.com/prometheus/procfs` from v0.11.1 to v0.15.1
- Upgraded `github.com/rogpeppe/go-internal` from v1.10.0 to v1.12.0
- Upgraded `github.com/sagikazarmark/locafero` from v0.3.0 to v0.4.0
- Upgraded `github.com/spf13/afero` from v1.10.0 to v1.11.0
- Upgraded `github.com/spf13/cast` from v1.5.1 to v1.6.0
- Upgraded `go.opentelemetry.io/contrib` from v1.19.0 to v1.28.0
- Upgraded `go.opentelemetry.io/otel` from v1.18.0 to v1.28.0
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.64.0 to 1.64.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.64.0...v1.64.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…ng.org/grpc-1.64.1

Bump google.golang.org/grpc from 1.64.0 to 1.64.1