⬆️ Bump libraries
github.com/google/uuid from v1.4.0 to v1.6.0
github.com/prometheus/client_golang from v1.17.0 to v1.19.1
github.com/prometheus/common from v0.44.0 to v0.55.0
github.com/spf13/viper from v1.17.0 to v1.19.0
github.com/stretchr/testify from v1.7.0 to v1.9.0
go.uber.org/zap from v1.27.0 to v1.28.0
golang.org/x/sys from v0.18.0 to v0.21.0
golang.org/x/text from v0.15.0 to v0.16.0
google.golang.org/protobuf from v1.32.0 to v1.34.2
github.com/prometheus/procfs from v0.11.1 to v0.15.1
github.com/rogpeppe/go-internal from v1.10.0 to v1.12.0
github.com/sagikazarmark/locafero from v0.3.0 to v0.4.0
github.com/spf13/afero from v1.10.0 to v1.11.0
github.com/spf13/cast from v1.5.1 to v1.6.0
go.opentelemetry.io/contrib from v1.19.0 to v1.28.0
go.opentelemetry.io/otel from v1.18.0 to v1.28.0

☝️ Dependency go:go.opentelemetry.io/contrib:v1.19.0 is vulnerable
Upgrade to 1.28.0
CVE-2023-47108, Score: 7.5
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. In versions through 0.45.0, and 1.0.0 through 1.20.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider.
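The advisory above turns on one mechanism: a metrics SDK keeps one time series per distinct attribute set, so an attribute whose value is chosen by the remote peer (its socket address and port) lets the number of series grow without bound. The following is an added, stand-alone Go model written for this page; it is not the OpenTelemetry SDK, otelgrpc, or this project's code. The Counter, Attr, Filter and DenyKeys names are constructed for the illustration, and the simulated client addresses are constructed sample input. It shows the series count with the per-peer attributes kept, and with them dropped by a key-denying filter, which is the role a metric view's attribute filter plays in the real SDK (the view API itself is not shown on this page).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attr is one metric attribute (label) as key/value strings.
type Attr struct{ Key, Value string }

// Filter has the shape of an attribute filter: return true to keep the attribute.
type Filter func(Attr) bool

// Counter is a toy instrument: one series (map entry) per distinct attribute set.
// Every new attribute set costs memory for the lifetime of the process, which is
// the cardinality problem the advisory describes.
type Counter struct {
	filter Filter
	series map[string]int64
}

// NewCounter returns a Counter that applies f before choosing a series (nil keeps all).
func NewCounter(f Filter) *Counter {
	return &Counter{filter: f, series: make(map[string]int64)}
}

// encode produces a canonical key so the same attribute set always hits the same series.
func encode(attrs []Attr) string {
	sorted := make([]Attr, len(attrs))
	copy(sorted, attrs)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Key < sorted[j].Key })
	var b strings.Builder
	for _, a := range sorted {
		b.WriteString(a.Key)
		b.WriteByte('=')
		b.WriteString(a.Value)
		b.WriteByte(';')
	}
	return b.String()
}

// Add records n against the series selected by the filtered attribute set.
func (c *Counter) Add(n int64, attrs []Attr) {
	kept := make([]Attr, 0, len(attrs))
	for _, a := range attrs {
		if c.filter == nil || c.filter(a) {
			kept = append(kept, a)
		}
	}
	c.series[encode(kept)] += n
}

// SeriesCount is the number of distinct series held in memory.
func (c *Counter) SeriesCount() int { return len(c.series) }

// DenyKeys returns a Filter that drops attributes whose key is in keys
// (constructed helper; the mitigation the advisory calls "a view removing the attributes").
func DenyKeys(keys ...string) Filter {
	deny := make(map[string]struct{}, len(keys))
	for _, k := range keys {
		deny[k] = struct{}{}
	}
	return func(a Attr) bool {
		_, drop := deny[a.Key]
		return !drop
	}
}

// recordPeers simulates n calls to one RPC method, each from a distinct
// client socket (constructed addresses; n must stay below 65536 for uniqueness).
func recordPeers(c *Counter, n int) {
	for i := 0; i < n; i++ {
		c.Add(1, []Attr{
			{"rpc.service", "example.Service"},
			{"rpc.method", "Get"},
			{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)},
			{"net.peer.sock.port", fmt.Sprintf("%d", 1024+i%60000)},
		})
	}
}

// SeriesWithoutFilter: per-peer attributes kept, so series grow one per client.
func SeriesWithoutFilter(n int) int {
	c := NewCounter(nil)
	recordPeers(c, n)
	return c.SeriesCount()
}

// SeriesWithDenyFilter: per-peer attributes removed, so series stay bounded by
// the number of distinct service/method pairs (here, one).
func SeriesWithDenyFilter(n int) int {
	c := NewCounter(DenyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	recordPeers(c, n)
	return c.SeriesCount()
}

func main() {
	fmt.Println("series without filter:", SeriesWithoutFilter(50000))
	fmt.Println("series with deny filter:", SeriesWithDenyFilter(50000))
}
```

The same bounded result is what the advisory's second workaround achieves more bluntly: handing otelgrpc a no-op meter provider records nothing at all, trading the gRPC metrics for a fixed memory footprint, whereas a view that filters only the two peer attributes keeps the per-method metrics.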