
fix(deps): bump go-jose and OpenTelemetry to address security alerts#1516

Open
merlimat wants to merge 1 commit into master from fix/security-dependency-bumps

Conversation

@merlimat

Contributor

Motivation

Several open Dependabot alerts affect Go module dependencies. This PR addresses the ones that have a published fix:

| Alert | Severity | Dependency | Exposure |
| --- | --- | --- | --- |
| #47 | high | github.com/go-jose/go-jose/v4 | runtime (pulsar/auth via AthenZ) |
| #44 | high | go.opentelemetry.io/otel/sdk | test-only (testcontainers → docker) |
| #49 | high | go.opentelemetry.io/otel/sdk | test-only |
| #48 | medium | .../otlptrace/otlptracehttp | test-only |

Modifications

  • Bump github.com/go-jose/go-jose/v4 4.0.5 → 4.1.4 (fixes the JWE decryption panic). This is the only runtime-impacting dependency here.
  • Bump the OpenTelemetry modules to v1.43.0 (otel, otel/sdk, otel/metric, otel/trace, otel/exporters/otlp/otlptrace/otlptracehttp). These are only reachable from the test binary (testcontainers-go → docker/docker). The large transitive bumps they trigger (grpc, golang.org/x/net) stay on the test side; the runtime-facing transitive bumps are limited to minor/patch versions (protobuf, golang.org/x/oauth2, golang.org/x/crypto).
  • go mod tidy additionally drops the already-unused github.com/99designs/keyring dependency tree.

The remaining github.com/docker/docker alerts (#45, #46, #50, #51, #52) are not addressed here: the latest published module (v28.5.2+incompatible) is still within their vulnerable ranges (the fixed v29.3.1 is not published as a Go module), and they are test-only.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a dependency upgrade without code changes; covered by the existing build and tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes (see above)
  • The public API: no
  • The schema: no
  • The default values of configurations: no
  • The wire protocol: no

Documentation

  • Does this pull request introduce a new feature? no

- go-jose/v4 4.0.5 -> 4.1.4 (JWE decryption panic; runtime, via pulsar/auth)
- OpenTelemetry modules -> 1.43.0 (PATH hijacking, unbounded OTLP response
  bodies; test-only via testcontainers -> docker)
- go mod tidy drops the already-unused 99designs/keyring dependency tree
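A CI-side check that the bump landed and does not regress, written as an added example for this PR (not the project's code and not the contributor's): it compares the versions a go.mod pins for the modules in the alert table against the fixed versions named in the description. The sample go.mod files are constructed; the pre-bump otel/sdk version in them is a placeholder below the fix.

```shell
#!/bin/sh
# Added example (not the project's code): check that a go.mod pins each module named in
# the alerts at or above its fixed version. Module names and minimum versions are from
# the PR description; the sample go.mod contents below are constructed.
MIN_VERSIONS="github.com/go-jose/go-jose/v4 v4.1.4
go.opentelemetry.io/otel/sdk v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0"

# version_ge A B: succeed when vMAJOR.MINOR.PATCH A >= B, comparing each field
# numerically and ignoring pre-release/build suffixes such as "+incompatible".
version_ge() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*//')
  printf '%s\n%s\n' "$a" "$b" | awk -F. '
    NR == 1 { a1 = $1; a2 = $2; a3 = $3 }
    NR == 2 { if (a1 != $1) exit !(a1 > $1)
              if (a2 != $2) exit !(a2 > $2)
              exit !(a3 >= $3) }'
}

# pinned_version MODULE GOMOD: print the version GOMOD requires for MODULE, for
# both the single-line "require m vN" and the "require ( ... )" block form.
pinned_version() {
  awk -v mod="$1" '$1 == "require" && $2 == mod { print $3 }; $1 == mod { print $2 }' "$2"
}

# check_gomod GOMOD: report each tracked module; return 1 if any is below its fix.
check_gomod() {
  rc=0
  while read -r mod min; do
    have=$(pinned_version "$mod" "$1")
    if [ -z "$have" ]; then
      echo "ABSENT  $mod"   # not required at all, so nothing to patch
    elif version_ge "$have" "$min"; then
      echo "OK      $mod $have (>= $min)"
    else
      echo "VULN    $mod $have (< $min)"; rc=1
    fi
  done <<EOF
$MIN_VERSIONS
EOF
  return $rc
}

# Constructed go.mod files: pre-bump (go-jose v4.0.5 as in the PR; the otel/sdk
# version is a placeholder below the fix) and post-bump.
GOMOD_BEFORE=$(mktemp); GOMOD_AFTER=$(mktemp)
printf 'module example.com/app\n\nrequire (\n\tgithub.com/go-jose/go-jose/v4 v4.0.5\n\tgo.opentelemetry.io/otel/sdk v1.42.0 // indirect\n)\n' > "$GOMOD_BEFORE"
printf 'module example.com/app\n\nrequire (\n\tgithub.com/go-jose/go-jose/v4 v4.1.4\n\tgo.opentelemetry.io/otel/sdk v1.43.0 // indirect\n)\n' > "$GOMOD_AFTER"
check_gomod "$GOMOD_BEFORE"; check_gomod "$GOMOD_AFTER"   # VULN/VULN/ABSENT then OK/OK/ABSENT
```

Running it against the real go.mod after `go get` and `go mod tidy` gives a non-zero exit as long as any tracked module is still inside its vulnerable range.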