fix(deps): bump go-jose and OpenTelemetry to address security alerts #1516
Open
merlimat wants to merge 1 commit into
Conversation
- go-jose/v4 4.0.5 -> 4.1.4 (JWE decryption panic; runtime, via pulsar/auth)
- OpenTelemetry modules -> 1.43.0 (PATH hijacking, unbounded OTLP response bodies; test-only via testcontainers -> docker)
- go mod tidy drops the already-unused 99designs/keyring dependency tree
Motivation
Several open Dependabot alerts affect Go module dependencies. This PR addresses the ones that have a published fix:
- github.com/go-jose/go-jose/v4 (pulsar/auth via AthenZ)
- go.opentelemetry.io/otel/sdk
- go.opentelemetry.io/otel/sdk.../otlptrace/otlptracehttp
Modifications
- github.com/go-jose/go-jose/v4 4.0.5 → 4.1.4 (fixes the JWE decryption panic). This is the only runtime-impacting dependency here.
- OpenTelemetry modules → v1.43.0 (otel, otel/sdk, otel/metric, otel/trace, otel/exporters/otlp/otlptrace/otlptracehttp). These are only reachable from the test binary (testcontainers-go → docker/docker). The large transitive bumps they trigger (grpc, golang.org/x/net) stay on the test side; the runtime-facing transitive bumps are limited to minor/patch versions (protobuf, golang.org/x/oauth2, golang.org/x/crypto).
- go mod tidy additionally drops the already-unused github.com/99designs/keyring dependency tree.
The remaining github.com/docker/docker alerts (#45, #46, #50, #51, #52) are not addressed here: the latest published module (v28.5.2+incompatible) is still within their vulnerable ranges (the fixed v29.3.1 is not published as a Go module), and they are test-only.
Verifying this change
This change is a dependency upgrade without code changes; covered by the existing build and tests.
Does this pull request potentially affect one of the following parts:
Documentation