
Commit 5f628e5

authored
Update plugin dependencies to address CVEs (#60)
* update dependencies * exclude package dependencies from local source manifest check
1 parent e5caab4 commit 5f628e5

7 files changed

Lines changed: 154 additions & 131 deletions


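--- a/.config/Dockerfile
+++ b/.config/Dockerfile
@@ -7,7 +7,7 @@ ARG anonymous_auth_enabled=true
 ARG development=false
 ARG TARGETARCH
 
-ARG GO_VERSION=1.21.6
+ARG GO_VERSION=1.25.9
 ARG GO_ARCH=${TARGETARCH:-amd64}
 
 ENV DEV "${development}"
@@ -73,4 +73,4 @@ RUN sed -i 's|</body>|<script src="http://localhost:35729/livereload.js"></scrip
 
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]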

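--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,7 +58,7 @@ jobs:
 if: steps.check-for-backend.outputs.has-backend == 'true'
 uses: actions/setup-go@v6
 with:
-go-version: '1.25.6'
+go-version: '1.25.9'
 
 - name: Golangci-lint
 if: steps.check-for-backend.outputs.has-backend == 'true'
@@ -123,7 +123,13 @@ jobs:
 continue-on-error: true
 run: |
 set -o pipefail
-npx -y @grafana/plugin-validator@latest -sourceCodeUri file://./ $PLUGIN_ARCHIVE 2>&1 | tee validate-output.txt
+SOURCE_DIR=$(mktemp -d)
+rsync -a \
+--exclude '.git' \
+--exclude 'dist' \
+--exclude 'node_modules' \
+./ "$SOURCE_DIR"/
+npx -y @grafana/plugin-validator@latest -sourceCodeUri "file://$SOURCE_DIR" $PLUGIN_ARCHIVE 2>&1 | tee validate-output.txt
 shell: bash
 env:
 PLUGIN_ARCHIVE: ${{ steps.metadata.outputs.archive }}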
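Review bot: The rsync excludes added in the second hunk (`--exclude 'dist'`, `--exclude 'node_modules'`, `--exclude '.git'`) are unanchored, so rsync drops a directory of that name at any depth; source kept under a nested `dist/` would silently leave the copy that the validator compares against the archive. If only the top-level build output and package tree are meant, anchor them to the transfer root: `--exclude '/.git' --exclude '/dist' --exclude '/node_modules'`. The temporary directory is never removed and `$PLUGIN_ARCHIVE` is expanded unquoted; `trap 'rm -rf "$SOURCE_DIR"' EXIT` after the `mktemp -d` line and `"$PLUGIN_ARCHIVE"` would cover both. The validator is still resolved as `@latest` at run time and the step keeps `continue-on-error: true`, so pinning the validator to a reviewed version would make this source check reproducible and its result easier to trust. The enclosing job and step start outside the hunk.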

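--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: grafana/plugin-actions/build-plugin@build-plugin/v1.0.2
 with:
-go-version: '1.25.6'
+go-version: '1.25.9'
 node-version: '20'
 policy_token: ${{ secrets.GRAFANA_ACCESS_POLICY_TOKEN }}
 attestation: true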

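--- a/go.mod
+++ b/go.mod
@@ -1,15 +1,17 @@
 module github.com/sift/grafana-datasource
 
-go 1.25.6
+go 1.25.7
 
 require (
-github.com/grafana/grafana-plugin-sdk-go v0.287.0
+github.com/grafana/grafana-plugin-sdk-go v0.291.0
 github.com/patrickmn/go-cache v2.1.0+incompatible
 )
 
 require (
-github.com/apache/arrow-go/v18 v18.5.1 // indirect
+github.com/apache/arrow-go/v18 v18.5.2 // indirect
 github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+github.com/clipperhouse/displaywidth v0.10.0 // indirect
+github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/gogo/googleapis v1.4.1 // indirect
 github.com/grafana/otel-profiling-go v0.5.1 // indirect
@@ -18,11 +20,13 @@ require (
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
 github.com/jaegertracing/jaeger-idl v0.6.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+github.com/olekukonko/errors v1.2.0 // indirect
+github.com/olekukonko/ll v0.1.6 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-github.com/rivo/uniseg v0.4.7 // indirect
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.yaml.in/yaml/v2 v2.4.3 // indirect
-golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect
+golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
 )
 
 require (
@@ -31,7 +35,7 @@ require (
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/cheekybits/genny v1.0.0 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
-github.com/fatih/color v1.15.0 // indirect
+github.com/fatih/color v1.18.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/goccy/go-json v0.10.5 // indirect
@@ -40,23 +44,23 @@ require (
 github.com/google/flatbuffers v25.12.19+incompatible // indirect
 github.com/google/go-cmp v0.7.0 // indirect
 github.com/google/uuid v1.6.0
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 github.com/hashicorp/go-hclog v1.6.3 // indirect
 github.com/hashicorp/go-plugin v1.7.0 // indirect
 github.com/hashicorp/yamux v0.1.2 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
-github.com/klauspost/compress v1.18.2 // indirect
+github.com/klauspost/compress v1.18.4 // indirect
 github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-github.com/magefile/mage v1.15.0 // indirect
+github.com/magefile/mage v1.16.1 // indirect
 github.com/mattetti/filebuffer v1.0.1 // indirect
-github.com/mattn/go-colorable v0.1.13 // indirect
+github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
-github.com/mattn/go-runewidth v0.0.16 // indirect
+github.com/mattn/go-runewidth v0.0.19 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/oklog/run v1.1.0 // indirect
-github.com/olekukonko/tablewriter v0.0.5 // indirect
-github.com/pierrec/lz4/v4 v4.1.23 // indirect
+github.com/olekukonko/tablewriter v1.1.4 // indirect
+github.com/pierrec/lz4/v4 v4.1.25 // indirect
 github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
 github.com/prometheus/common v0.67.5 // indirect
@@ -67,29 +71,29 @@ require (
 github.com/unknwon/com v1.0.1 // indirect
 github.com/unknwon/log v0.0.0-20150304194804-e617c87089d3 // indirect
 github.com/urfave/cli v1.22.17 // indirect
-github.com/zeebo/xxh3 v1.0.2 // indirect
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.64.0 // indirect
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.64.0 // indirect
-go.opentelemetry.io/contrib/propagators/jaeger v1.39.0 // indirect
-go.opentelemetry.io/contrib/samplers/jaegerremote v0.33.0 // indirect
-go.opentelemetry.io/otel v1.40.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 // indirect
-go.opentelemetry.io/otel/metric v1.40.0 // indirect
-go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-go.opentelemetry.io/otel/trace v1.40.0 // indirect
+github.com/zeebo/xxh3 v1.1.0 // indirect
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.67.0 // indirect
+go.opentelemetry.io/contrib/propagators/jaeger v1.42.0 // indirect
+go.opentelemetry.io/contrib/samplers/jaegerremote v0.36.0 // indirect
+go.opentelemetry.io/otel v1.43.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
+go.opentelemetry.io/otel/metric v1.43.0 // indirect
+go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+go.opentelemetry.io/otel/trace v1.43.0 // indirect
 go.opentelemetry.io/proto/otlp v1.9.0 // indirect
-golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9 // indirect
-golang.org/x/mod v0.32.0 // indirect
-golang.org/x/net v0.49.0 // indirect
-golang.org/x/sync v0.19.0
-golang.org/x/sys v0.40.0 // indirect
-golang.org/x/text v0.33.0 // indirect
-golang.org/x/tools v0.41.0 // indirect
+golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
+golang.org/x/mod v0.33.0 // indirect
+golang.org/x/net v0.52.0 // indirect
+golang.org/x/sync v0.20.0
+golang.org/x/sys v0.42.0 // indirect
+golang.org/x/text v0.35.0 // indirect
+golang.org/x/tools v0.42.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-google.golang.org/grpc v1.78.0 // indirect
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+google.golang.org/grpc v1.79.3 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect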
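Review bot: The `go` directive in the first hunk only moves to `go 1.25.7`, while the Dockerfile and both workflows in this commit pin the toolchain to 1.25.9, so a build outside CI with Go 1.25.7 still satisfies go.mod. If any of the CVEs this commit targets sit in the standard library or toolchain and were fixed after 1.25.7 (the page does not list them), such builds would miss the fix; adding `toolchain go1.25.9` below the directive, or raising it to `go 1.25.9`, keeps the floor aligned with what CI ships. The hunks also add five new indirect modules (`github.com/clipperhouse/*`, `github.com/olekukonko/cat`, `errors`, `ll`), so a `govulncheck ./...` step in CI would confirm the CVE claim against the resolved module graph rather than the version numbers alone.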
