update protobuf version for CVE
Pull request overview
Updates the project’s Go toolchain and key telemetry/metrics dependencies (Prometheus + OpenTelemetry), likely in response to security/CVE concerns, and refreshes the container build/runtime base images accordingly.
Changes:
- Bumped Go version in `go.mod` and the build image to Go 1.25.
- Upgraded Prometheus and OpenTelemetry dependencies (and associated indirect dependencies).
- Moved the runtime container base from distroless Debian 11 to Debian 12.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Raises Go version and updates direct/indirect dependency versions (Prometheus, OTel, etc.). |
| go.sum | Refreshes dependency checksums to match the upgraded module graph. |
| Dockerfile | Updates Go builder image and distroless runtime base to newer Debian generation. |
| module github.com/masih/fdbmeter | ||
|
|
||
| go 1.20 | ||
| go 1.25.0 |
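Review bot: The `go` line jumps from 1.20 to 1.25.0 while the PR is titled as a protobuf CVE update and carries no description. Since Go 1.21 this line is an enforced minimum for everyone who builds or imports the module, so state why the floor has to move this far, or set it to the lowest version the upgraded dependencies actually require. If a newer compiler is only wanted for this repo's own builds, a separate `toolchain` line expresses that without raising the minimum.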
The module Go version is now set to go 1.25.0, but the repo’s GitHub Actions workflow still pins Go 1.20.x (see .github/workflows/test.yml). With Go 1.20 the build/tests will fail because it can’t satisfy (and may not parse) a go directive this new. Update CI (and any other build tooling) to use Go >= 1.25, and consider using the canonical go 1.25 format in go.mod to avoid version-parsing issues across tooling.
| go 1.25.0 | |
| go 1.25 |
Thanks for contributing. Please also bump go version used by gha workflow.
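The mismatch raised in the review above, as an added example that is not part of the PR or the project's code: a standard-library-only Go check that compares the `go` directive in go.mod with the Go version a workflow pins. The workflow snippet (`actions/setup-go`, `go-version: "1.20.x"`) and all function names are assumptions, since the page does not show `.github/workflows/test.yml`.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed inputs: the go.mod lines come from the diff; the workflow text is assumed.
const sampleGoMod = "module github.com/masih/fdbmeter\n\ngo 1.25.0\n"
const sampleWorkflow = "    - uses: actions/setup-go@v5\n      with:\n        go-version: \"1.20.x\"\n"
var goDirective = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
var ciPin = regexp.MustCompile(`(?m)^\s*go-version:\s*['"]?(\d+\.\d+(?:\.(?:\d+|x))?)['"]?\s*$`)

// parse splits "1.25.0", "1.25" or "1.20.x" into major, minor, patch; a missing or wildcard patch is -1.
func parse(v string) [3]int {
	out := [3]int{0, 0, -1}
	for i, p := range strings.Split(v, ".") {
		if n, err := strconv.Atoi(p); err == nil {
			out[i] = n
		}
	}
	return out
}

// pinSatisfies reports whether the CI pin can provide a toolchain at least as new as go.mod requires.
func pinSatisfies(pin, min [3]int) bool {
	for i := 0; i < 2; i++ {
		if pin[i] != min[i] {
			return pin[i] > min[i]
		}
	}
	return pin[2] == -1 || pin[2] >= min[2]
}

// CheckDrift returns an error when the workflow's Go pin is older than the go directive.
func CheckDrift(goMod, workflow string) error {
	m, p := goDirective.FindStringSubmatch(goMod), ciPin.FindStringSubmatch(workflow)
	if m == nil || p == nil {
		return fmt.Errorf("go directive or go-version pin not found")
	}
	if !pinSatisfies(parse(p[1]), parse(m[1])) {
		return fmt.Errorf("CI pins Go %s but go.mod requires %s", p[1], m[1])
	}
	return nil
}

func main() { fmt.Println(CheckDrift(sampleGoMod, sampleWorkflow)) }
```

Run as a pre-merge step, a non-nil result fails the job before a dependency bump lands with a toolchain the pipeline cannot build.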
No description provided.