fix(deps): bump prometheus/client_golang + Go 1.26 [IS-21913]#64
Draft
ozan-koksal wants to merge 3 commits into develop from
…S-21913] Addresses CVE-2022-21698 (GHSA-cg3q-j54f-5p7p) — Uncontrolled Resource Consumption in promhttp from prometheus/client_golang. The vulnerability allows unbounded cardinality and a potential memory exhaustion attack via HTTP requests with arbitrary methods. Fixed in v1.11.1+; bumped to the latest stable v1.20.5 (transitively pulled in by insrequester). Also bumps the Go directive to 1.26.0 across every sub-module for consistency with the project-wide toolchain upgrade.
Summary
Fixes CVE-2022-21698 (GHSA-cg3q-j54f-5p7p) — Uncontrolled Resource Consumption in `promhttp` from `github.com/prometheus/client_golang`. The vulnerability allows unbounded cardinality (and a potential memory-exhaustion DoS) via HTTP requests with arbitrary methods. Fixed in v1.11.1+; this PR bumps to the latest stable v1.20.5. It also bumps the Go directive in every sub-module to 1.26.0 for consistency with the project-wide toolchain upgrade.
Affected modules
- `insrequester` — direct upgrade of `github.com/prometheus/client_golang` from v0.9.2 -> v1.20.5 (indirect dep) + Go 1.24.0 -> 1.26.0
- `inscacheable`, `inscodeerr`, `insdash`, `insgorm`, `inskinesis`, `inslogger`, `insredis`, `inssentry`, `inssimpleroute`, `inssql`, `inssqs`, `insssm` — Go directive bump only (1.19/1.23.0 -> 1.26.0) + `go mod tidy`

`insrequester` is the only sub-module that references `prometheus/client_golang` (transitively via test deps); confirmed via `go list -m all` across every module.

Test plan

- `go build ./...` passes for every modified sub-module
- `go test ./...` passes for `insrequester`, `inscacheable`, `insdash`, `inskinesis` (the modules with tests)
- `inscodeerr`, `insgorm`, `inslogger`, `insredis`, `inssentry`, `inssimpleroute`, `inssql`, `insssm`)
- `inssqs` has a pre-existing test deadlock on `develop` (reproducible without these changes) — not introduced by this PR; tracked separately
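As an added illustration (written for this page, not code from this PR or from client_golang) of why the `promhttp` method label needed bounding: the same counting middleware is driven with 1000 constructed requests carrying distinct method tokens, once using the raw method as the label value and once through a closed allow-list of known methods, and the resulting number of series is compared. The allow-list function and helper names are assumptions that mirror the shape of the fix, not the library's own code.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownMethods is the closed set of label values allowed for "method"; anything
// else collapses to "unknown", so the series count is fixed whatever a client sends.
var knownMethods = map[string]bool{
	"get": true, "head": true, "post": true, "put": true, "delete": true,
	"connect": true, "options": true, "trace": true, "patch": true,
}

// sanitizeMethod bounds the label space (an illustration of the fixed behaviour,
// not the library's own code).
func sanitizeMethod(m string) string {
	if l := strings.ToLower(m); knownMethods[l] {
		return l
	}
	return "unknown"
}

// instrument counts requests in counts, keyed by the label labelFor derives from the
// raw method. counts stands in for a CounterVec with a "method" label (one key = one
// in-memory series); it is left unsynchronised because this demo is single-goroutine.
func instrument(next http.Handler, labelFor func(string) string, counts map[string]int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		counts[labelFor(r.Method)]++
		next.ServeHTTP(w, r)
	})
}

// seriesAfter sends n requests with n distinct constructed method tokens (M0, M1, ...)
// through an instrumented handler and returns how many series the counter now holds.
func seriesAfter(labelFor func(string) string, n int) int {
	counts := map[string]int{}
	h := instrument(http.NotFoundHandler(), labelFor, counts)
	for i := 0; i < n; i++ {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil))
	}
	return len(counts)
}

func main() {
	// Raw lowercased method as label: one series per distinct method (1000).
	fmt.Println("raw label:      ", seriesAfter(strings.ToLower, 1000))
	// Sanitized label: every unrecognised method shares one "unknown" series (1).
	fmt.Println("sanitized label:", seriesAfter(sanitizeMethod, 1000))
}
```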