chore(deps): Update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cloudevents/sdk-go/v2	v2.14.0 -> v2.15.2

GitHub Vulnerability Alerts

CVE-2024-28110

Impact

What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

if p.Client == nil {
  p.Client = **http.DefaultClient**
}

if p.roundTripper != nil {
  p.Client.**Transport = p.roundTripper**
}

When the transport is populated with an authenticated transport such as:

• oauth2.Transport
• idtoken.NewClient(...).Transport

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!

Found and patched by: @​tcnghia and @​mattmoor

Patches

v.2.15.2

---

Release Notes

cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2)

### [`v2.15.2`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.2) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.15.1...v2.15.2) ##### What's Changed - Patch for a potential security issue. See [CVE-2024-28110](TBD). - Note: this could be a breaking change for people if they purposely change golang's HTTP `DefaultClient`, or change the CloudEvents `Client` returned from `NewClient`, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth **Full Changelog**: https://github.com/cloudevents/sdk-go/compare/v2.15.1...v2.15.2 ### [`v2.15.1`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.1) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.15.0...v2.15.1) #### What's Changed - Bump andstor/file-existence-action from 2 to 3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1009](https://togithub.com/cloudevents/sdk-go/pull/1009) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/conformance by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/993](https://togithub.com/cloudevents/sdk-go/pull/993) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/benchmark by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/994](https://togithub.com/cloudevents/sdk-go/pull/994) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/kafka by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/995](https://togithub.com/cloudevents/sdk-go/pull/995) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/integration by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/996](https://togithub.com/cloudevents/sdk-go/pull/996) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/kafka_sarama/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/997](https://togithub.com/cloudevents/sdk-go/pull/997) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/http by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/998](https://togithub.com/cloudevents/sdk-go/pull/998) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/nats by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/999](https://togithub.com/cloudevents/sdk-go/pull/999) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/stan by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1004](https://togithub.com/cloudevents/sdk-go/pull/1004) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/nats_jetstream by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1003](https://togithub.com/cloudevents/sdk-go/pull/1003) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/nats/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1002](https://togithub.com/cloudevents/sdk-go/pull/1002) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/nats_jetstream/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1001](https://togithub.com/cloudevents/sdk-go/pull/1001) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/stan/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1000](https://togithub.com/cloudevents/sdk-go/pull/1000) - Propose the `confluent-kafka-go` binding for Kafka by [@​yanmxa](https://togithub.com/yanmxa) in [https://github.com/cloudevents/sdk-go/pull/1008](https://togithub.com/cloudevents/sdk-go/pull/1008) - Sync CESQL tck tests by [@​Cali0707](https://togithub.com/Cali0707) in [https://github.com/cloudevents/sdk-go/pull/1010](https://togithub.com/cloudevents/sdk-go/pull/1010) - Fix docstring typos in nats and jetstream protocol by [@​jafossum](https://togithub.com/jafossum) in [https://github.com/cloudevents/sdk-go/pull/1013](https://togithub.com/cloudevents/sdk-go/pull/1013) - Bump golangci/golangci-lint-action from 3 to 4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1016](https://togithub.com/cloudevents/sdk-go/pull/1016) - Bump the bundler group across 1 directories with 1 update by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1011](https://togithub.com/cloudevents/sdk-go/pull/1011) - Remove vi swp file by [@​duglin](https://togithub.com/duglin) in [https://github.com/cloudevents/sdk-go/pull/1020](https://togithub.com/cloudevents/sdk-go/pull/1020) #### New Contributors - [@​Cali0707](https://togithub.com/Cali0707) made their first contribution in [https://github.com/cloudevents/sdk-go/pull/1010](https://togithub.com/cloudevents/sdk-go/pull/1010) - [@​jafossum](https://togithub.com/jafossum) made their first contribution in [https://github.com/cloudevents/sdk-go/pull/1013](https://togithub.com/cloudevents/sdk-go/pull/1013) **Full Changelog**: https://github.com/cloudevents/sdk-go/compare/v2.15.0...v2.15.1 ### [`v2.15.0`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.0) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.14.0...v2.15.0) ##### Highlights 💫 This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules. ##### Breaking 🚨 The Kafka Sarama protocol now uses the `"github.com/IBM/sarama"` Go module import path. ##### Commits 📄 [`896e1d0`](https://togithub.com/cloudevents/sdk-go/commit/896e1d0) Update README.md [`75ec0f2`](https://togithub.com/cloudevents/sdk-go/commit/75ec0f2) Bump actions/setup-go from 4 to 5 [`41e80f7`](https://togithub.com/cloudevents/sdk-go/commit/41e80f7) fixed couple issues [`9ccd339`](https://togithub.com/cloudevents/sdk-go/commit/9ccd339) bugfix_value_type_of_dataschema [`c8cbca9`](https://togithub.com/cloudevents/sdk-go/commit/c8cbca9) adds unique package name for import [`f1bca09`](https://togithub.com/cloudevents/sdk-go/commit/f1bca09) relative .pb.go generation, go_package set to package name [`c20eef2`](https://togithub.com/cloudevents/sdk-go/commit/c20eef2) bump the pahao mqtt to v0.12 [`ed7be6b`](https://togithub.com/cloudevents/sdk-go/commit/ed7be6b) Add WithCustomAttributes for PubSub [`be31358`](https://togithub.com/cloudevents/sdk-go/commit/be31358) returning the error when doing a nack in the message [`ecead5c`](https://togithub.com/cloudevents/sdk-go/commit/ecead5c) Make a few comments a bit clearer [`57be3cd`](https://togithub.com/cloudevents/sdk-go/commit/57be3cd) Try to make sure the Receiver starts before we send events [`f5c7061`](https://togithub.com/cloudevents/sdk-go/commit/f5c7061) Try to fix race again - don't reuse clients for sender/receiver [`8bea925`](https://togithub.com/cloudevents/sdk-go/commit/8bea925) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http [`fa6be00`](https://togithub.com/cloudevents/sdk-go/commit/fa6be00) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2 [`7e05ecd`](https://togithub.com/cloudevents/sdk-go/commit/7e05ecd) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub [`13825ba`](https://togithub.com/cloudevents/sdk-go/commit/13825ba) Sleep less to avoid timeouts [`3162d69`](https://togithub.com/cloudevents/sdk-go/commit/3162d69) Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2 [`ec8b0f9`](https://togithub.com/cloudevents/sdk-go/commit/ec8b0f9) deps: update nats dependencies [`dae9f6c`](https://togithub.com/cloudevents/sdk-go/commit/dae9f6c) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`1d6360b`](https://togithub.com/cloudevents/sdk-go/commit/1d6360b) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`06658a2`](https://togithub.com/cloudevents/sdk-go/commit/06658a2) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`7c1a3b1`](https://togithub.com/cloudevents/sdk-go/commit/7c1a3b1) fix race [`6f5984b`](https://togithub.com/cloudevents/sdk-go/commit/6f5984b) Move to go 1.18 Had to run gofmt and fix some weird typos due to tabs in the comments [`0a006bb`](https://togithub.com/cloudevents/sdk-go/commit/0a006bb) Fix race condition in kafka tests [`510b002`](https://togithub.com/cloudevents/sdk-go/commit/510b002) issue 814 - Add binary content mode for NATS and JetStream protocols [`ac3d30c`](https://togithub.com/cloudevents/sdk-go/commit/ac3d30c) add link to our security mailing list [`9405398`](https://togithub.com/cloudevents/sdk-go/commit/9405398) Bump golang.org/x/net in /observability/opencensus/v2 [`3cbfae0`](https://togithub.com/cloudevents/sdk-go/commit/3cbfae0) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2 [`65eb52e`](https://togithub.com/cloudevents/sdk-go/commit/65eb52e) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2 [`d25d6e4`](https://togithub.com/cloudevents/sdk-go/commit/d25d6e4) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub [`e4653a8`](https://togithub.com/cloudevents/sdk-go/commit/e4653a8) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance [`6ed9f79`](https://togithub.com/cloudevents/sdk-go/commit/6ed9f79) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http [`6a3393c`](https://togithub.com/cloudevents/sdk-go/commit/6a3393c) Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark [`806ef35`](https://togithub.com/cloudevents/sdk-go/commit/806ef35) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka [`de13f1b`](https://togithub.com/cloudevents/sdk-go/commit/de13f1b) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration [`3eefeb1`](https://togithub.com/cloudevents/sdk-go/commit/3eefeb1) Governance docs per CE PR 1226 [`1bcaa28`](https://togithub.com/cloudevents/sdk-go/commit/1bcaa28) Update links to cloudevents spec [`6aa2742`](https://togithub.com/cloudevents/sdk-go/commit/6aa2742) context.Done() may never reach if waiting on r.incoming <- msgErr [`4bcddda`](https://togithub.com/cloudevents/sdk-go/commit/4bcddda) move it to write message [`d06aea7`](https://togithub.com/cloudevents/sdk-go/commit/d06aea7) clean the the previous properties [`0cc4fba`](https://togithub.com/cloudevents/sdk-go/commit/0cc4fba) Bump actions/checkout from 3 to 4 [`f1c0d0a`](https://togithub.com/cloudevents/sdk-go/commit/f1c0d0a) change denpendency sarama from Shopify to IBM [`f84be73`](https://togithub.com/cloudevents/sdk-go/commit/f84be73) Updated based on feedback [`310da90`](https://togithub.com/cloudevents/sdk-go/commit/310da90) Support ACK when receiving malformed events [`808bf38`](https://togithub.com/cloudevents/sdk-go/commit/808bf38) provide the qos and retain configuration for mqtt protocol [`e085f1a`](https://togithub.com/cloudevents/sdk-go/commit/e085f1a) correct the doc links [`766b88e`](https://togithub.com/cloudevents/sdk-go/commit/766b88e) remove the usage of deprecated io/ioutil package [`e15d03d`](https://togithub.com/cloudevents/sdk-go/commit/e15d03d) add assertion helper for extension keys ([#​920](https://togithub.com/cloudevents/sdk-go/issues/920)) [`c1482af`](https://togithub.com/cloudevents/sdk-go/commit/c1482af) append mqtt to the doc of protocol binding ([#​919](https://togithub.com/cloudevents/sdk-go/issues/919)) [`ff22db5`](https://togithub.com/cloudevents/sdk-go/commit/ff22db5) Bump andstor/file-existence-action from 1 to 2 ([#​917](https://togithub.com/cloudevents/sdk-go/issues/917)) [`bf156f1`](https://togithub.com/cloudevents/sdk-go/commit/bf156f1) call finish on unused messages; tidy retry logic [`fdcb2d2`](https://togithub.com/cloudevents/sdk-go/commit/fdcb2d2) mqtt protocol binding ([#​910](https://togithub.com/cloudevents/sdk-go/issues/910)) [`f681ac6`](https://togithub.com/cloudevents/sdk-go/commit/f681ac6) Bump grpc dependencies and workflow versions ([#​914](https://togithub.com/cloudevents/sdk-go/issues/914)) [`c684ae9`](https://togithub.com/cloudevents/sdk-go/commit/c684ae9) vote to add embano1 as a maintainer [`50b18a0`](https://togithub.com/cloudevents/sdk-go/commit/50b18a0) Bump golang.org/x/crypto in /samples/http ([#​902](https://togithub.com/cloudevents/sdk-go/issues/902)) [`5232986`](https://togithub.com/cloudevents/sdk-go/commit/5232986) http: Fixes for Gin http receiver sample ([#​905](https://togithub.com/cloudevents/sdk-go/issues/905)) [`9970acc`](https://togithub.com/cloudevents/sdk-go/commit/9970acc) Added a Gin http receiver sample ([#​842](https://togithub.com/cloudevents/sdk-go/issues/842)) [`b7a65db`](https://togithub.com/cloudevents/sdk-go/commit/b7a65db) add kafka topic/partition/offset to the extension of event ([#​896](https://togithub.com/cloudevents/sdk-go/issues/896)) [`bc9170f`](https://togithub.com/cloudevents/sdk-go/commit/bc9170f) Short-circuit AND expressions ([#​899](https://togithub.com/cloudevents/sdk-go/issues/899)) [`eae656f`](https://togithub.com/cloudevents/sdk-go/commit/eae656f) Bump nokogiri from 1.14.2 to 1.14.3 in /docs ([#​891](https://togithub.com/cloudevents/sdk-go/issues/891)) [`ff0a142`](https://togithub.com/cloudevents/sdk-go/commit/ff0a142) fix: Fixing syntax errors and add some test feedback ([#​892](https://togithub.com/cloudevents/sdk-go/issues/892)) [`55e5dba`](https://togithub.com/cloudevents/sdk-go/commit/55e5dba) Update RELEASING to be more explicit

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[dpebot]

/gcbrun