renovate[bot]
commented
4 months ago ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):
- 7 additional dependencies were updated
Details:
| Package | Change |
|---|---|
golang.org/x/crypto |
v0.21.0 -> v0.24.0 |
golang.org/x/mod |
v0.14.0 -> v0.17.0 |
golang.org/x/net |
v0.23.0 -> v0.26.0 |
golang.org/x/sync |
v0.6.0 -> v0.7.0 |
golang.org/x/sys |
v0.18.0 -> v0.21.0 |
golang.org/x/text |
v0.14.0 -> v0.16.0 |
golang.org/x/tools |
v0.15.0 -> v0.21.1-0.20240508182429-e35e4ccd0d2d |
This PR contains the following updates:
v1.64.0->v1.64.1GitHub Vulnerability Alerts
GHSA-xr7q-jx4m-x55m
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
Release Notes
grpc/grpc-go (google.golang.org/grpc)
### [`v1.64.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.64.1): Release 1.64.1 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.64.0...v1.64.1) ### Dependencies - Update x/net/http2 to address [CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) ([#7352](https://togithub.com/grpc/grpc-go/issues/7352)) - metadata: remove String method from MD to make printing consistent ([#7374](https://togithub.com/grpc/grpc-go/issues/7374))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.