search

crossplane / crossplane-runtime

A set of libraries for writing Crossplane controllers.
https://crossplane.io
Apache License 2.0
144 stars 95 forks source link

chore(deps): update module github.com/rs/cors to v1.11.0 [security] (release-1.16) #744

Closed crossplane-renovate[bot] closed 3 days ago

crossplane-renovate[bot] commented 6 days ago

This PR contains the following updates:

Package Type Update Change
github.com/rs/cors indirect minor v1.10.1 -> v1.11.0

Denial of service via malicious preflight requests in github.com/rs/cors

GO-2024-2883

More information #### Details Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service. #### Severity Unknown #### References - [https://github.com/rs/cors/pull/171](https://togithub.com/rs/cors/pull/171) - [https://github.com/rs/cors/issues/170](https://togithub.com/rs/cors/issues/170) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2883) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).

Release Notes

rs/cors (github.com/rs/cors) ### [`v1.11.0`](https://togithub.com/rs/cors/compare/v1.10.1...v1.11.0) [Compare Source](https://togithub.com/rs/cors/compare/v1.10.1...v1.11.0)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.