Bump github.com/dapr/dapr from 1.13.0 to 1.13.5

[dependabot[bot]]

Bumps github.com/dapr/dapr from 1.13.0 to 1.13.5.

Release notes

Sourced from github.com/dapr/dapr's releases.

Dapr Runtime v1.13.5

Dapr 1.13.5

Updated dependencies

Updated multiple dependencies to address reported vulnerabilities. Currently, none of the vulnerabilities in the updated dependencies are known to be exploitable in Dapr. Update to accomodate users that need to comply with automated vulnerability scanning tools.

Dapr Runtime v1.13.4

Dapr 1.13.4

Update the golang.org/x/net dependency to v0.24.0

Problem

Dapr used a Golang dependency for golang.org/x/net that contained the following CVE.

Impact

CVE details here.

Root cause

CVE details here.

Solution

The dependency version was updated from v0.21.0 to v0.24.0

Dapr Runtime v1.13.3

Dapr 1.13.3

This update includes bug fixes:

• App API token forwarded from caller to receiving app
• Upgrade Go version to 1.21.9
• Placement server fails to disseminate placement tables
• Restore dapr_http_server_response_count HTTP metric

App API token forwarded from caller to receiving app

Problem

The caller sidecar is appending the local app API token to the egress request, thereby leaking the API token protecting the local app to the foreign sidecar.

Impact

Receiving app can have access to the calling app's API token and make unauthorized calls directly to the originating app - in case it is listening on 0.0.0.0 or an accessible IP address.

... (truncated)

Commits

• e490e58 Release notes for 1.13.5 (#7864)
• 0e521bb fix(1.13): bump release branch dependencies (#7847)
• b18d951 add v1.13.4 release notes (#7769)
• c2bdebb update golang.org/x/net dep (#7766)
• 4c359b5 Fix MacOS tests. (#7748)
• e0591e4 Merge pull request from GHSA-284c-x8m7-9w5h
• 3cc0fc0 update to go 1.21.9 (#7726)
• afae0ad check for returned error (#7668)
• 1ac185d Restore legacy dapr_http_server_response_count HTTP metric (#7662)
• f09b193 Merge pull request #7670 from yaron2/contrib-1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.