itzg / mc-monitor

Monitor the status of Minecraft servers and provides Prometheus exporter and Influx line protocol output
MIT License

Private tokens could appear in logs if context containing gRPC metadata is logged #97

Open strausmann opened 1 week ago

strausmann commented 1 week ago

I get this CVE reported by Docker Scout for itzg/mc-monitor. Unfortunately, I can't find the place in the code to submit a PR.

LOW: https://github.com/advisories/GHSA-xr7q-jx4m-x55m


https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb

Can we fix that?

itzg commented 1 week ago

Seems like it would be the indirect dependency here:

https://github.com/itzg/mc-monitor/blob/3c931ec973e78ac576395043a27cd7f917f93ee4/go.mod#L52

I would have expected dependabot to already be addressing that on the next round.

Are you really wanting to chase down all these low priority CVEs? I know I don't really care to.

strausmann commented 1 week ago

No, not necessarily. It's just a nice to have.

vitorvasc commented 1 week ago

Hey.

Not sure if there is any other dependency that pulls in gRPC, but in general it should come from OpenTelemetry. Updating the dependencies to v1.29.0 should do the trick!

https://github.com/open-telemetry/opentelemetry-go/releases

https://github.com/itzg/mc-monitor/blob/3c931ec973e78ac576395043a27cd7f917f93ee4/go.mod

    go.opentelemetry.io/otel v1.29.0
    go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0
    go.opentelemetry.io/otel/metric v1.29.0
    go.opentelemetry.io/otel/sdk/metric v1.29.0

itzg commented 1 week ago
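The two comments above raise the practical question for any transitive CVE like this one: which direct dependency actually drags the affected module into the build, and is the resolved version below the advisory's fix? On a real checkout `go mod why -m google.golang.org/grpc` or `go mod graph` answers that. The following Go program is an added example, not code from mc-monitor or from anyone in this thread; it walks a constructed excerpt of `go mod graph` output, finds the chain from the main module to `google.golang.org/grpc`, and compares the resolved version against a fixed version. The module versions in the sample graph and the fixed version `v1.64.1` are assumptions for illustration and must be taken from the real graph and the advisory text.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is a CONSTRUCTED excerpt in the format `go mod graph` prints:
// "parent child", one edge per line, the main module listed without a version.
// The versions here are illustrative, not the repository's real pins.
const sampleGraph = `github.com/itzg/mc-monitor github.com/prometheus/client_golang@v1.19.1
github.com/itzg/mc-monitor go.opentelemetry.io/otel@v1.28.0
github.com/itzg/mc-monitor go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc@v1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc@v1.28.0 google.golang.org/grpc@v1.64.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc@v1.28.0 go.opentelemetry.io/otel/sdk/metric@v1.28.0
google.golang.org/grpc@v1.64.0 golang.org/x/net@v0.25.0
github.com/prometheus/client_golang@v1.19.1 github.com/prometheus/common@v0.48.0
`

// fixedGRPC is the first version the advisory lists as patched.
// ASSUMPTION for this example only: read the real value from the advisory.
const fixedGRPC = "v1.64.1"

// parseGraph turns `go mod graph` output into an adjacency list keyed by node
// ("path@version", or a bare "path" for the main module).
func parseGraph(text string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines instead of failing
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// findPath runs a breadth-first search from root and returns the shortest chain
// of nodes ending at the first node whose module path equals target, or nil.
// path[1] of the result is the direct dependency that needs bumping.
func findPath(g map[string][]string, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur.node) == target {
			return cur.path
		}
		for _, next := range g[cur.node] {
			if seen[next] {
				continue
			}
			seen[next] = true
			p := append(append([]string{}, cur.path...), next)
			queue = append(queue, item{next, p})
		}
	}
	return nil
}

// versionPart returns the i-th numeric component of "vMAJOR.MINOR.PATCH".
// Pre-release and pseudo-version suffixes ("-rc1", "-20240101-abcdef") are
// dropped, so a pseudo-version compares as its base version.
func versionPart(v string, i int) int {
	v = strings.TrimPrefix(v, "v")
	v = strings.SplitN(v, "-", 2)[0]
	parts := strings.Split(v, ".")
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i]) // a non-numeric component counts as 0
	return n
}

// versionLess reports whether a is numerically older than b.
func versionLess(a, b string) bool {
	for i := 0; i < 3; i++ {
		if na, nb := versionPart(a, i), versionPart(b, i); na != nb {
			return na < nb
		}
	}
	return false
}

// affected reports whether a "path@version" node resolves below the fixed version.
func affected(node, fixed string) bool {
	i := strings.Index(node, "@")
	if i < 0 {
		return false // main module or versionless node: nothing to compare
	}
	return versionLess(node[i+1:], fixed)
}

func main() {
	g := parseGraph(sampleGraph)
	path := findPath(g, "github.com/itzg/mc-monitor", "google.golang.org/grpc")
	if len(path) < 2 {
		fmt.Println("google.golang.org/grpc is not a dependency in this graph")
		return
	}
	fmt.Println("dependency chain to grpc-go:\n  " + strings.Join(path, "\n  -> "))
	grpcNode := path[len(path)-1]
	if affected(grpcNode, fixedGRPC) {
		fmt.Printf("%s is below %s; bump the direct dependency %s\n", grpcNode, fixedGRPC, path[1])
	} else {
		fmt.Printf("%s is at or above %s; nothing to do\n", grpcNode, fixedGRPC)
	}
}
```

Run against the real repository, replace `sampleGraph` with the output of `go mod graph`; the node at `path[1]` is the direct dependency whose own bump (via `go get` of a newer version, or a Dependabot/Renovate PR) rewrites the transitive `google.golang.org/grpc` pin in go.mod. A breadth-first search is used deliberately so the reported chain is the shortest one, which is the one worth bumping first when several direct dependencies reach the same module.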

Thanks @vitorvasc ! I'm actually curious if the weekly run of dependabot (on Mondays for this repo) will bump that anyway.

strausmann commented 1 week ago

Maybe try Renovate if Dependabot doesn't do something like this reliably; then Semantic Release for automatic publication with relevant code changes. 😁