Closed dependabot[bot] closed 8 months ago
Will need to update go to 1.21.3
in the build image (and everywhere else as needed) to successfully build unit tests:
Vulnerability #1: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Standard library
Found in: net/http@go1.21.2
Fixed in: net/http@go1.21.3
Example traces found:
#1: main.go:252:21: nifikop.main calls manager.controllerManager.Start, which eventually calls http.Server.Serve
Bumps golang.org/x/net from 0.14.0 to 0.17.0.
Commits
b225e7c
http2: limit maximum handler goroutines to MaxConcurrentStreams88194ad
go.mod: update golang.org/x dependencies2b60a61
quic: fix several bugs in flow control accounting73d82ef
quic: handle DATA_BLOCKED frames5d5a036
quic: handle streams moving from the data queue to the meta queue350aad2
quic: correctly extend peer's flow control window after MAX_DATA21814e7
quic: validate connection id transport parametersa600b35
quic: avoid redundant MAX_DATA updatesea63359
http2: check stream body is present on read timeoutddd8598
quic: version negotiationDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show