kubernetes-sigs / metrics-server

Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/
Apache License 2.0
5.72k stars 1.86k forks

release-0.7: Bump golang to v1.21.8 and k8s dependencies to v1.29.2 and fix CVEs #1443

Closed dgrisonnet closed 5 months ago

dgrisonnet commented 5 months ago

Bump all the things on release-0.7 to prepare for a new patch release.

Scanning the binary in the docker image after the go update yielded:

```
➜  /tmp govulncheck -mode=binary metrics-server
Scanning your binary for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.32.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #1: json.Decoder.Peek
      #2: json.Decoder.Read
      #3: protojson.Unmarshal
      #4: protojson.UnmarshalOptions.Unmarshal

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
```

So I updated protobuf as well.
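As an added example (not code from the metrics-server project), a small Go check that turns the govulncheck report above into a go/no-go decision for a release branch: it parses each "Vulnerability #N" entry for the ID, module, "Found in" and "Fixed in" versions, then reports whether the module still needs bumping. The parser assumes the plain-text layout exactly as pasted in this PR; the `Finding`, `ParseReport` and `NeedsBump` names are the example's own.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Finding is one "Vulnerability #N" entry of a govulncheck text report.
type Finding struct{ ID, Module, Found, Fixed string }

var reID = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)`)
var reVer = regexp.MustCompile(`^(Found|Fixed) in: (\S+)@(v\S+)`)

// ParseReport extracts ID, module, "Found in" and "Fixed in" versions from the
// "=== Symbol Results ===" section (layout assumed as pasted in this PR).
func ParseReport(report string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		if m := reID.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{ID: m[1]})
		} else if m := reVer.FindStringSubmatch(line); m != nil && len(out) > 0 {
			cur := &out[len(out)-1] // version lines belong to the last header seen
			if m[1] == "Found" {
				cur.Module, cur.Found = m[2], m[3]
			} else {
				cur.Fixed = m[3]
			}
		}
	}
	return out
}

// semver turns "v1.32.0" into [1 32 0]; any -pre or +build suffix is ignored.
func semver(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n
}

// NeedsBump reports whether found is still below fixed, i.e. go.mod must move.
func NeedsBump(found, fixed string) bool {
	a, b := semver(found), semver(fixed)
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}
```

Feeding the report from this PR yields one finding, GO-2024-2611 in google.golang.org/protobuf at v1.32.0 with the fix at v1.33.0, for which NeedsBump returns true.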

k8s-ci-robot commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgrisonnet

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/metrics-server/blob/release-0.7/OWNERS)~~ [dgrisonnet]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.

k8s-ci-robot commented 5 months ago

This issue is currently awaiting triage.

If metrics-server contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

serathius commented 5 months ago

/lgtm