Closed dependabot[bot] closed 3 months ago
Hi @dependabot[bot]. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test
on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test
label.
I understand the commands that are listed here.
/assign @dgrisonnet /triage accepted
/lgtm /approve /ok-to-test
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dependabot[bot], dgrisonnet
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/retest
@dependabot[bot]: The following tests failed, say /retest
to rerun all failed tests or /retest-required
to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
pull-prometheus-adapter-test | fb2b03e77aabf55f9959eb09312319e491279020 | link | true | /test pull-prometheus-adapter-test |
pull-prometheus-adapter-test-e2e | fb2b03e77aabf55f9959eb09312319e491279020 | link | true | /test pull-prometheus-adapter-test-e2e |
pull-prometheus-adapter-verify | fb2b03e77aabf55f9959eb09312319e491279020 | link | true | /test pull-prometheus-adapter-verify |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
Library Vulnerabilities: | Severity | CVE | Package Name | Current Version | Fixed Version | Source |
---|---|---|---|---|---|---|
HIGH | CVE-2023-47108 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | 0.35.0 | 0.46.0 | https://github.com/advisories/GHSA-8pgv-569h-w5rw | |
HIGH | CVE-2023-45142 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | 0.35.1 | 0.44.0 | https://github.com/advisories/GHSA-rcjv-mgp8-qvmr |
Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.
Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.
@dgrisonnet good point, it is a "false positive" but good to address. I'm happy to create a PR soon.
@dgrisonnet @olivierlemasle Any ETAs on when this will get merged? The latest tag has been vulnerable since weeks.
Any ETAs on when this will get merged?
CI is red so this PR will never get merged since dependabot doesn't know how to address the failures. But if anyone is willing to take over the bump and fix the issues, I'd likely merge it.
Though I don't think this warrants a new release since the CVEs that are reported don't affect the project.
This requires a bump from custom-metrics-apiserver first
Build is failing because of following errors:
#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.10.0/client.go:30:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal; to add it:
#15 2.247 go get go.opentelemetry.io/otel/exporters/otlp/internal
#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.10.0/internal/otlpconfig/envconfig.go:25:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig; to add it:
#15 2.247 go get go.opentelemetry.io/otel/exporters/otlp/internal/envconfig
Any ideas on how to fix this? @dgrisonnet
@a7i I don't have much time on my hands atm, could you perhaps send a PR in custom-metrics-apiserver to update the dep?
@manikantanallagatla To fix that, you need to make sure all otel dependencies are at the same version. Right now, you have a mix of 1.10.0 and 1.18.0.
This is because earlier version of otel had shared internal dependencies, which were made non-shared in later versions to avoid this problem.
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the PR is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
PR needs rebase.
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the PR is closedYou can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the PR is closedYou can:
/reopen
/remove-lifecycle rotten
Please send feedback to sig-contributor-experience at kubernetes/community.
/close
@k8s-triage-robot: Closed this PR.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version
or @dependabot ignore this minor version
.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.1 to 0.44.0.
Release notes
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.
... (truncated)
Changelog
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.
... (truncated)
Commits
fdfa6e3
Release v1.19.0/v0.44.0/v0.13.0 (#4299)aea7540
build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#4297)7e88614
Remove otelbeego, otelkit, otelsarama, otelmemcache, otelgocql (#4295)14f153e
build(deps): bump actions/checkout from 3 to 4 (#4291)01c596d
dependabot updates Mon Sep 11 05:08:50 UTC 2023 (#4294)50ca48f
Remove high cardanility metrics from otelhttp (#4277)b6fc62f
Update go versions used in workflow (#4278)7a8f53c
Add new gcp host attributes (#4263)aab5f49
[mux] Add request filters like otelhttp (#4230)3ad5a2c
Deprecate otelmemcache, otelgocql (#4164)You can trigger a rebase of this PR by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show