Bump the minor-and-patch group with 2 updates

[dependabot[bot]]

Bumps the minor-and-patch group with 2 updates: github.com/go-chi/httprate and github.com/prometheus/client_golang.

Updates github.com/go-chi/httprate from 0.12.1 to 0.14.0

Release notes

Sourced from github.com/go-chi/httprate's releases.

v0.14.0

What's Changed

• Implement rate-limiting from HTTP handler (e.g. by request payload) by @​VojtechVitek in go-chi/httprate#42
• Export http.RateLimiter type by @​VojtechVitek in go-chi/httprate#43
• Introduce RespondOnLimit() vs. OnLimit() methods by @​VojtechVitek in go-chi/httprate#44

Add support to rate-limit by custom key from HTTP handler (e.g. by request payload fields)

// Rate-limiter for login endpoint.
loginRateLimiter := httprate.NewRateLimiter(5, time.Minute)
r.Post("/login", func(w http.ResponseWriter, r *http.Request) {

var payload struct {

Username string json:"username"

Password string json:"password"

}

err := json.NewDecoder(r.Body).Decode(&payload)

if err != nil || payload.Username == "" || payload.Password == "" {

w.WriteHeader(400)

return

}
// Rate-limit login at 5 req/min.
if loginRateLimiter.RespondOnLimit(w, r, payload.Username) {
    return
}

w.Write([]byte("login at 5 req/min\n"))

})

Full Changelog: https://github.com/go-chi/httprate/compare/v0.12.1...v0.14.0

v0.13.1

What's Changed

• Export http.RateLimiter type by @​VojtechVitek in go-chi/httprate#43 so users can pass *http.RateLimiter (or save in their server struct) and use the new .OnLimit() feature from go-chi/httprate#42.

Full Changelog: https://github.com/go-chi/httprate/compare/v0.13.0...v0.13.1

v0.13.0

Full Changelog: https://github.com/go-chi/httprate/compare/v0.13.0...v0.13.0

Add support to rate-limit by custom key from HTTP handler (e.g. by request payload fields)

// Rate-limiter for login endpoint.
loginRateLimiter := httprate.NewRateLimiter(5, time.Minute)
r.Post("/login", func(w http.ResponseWriter, r *http.Request) {

var payload struct {

</tr></table>

... (truncated)

Commits

• 5e681e3 Introduce RespondOnLimit() vs. OnLimit() (#44)
• c4c778c Export RateLimiter type (#43)
• 80029e2 Implement rate-limiting from HTTP handler (e.g. by request payload) (#42)
• See full diff in compare view

Updates github.com/prometheus/client_golang from 1.20.0 to 1.20.2

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.20.2

• [BUGFIX] promhttp: Unset Content-Encoding header when data is uncompressed. #1596

v1.20.1

This release contains the critical fix for the issue. Thanks to @​geberl, @​CubicrootXYZ, @​zetaab and @​timofurrer for helping us with the investigation!

• [BUGFIX] process-collector: Fixed unregistered descriptor error when using process collector with PedanticRegistry on Linux machines. #1587

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.20.2 / 2024-08-23

• [BUGFIX] promhttp: Unset Content-Encoding header when data is uncompressed. #1596

1.20.1 / 2024-08-20

• [BUGFIX] process-collector: Fixed unregistered descriptor error when using process collector with PedanticRegistry on linux machines. #1587

Commits

• 67121dc Merge pull request #1596 from mrueg/fix-uncompressed-content-header
• 187acd4 Cut 1.20.2
• f7f8f3a fix: Unset Content-Encoding header when uncompressed
• 2254d6c Merge pull request #1587 from prometheus/fix-processcollector
• 4a15d05 Cut 1.20.1
• f2dd7b3 Use pedantic registry in other places too, to double check.
• 261fe84 bugfix: Pass network metrics to processCollector's Describe() function
• 5bf3341 Use NewPedanticRegistry in Process' Collector tests
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

[socket-security[bot]]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
golang/github.com/go-chi/httprate@v0.14.0	network	0	39.6 kB
golang/github.com/prometheus/client_golang@v1.20.2	filesystem, network, unsafe	0	1.15 MB

🚮 Removed packages: golang/github.com/go-chi/httprate@v0.12.1), golang/github.com/prometheus/client_golang@v1.20.0)

View full report↗︎

[socket-security[bot]]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: golang/github.com/go-chi/httprate@v0.14.0, golang/github.com/prometheus/client_golang@v1.20.2

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[marcelosalloum]

@SocketSecurity ignore-all

[marcelosalloum]

SocketSecurity complained because I did one commit in the dependabot branch to update go.list. That's the reason why I added https://github.com/stellar/stellar-disbursement-platform-backend/pull/403#issuecomment-2311113735

[marcelosalloum]

@dependabot squash and merge