Skip to content

Bump dependencies to address reported CVEs#715

Open
saripurigopi wants to merge 1 commit into
kubernetes-sigs:masterfrom
saripurigopi:fix-cve-dependencies
Open

Bump dependencies to address reported CVEs#715
saripurigopi wants to merge 1 commit into
kubernetes-sigs:masterfrom
saripurigopi:fix-cve-dependencies

Conversation

@saripurigopi

@saripurigopi saripurigopi commented Jun 29, 2026

Copy link
Copy Markdown

Summary

Addresses #706 by upgrading vulnerable Go dependencies:

  • Bump Go toolchain from 1.22.x to 1.25.0 (Makefile GO_VERSION updated for container builds)
  • google.golang.org/grpc 1.60.1 → 1.79.3
  • go.opentelemetry.io/otel/sdk 1.21.0 → 1.43.0 (and related otel packages)
  • golang.org/x/net 0.25.0 → 0.55.0
  • golang.org/x/crypto 0.31.0 → 0.51.0
  • Other transitive golang.org/x/* and protobuf/genproto updates from go mod tidy

govulncheck ./... reports no vulnerabilities affecting this codebase after the bump.

Test plan

  • make test
  • make verify-deps
  • go run golang.org/x/vuln/cmd/govulncheck@latest ./...

Upgrade Go to 1.25.0 and update grpc, OpenTelemetry, and golang.org/x modules to patched versions.
@kubernetes-prow kubernetes-prow Bot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 29, 2026
@kubernetes-prow

Copy link
Copy Markdown

This issue is currently awaiting triage.

If prometheus-adapter contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubernetes-prow kubernetes-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 29, 2026
@kubernetes-prow

Copy link
Copy Markdown

Hi @saripurigopi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubernetes-prow kubernetes-prow Bot requested review from dashpole and dgrisonnet June 29, 2026 22:09
@kubernetes-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: saripurigopi
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant