Skip to content

fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) #2

wants to merge 27 commits into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 5, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
google.golang.org/grpc v1.64.0 -> v1.64.1 age adoption passing confidence

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

Severity

Low

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Private tokens could appear in logs if context containing gRPC metadata is logged in google.golang.org/grpc

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

grpc/grpc-go (google.golang.org/grpc)

v1.64.1: Release 1.64.1

Compare Source

Dependencies

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot and others added 2 commits October 5, 2024 23:30
@renovate @ying-jeanne
chore: Configure Renovate (#1)
66fb78d 
* Add renovate.json

* Update renovate.json

Signed-off-by: Ying WANG <[email protected]>

* Rename renovate.json to renovate.json5

Signed-off-by: Ying WANG <[email protected]>

* Update renovate.json5

Signed-off-by: Ying WANG <[email protected]>

* Update renovate.json5

Signed-off-by: Ying WANG <[email protected]>

---------

Signed-off-by: Ying WANG <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Ying WANG <[email protected]>
@ying-jeanne
Update renovate.json5
f97e65e 
Signed-off-by: Ying WANG <[email protected]>
@renovate Renovate
Copy link
Author

renovate bot commented Oct 5, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: dagger/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading golang.org/x/sync v0.7.0
go: dagger imports
	dagger/internal/dagger: package dagger/internal/dagger is not in std (/opt/containerbase/tools/golang/1.24.1/src/dagger/internal/dagger)

@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 80c71d2 to 27e6ea3 Compare October 5, 2024 21:46
@ying-jeanne
Update renovate.json5
eaf7246 
Signed-off-by: Ying WANG <[email protected]>
@ying-jeanne
Update renovate.json5
4b0d2dd 
Signed-off-by: Ying WANG <[email protected]>
@ying-jeanne
Update renovate.json5
7b65b64 
Signed-off-by: Ying WANG <[email protected]>
@ying-jeanne
Update renovate.json5
8989243 
Signed-off-by: Ying WANG <[email protected]>
@ying-jeanne
Update renovate.json5
8a8ea8c 
Signed-off-by: Ying WANG <[email protected]>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 27e6ea3 to acba04f Compare October 5, 2024 22:07
@ying-jeanne
Update renovate.json5
a000221 
Signed-off-by: Ying WANG <[email protected]>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from acba04f to 0a60558 Compare October 5, 2024 22:09
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 0a60558 to 13af3de Compare October 17, 2024 05:50
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 13af3de to f4104c1 Compare October 17, 2024 09:38
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from f4104c1 to 4b96c1a Compare October 17, 2024 14:44
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 4b96c1a to fa75dbd Compare October 21, 2024 04:07
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from fa75dbd to 989352c Compare October 21, 2024 07:24
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 989352c to 8d06580 Compare October 21, 2024 09:30
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 8d06580 to 9febd84 Compare October 28, 2024 04:07
@renovate
fix(deps): update module google.golang.org/protobuf to v1.35.2 (#19)
c631410 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 9febd84 to a7e8cb7 Compare December 9, 2024 04:03
@renovate
fix(deps): update module github.com/prometheus/common to v0.61.0 (#20)
c74291a 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from a7e8cb7 to 109d9a9 Compare December 9, 2024 06:05
@renovate
chore(deps): update golangci/golangci-lint-action action to v6.1.1 (#16)
2983956 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 109d9a9 to 2a70942 Compare December 9, 2024 09:44
@renovate
fix(deps): update module google.golang.org/protobuf to v1.36.0 (#23)
f69531c 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 2a70942 to 23b68e8 Compare December 23, 2024 04:23
@renovate
fix(deps): update module google.golang.org/protobuf to v1.36.1 (#24)
a64480e 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from 23b68e8 to f6da4b2 Compare December 30, 2024 03:56
@renovate renovate bot changed the title fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) - autoclosed Jan 22, 2025
@renovate renovate bot closed this Jan 22, 2025
@renovate renovate bot deleted the deps-update/main-go-google.golang.org-grpc-vulnerability branch January 22, 2025 01:36
@renovate renovate bot changed the title fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) - autoclosed fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (main) Jan 22, 2025
@renovate renovate bot reopened this Jan 22, 2025
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from a7be9a5 to f6da4b2 Compare January 22, 2025 04:42
@renovate
fix(deps): update module github.com/google/go-cmp to v0.7.0 (#28)
b2e0e3f 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from f6da4b2 to db4504b Compare March 10, 2025 05:43
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org-grpc-vulnerability branch from db4504b to cdc1548 Compare March 10, 2025 11:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security-update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ying-jeanne