protojson: vuln: discard unknown fields can result in stack overflow #1584
Comments
gopherbot
pushed a commit
to protocolbuffers/protobuf-go
that referenced
this issue
Dec 21, 2023
Fixes golang/protobuf#1583 and golang/protobuf#1584 Limits the level of recursion when parsing JSON to avoid fatal stack overflow errors if input uses pathologically deep nesting. This is already a feature of the binary format, and this adds that feature to the JSON format. This also re-implements how JSON values are discarded to be more efficient (and not use recursion). Change-Id: I4026b739abe0335387209a43645f65e4b6e43409 Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/552255 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Lasse Folger <lassefolger@google.com> Reviewed-by: Lasse Folger <lassefolger@google.com>
|
Fixed in protocolbuffers/protobuf-go@bfcd647 |
renovate bot
added a commit
to open-feature/flagd
that referenced
this issue
Dec 22, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-feature/flagd). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
zeebe-bors-camunda bot
added a commit
to camunda/zeebe
that referenced
this issue
Dec 25, 2023
15716: deps(go): Update module google.golang.org/protobuf to v1.32.0 (main) r=github-actions[bot] a=renovate[bot] [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 8pm every weekday,before 6am every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/camunda/zeebe). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
bogdandrutu
pushed a commit
to open-telemetry/opentelemetry-collector-contrib
that referenced
this issue
Dec 27, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector-contrib). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
dbuduev
added a commit
to cerbos/cerbos
that referenced
this issue
Dec 27, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [github.com/aws/aws-sdk-go](https://togithub.com/aws/aws-sdk-go) | `v1.49.4` -> `v1.49.10` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [github.com/cerbos/cloud-api](https://togithub.com/cerbos/cloud-api) | `v0.1.11` -> `v0.1.12` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [github.com/golang-migrate/migrate/v4](https://togithub.com/golang-migrate/migrate) | `v4.16.2` -> `v4.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [github.com/goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | `v1.22.1` -> `v1.23.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [github.com/twmb/franz-go](https://togithub.com/twmb/franz-go) | `v1.15.3` -> `v1.15.4` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [github.com/vektra/mockery/v2](https://togithub.com/vektra/mockery) | `v2.38.0` -> `v2.39.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | golang.org/x/exp | `aacd6d4` -> `02704c9` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | digest | | [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | `v1.60.0` -> `v1.60.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.1-0.20231215091903-8ed73c755013` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>aws/aws-sdk-go (github.com/aws/aws-sdk-go)</summary> ### [`v1.49.10`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v14910-2023-12-26) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.9...v1.49.10) \=== ##### Service Client Updates - `service/iam`: Updates service documentation - Documentation updates for AWS Identity and Access Management (IAM). ##### SDK Enhancements - `aws`: Add `WithUseFIPSEndpoint` to `aws.Config`. ([#​5078](https://togithub.com/aws/aws-sdk-go/pull/5078)) - `WithUseFIPSEndpoint` can be used to explicitly enable or disable FIPS endpoint variants. ### [`v1.49.9`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v1499-2023-12-22) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.8...v1.49.9) \=== ##### Service Client Updates - `service/bedrock-agent`: Updates service API - `service/glue`: Updates service API and documentation - This release adds additional configurations for Query Session Context on the following APIs: GetUnfilteredTableMetadata, GetUnfilteredPartitionMetadata, GetUnfilteredPartitionsMetadata. - `service/lakeformation`: Updates service API and documentation - `service/mediaconnect`: Updates service API and documentation - `service/networkmonitor`: Adds new service - `service/omics`: Updates service documentation - `service/s3`: Updates service examples - Added additional examples for some operations. - `service/secretsmanager`: Adds new service - Update endpoint rules and examples. ### [`v1.49.8`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v1498-2023-12-21) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.7...v1.49.8) \=== ##### Service Client Updates - `service/amp`: Updates service API and documentation - `service/appintegrations`: Updates service API, documentation, paginators, and examples - `service/bedrock-agent`: Updates service API and documentation - `service/codecommit`: Updates service API and documentation - AWS CodeCommit now supports customer managed keys from AWS Key Management Service. UpdateRepositoryEncryptionKey is added for updating the key configuration. CreateRepository, GetRepository, BatchGetRepositories are updated with new input or output parameters. - `service/connect`: Updates service API, documentation, and paginators - `service/medialive`: Updates service API and documentation - MediaLive now supports the ability to configure the audio that an AWS Elemental Link UHD device produces, when the device is configured as the source for a flow in AWS Elemental MediaConnect. - `service/rds`: Updates service API, documentation, waiters, paginators, and examples - This release adds support for using RDS Data API with Aurora PostgreSQL Serverless v2 and provisioned DB clusters. - `service/rds-data`: Updates service API and documentation - `service/sagemaker`: Updates service API and documentation - Amazon SageMaker Training now provides model training container access for debugging purposes. Amazon SageMaker Search now provides the ability to use visibility conditions to limit resource access to a single domain or multiple domains. ### [`v1.49.7`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v1497-2023-12-20) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.6...v1.49.7) \=== ##### Service Client Updates - `service/appstream`: Updates service API and documentation - This release introduces configurable clipboard, allowing admins to specify the maximum length of text that can be copied by the users from their device to the remote session and vice-versa. - `service/eks`: Updates service API, documentation, and paginators - `service/guardduty`: Updates service API and documentation - This release 1) introduces a new API: GetOrganizationStatistics , and 2) adds a new UsageStatisticType TOP_ACCOUNTS_BY_FEATURE for GetUsageStatistics API - `service/managedblockchain-query`: Updates service API and documentation - `service/mediatailor`: Updates service API and documentation - `service/route53`: Updates service API and documentation - Amazon Route 53 now supports the Canada West (Calgary) Region (ca-west-1) for latency records, geoproximity records, and private DNS for Amazon VPCs in that region. ### [`v1.49.6`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v1496-2023-12-19) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.5...v1.49.6) \=== ##### Service Client Updates - `service/appsync`: Updates service API and documentation - `service/chime-sdk-meetings`: Updates service API and documentation - `service/ec2`: Updates service API and documentation - Provision BYOIPv4 address ranges and advertise them by specifying the network border groups option in Los Angeles, Phoenix and Dallas AWS Local Zones. - `service/fsx`: Updates service API and documentation - `service/marketplace-catalog`: Updates service API and documentation - `service/rds`: Updates service API, documentation, waiters, paginators, and examples - RDS - The release adds two new APIs: DescribeDBRecommendations and ModifyDBRecommendation ### [`v1.49.5`](https://togithub.com/aws/aws-sdk-go/blob/HEAD/CHANGELOG.md#Release-v1495-2023-12-18) [Compare Source](https://togithub.com/aws/aws-sdk-go/compare/v1.49.4...v1.49.5) \=== ##### Service Client Updates - `service/cognito-idp`: Updates service API and documentation - `service/eks`: Updates service API, documentation, and paginators - `service/quicksight`: Updates service documentation - A docs-only release to add missing entities to the API reference. - `service/route53resolver`: Updates service API and documentation </details> <details> <summary>cerbos/cloud-api (github.com/cerbos/cloud-api)</summary> ### [`v0.1.12`](https://togithub.com/cerbos/cloud-api/compare/v0.1.11...v0.1.12) [Compare Source](https://togithub.com/cerbos/cloud-api/compare/v0.1.11...v0.1.12) </details> <details> <summary>golang-migrate/migrate (github.com/golang-migrate/migrate/v4)</summary> ### [`v4.17.0`](https://togithub.com/golang-migrate/migrate/releases/tag/v4.17.0) [Compare Source](https://togithub.com/golang-migrate/migrate/compare/v4.16.2...v4.17.0) #### Changelog - [`cf03803`](https://togithub.com/golang-migrate/migrate/commit/cf03803) Add rqlite 8.0.0 to tested database versions - [`12968a7`](https://togithub.com/golang-migrate/migrate/commit/12968a7) Add syntax highlighting to Postgres example - [`50112e7`](https://togithub.com/golang-migrate/migrate/commit/50112e7) Add to clickhouse README.md database creation - [`5ded96d`](https://togithub.com/golang-migrate/migrate/commit/5ded96d) Bump golang.org/x/crypto from 0.14.0 to 0.17.0 - [`c3ebd52`](https://togithub.com/golang-migrate/migrate/commit/c3ebd52) Bump google.golang.org/grpc from 1.55.0 to 1.56.3 - [`5026488`](https://togithub.com/golang-migrate/migrate/commit/5026488) Clean up require directive grouping - [`3b02b18`](https://togithub.com/golang-migrate/migrate/commit/3b02b18) Correct a spelling mistake - [`cd17c5a`](https://togithub.com/golang-migrate/migrate/commit/cd17c5a) Drop support for Go 1.19 and add support for Go 1.21 - [`839421e`](https://togithub.com/golang-migrate/migrate/commit/839421e) Leverage quoteIdentifier from pgx - [`bad30b5`](https://togithub.com/golang-migrate/migrate/commit/bad30b5) Mention migradaptor - [`fb22436`](https://togithub.com/golang-migrate/migrate/commit/fb22436) Merge remote-tracking branch 'origin/master' into upgrade-spanner - [`bfedabb`](https://togithub.com/golang-migrate/migrate/commit/bfedabb) Merge remote-tracking branch 'upstream/master' - [`92dec35`](https://togithub.com/golang-migrate/migrate/commit/92dec35) Move supported go version to standard place - [`4078ef8`](https://togithub.com/golang-migrate/migrate/commit/4078ef8) New release prep - [`9fe7383`](https://togithub.com/golang-migrate/migrate/commit/9fe7383) Quote in drop as well - [`691f687`](https://togithub.com/golang-migrate/migrate/commit/691f687) Reformat ScyllaDB/Cassandra docs - [`90a3ac4`](https://togithub.com/golang-migrate/migrate/commit/90a3ac4) Remove cluster adaptation for tables to pass tests - [`64755d0`](https://togithub.com/golang-migrate/migrate/commit/64755d0) Update README.md - [`f2c4b52`](https://togithub.com/golang-migrate/migrate/commit/f2c4b52) Update aws-sdk-go from v1.44.301 to v1.49.6 - [`876a13d`](https://togithub.com/golang-migrate/migrate/commit/876a13d) Update aws-sdk-go to adress vulerabilitiy - [`b567287`](https://togithub.com/golang-migrate/migrate/commit/b567287) Update from alpine 3.18 to 3.19 - [`f2e0b33`](https://togithub.com/golang-migrate/migrate/commit/f2e0b33) Update lib/pq to fix cert permissions issues - [`208ac53`](https://togithub.com/golang-migrate/migrate/commit/208ac53) Update spanner to fix security issue See also: [golang-migrate/migrate#952 - [`72957b6`](https://togithub.com/golang-migrate/migrate/commit/72957b6) Updated version of spanner to support sequences and generate uuid - [`7d03609`](https://togithub.com/golang-migrate/migrate/commit/7d03609) add 8.11 and 8.12 versions and remove debug logging - [`7a72550`](https://togithub.com/golang-migrate/migrate/commit/7a72550) add tests for scylladb. add scylladb to docs - [`90273fe`](https://togithub.com/golang-migrate/migrate/commit/90273fe) clickhouse: Quote db name in ensureVersionTable - [`5163ac7`](https://togithub.com/golang-migrate/migrate/commit/5163ac7) feature: add rqlite support - [`ee8a8e5`](https://togithub.com/golang-migrate/migrate/commit/ee8a8e5) fix: typo - [`f8afa5a`](https://togithub.com/golang-migrate/migrate/commit/f8afa5a) small changes to retry failed by timeout CI - [`669437c`](https://togithub.com/golang-migrate/migrate/commit/669437c) update rqlite 8 container version to 8.0.6 </details> <details> <summary>goreleaser/goreleaser (github.com/goreleaser/goreleaser)</summary> ### [`v1.23.0`](https://togithub.com/goreleaser/goreleaser/releases/tag/v1.23.0) [Compare Source](https://togithub.com/goreleaser/goreleaser/compare/v1.22.1...v1.23.0) #### Changelog ##### New Features - [`b149223`](https://togithub.com/goreleaser/goreleaser/commit/b14922322317aa6522d05f6b24856fd89a760bbc): feat(docs): Update command in SLSA verification blog post ([#​4420](https://togithub.com/goreleaser/goreleaser/issues/4420)) ([@​laurentsimon](https://togithub.com/laurentsimon)) - [`ee14837`](https://togithub.com/goreleaser/goreleaser/commit/ee1483712733f4c2db4e13a113a65d6948f4fdef): feat(homebrew): add os to dependency ([#​4481](https://togithub.com/goreleaser/goreleaser/issues/4481)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`dda1c70`](https://togithub.com/goreleaser/goreleaser/commit/dda1c708ae56de981ae43bb5c6dd38ca0acb9226): feat(nix): validate licenses ([#​4497](https://togithub.com/goreleaser/goreleaser/issues/4497)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`1d34568`](https://togithub.com/goreleaser/goreleaser/commit/1d34568b75347fcb1aea3d7bbf55fe4bc85039f1): feat(sbom): update default command ([@​caarlos0](https://togithub.com/caarlos0)) - [`27f0e33`](https://togithub.com/goreleaser/goreleaser/commit/27f0e3304b744fcdb1f57fd02ee6283c43ce2e56): feat(winget): support installing .exe directly ([#​4498](https://togithub.com/goreleaser/goreleaser/issues/4498)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`22fa994`](https://togithub.com/goreleaser/goreleaser/commit/22fa9947c869b42f3e9b50e95c4b8619396b48c1): feat: allow to template builds.gobinary ([#​4454](https://togithub.com/goreleaser/goreleaser/issues/4454)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`711490d`](https://togithub.com/goreleaser/goreleaser/commit/711490dfc7c6b5faa083f98b01777e347624ae35): feat: aur dir ([#​4484](https://togithub.com/goreleaser/goreleaser/issues/4484)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`25a054c`](https://togithub.com/goreleaser/goreleaser/commit/25a054c5e113c6b121aaff3841bdffa7f316bd8c): feat: improve --single-target ([#​4442](https://togithub.com/goreleaser/goreleaser/issues/4442)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`bd7933d`](https://togithub.com/goreleaser/goreleaser/commit/bd7933d1852bddef445e7c81a91f7a71148b5fac): feat: improve project and build hooks error handling ([@​caarlos0](https://togithub.com/caarlos0)) - [`8f6b16f`](https://togithub.com/goreleaser/goreleaser/commit/8f6b16f6b5c122d2cc1a22a344ccde288dc035ed): feat: validate ko's main path ([#​4429](https://togithub.com/goreleaser/goreleaser/issues/4429)) ([@​gabrielcipriano](https://togithub.com/gabrielcipriano)) ##### Bug fixes - [`8586878`](https://togithub.com/goreleaser/goreleaser/commit/8586878fdf47d38fd9f18c06fac8512ef2657b37): fix(aur): support wrap_in_directory ([#​4502](https://togithub.com/goreleaser/goreleaser/issues/4502)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`aa9986e`](https://togithub.com/goreleaser/goreleaser/commit/aa9986e8268daed6b4adaa5d11a81f98dc20c11b): fix(github): do not fail branch creation if it already exists ([#​4471](https://togithub.com/goreleaser/goreleaser/issues/4471)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`a09a0d7`](https://togithub.com/goreleaser/goreleaser/commit/a09a0d701875e1bf541e2ce46edeffd7866b405b): fix(ko): error finishing with . ([@​caarlos0](https://togithub.com/caarlos0)) - [`2b9e471`](https://togithub.com/goreleaser/goreleaser/commit/2b9e471370e488fa497f565df8c9fa8b4fbfaa51): fix(nix): include unzip if any artifact is a zip ([#​4495](https://togithub.com/goreleaser/goreleaser/issues/4495)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`103b54b`](https://togithub.com/goreleaser/goreleaser/commit/103b54bed526713d612639fbd1d04fcb24b43f67): fix(sbom): warn/error on wrong configuration ([@​caarlos0](https://togithub.com/caarlos0)) - [`a85d049`](https://togithub.com/goreleaser/goreleaser/commit/a85d049f9b6b376c9ebfb729ea086e499efdcee6): fix(winget): improve schema ([#​4489](https://togithub.com/goreleaser/goreleaser/issues/4489)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`e33d053`](https://togithub.com/goreleaser/goreleaser/commit/e33d0536129abeee90f46fbde5950403ba37cee1): fix: --single-target when no match ([@​caarlos0](https://togithub.com/caarlos0)) - [`159211a`](https://togithub.com/goreleaser/goreleaser/commit/159211ae78e146f2c1d595410831464ba67cb915): fix: add -c flags when building go test ([#​4473](https://togithub.com/goreleaser/goreleaser/issues/4473)) ([@​fl0Lec](https://togithub.com/fl0Lec)) - [`74e7064`](https://togithub.com/goreleaser/goreleaser/commit/74e706461ba44ec491f9a000004edae85e7dcf55): fix: allow homebrew to use tar.xz format ([#​4441](https://togithub.com/goreleaser/goreleaser/issues/4441)) ([@​jftuga](https://togithub.com/jftuga)) - [`c0b2be3`](https://togithub.com/goreleaser/goreleaser/commit/c0b2be344fca8c66fda35391ca76d9c3ca9753c8): fix: handle configs with no explicit targets on --single-target ([@​caarlos0](https://togithub.com/caarlos0)) - [`142b94c`](https://togithub.com/goreleaser/goreleaser/commit/142b94c533a21c4bfcfae405bc920b80cecb8b41): fix: improve chocolatey no archive error handling and docs ([@​caarlos0](https://togithub.com/caarlos0)) - [`59a3eeb`](https://togithub.com/goreleaser/goreleaser/commit/59a3eeb56da5d614a7432dd6a6036dbf050bf7c6): fix: linkedin announce api changes ([#​4428](https://togithub.com/goreleaser/goreleaser/issues/4428)) ([@​gabrielcipriano](https://togithub.com/gabrielcipriano)) ##### Dependency updates - [`00ea9f9`](https://togithub.com/goreleaser/goreleaser/commit/00ea9f97edfb74a90e739257b3f2a2ee59323e31): feat(deps): bump code.gitea.io/sdk/gitea from 0.16.0 to 0.17.0 ([#​4459](https://togithub.com/goreleaser/goreleaser/issues/4459)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`a5ae5cd`](https://togithub.com/goreleaser/goreleaser/commit/a5ae5cd20a18de548602681417f38353d6e8fcc1): feat(deps): bump github.com/disgoorg/disgo from 0.16.11 to 0.16.12 ([#​4422](https://togithub.com/goreleaser/goreleaser/issues/4422)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`f9203ba`](https://togithub.com/goreleaser/goreleaser/commit/f9203badebae11145bf5b29796ec039c264330db): feat(deps): bump github.com/disgoorg/disgo from 0.16.12 to 0.17.0 ([#​4434](https://togithub.com/goreleaser/goreleaser/issues/4434)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`3458c7f`](https://togithub.com/goreleaser/goreleaser/commit/3458c7f34e1fd153aed105300d71bcbd65943ab2): feat(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 ([#​4452](https://togithub.com/goreleaser/goreleaser/issues/4452)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`334cb89`](https://togithub.com/goreleaser/goreleaser/commit/334cb890a589811e6d07845ec79acb9926f387b4): feat(deps): bump github.com/google/ko from 0.15.0 to 0.15.1 ([#​4435](https://togithub.com/goreleaser/goreleaser/issues/4435)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`e39548d`](https://togithub.com/goreleaser/goreleaser/commit/e39548dde7a1e5da73b587c8af08750f8c9fe4fd): feat(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 ([#​4476](https://togithub.com/goreleaser/goreleaser/issues/4476)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`782dd54`](https://togithub.com/goreleaser/goreleaser/commit/782dd54b1f9186887adb9231a1970ea4466c74d8): feat(deps): bump github.com/goreleaser/nfpm/v2 from 2.34.0 to 2.35.0 ([#​4492](https://togithub.com/goreleaser/goreleaser/issues/4492)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`3c6dcd8`](https://togithub.com/goreleaser/goreleaser/commit/3c6dcd8dcd4b361468095d168bd8a22bf6b5c847): feat(deps): bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.1 ([#​4419](https://togithub.com/goreleaser/goreleaser/issues/4419)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`182e103`](https://togithub.com/goreleaser/goreleaser/commit/182e1033308331be3a084d2836752984c037a79c): feat(deps): bump github.com/xanzy/go-gitlab from 0.93.2 to 0.94.0 ([#​4433](https://togithub.com/goreleaser/goreleaser/issues/4433)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`48d4d04`](https://togithub.com/goreleaser/goreleaser/commit/48d4d04c713bd27837053591e42e1b2e41500051): feat(deps): bump github.com/xanzy/go-gitlab from 0.94.0 to 0.95.1 ([#​4468](https://togithub.com/goreleaser/goreleaser/issues/4468)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`a096097`](https://togithub.com/goreleaser/goreleaser/commit/a096097646e69a63ea9534116c75d1c050d24218): feat(deps): bump github.com/xanzy/go-gitlab from 0.95.1 to 0.95.2 ([#​4477](https://togithub.com/goreleaser/goreleaser/issues/4477)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`52de4ac`](https://togithub.com/goreleaser/goreleaser/commit/52de4ac1245776f996cc6790a71b6f4d80552dfc): feat(deps): bump gocloud.dev from 0.34.0 to 0.35.0 ([#​4467](https://togithub.com/goreleaser/goreleaser/issues/4467)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`c6b68aa`](https://togithub.com/goreleaser/goreleaser/commit/c6b68aa4603ef69a7775a1d921fc71c274c87393): feat(deps): bump golang from 1.21.4-alpine to 1.21.5-alpine ([#​4463](https://togithub.com/goreleaser/goreleaser/issues/4463)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`fdf73bd`](https://togithub.com/goreleaser/goreleaser/commit/fdf73bda9e8f3223969b26856b3e976352dfa40b): feat(deps): bump golang from `110b07a` to `30a46e7` ([#​4455](https://togithub.com/goreleaser/goreleaser/issues/4455)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`0222430`](https://togithub.com/goreleaser/goreleaser/commit/022243067bbc98411998bdf314831aa1eafe2167): feat(deps): bump golang from `30a46e7` to `70afe55` ([#​4457](https://togithub.com/goreleaser/goreleaser/issues/4457)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`f0c4d71`](https://togithub.com/goreleaser/goreleaser/commit/f0c4d71b7806466f4728f0ae8d79bbe8c25518ca): feat(deps): bump golang from `5c1cabd` to `feceecc` ([#​4466](https://togithub.com/goreleaser/goreleaser/issues/4466)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`d616c38`](https://togithub.com/goreleaser/goreleaser/commit/d616c385dec0eaf1845d38dd859f5d71130e94c5): feat(deps): bump golang from `feceecc` to `4db4aac` ([#​4491](https://togithub.com/goreleaser/goreleaser/issues/4491)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`3bae110`](https://togithub.com/goreleaser/goreleaser/commit/3bae110184c8133133ee87e447ae70ef545fdef1): feat(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 ([#​4485](https://togithub.com/goreleaser/goreleaser/issues/4485)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`a73fcfc`](https://togithub.com/goreleaser/goreleaser/commit/a73fcfc5d96a6e0d7127d0b0665db6d8cbd1fa37): feat(deps): bump golang.org/x/oauth2 from 0.13.0 to 0.14.0 ([#​4416](https://togithub.com/goreleaser/goreleaser/issues/4416)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`5587cb2`](https://togithub.com/goreleaser/goreleaser/commit/5587cb2cb7562eac0b86749e6ed14ffb3c78593c): feat(deps): bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 ([#​4445](https://togithub.com/goreleaser/goreleaser/issues/4445)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`5c2cbb3`](https://togithub.com/goreleaser/goreleaser/commit/5c2cbb3417ddd0847a97e153a7f620595ea2d083): feat(deps): bump golang.org/x/tools from 0.14.0 to 0.15.0 ([#​4417](https://togithub.com/goreleaser/goreleaser/issues/4417)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`2f1162a`](https://togithub.com/goreleaser/goreleaser/commit/2f1162a2a4afda8c5d59e45236f9e7acfef43590): feat(deps): bump golang.org/x/tools from 0.15.0 to 0.16.0 ([#​4444](https://togithub.com/goreleaser/goreleaser/issues/4444)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`7b5a858`](https://togithub.com/goreleaser/goreleaser/commit/7b5a85839a7020372c3faf9e317f0010136f6721): feat(deps): bump golang.org/x/tools from 0.16.0 to 0.16.1 ([#​4478](https://togithub.com/goreleaser/goreleaser/issues/4478)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) - [`853275f`](https://togithub.com/goreleaser/goreleaser/commit/853275f37920134a8337d485c3667e8cc710a45d): feat(deps): update go-github to v57 ([@​caarlos0](https://togithub.com/caarlos0)) - [`6e9ed05`](https://togithub.com/goreleaser/goreleaser/commit/6e9ed0561ec1f431be830096651f28f6b241cec8): feat(deps): update nfpm to latest ([@​caarlos0](https://togithub.com/caarlos0)) - [`7d29385`](https://togithub.com/goreleaser/goreleaser/commit/7d293855e81aef7f795429fc76da9e9109c661c4): fix(deps): bump golang from 1.21.3-alpine to 1.21.4-alpine ([#​4414](https://togithub.com/goreleaser/goreleaser/issues/4414)) ([@​dependabot](https://togithub.com/dependabot)\[bot]) ##### Build process updates - [`4f17fba`](https://togithub.com/goreleaser/goreleaser/commit/4f17fba173ec6d8feb93b15607fc692dd2b64533): build: fix setup-task rate limit ([@​caarlos0](https://togithub.com/caarlos0)) - [`5a74601`](https://togithub.com/goreleaser/goreleaser/commit/5a74601559edeb6db85dc3e069d33e04836de7d3): build: fix typo ([@​caarlos0](https://togithub.com/caarlos0)) - [`b0bf4eb`](https://togithub.com/goreleaser/goreleaser/commit/b0bf4eb0cd024e900042b3b28615e479fbdae900): build: golangci config ([@​caarlos0](https://togithub.com/caarlos0)) - [`9d2162b`](https://togithub.com/goreleaser/goreleaser/commit/9d2162b61c5d5ceb58e61919030743e79c94f78b): build: report only new lint problems ([@​caarlos0](https://togithub.com/caarlos0)) - [`18c109a`](https://togithub.com/goreleaser/goreleaser/commit/18c109a62af1dbff1dcc5a662c6bf8e2a60633af): build: simplify changelog on nightly builds ([@​caarlos0](https://togithub.com/caarlos0)) - [`be9ad4d`](https://togithub.com/goreleaser/goreleaser/commit/be9ad4d47dd09c218c8fd32b321a99ff7eb5956d): build: update workflow ([@​caarlos0](https://togithub.com/caarlos0)) ##### Other work - [`a5f7678`](https://togithub.com/goreleaser/goreleaser/commit/a5f767832a8e7a4832249576318820481beb6069): SBOM improvements ([#​4430](https://togithub.com/goreleaser/goreleaser/issues/4430)) ([@​caarlos0](https://togithub.com/caarlos0)) - [`6bce81c`](https://togithub.com/goreleaser/goreleaser/commit/6bce81c0bef158590dc65dcb6ccce1d3cb426c04): docs(azblob): correct auth to Azure storage service ([#​4439](https://togithub.com/goreleaser/goreleaser/issues/4439)) ([@​librucha](https://togithub.com/librucha)) - [`d83243c`](https://togithub.com/goreleaser/goreleaser/commit/d83243cc28900f3583e3d921eeccf3b0bb69e6f6): docs(sbom): improve sbom alternative example ([@​caarlos0](https://togithub.com/caarlos0)) - [`532879e`](https://togithub.com/goreleaser/goreleaser/commit/532879ea9247650061a5544a2d23dfb09d6861ea): docs: Removed the duplicate GoReleaser Pro entry ([#​4456](https://togithub.com/goreleaser/goreleaser/issues/4456)) ([@​cafferata](https://togithub.com/cafferata)) - [`b7be447`](https://togithub.com/goreleaser/goreleaser/commit/b7be447e0a727c7a9eefcad2eb0447bea23dc2b1): docs: add flipt to USERS ([@​caarlos0](https://togithub.com/caarlos0)) - [`522ab11`](https://togithub.com/goreleaser/goreleaser/commit/522ab11bf3dd846fd1b61500b533e269a242c6a4): docs: fix broken link ([@​caarlos0](https://togithub.com/caarlos0)) - [`3ec68fb`](https://togithub.com/goreleaser/goreleaser/commit/3ec68fbf8c3a1b16ca0f69aeccfb93765685b643): docs: fix broken link ([@​caarlos0](https://togithub.com/caarlos0)) - [`233c4bc`](https://togithub.com/goreleaser/goreleaser/commit/233c4bc26e7e518ad3ea6d71179a1ef538048c52): docs: fix changelog subgroups docs ([@​caarlos0](https://togithub.com/caarlos0)) - [`d2c0e4c`](https://togithub.com/goreleaser/goreleaser/commit/d2c0e4c6ad93c950c1462a653fef854c05f6e14d): docs: fix typo ([#​4447](https://togithub.com/goreleaser/goreleaser/issues/4447)) ([@​EverythingSuckz](https://togithub.com/EverythingSuckz)) - [`582ff38`](https://togithub.com/goreleaser/goreleaser/commit/582ff3808db1fa4339324031f60c1682f26669f6): docs: fix typo in check_boxes ([#​4499](https://togithub.com/goreleaser/goreleaser/issues/4499)) ([@​jidckii](https://togithub.com/jidckii)) - [`d89557b`](https://togithub.com/goreleaser/goreleaser/commit/d89557b27711224dfc4d3f91c3bd2172b1747090): docs: install should say the required Go version ([@​caarlos0](https://togithub.com/caarlos0)) - [`b682fdf`](https://togithub.com/goreleaser/goreleaser/commit/b682fdf7bb3d10644ea9978f1655fcc9d74cc520): docs: mention that snaps cant be built inside docker ([@​caarlos0](https://togithub.com/caarlos0)) - [`c1b7139`](https://togithub.com/goreleaser/goreleaser/commit/c1b71396c6e8d36e6e2bbae9047e687ed9da167a): docs: update ([@​caarlos0](https://togithub.com/caarlos0)) - [`11e5682`](https://togithub.com/goreleaser/goreleaser/commit/11e5682165ad40dff9f65e864df4e922fbf7bb0c): docs: update CONTRIBUTING.md add upx as optional prerequesite ([#​4427](https://togithub.com/goreleaser/goreleaser/issues/4427)) ([@​gabrielcipriano](https://togithub.com/gabrielcipriano)) - [`149b178`](https://togithub.com/goreleaser/goreleaser/commit/149b1780945cfcda1ca2291c45f28f319b5ece2f): docs: update deprecated `--skip-publish` release flag ([#​4449](https://togithub.com/goreleaser/goreleaser/issues/4449)) ([@​ixje](https://togithub.com/ixje)) - [`429ddb1`](https://togithub.com/goreleaser/goreleaser/commit/429ddb175075ff00412be1b6206127c03fd53966): docs: update details about cosign and certificate ([@​caarlos0](https://togithub.com/caarlos0)) - [`910b837`](https://togithub.com/goreleaser/goreleaser/commit/910b837f7df4b259ab14d687ed7a77415ad2c2c9): docs: update snap link ([#​4486](https://togithub.com/goreleaser/goreleaser/issues/4486)) ([@​lucacome](https://togithub.com/lucacome)) - [`df982a6`](https://togithub.com/goreleaser/goreleaser/commit/df982a6a3b402f0a3bf9147473a5adda0da08d6b): docs: update the link to the go wiki page on first-class ports ([#​4490](https://togithub.com/goreleaser/goreleaser/issues/4490)) ([@​smlx](https://togithub.com/smlx)) - [`7e48196`](https://togithub.com/goreleaser/goreleaser/commit/7e481967b3e527dc45b85d7e41d3b6540ae3f4ed): docs: update users, blog posts divider ([@​caarlos0](https://togithub.com/caarlos0)) - [`6491631`](https://togithub.com/goreleaser/goreleaser/commit/64916314c7b402b42fde8cde78349fcdb07c0cdf): docs: update users.md ([@​caarlos0](https://togithub.com/caarlos0)) - [`6f598dc`](https://togithub.com/goreleaser/goreleaser/commit/6f598dc9b01b005f5e07fe11790b6a7bb85641c1): refactor(brew): use cases.Title instead of strings.Title ([@​caarlos0](https://togithub.com/caarlos0)) **Full Changelog**: goreleaser/goreleaser@v1.22.0...v1.23.0 #### Helping out This release is only possible thanks to **all** the support of some **awesome people**! Want to be one of them? You can [sponsor](https://goreleaser.com/sponsors/), get a [Pro License](https://goreleaser.com/pro) or [contribute with code](https://goreleaser.com/contributing). #### Where to go next? - Find examples and commented usage of all options in our [website](https://goreleaser.com/intro/). - Reach out on [Discord](https://discord.gg/RGEBtg8vQ6) and [Twitter](https://twitter.com/goreleaser)! <a href="https://goreleaser.com"><img src="https://raw.githubusercontent.com/goreleaser/artwork/master/opencollective-header.png" with="100%" alt="GoReleaser logo"></a> </details> <details> <summary>twmb/franz-go (github.com/twmb/franz-go)</summary> ### [`v1.15.4`](https://togithub.com/twmb/franz-go/blob/HEAD/CHANGELOG.md#v1154) [Compare Source](https://togithub.com/twmb/franz-go/compare/v1.15.3...v1.15.4) \=== This patch release fixes a difficult to encounter, but fatal-for-group-consuming bug. The sequence of events to trigger this bug: - OffsetCommit is issued before Heartbeat - The coordinator for the group needs to be loaded (so, likely, a previous `NOT_COORDINATOR` error was received) - OffsetCommit triggers the load - a second OffsetCommit happens while the first is still running, canceling the first OffsetCommit's context In this sequence of events, FindCoordinator will fail with `context.Canceled` and, importantly, also return that error to Heartbeat. In the guts of the client, a `context.Canceled` error *should* only happen when a group is being left, so this error is recognized as a group-is-leaving error and the group management goroutine exits. Thus, the group is never rejoined. This likely requires a system to be overloaded to begin with, because FindCoordinator requests are usually very fast. The fix is to use the client context when issuing FindCoordinator, rather than the parent request. The parent request can still quit, but FindCoordinator continues. No parent request can affect any other waiting request. This patch also includes a dep bump for everything but klauspost/compress; klauspost/compress changed go.mod to require go1.19, while this repo still requires 1.18. v1.16 will change to require 1.19 and then this repo will bump klauspost/compress. There were multiple additions to the yet-unversioned kfake package, so that an advanced "test" could be written to trigger the behavior for this patch and then ensure it is fixed. To see the test, please check the comment on PR [650](https://togithub.com/twmb/franz-go/pull/650). - [`7d050fc`](https://togithub.com/twmb/franz-go/commit/7d050fc) kgo: do not cancel FindCoordinator if the parent context cancels </details> <details> <summary>vektra/mockery (github.com/vektra/mockery/v2)</summary> ### [`v2.39.1`](https://togithub.com/vektra/mockery/releases/tag/v2.39.1) [Compare Source](https://togithub.com/vektra/mockery/compare/v2.39.0...v2.39.1) #### Changelog - [`5c62fda`](https://togithub.com/vektra/mockery/commit/5c62fda) Add MongoDB as user of mockery - [`a199cfb`](https://togithub.com/vektra/mockery/commit/a199cfb) Add clarification on internal error - [`5254b81`](https://togithub.com/vektra/mockery/commit/5254b81) Merge pull request [#​741](https://togithub.com/vektra/mockery/issues/741) from LandonTClipp/clarification - [`b9df18e`](https://togithub.com/vektra/mockery/commit/b9df18e) Merge pull request [#​742](https://togithub.com/vektra/mockery/issues/742) from LandonTClipp/mongo ### [`v2.39.0`](https://togithub.com/vektra/mockery/releases/tag/v2.39.0) [Compare Source](https://togithub.com/vektra/mockery/compare/v2.38.0...v2.39.0) #### Changelog - [`b248492`](https://togithub.com/vektra/mockery/commit/b248492) Don't recurse into submodules on `recursive: true` - [`4f9dc15`](https://togithub.com/vektra/mockery/commit/4f9dc15) Merge pull request [#​740](https://togithub.com/vektra/mockery/issues/740) from LandonTClipp/monorepo </details> <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.60.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.60.1) [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.60.0...v1.60.1) ### Bug Fixes - server: fix two bugs that could lead to panics at shutdown when using [NumStreamWorkers](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) (experimental feature). </details> <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/cerbos/cerbos). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: Dennis Buduev <dbuduev@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Dennis Buduev <dbuduev@users.noreply.github.com>
charithe
pushed a commit
to cerbos/cerbos-sdk-go
that referenced
this issue
Dec 27, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | `v1.60.0` -> `v1.60.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.60.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.60.1) [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.60.0...v1.60.1) ### Bug Fixes - server: fix two bugs that could lead to panics at shutdown when using [NumStreamWorkers](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) (experimental feature). </details> <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/cerbos/cerbos-sdk-go). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
nslaughter
pushed a commit
to nslaughter/opentelemetry-collector-contrib
that referenced
this issue
Dec 27, 2023
…0220) [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector-contrib). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
nslaughter
pushed a commit
to nslaughter/opentelemetry-collector-contrib
that referenced
this issue
Dec 27, 2023
…0220) [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector-contrib). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
bogdandrutu
pushed a commit
to open-telemetry/opentelemetry-collector
that referenced
this issue
Dec 29, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
tdeebswihart
added a commit
to temporalio/api-go
that referenced
this issue
Jan 3, 2024
This commit ports over the fixes (and tests) for the two DOS bugs fixed by golang/protobuf recently: 1. golang/protobuf#1583 2. golang/protobuf#1584 These changes come from protocolbuffers/protobuf-go@bfcd647
tdeebswihart
added a commit
to temporalio/api-go
that referenced
this issue
Jan 3, 2024
This commit ports over the fixes (and tests) for the two DOS bugs fixed by golang/protobuf recently: 1. golang/protobuf#1583 2. golang/protobuf#1584 These changes come from protocolbuffers/protobuf-go@bfcd647
michaelkedar
pushed a commit
to google/osv.dev
that referenced
this issue
Jan 9, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [github.com/grpc-ecosystem/grpc-gateway/v2](https://togithub.com/grpc-ecosystem/grpc-gateway) | `v2.18.1` -> `v2.19.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [go](https://go.dev/) ([source](https://togithub.com/golang/go)) | `1.21.5` -> `1.21.6` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | golang | patch | | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | require | minor | | | All locks refreshed | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | lockFileMaintenance | | [jekyll-feed](https://togithub.com/jekyll/jekyll-feed) | `0.15.1` -> `0.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | minor | --- ### Release Notes <details> <summary>grpc-ecosystem/grpc-gateway (github.com/grpc-ecosystem/grpc-gateway/v2)</summary> ### [`v2.19.0`](https://togithub.com/grpc-ecosystem/grpc-gateway/releases/tag/v2.19.0) [Compare Source](https://togithub.com/grpc-ecosystem/grpc-gateway/compare/v2.18.1...v2.19.0) #### What's Changed - fix: use req.Body instead of IOReaderFactory when possible by [@​leungster](https://togithub.com/leungster) in [grpc-ecosystem/grpc-gateway#3727 - runtime: Add outgoing trailer matching by [@​adriansmares](https://togithub.com/adriansmares) in [grpc-ecosystem/grpc-gateway#3725 - Add openapiv2\_opt support for passing values to go templates via cli by [@​500poundbear](https://togithub.com/500poundbear) in [grpc-ecosystem/grpc-gateway#3764 - \[Bug [#​3829](https://togithub.com/grpc-ecosystem/grpc-gateway/issues/3829)] \[protoc-gen-openapiv2] consider openapiv2\_tag.name attribute when generating ope… by [@​omrikiei](https://togithub.com/omrikiei) in [grpc-ecosystem/grpc-gateway#3830 - feat: partial message created as named definitions by [@​nkcr](https://togithub.com/nkcr) in [grpc-ecosystem/grpc-gateway#3743 - Fix name tags in methods by [@​omrikiei](https://togithub.com/omrikiei) in [grpc-ecosystem/grpc-gateway#3843 - Revert [`4c79b45`](https://togithub.com/grpc-ecosystem/grpc-gateway/commit/4c79b45386348459926176911cb6b35f6f53dcdc) by [@​johanbrandhorst](https://togithub.com/johanbrandhorst) in [grpc-ecosystem/grpc-gateway#3856 #### New Contributors - [@​leungster](https://togithub.com/leungster) made their first contribution in [grpc-ecosystem/grpc-gateway#3727 - [@​adriansmares](https://togithub.com/adriansmares) made their first contribution in [grpc-ecosystem/grpc-gateway#3725 - [@​500poundbear](https://togithub.com/500poundbear) made their first contribution in [grpc-ecosystem/grpc-gateway#3764 - [@​omrikiei](https://togithub.com/omrikiei) made their first contribution in [grpc-ecosystem/grpc-gateway#3830 - [@​nkcr](https://togithub.com/nkcr) made their first contribution in [grpc-ecosystem/grpc-gateway#3743 **Full Changelog**: grpc-ecosystem/grpc-gateway@v2.18.1...v2.19.0 </details> <details> <summary>golang/go (go)</summary> ### [`v1.21.6`](https://togithub.com/golang/go/compare/go1.21.5...go1.21.6) </details> <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> <details> <summary>jekyll/jekyll-feed (jekyll-feed)</summary> ### [`v0.17.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0170--2022-10-14) [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.16.0...v0.17.0) ##### Documentation - Update CI status badge ([#​363](https://togithub.com/jekyll/jekyll-feed/issues/363)) ##### Development Fixes - Add Ruby 3.1 to the CI matrix ([#​365](https://togithub.com/jekyll/jekyll-feed/issues/365)) ##### Minor Enhancements - Allow disabling of jekyll-feed while in development ([#​370](https://togithub.com/jekyll/jekyll-feed/issues/370)) ### [`v0.16.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0160--2022-01-03) [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.15.1...v0.16.0) ##### Minor Enhancements - Add support for `page.description` in front matter to become entry `<summary>` ([#​297](https://togithub.com/jekyll/jekyll-feed/issues/297)) ##### Bug Fixes - Fold private methods into the `:render` method as local variables ([#​327](https://togithub.com/jekyll/jekyll-feed/issues/327)) - Check `post.categories` instead of `post.category` ([#​357](https://togithub.com/jekyll/jekyll-feed/issues/357)) - Switched xml_escape for `<![CDATA[]]>` for post content ([#​332](https://togithub.com/jekyll/jekyll-feed/issues/332)) ##### Development Fixes - Add Ruby 3.0 to CI ([#​337](https://togithub.com/jekyll/jekyll-feed/issues/337)) - Lock RuboCop to v1.18.x ([#​348](https://togithub.com/jekyll/jekyll-feed/issues/348)) - Add workflow to release gem via GH Action ([#​355](https://togithub.com/jekyll/jekyll-feed/issues/355)) ##### Documentation - Use `.atom` extension in documented examples since we write an Atom feed ([#​359](https://togithub.com/jekyll/jekyll-feed/issues/359)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
cparkins
pushed a commit
to AmadeusITGroup/opentelemetry-collector-contrib
that referenced
this issue
Jan 10, 2024
…0220) [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector-contrib). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
another-rex
pushed a commit
to google/osv-scanner
that referenced
this issue
Feb 5, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---|---|---| | [deps.dev/api/v3alpha](https://togithub.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [deps.dev/util/resolve](https://togithub.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [deps.dev/util/semver](https://togithub.com/google/deps.dev) | require | digest | `1e316b8` -> `c339c64` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/gkampitakis/go-snaps](https://togithub.com/gkampitakis/go-snaps) | require | minor | `v0.4.12` -> `v0.5.2` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/ianlancetaylor/demangle](https://togithub.com/ianlancetaylor/demangle) | require | digest | `964b1d5` -> `1f824a1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/jedib0t/go-pretty/v6](https://togithub.com/jedib0t/go-pretty) | require | patch | `v6.5.3` -> `v6.5.4` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [go](https://go.dev/) ([source](https://togithub.com/golang/go)) | golang | patch | `1.21.5` -> `1.21.6` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | golang.org/x/exp | require | digest | `1b97071` -> `2c58cdc` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | require | minor | `v1.60.1` -> `v1.61.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | require | minor | `v1.31.0` -> `v1.32.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary> ### [`v0.5.2`](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2) [Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2) ### [`v0.5.1`](https://togithub.com/gkampitakis/go-snaps/releases/tag/v0.5.1) [Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.0...v0.5.1) #### What's Changed - fix: replace `Print` with `Println` by [@​G-Rath](https://togithub.com/G-Rath) in [gkampitakis/go-snaps#94 **Full Changelog**: gkampitakis/go-snaps@v0.5.0...v0.5.1 ### [`v0.5.0`](https://togithub.com/gkampitakis/go-snaps/releases/tag/v0.5.0) [Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.4.12...v0.5.0) #### What's Changed - docs: improve readme code formatting and grammar by [@​G-Rath](https://togithub.com/G-Rath) in [gkampitakis/go-snaps#85 - docs: improve `TestMain` references by [@​G-Rath](https://togithub.com/G-Rath) in [gkampitakis/go-snaps#86 - chore(docs): minor improvements by [@​gkampitakis](https://togithub.com/gkampitakis) in [gkampitakis/go-snaps#89 - chore: clean up test mocks and change getTestID param order by [@​gkampitakis](https://togithub.com/gkampitakis) in [gkampitakis/go-snaps#92 - feat: don't create multiple snapshots when -test.count>1 by [@​gkampitakis](https://togithub.com/gkampitakis) in [gkampitakis/go-snaps#90 #### Breaking changes ❗ On `v0.5.0` when running tests with `test.count>1` flag a call to create a snapshot will not create multiple instances of the same snapshot, but it will create the snapshot once and then subsequent execution will test against that snapshot. Look at issue [gkampitakis/go-snaps#87 #### New Contributors - [@​G-Rath](https://togithub.com/G-Rath) made their first contribution in [gkampitakis/go-snaps#85 **Full Changelog**: gkampitakis/go-snaps@v0.4.12...v0.5.0 </details> <details> <summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary> ### [`v6.5.4`](https://togithub.com/jedib0t/go-pretty/releases/tag/v6.5.4) [Compare Source](https://togithub.com/jedib0t/go-pretty/compare/v6.5.3...v6.5.4) #### What's Changed - table: fix SuppressTrailingSpaces removing spaces from the beginning by [@​ilya-lesikov](https://togithub.com/ilya-lesikov) in [jedib0t/go-pretty#295 - table: fix documentation for merges by [@​jedib0t](https://togithub.com/jedib0t) in [jedib0t/go-pretty#296 #### New Contributors - [@​ilya-lesikov](https://togithub.com/ilya-lesikov) made their first contribution in [jedib0t/go-pretty#295 **Full Changelog**: jedib0t/go-pretty@v6.5.3...v6.5.4 </details> <details> <summary>golang/go (go)</summary> ### [`v1.21.6`](https://togithub.com/golang/go/compare/go1.21.5...go1.21.6) </details> <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.61.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.61.0): Release 1.61.0 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.60.1...v1.61.0) ### New Features - resolver: provide method, `AuthorityOverrider`, to allow resolver.Builders to override the default authority for a `ClientConn`. (EXPERIMENTAL) ([#​6752](https://togithub.com/grpc/grpc-go/issues/6752)) - Special Thanks: [@​Aditya-Sood](https://togithub.com/Aditya-Sood) - xds: add support for mTLS Credentials in xDS bootstrap ([gRFC A65](github.com/grpc/proposal/blob/8c31bfedded5f0a51c4933e9e9a8246122f9c41a/A65-xds-mtls-creds-in-bootstrap.md)) ([#​6757](https://togithub.com/grpc/grpc-go/issues/6757)) - Special Thanks: [@​atollena](https://togithub.com/atollena) - server: add `grpc.WaitForHandlers` `ServerOption` to cause `Server.Stop` to block until method handlers return. (EXPERIMENTAL) ([#​6922](https://togithub.com/grpc/grpc-go/issues/6922)) ### Performance Improvements - grpc: skip compression of empty messages as an optimization ([#​6842](https://togithub.com/grpc/grpc-go/issues/6842)) - Special Thanks: [@​jroper](https://togithub.com/jroper) - orca: use atomic pointer to improve performance in server metrics recorder ([#​6799](https://togithub.com/grpc/grpc-go/issues/6799)) - Special Thanks: [@​danielzhaotongliu](https://togithub.com/danielzhaotongliu) ### Bug Fixes - client: correctly enable TCP keepalives with OS defaults on windows ([#​6863](https://togithub.com/grpc/grpc-go/issues/6863)) - Special Thanks: [@​mmatczuk](https://togithub.com/mmatczuk) - server: change some stream operations to return `UNAVAILABLE` instead of `UNKNOWN` when underlying connection is broken ([#​6891](https://togithub.com/grpc/grpc-go/issues/6891)) - Special Thanks: [@​mustafasen81](https://togithub.com/mustafasen81) - server: fix `GracefulStop` to block until all method handlers return (v1.60 regression). ([#​6922](https://togithub.com/grpc/grpc-go/issues/6922)) - server: fix two bugs that could lead to panics at shutdown when using [`NumStreamWorkers`](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) (EXPERIMENTAL). ([#​6856](https://togithub.com/grpc/grpc-go/issues/6856)) - reflection: do not send invalid descriptors to clients for files that cannot be fully resolved ([#​6771](https://togithub.com/grpc/grpc-go/issues/6771)) - Special Thanks: [@​jhump](https://togithub.com/jhump) - xds: don't fail channel/server startup when xds creds is specified, but bootstrap is missing certificate providers ([#​6848](https://togithub.com/grpc/grpc-go/issues/6848)) - xds: Atomically read and write xDS security configuration client side ([#​6796](https://togithub.com/grpc/grpc-go/issues/6796)) - xds/server: fix RDS handling for non-inline route configs ([#​6915](https://togithub.com/grpc/grpc-go/issues/6915)) </details> <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjE3My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
renovate bot
added a commit
to DelineaXPM/dsv-k8s
that referenced
this issue
Mar 26, 2024
…rity] (#116) [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.31.0` -> `v1.33.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. --- ### Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) / [GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37) / [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) <details> <summary>More information</summary> #### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Moderate #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) - [https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023) - [https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go) - [https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0) - [https://go.dev/cl/569356](https://go.dev/cl/569356) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU) - [https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Infinite loop in JSON unmarshaling in google.golang.org/protobuf [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) / [GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37) / [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) <details> <summary>More information</summary> #### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Unknown #### References - [https://go.dev/cl/569356](https://go.dev/cl/569356) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/dsv-k8s). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot
added a commit
to DelineaXPM/terraform-provider-dsv
that referenced
this issue
Mar 28, 2024
…rity] (#79) [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | `v1.30.0` -> `v1.33.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. --- ### Infinite loop in JSON unmarshaling in google.golang.org/protobuf [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) / [GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37) / [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) <details> <summary>More information</summary> #### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Unknown #### References - [https://go.dev/cl/569356](https://go.dev/cl/569356) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) / [GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37) / [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) <details> <summary>More information</summary> #### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Moderate #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) - [https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023) - [https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go) - [https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0) - [https://go.dev/cl/569356](https://go.dev/cl/569356) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU) - [https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0 This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583 and [golang/protobuf#1584 for details. ### [`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0) ##### Notable changes <a name="v1.31-notable-changes"></a> **New Features** - [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes - Add a function to construct a dynamic type registry from a protoregistry.Files - [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to protojson and prototext **Minor performance improvements** - [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one - [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to avoid multiple calculations **Bug fixes** - [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of synthetic oneofs to be deterministic - [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix handling of io.EOF </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is closely related to #1583. If a schema does not support an arbitrarily deep JSON encoding, a stack overflow can still be induced via a malicious payload if the
protojson.UnmarshalOptions.DiscardUnknownfield is true. This is because the code to discard unknown fields is recursive. It should instead use iteration with a slice to model the stack of open objects and arrays, so it can safely discard JSON of arbitrary complexity.The text was updated successfully, but these errors were encountered: