Update Mend: high confidence minor and patch dependency updates #20

Open. Wants to merge 1 commit into base: master.

@mend-for-github-com mend-for-github-com bot commented Mar 26, 2024

This PR contains the following updates:

Package  Change
cloud.google.com/go/secretmanager  v1.11.1 -> v1.13.1
cloud.google.com/go/storage  v1.33.0 -> v1.41.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity  v1.3.1 -> v1.5.2
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob  v1.1.0 -> v1.3.2
github.com/DataDog/datadog-go/v5  v5.3.0 -> v5.5.0
github.com/bugsnag/bugsnag-go/v2  v2.2.0 -> v2.4.0
github.com/felixge/httpsnoop  v1.0.3 -> v1.0.4
github.com/getsentry/sentry-go  v0.25.0 -> v0.27.0
github.com/newrelic/go-agent/v3  v3.26.0 -> v3.33.0
github.com/prometheus/client_golang  v1.17.0 -> v1.19.1
github.com/stretchr/testify  v1.8.4 -> v1.9.0
go.opentelemetry.io/contrib/propagators/aws  v1.20.0 -> v1.27.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp  v1.19.0 -> v1.27.0
go.opentelemetry.io/otel/sdk/metric  v1.19.0 -> v1.27.0
golang.org/x/image  v0.13.0 -> v0.16.0
golang.org/x/net  v0.15.0 -> v0.17.0
golang.org/x/sys  v0.13.0 -> v0.20.0
google.golang.org/api  v0.145.0 -> v0.181.0

By merging this PR, the issue #19 will be automatically resolved and closed:

Severity: High
CVSS Score: 7.5
CVE: CVE-2023-39325
Reachability: (not populated)

Release Notes

DataDog/datadog-go (github.com/DataDog/datadog-go/v5)

v5.5.0

See the Changelog for the details.

v5.4.0

See the Changelog for the details.

bugsnag/bugsnag-go (github.com/bugsnag/bugsnag-go/v2)

v2.4.0

2.4.0 (2024-04-15)

Enhancements

v2.3.1

2.3.1 (2024-03-18)

Bug fixes
  • Handle empty pointers to complex structs in metadata.Add (#221)

v2.3.0

2.3.0 (2024-03-05)

Bug fixes

v2.2.1

2.2.1 (2022-02-21)

Bug fixes
  • Fix middleware panic on nil *http.Request (#212)

felixge/httpsnoop (github.com/felixge/httpsnoop)

v1.0.4

getsentry/sentry-go (github.com/getsentry/sentry-go)

v0.27.0: 0.27.0

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.27.0.

Breaking Changes
  • Exception.ThreadId is now typed as uint64. It was wrongly typed as string before. (#770)
Misc
  • Export Event.Attachments (#771)

v0.26.0: 0.26.0

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.26.0.

Breaking Changes

As previously announced, this release removes some methods from the SDK.

  • sentry.TransactionName() use sentry.WithTransactionName() instead.
  • sentry.OpName() use sentry.WithOpName() instead.
  • sentry.TransctionSource() use sentry.WithTransactionSource() instead.
  • sentry.SpanSampled() use sentry.WithSpanSampled() instead.
Features
  • Add WithDescription span option (#751)

    // Span option must be package-qualified when called from outside the sentry package.
    span := sentry.StartSpan(ctx, "http.client", sentry.WithDescription("GET /api/users"))
  • Add support for package name parsing in Go 1.20 and higher (#730)

Bug Fixes
  • Apply ClientOptions.SampleRate only to errors & messages (#754)
  • Check if git is available before executing any git commands (#737)

newrelic/go-agent (github.com/newrelic/go-agent/v3)

v3.33.0: Release 3.33.0

3.33.0

Added
  • Support for Zap Field Attributes
  • Updated dependency on csec-go-agent in nrsecurityagent
Fixed
  • Fixed an issue where running containers on AWS would falsely flag Azure Utilization
  • Fixed a typo with nrecho-v3
  • Changed nrslog example to use a context driven handler

These changes increment the affected integration package version numbers to:

  • nrsecurityagent v1.3.1
  • nrecho-v3 v1.1.1
  • logcontext-v2/nrslog v1.2.0
  • logcontext-v2/nrzap v1.2.0
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.32.0: Release 3.32.0

3.32.0

Added
  • Updates to support for the New Relic security agent to report API endpoints.
    • Adds new wrapper function for the nrecho, nrgin, and nrgorilla integrations.
  • Handler to take New Relic transaction data from context automatically when using nrslog integration (thanks, @adomaskizogian!)
Fixed
  • Adds missing license file to the nropenai integration.
  • Changes *bedrockruntime.Client parameters in nrawsbedrock integration to use a more general interface type, allowing the use of custom types which extend the bedrock client type.
  • Fixes pgx5 pool example
  • Updated unit tests to check Transaction.Ignore
  • Updated nrzap unit tests to add background logger sugared test case.
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.31.0: Release 3.31.0

3.31.0

Added
  • Integration packages to instrument AI model invocations (see below).
    • New package nrawsbedrock v1.0.0 introduced to instrument calls to Amazon Bedrock Runtime Client API InvokeModel and InvokeModelWithResponseStream calls. Also provides a simple one-step method which invokes stream invocations and harvests the response stream data for you.
    • New package nropenai v1.0.0 introduced to instrument calls to OpenAI using NRCreateChatCompletion, NRCreateChatCompletionStream, and NRCreateEmbedding calls.
    • Dockerfile in the examples/server sample app which facilitates the easy creation of a containerized ready-to-run sample app for situations where that makes testing easier.
Fixed
  • .Ignore was not ignoring transaction. Fixes Issue #845.
  • Added nil error check in wrap function. Fixes Issue #862.
  • WrapBackgroundCore background logger was not sending logs to New Relic. Fixes Issue #859.
  • Corrected pgx5 integration example which caused a race condition. Thanks to @WillAbides! Fixes Issue #855.
  • Updated third-party library versions due to reported security or other supportability issues:
    • github.com/jackc/pgx/v5 to 5.5.4 in nrpgx5 integration
    • google.golang.org/protobuf to 1.33.0 in nrmicro and nrgrpc integrations
    • github.com/jackc/pgx/v4 to 4.18.2 in nrpgx integration
AI Monitoring Configuration

New configuration options are available specific to AI monitoring. These settings include:

  • AIMonitoring.Enabled, configured via ConfigAIMonitoringEnabled(bool) [default false]
  • AIMonitoring.Streaming.Enabled, configured via ConfigAIMonitoringStreamingEnabled(bool) [default true]
  • AIMonitoring.Content.Enabled, configured via ConfigAIMonitoringContentEnabled(bool) [default true]
AI Monitoring Public API Methods

Two new AI monitoring related public API methods have been added, as methods of the newrelic.Application value returned by newrelic.NewApplication:

AI Monitoring

New Relic AI monitoring is the industry’s first APM solution that provides end-to-end visibility for AI Large Language Model (LLM) applications. It enables end-to-end visibility into the key components of an AI LLM application. With AI monitoring, users can monitor, alert, and debug AI-powered applications for reliability, latency, performance, security and cost. AI monitoring also enables AI/LLM specific insights (metrics, events, logs and traces) which can easily integrate to build advanced guardrails for enterprise security, privacy and compliance.

AI monitoring offers custom-built insights and tracing for the complete lifecycle of an LLM’s prompts and responses, from raw user input to repaired/polished responses. AI monitoring provides built-in integrations with popular LLMs and components of the AI development stack. This release provides instrumentation for OpenAI and Bedrock.

When AI monitoring is enabled with ConfigAIMonitoringEnabled(true), the agent will now capture AI LLM related data. This data will be visible under a new APM tab called AI Responses. See our AI Monitoring documentation for more details.

Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.30.0: Release 3.30.0

3.30.0

Added
  • Updated the dependency on nrsecurityagent to 1.0.0.
  • Added new integration, logcontext-v2/nrslog, which instruments logging via the new slog library.
Fixed
  • Redacts license keys from error reporting.
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.29.1: Release 3.29.1

3.29.1

Added
  • Added Dockerized Unit Tests for Github Actions (internal build support)
Fixes
  • Updated version of New Relic Security Agent (enables bug fixes released in that agent code for use with the Go Agent).
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.29.0: Release 3.29.0

3.29.0

Added
  • Security agent integration nrsecurityagent now reports security configuration information along with the overall Go Agent configuration values. (Updates nrsecurityagent to v1.2.0.)
  • Code-Level Metrics collection efficiency enhancement allows user callback function for as-needed (and just-in-time) evaluation of custom code locations rather than up-front location overrides, via the WithCodeLocationCallback CLM option. Deprecates WithCodeLocation option (although the latter function is still supported for compatibility with existing code).
  • Added extended synthetics support for new X-Newrelic-Synthetics-Info HTTP headers.
  • Documentation fixes.
  • Removed deprecated ROADMAP.md file.
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.28.1: Release 3.28.1

3.28.1

Added
  • Added Supportability Metrics to nrfasthttp (brings nrfasthttp version to v1.0.1).
  • Always Link Transaction IDs to traces regardless of whether Distributed Tracing is enabled or not
Fixed
  • Fixed an issue where nil Request.Body could be set to non-nil request.Body with zero length when the security agent is enabled
Security
  • More Secure URL Redaction

Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.28.0: Release 3.28.0

3.28.0

Fixed
  • Bumped gRPC from 1.54.0 -> 1.56.3 in the following packages /v3/integrations/nrgrpc, /v3/, /v3/integrations/nrgrpc
  • Bumped golang.org/x/net from 0.8.0 -> 0.17.0 in package /v3/integrations/nrgraphqlgo
  • Fixed issue where nrfasthttp would not properly register security agent headers
  • Move fasthttp instrumentation into a new integration package, nrfasthttp
  • Fixed issue where usage of io.ReadAll() was causing a memory leak
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.27.0: Release 3.27.0

3.27.0

Added
  • Added Support for getting Container ID's from cgroup v2 docker containers
  • A new instrumentation package for RabbitMQ with distributed tracing support: nramqp
Fixed
  • Unit tests repairs and improvements
  • Removed deprecated V2 code from the repository. The support timeframe for this code has expired and is no longer recommended for use.
  • Bumped github.com/graphql-go/graphql from 0.7.9 to 0.8.1
Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

prometheus/client_golang (github.com/prometheus/client_golang)

v1.19.1

What's Changed

  • Security patches for golang.org/x/sys and google.golang.org/protobuf

New Contributors

Full Changelog: prometheus/client_golang@v1.19.0...v1.19.1

v1.19.0

What's Changed

The module prometheus/common v0.48.0 introduced an incompatibility when used together with client_golang (See https://github.com/prometheus/client_golang/pull/1448 for more details). If your project uses client_golang and you want to use prometheus/common v0.48.0 or higher, please update client_golang to v1.19.0.

  • [CHANGE] Minimum required go version is now 1.20 (we also test client_golang against new 1.22 version). #1445 #1449
  • [FEATURE] collectors: Add version collector. #1422 #1427

New Contributors

Full Changelog: prometheus/client_golang@v1.18.0...v1.19.0

v1.18.0

What's Changed

  • [FEATURE] promlint: Allow creation of custom metric validations. #1311
  • [FEATURE] Go programs using client_golang can be built in wasip1 OS. #1350
  • [BUGFIX] histograms: Add timer to reset ASAP after bucket limiting has happened. #1367
  • [BUGFIX] testutil: Fix comparison of metrics with empty Help strings. #1378
  • [ENHANCEMENT] Improved performance of MetricVec.WithLabelValues(...). #1360

New Contributors

Full Changelog: prometheus/client_golang@v1.17.0...v1.18.0

stretchr/testify (github.com/stretchr/testify)

v1.9.0

What's Changed

New Contributors

Full Changelog: stretchr/testify@v1.8.4...v1.9.0

open-telemetry/opentelemetry-go-contrib (go.opentelemetry.io/contrib/propagators/aws)

v1.27.0: /v0.52.0/v0.21.0/v0.7.0/v0.2.0

Overview

Added
  • Add the new go.opentelemetry.io/contrib/instrgen package to provide auto-generated source code instrumentation. (#3068, #3108)
  • Add an experimental OTEL_METRICS_PRODUCERS environment variable to go.opentelemetry.io/contrib/autoexport to set metrics producers. (#5281)
    • prometheus and none are supported values. You can specify multiple producers separated by a comma.
    • Add WithFallbackMetricProducer option that adds a fallback if the OTEL_METRICS_PRODUCERS is not set or empty.
  • The go.opentelemetry.io/contrib/processors/baggage/baggagetrace module. This module provides a Baggage Span Processor. (#5404)
  • Add gRPC trace Filter for stats handler to go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#5196)
  • Add a repository Code Ownership Policy. (#5555)
  • The go.opentelemetry.io/contrib/bridges/otellogrus module. This module provides an OpenTelemetry logging bridge for github.com/sirupsen/logrus. (#5355)
  • The WithVersion option function in go.opentelemetry.io/contrib/bridges/otelslog. This option function is used as a replacement of WithInstrumentationScope to specify the logged package version. (#5588)
  • The WithSchemaURL option function in go.opentelemetry.io/contrib/bridges/otelslog. This option function is used as a replacement of WithInstrumentationScope to specify the semantic convention schema URL for the logged records. (#5588)
  • Add support for Cloud Run jobs in go.opentelemetry.io/contrib/detectors/gcp. (#5559)
Changed
  • The gRPC trace Filter for interceptor is renamed to InterceptorFilter. (#5196)
  • The gRPC trace filter functions Any, All, None, Not, MethodName, MethodPrefix, FullMethodName, ServiceName, ServicePrefix and HealthCheck for interceptor are moved to go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/filters/interceptor. With this change, the filters in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc are now working for stats handler. (#5196)
  • NewLogger now accepts a name string as the first argument. This parameter is used as a replacement of WithInstrumentationScope to specify the name of the logger backing the underlying Handler. (#5588)
  • NewHandler now accepts a name string as the first argument. This parameter is used as a replacement of WithInstrumentationScope to specify the name of the logger backing the returned Handler. (#5588)
  • Upgrade all dependencies of go.opentelemetry.io/otel/semconv/v1.24.0 to go.opentelemetry.io/otel/semconv/v1.25.0. (#5605)
Removed
  • The WithInstrumentationScope option function in go.opentelemetry.io/contrib/bridges/otelslog is removed. Use the name parameter added to NewHandler and NewLogger as well as WithVersion and WithSchema as replacements. (#5588)
Deprecated
  • The InterceptorFilter type in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is deprecated. ([#519

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Mar 26, 2024
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 4 times, most recently from 98eabc1 to 39dff06 April 4, 2024 05:29
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from a0da45c to c63d330 April 11, 2024 06:14
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from 12ae496 to f207764 April 19, 2024 06:13
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from e8f6aaf to 7c9a60a April 25, 2024 06:20
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 3 times, most recently from 22c7bc1 to 0faf5cf May 5, 2024 06:06
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 7a2dca3 to ad5d573 May 10, 2024 05:32
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 4 times, most recently from e17977e to c626d11 May 23, 2024 05:45
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from c626d11 to 2b45160 May 24, 2024 05:36
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 835a469 to 1ba91af May 26, 2024 05:23
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 1ba91af to 053fb57 May 27, 2024 05:34