-
Notifications
You must be signed in to change notification settings - Fork 928
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build(deps): bump github.com/miekg/dns from 1.1.61 to 1.1.62 #13946
build(deps): bump github.com/miekg/dns from 1.1.61 to 1.1.62 #13946
Conversation
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.61 to 1.1.62. - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](miekg/dns@v1.1.61...v1.1.62) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
9502d99
to
aee9c76
Compare
Waiting for branch to be switch to use go 1.21 |
Closing in favor of #13993 |
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
Since this allowed updating our Go modules, it fixes all 3 CVEs: ``` $ trivy fs --scanners vuln . ... go.mod (gomod) Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0) ┌────────────────────────────┬─────────────────────┬──────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├────────────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤ │ github.com/gorilla/schema │ CVE-2024-37298 │ HIGH │ fixed │ 1.4.0 │ 1.4.1 │ gorilla/schema: Potential memory exhaustion attack due to │ │ │ │ │ │ │ │ sparse slice deserialization │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-37298 │ ├────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤ │ google.golang.org/grpc │ GHSA-xr7q-jx4m-x55m │ LOW │ │ 1.64.0 │ 1.64.1 │ Private tokens could appear in logs if context containing │ │ │ │ │ │ │ │ gRPC metadata is... │ │ │ │ │ │ │ │ GHSA-xr7q-jx4m-x55m │ ├────────────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤ │ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM │ affected │ 2.6.0 │ │ jose-go: improper handling of highly compressed data │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-28180 │ └────────────────────────────┴─────────────────────┴──────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘ ``` This PR supersedes #13921 and #13946.
Bumps github.com/miekg/dns from 1.1.61 to 1.1.62.
Commits
07a2352
Release 1.1.6234b3cbb
Go 1.23 was released couple of hours ago39938e9
Revert "Remove use of deprecated net.Error.Temporary (#1589)" (#1594)ef7392e
Remove use of deprecated net.Error.Temporary (#1589)ee99288
Add support for NXNAME type (#1584)8d05ff7
Add support for missing Extended DNS Error Codes (EDE) (#1585)347f250
Bump golang.org/x/sys from 0.21.0 to 0.22.0 (#1588)d6940bf
Bump golang.org/x/net from 0.26.0 to 0.27.0 (#1587)870b1c1
add rfc3596 to the list (#1577)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase
will rebase this PR@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it@dependabot merge
will merge this PR after your CI passes on it@dependabot squash and merge
will squash and merge this PR after your CI passes on it@dependabot cancel merge
will cancel a previously requested merge and block automerging@dependabot reopen
will reopen this PR if it is closed@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions
will show all of the ignore conditions of the specified dependency@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)