build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 #3266
Conversation
Any ETA on when this PR will be merged? We are having security findings on the master branch code. Requesting to please expedite this.
Any security alerts for this seem to be a false positive. The issue in question relates to functions not in use by the exporter. Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.
@dependabot rebase
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.36.0.
- [Commits](golang/net@v0.33.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
8c8fa1d to 78ef579
I saw your PR and the crypto library version has changed to 0.35.0. This is as per advisory https://nvd.nist.gov/vuln/detail/CVE-2025-22869 . Also, there is another CVE https://nvd.nist.gov/vuln/detail/CVE-2025-22868 which requires to bump the oauth2 version. I am not sure if this PR is the right place to discuss this, but I am posting here since at least the crypto bump will help us.
There is no ssh or oauth2 use in the exporter. You must be more careful about evaluating security reports. Please stop reporting false positives. If you continue to do so you will be banned from the project.
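A first-pass check for the claim above (whether the exporter's own sources import golang.org/x/crypto/ssh or golang.org/x/oauth2 at all), as an added example that is not code from the exporter or from this thread. The watch list, the `importHits` name and the `reach.go` filename are this example's assumptions; a clean result rules out direct imports only, not transitive use, which is what govulncheck's call-graph analysis is for.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"strings"
)

// Packages named in the advisories discussed in the thread. Watching exactly
// these two is this example's assumption, not a rule from the exporter project.
var watchList = []string{"golang.org/x/crypto/ssh", "golang.org/x/oauth2"}

// importHits parses one Go source file in ImportsOnly mode (no build or module
// download needed) and returns the watched packages it imports directly, one
// entry per matching import line; a subpackage of a watched path also counts.
// src may be nil to read the file at name from disk, or a string/[]byte.
func importHits(name string, src any, watch []string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`) // Value keeps the quotes
		for _, w := range watch {
			if path == w || strings.HasPrefix(path, w+"/") {
				hits = append(hits, w)
			}
		}
	}
	return hits, nil
}

// Usage: go run reach.go $(find . -name '*.go')
// A file with no hits never references the watched packages directly; that does
// not rule out reaching them through another dependency.
func main() {
	for _, name := range os.Args[1:] {
		hits, err := importHits(name, nil, watchList)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", name, hits)
	}
}
```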
Bumps golang.org/x/net from 0.33.0 to 0.36.0.
Commits

- 85d1d54 go.mod: update golang.org/x dependencies
- cde1dda proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
- fe7f039 publicsuffix: spruce up code gen and speed up PublicSuffix
- 459513d internal/http3: move more common stream processing to genericConn
- aad0180 http2: fix flakiness from t.Log when GOOS=js
- b73e574 http2: don't log expected errors from writing invalid trailers
- 5f45c77 internal/http3: make read-data tests usable for server handlers
- 43c2540 http2, internal/httpcommon: reject userinfo in :authority
- 1d78a08 http2, internal/httpcommon: factor out server header logic for h2/h3
- 0d7dc54 quic: add Conn.ConnectionState

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.