Update Mend: high confidence minor and patch dependency updates #20

Open. Wants to merge 1 commit into base: master.
Conversation

mend-for-github-com[bot] commented Mar 26, 2024

This PR contains the following updates:

Package | Change
cloud.google.com/go/secretmanager | v1.11.1 -> v1.13.1
cloud.google.com/go/storage | v1.33.0 -> v1.41.0
github.com/Azure/azure-sdk-for-go/sdk/azcore | v1.8.0 -> v1.11.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity | v1.3.1 -> v1.5.2
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob | v1.1.0 -> v1.3.2
github.com/DataDog/datadog-go/v5 | v5.3.0 -> v5.5.0
github.com/bugsnag/bugsnag-go/v2 | v2.2.0 -> v2.4.0
github.com/felixge/httpsnoop | v1.0.3 -> v1.0.4
github.com/newrelic/go-agent/v3 | v3.26.0 -> v3.33.0
github.com/prometheus/client_golang | v1.17.0 -> v1.19.1
github.com/stretchr/testify | v1.8.4 -> v1.9.0
go.opentelemetry.io/otel/metric | v1.19.0 -> v1.27.0
go.opentelemetry.io/otel/sdk/metric | v1.19.0 -> v1.27.0
golang.org/x/image | v0.13.0 -> v0.16.0
golang.org/x/net | v0.15.0 -> v0.17.0
golang.org/x/sys | v0.13.0 -> v0.20.0
gopkg.in/DataDog/dd-trace-go.v1 | v1.55.0 -> v1.64.0

By merging this PR, the issue #19 will be automatically resolved and closed:

Severity | CVSS Score | CVE | Reachability
High | High 7.5 | CVE-2023-39325 |

Release Notes

DataDog/datadog-go (github.com/DataDog/datadog-go/v5)

v5.5.0

See the Changelog for the details.

v5.4.0

See the Changelog for the details.

bugsnag/bugsnag-go (github.com/bugsnag/bugsnag-go/v2)

v2.4.0

2.4.0 (2024-04-15)

Enhancements

v2.3.1

2.3.1 (2024-03-18)

Bug fixes
  • Handle empty pointers to complex structs in metadata.Add #221

v2.3.0

2.3.0 (2024-03-05)

Bug fixes

v2.2.1

2.2.1 (2022-02-21)

Bug fixes
  • Fix middleware panic on nil *http.Request #212

felixge/httpsnoop (github.com/felixge/httpsnoop)

v1.0.4

newrelic/go-agent (github.com/newrelic/go-agent/v3)

v3.33.0: Release 3.33.0

Added
  • Support for Zap Field Attributes
  • Updated dependency on csec-go-agent in nrsecurityagent
Fixed
  • Fixed an issue where running containers on AWS would falsely flag Azure Utilization
  • Fixed a typo with nrecho-v3
  • Changed nrslog example to use a context driven handler

These changes increment the affected integration package version numbers to:

  • nrsecurityagent v1.3.1
  • nrecho-v3 v1.1.1
  • logcontext-v2/nrslog v1.2.0
  • logcontext-v2/nrzap v1.2.0

Support statement

We use the latest version of the Go language. At minimum, you should be using no version of Go older than what is supported by the Go team themselves.
See the Go agent EOL Policy for details about supported versions of the Go agent and third-party components.

v3.32.0: Release 3.32.0

Added
  • Updates to support for the New Relic security agent to report API endpoints.
    • Adds new wrapper function for the nrecho, nrgin, and nrgorilla integrations.
  • Handler to take New Relic transaction data from context automatically when using nrslog integration (thanks, @adomaskizogian!)
Fixed
  • Adds missing license file to the nropenai integration.
  • Changes *bedrockruntime.Client parameters in nrawsbedrock integration to use a more general interface type, allowing the use of custom types which extend the bedrock client type.
  • Fixes pgx5 pool example
  • Updated unit tests to check Transaction.Ignore
  • Updated nrzap unit tests to add background logger sugared test case.

v3.31.0: Release 3.31.0

Added
  • Integration packages to instrument AI model invocations (see below).
    • New package nrawsbedrock v1.0.0 introduced to instrument calls to Amazon Bedrock Runtime Client API InvokeModel and InvokeModelWithResponseStream calls. Also provides a simple one-step method which invokes stream invocations and harvests the response stream data for you.
    • New package nropenai v1.0.0 introduced to instrument calls to OpenAI using NRCreateChatCompletion, NRCreateChatCompletionStream, and NRCreateEmbedding calls.
    • Dockerfile in the examples/server sample app which facilitates the easy creation of a containerized ready-to-run sample app for situations where that makes testing easier.
Fixed
  • .Ignore was not ignoring transaction. Fixes Issue #845.
  • Added nil error check in wrap function. Fixes Issue #862.
  • WrapBackgroundCore background logger was not sending logs to New Relic. Fixes Issue #859.
  • Corrected pgx5 integration example which caused a race condition. Thanks to @WillAbides! Fixes Issue #855.
  • Updated third-party library versions due to reported security or other supportability issues:
    • github.com/jackc/pgx/v5 to 5.5.4 in nrpgx5 integration
    • google.golang.org/protobuf to 1.33.0 in nrmicro and nrgrpc integrations
    • github.com/jackc/pgx/v4 to 4.18.2 in nrpgx integration
AI Monitoring Configuration

New configuration options are available specific to AI monitoring. These settings include:

  • AIMonitoring.Enabled, configured via ConfigAIMonitoring.Enabled(bool) [default false]
  • AIMonitoring.Streaming.Enabled, configured via ConfigAIMonitoringStreamingEnabled(bool) [default true]
  • AIMonitoring.Content.Enabled, configured via ConfigAIMonitoringContentEnabled(bool) [default true]
AI Monitoring Public API Methods

Two new AI monitoring related public API methods have been added, as methods of the newrelic.Application value returned by newrelic.NewApplication:

AI Monitoring

New Relic AI monitoring is the industry’s first APM solution that provides end-to-end visibility for AI Large Language Model (LLM) applications. It enables end-to-end visibility into the key components of an AI LLM application. With AI monitoring, users can monitor, alert, and debug AI-powered applications for reliability, latency, performance, security and cost. AI monitoring also enables AI/LLM specific insights (metrics, events, logs and traces) which can easily integrate to build advanced guardrails for enterprise security, privacy and compliance.

AI monitoring offers custom-built insights and tracing for the complete lifecycle of an LLM’s prompts and responses, from raw user input to repaired/polished responses. AI monitoring provides built-in integrations with popular LLMs and components of the AI development stack. This release provides instrumentation for OpenAI
and Bedrock.

When AI monitoring is enabled with ConfigAIMonitoringEnabled(true), the agent will now capture AI LLM related data. This data will be visible under a new APM tab called AI Responses. See our AI Monitoring documentation for more details.

v3.30.0: Release 3.30.0

Added
  • Updated the dependency on nrsecurityagent to 1.0.0.
  • Added new integration, logcontext-v2/nrslog, which instruments logging via the new slog library.
Fixed
  • Redacts license keys from error reporting.

v3.29.1: Release 3.29.1

Added
  • Added Dockerized Unit Tests for Github Actions (internal build support)
Fixes
  • Updated version of New Relic Security Agent (enables bug fixes released in that agent code for use with the Go Agent).

v3.29.0: Release 3.29.0

Added
  • Security agent integration nrsecurityagent now reports security configuration information along with the overall Go Agent configuration values. (Updates nrsecurityagent to v1.2.0.)
  • Code-Level Metrics collection efficiency enhancement allows user callback function for as-needed (and just-in-time) evaluation of custom code locations rather than up-front location overrides, via the WithCodeLocationCallback CLM option. Deprecates WithCodeLocation option (although the latter function is still supported for compatibility with existing code).
  • Added extended synthetics support for new X-Newrelic-Synthetics-Info HTTP headers.
  • Documentation fixes.
  • Removed deprecated ROADMAP.md file.

v3.28.1: Release 3.28.1

Added
  • Added Supportability Metrics to nrfasthttp (brings nrfasthttp version to v1.0.1).
  • Always Link Transaction IDs to traces regardless of whether Distributed Tracing is enabled or not
Fixed
  • Fixed an issue where nil Request.Body could be set to non-nil request.Body with zero length when the security agent is enabled
Security
  • More Secure URL Redaction

v3.28.0: Release 3.28.0

Fixed
  • Bumped gRPC from 1.54.0 -> 1.56.3 in the following packages /v3/integrations/nrgrpc, /v3/, /v3/integrations/nrgrpc
  • Bumped golang.org/x/net from 0.8.0 -> 0.17.0 in package /v3/integrations/nrgraphqlgo
  • Fixed issue where nrfasthttp would not properly register security agent headers
  • Move fasthttp instrumentation into a new integration package, nrfasthttp
  • Fixed issue where usage of io.ReadAll() was causing a memory leak

v3.27.0: Release 3.27.0

Added
  • Added Support for getting Container IDs from cgroup v2 docker containers
  • A new instrumentation package for RabbitMQ with distributed tracing support: nramqp
Fixed
  • Unit tests repairs and improvements
  • Removed deprecated V2 code from the repository. The support timeframe for this code has expired and is no longer recommended for use.
  • Bumped github.com/graphql-go/graphql from 0.7.9 to 0.8.1

prometheus/client_golang (github.com/prometheus/client_golang)

v1.19.1

What's Changed

  • Security patches for golang.org/x/sys and google.golang.org/protobuf

New Contributors

Full Changelog: prometheus/client_golang@v1.19.0...v1.19.1

v1.19.0

What's Changed

The module prometheus/common v0.48.0 introduced an incompatibility when used together with client_golang (See https://github.com/prometheus/client_golang/pull/1448 for more details). If your project uses client_golang and you want to use prometheus/common v0.48.0 or higher, please update client_golang to v1.19.0.

  • [CHANGE] Minimum required go version is now 1.20 (we also test client_golang against new 1.22 version). #1445 #1449
  • [FEATURE] collectors: Add version collector. #1422 #1427

New Contributors

Full Changelog: prometheus/client_golang@v1.18.0...v1.19.0

v1.18.0

What's Changed

  • [FEATURE] promlint: Allow creation of custom metric validations. #1311
  • [FEATURE] Go programs using client_golang can be built in wasip1 OS. #1350
  • [BUGFIX] histograms: Add timer to reset ASAP after bucket limiting has happened. #1367
  • [BUGFIX] testutil: Fix comparison of metrics with empty Help strings. #1378
  • [ENHANCEMENT] Improved performance of MetricVec.WithLabelValues(...). #1360

New Contributors

Full Changelog: prometheus/client_golang@v1.17.0...v1.18.0

stretchr/testify (github.com/stretchr/testify)

v1.9.0

What's Changed

New Contributors

Full Changelog: stretchr/testify@v1.8.4...v1.9.0

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/metric)

v1.27.0: /v0.49.0/v0.3.0

This release includes the first beta release of the OpenTelemetry Logs Bridge API and SDK for Go.

Overview
Added
  • Add example for go.opentelemetry.io/otel/exporters/stdout/stdoutlog. (#5242)
  • Add RecordFactory in go.opentelemetry.io/otel/sdk/log/logtest to facilitate testing exporter and processor implementations. (#5258)
  • Add RecordFactory in go.opentelemetry.io/otel/log/logtest to facilitate testing bridge implementations. (#5263)
  • The count of dropped records from the BatchProcessor in go.opentelemetry.io/otel/sdk/log is logged. (#5276)
  • Add metrics in the otel-collector example. (#5283)
  • Add the synchronous gauge instrument to go.opentelemetry.io/otel/metric. (#5304)
    • An int64 or float64 synchronous gauge instrument can now be created from a Meter.
    • All implementations of the API (go.opentelemetry.io/otel/metric/noop, go.opentelemetry.io/otel/sdk/metric) are updated to support this instrument.
  • Add logs to go.opentelemetry.io/otel/example/dice. (#5349)
Changed
  • The Shutdown method of Exporter in go.opentelemetry.io/otel/exporters/stdout/stdouttrace ignores the context cancellation and always returns nil. (#5189)
  • The ForceFlush and Shutdown methods of the exporter returned by New in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric ignore the context cancellation and always return nil. (#5189)
  • Apply the value length limits to Record attributes in go.opentelemetry.io/otel/sdk/log. (#5230)
  • De-duplicate map attributes added to a Record in go.opentelemetry.io/otel/sdk/log. (#5230)
  • go.opentelemetry.io/otel/exporters/stdout/stdoutlog won't print timestamps when WithoutTimestamps option is set. (#5241)
  • The go.opentelemetry.io/otel/exporters/stdout/stdoutlog exporter won't print AttributeValueLengthLimit and AttributeCountLimit fields now, instead it prints the DroppedAttributes field. (#5272)
  • Improved performance in the Stringer implementation of go.opentelemetry.io/otel/baggage.Member by reducing the number of allocations. (#5286)
  • Set the start time for last-value aggregates in go.opentelemetry.io/otel/sdk/metric. (#5305)
  • The Span in go.opentelemetry.io/otel/sdk/trace will record links without span context if either non-empty TraceState or attributes are provided. (#5315)
  • Upgrade all dependencies of go.opentelemetry.io/otel/semconv/v1.24.0 to go.opentelemetry.io/otel/semconv/v1.25.0. (#5374)
Fixed
  • Comparison of unordered maps for go.opentelemetry.io/otel/log.KeyValue and go.opentelemetry.io/otel/log.Value. (#5306)
  • Fix the empty output of go.opentelemetry.io/otel/log.Value in go.opentelemetry.io/otel/exporters/stdout/stdoutlog. (#5311)
  • Split the behavior of Recorder in go.opentelemetry.io/otel/log/logtest so it behaves as a LoggerProvider only. (#5365)
  • Fix wrong package name of the error message when parsing endpoint URL in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#5371)
  • Identify the Logger returned from the global LoggerProvider in go.opentelemetry.io/otel/log/global with its schema URL. (#5375)
What's Changed

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


mend-for-github-com[bot] added the "security fix" label (Security fix generated by Mend) on Mar 26, 2024
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 4 times, most recently from 98eabc1 to 39dff06 on April 4, 2024 05:29
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from a0da45c to c63d330 on April 11, 2024 06:14
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from 12ae496 to f207764 on April 19, 2024 06:13
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from e8f6aaf to 7c9a60a on April 25, 2024 06:20
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 3 times, most recently from 22c7bc1 to 0faf5cf on May 5, 2024 06:06
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 7a2dca3 to ad5d573 on May 10, 2024 05:32
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 4 times, most recently from e17977e to c626d11 on May 23, 2024 05:45
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from c626d11 to 2b45160 on May 24, 2024 05:36
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from b498e5b to 2b297b3 on May 30, 2024 01:00
mend-for-github-com[bot] force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 2b297b3 to 24558ab on May 30, 2024 05:42
Labels: security fix (Security fix generated by Mend)