-
-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Private tokens could appear in logs if context containing gRPC metadata is logged #97
Comments
Seems like it would be the indirect dependency here: Line 52 in 3c931ec
I would have expected dependabot to already be addressing that on the next round. Are you really wanting to chase down all these low priority CVEs? I know I don't really care to. |
No, not necessarily. is just a nice to have. |
Hey. Not sure if there is any other dependency that downloads the GRPC, but in general It should come from Open Telemetry. Updating the dependencies to v1.29.0 should do the trick! https://github.com/open-telemetry/opentelemetry-go/releases https://github.com/itzg/mc-monitor/blob/3c931ec973e78ac576395043a27cd7f917f93ee4/go.mod go.opentelemetry.io/otel v1.29.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0
go.opentelemetry.io/otel/metric v1.29.0
go.opentelemetry.io/otel/sdk/metric v1.29.0 |
Thanks @vitorvasc ! I'm actually curious if the weekly run of dependabot (on Mondays for this repo) will bump that anyway. |
Maybe try Renovate if Dependabot doesn't do something like this reliably; then Semantic Release for automatic publication with relevant code changes. 😁 |
I get this CVE reported by the Docker Scout for itzg/mc-monitor.
Unfortunately,I can't find the place in the code to submit a PR.
LOW: GHSA-xr7q-jx4m-x55m
grpc/grpc-go@ab29241
Can we fix that?
The text was updated successfully, but these errors were encountered: