fix(deps): update github.com/grafana/loki digest to 012cf92 [security] (main) - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/grafana/loki	require	digest	4e4359e -> 012cf92
github.com/grafana/loki	require	digest	90888a0 -> 012cf92

GitHub Vulnerability Alerts

CVE-2021-36156

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: tools/lambda-promtail/go.sum

Command failed: go mod tidy
go: downloading github.com/google/go-cmp v0.5.9
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/alicebob/miniredis/v2 v2.30.4
go: downloading github.com/OneOfOne/xxhash v1.2.6
go: downloading github.com/alicebob/miniredis v2.5.0+incompatible
go: downloading github.com/spaolacci/murmur3 v1.1.0
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading github.com/onsi/gomega v1.24.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/Workiva/go-datastructures v1.1.0
go: downloading github.com/pierrec/lz4/v4 v4.1.18
go: downloading github.com/HdrHistogram/hdrhistogram-go v1.1.2
go: downloading github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a
go: downloading github.com/yuin/gopher-lua v1.1.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.10.0
go: downloading github.com/pascaldekloe/goe v0.1.0
go: downloading github.com/hashicorp/consul/sdk v0.14.1
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading github.com/nxadm/tail v1.4.8
go: downloading github.com/hashicorp/go-version v1.2.1
go: downloading github.com/Azure/go-autorest/autorest v0.11.29
go: downloading github.com/Azure/go-autorest v14.2.0+incompatible
go: downloading github.com/Azure/go-autorest/autorest/adal v0.9.23
go: downloading github.com/digitalocean/godo v1.99.0
go: downloading github.com/hetznercloud/hcloud-go/v2 v2.0.0
go: downloading github.com/ionos-cloud/sdk-go/v6 v6.1.8
go: downloading k8s.io/api v0.28.1
go: downloading k8s.io/apimachinery v0.28.1
go: downloading k8s.io/client-go v0.21.0
go: downloading github.com/linode/linodego v1.19.0
go: downloading github.com/docker/docker v24.0.7+incompatible
go: downloading github.com/hashicorp/nomad/api v0.0.0-20230718173136-3a687930bd3e
go: downloading github.com/gophercloud/gophercloud v1.5.0
go: downloading github.com/ovh/go-ovh v1.4.1
go: downloading github.com/scaleway/scaleway-sdk-go v1.0.0-beta.20
go: downloading github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b
go: downloading github.com/vultr/govultr/v2 v2.17.2
go: downloading github.com/envoyproxy/go-control-plane v0.11.1
go: downloading github.com/envoyproxy/protoc-gen-validate v1.0.2
go: downloading github.com/go-zookeeper/zk v1.0.3
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading github.com/Azure/go-autorest/autorest/date v0.3.0
go: downloading github.com/Azure/go-autorest/autorest/to v0.4.0
go: downloading github.com/Azure/go-autorest/autorest/validation v0.3.1
go: downloading github.com/Azure/go-autorest/tracing v0.6.0
go: downloading github.com/Azure/go-autorest/logger v0.2.1
go: downloading github.com/google/go-querystring v1.1.0
go: downloading github.com/google/gofuzz v1.2.0
go: downloading k8s.io/klog/v2 v2.100.1
go: downloading k8s.io/klog v1.0.0
go: downloading k8s.io/utils v0.0.0-20230711102312-30195339c3c7
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.3.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading golang.org/x/term v0.15.0
go: downloading github.com/go-resty/resty/v2 v2.7.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/docker/go-connections v0.4.0
go: downloading github.com/docker/go-units v0.5.0
go: downloading github.com/opencontainers/image-spec v1.0.2
go: downloading github.com/docker/distribution v2.8.2+incompatible
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/gorilla/websocket v1.5.0
go: downloading github.com/hashicorp/cronexpr v1.1.2
go: downloading github.com/hashicorp/go-retryablehttp v0.7.4
go: downloading github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4
go: downloading github.com/benbjohnson/clock v1.1.0
go: downloading github.com/dnaeon/go-vcr v1.2.0
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading cloud.google.com/go/compute/metadata v0.2.3
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading cloud.google.com/go/compute v1.23.0
go: downloading github.com/Microsoft/go-winio v0.6.1
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
go: downloading cloud.google.com/go v0.110.7
go: downloading github.com/go-openapi/jsonreference v0.20.2
go: downloading github.com/go-openapi/swag v0.22.4
go: downloading github.com/google/gnostic-models v0.6.8
go: downloading github.com/go-openapi/jsonpointer v0.20.0
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/josharian/intern v1.0.0
go: finding module for package github.com/googleapis/gnostic/openapiv2
go: finding module for package k8s.io/apimachinery/pkg/util/clock
go: downloading github.com/googleapis/gnostic v0.7.0
go: downloading k8s.io/apimachinery v0.29.1
go: found github.com/googleapis/gnostic/openapiv2 in github.com/googleapis/gnostic v0.7.0
go: main/lambda-promtail imports
	github.com/grafana/loki/pkg/logproto imports
	github.com/grafana/loki/pkg/logql/syntax imports
	github.com/prometheus/prometheus/promql imports
	github.com/prometheus/prometheus/util/teststorage imports
	github.com/prometheus/prometheus/tsdb imports
	github.com/prometheus/prometheus/config tested by
	github.com/prometheus/prometheus/config.test imports
	github.com/prometheus/prometheus/discovery/kubernetes imports
	k8s.io/client-go/kubernetes imports
	k8s.io/client-go/discovery imports
	github.com/googleapis/gnostic/openapiv2: github.com/googleapis/gnostic@v0.7.0: parsing go.mod:
	module declares its path as: github.com/google/gnostic
	        but was required as: github.com/googleapis/gnostic

File name: operator/go.sum

Command failed: go get -d -t ./...
warning: ignoring symlink /tmp/renovate/repos/github/grafana/loki/operator/website/content/docs
go: downloading github.com/ViaQ/logerr/v2 v2.1.0
go: downloading github.com/openshift/api v0.0.0-20240116035456-11ed2fbcb805
go: downloading github.com/openshift/cloud-credential-operator v0.0.0-20240122210451-67842c7839ac
go: downloading github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.67.1
go: downloading k8s.io/apimachinery v0.28.6
go: downloading k8s.io/client-go v0.28.6
go: downloading sigs.k8s.io/controller-runtime v0.16.3
go: downloading k8s.io/component-base v0.28.6
go: downloading k8s.io/api v0.28.6
go: downloading github.com/openshift/library-go v0.0.0-20240117151256-95b334bccb5d
go: downloading k8s.io/apiserver v0.28.6
go: downloading k8s.io/utils v0.0.0-20240102154912-e7106e64919e
go: downloading github.com/prometheus/client_golang v1.17.0
go: downloading github.com/evanphx/json-patch/v5 v5.6.0
go: downloading gomodules.xyz/jsonpatch/v2 v2.4.0
go: downloading github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16
go: downloading github.com/prometheus/procfs v0.11.1
go: downloading golang.org/x/net v0.19.0
go: downloading k8s.io/apiextensions-apiserver v0.28.3
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading golang.org/x/sync v0.5.0
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.etcd.io/etcd/api/v3 v3.5.9
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.5.9
go: downloading go.etcd.io/etcd/client/v3 v3.5.9
go: downloading github.com/emicklei/go-restful/v3 v3.11.0
go: downloading go.uber.org/zap v1.25.0
go: downloading golang.org/x/tools v0.16.1
go: downloading github.com/coreos/go-semver v0.3.1
go: downloading golang.org/x/mod v0.14.0
go: github.com/sercand/kuberesolver/v5@v5.1.1 used for two different module paths (github.com/sercand/kuberesolver and github.com/sercand/kuberesolver/v5)

[github-actions]

Trivy scan found the following vulnerabilities:

• HIGH, Target: docker.io/grafana/loki:main-0dc8c75 (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libcrypto3 v3.1.3-r0. Fixed in v3.1.4-r0
• HIGH, Target: docker.io/grafana/loki:main-0dc8c75 (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libssl3 v3.1.3-r0. Fixed in v3.1.4-r0
  \nTo see more details on these vulnerabilities, and how/where to fix them, please run docker build -t grafana/loki:main-0dc8c75 -f cmd/loki/Dockerfile .
  trivy i grafana/loki:main-0dc8c75 on your branch. If these were not introduced by your PR, please considering fixing them in via a subsequent PR. Thanks!