Private tokens could appear in logs if context containing gRPC metadata is logged #97
Comments
Seems like it would be the indirect dependency here: Line 52 in 3c931ec
I would have expected dependabot to already be addressing that on the next round. Are you really wanting to chase down all these low priority CVEs? I know I don't really care to.
No, not necessarily. It is just a nice to have.
Hey. Not sure if there is any other dependency that downloads the GRPC, but in general it should come from Open Telemetry. Updating the dependencies to v1.29.0 should do the trick!
https://github.com/open-telemetry/opentelemetry-go/releases
https://github.com/itzg/mc-monitor/blob/3c931ec973e78ac576395043a27cd7f917f93ee4/go.mod
go.opentelemetry.io/otel v1.29.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0
go.opentelemetry.io/otel/metric v1.29.0
go.opentelemetry.io/otel/sdk/metric v1.29.0
Thanks @vitorvasc ! I'm actually curious if the weekly run of dependabot (on Mondays for this repo) will bump that anyway.
Maybe try Renovate if Dependabot doesn't do something like this reliably; then Semantic Release for automatic publication with relevant code changes. 😁
I get this CVE reported by the Docker Scout for itzg/mc-monitor.
Unfortunately, I can't find the place in the code to submit a PR.
LOW: GHSA-xr7q-jx4m-x55m
grpc/grpc-go@ab29241
Can we fix that?