
Commit 6b79bf8

fix(security): update otel deps, minimum core Go version (#1897)
Update vulnerable OTel deps and update to Go 1.25. Signed-off-by: Todd Baert <[email protected]>
1 parent 25c5fd7 commit 6b79bf8


6 files changed

+197
-211
lines changed


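--- a/core/go.mod
+++ b/core/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-feature/flagd/core
 
-go 1.24.0
+go 1.25.0
 
 require (
 buf.build/gen/go/open-feature/flagd/grpc/go v1.6.1-20260217192757-1388a552fc3c.1
@@ -14,35 +14,35 @@ require (
 github.com/hashicorp/go-memdb v1.3.5
 github.com/open-feature/flagd-schemas v0.2.13
 github.com/open-feature/open-feature-operator/apis v0.2.45
-github.com/prometheus/client_golang v1.23.0
+github.com/prometheus/client_golang v1.23.2
 github.com/robfig/cron v1.2.0
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 github.com/stretchr/testify v1.11.1
 github.com/twmb/murmur3 v1.1.8
-go.opentelemetry.io/contrib/exporters/autoexport v0.63.0
-go.opentelemetry.io/otel v1.40.0
-go.opentelemetry.io/otel/exporters/prometheus v0.60.0
-go.opentelemetry.io/otel/metric v1.40.0
-go.opentelemetry.io/otel/sdk v1.40.0
-go.opentelemetry.io/otel/sdk/metric v1.40.0
-go.opentelemetry.io/otel/trace v1.40.0
+go.opentelemetry.io/contrib/exporters/autoexport v0.67.0
+go.opentelemetry.io/otel v1.42.0
+go.opentelemetry.io/otel/exporters/prometheus v0.64.0
+go.opentelemetry.io/otel/metric v1.42.0
+go.opentelemetry.io/otel/sdk v1.42.0
+go.opentelemetry.io/otel/sdk/metric v1.42.0
+go.opentelemetry.io/otel/trace v1.42.0
 go.uber.org/mock v0.5.2
 go.uber.org/zap v1.27.0
 gocloud.dev v0.42.0
-golang.org/x/crypto v0.45.0
+golang.org/x/crypto v0.48.0
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-golang.org/x/mod v0.29.0
-golang.org/x/oauth2 v0.32.0
-golang.org/x/sync v0.18.0
-google.golang.org/grpc v1.78.0
+golang.org/x/mod v0.32.0
+golang.org/x/oauth2 v0.35.0
+golang.org/x/sync v0.19.0
+google.golang.org/grpc v1.79.2
 google.golang.org/protobuf v1.36.11
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/apimachinery v0.33.2
 k8s.io/client-go v0.33.2
 )
 
 require (
-cel.dev/expr v0.24.0 // indirect
+cel.dev/expr v0.25.1 // indirect
 cloud.google.com/go v0.121.1 // indirect
 cloud.google.com/go/auth v0.16.1 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
@@ -84,11 +84,11 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
-github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.12.0 // indirect
-github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
-github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
+github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
@@ -99,15 +99,14 @@ require (
 github.com/go-openapi/jsonreference v0.21.0 // indirect
 github.com/go-openapi/swag v0.23.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
-github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/google/gnostic-models v0.6.9 // indirect
 github.com/google/s2a-go v0.1.9 // indirect
 github.com/google/wire v0.6.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 github.com/googleapis/gax-go/v2 v2.14.2 // indirect
-github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 github.com/hashicorp/go-uuid v1.0.2 // indirect
 github.com/hashicorp/golang-lru v0.5.4 // indirect
@@ -124,9 +123,9 @@ require (
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
-github.com/prometheus/common v0.65.0 // indirect
-github.com/prometheus/otlptranslator v0.0.2 // indirect
-github.com/prometheus/procfs v0.17.0 // indirect
+github.com/prometheus/common v0.67.5 // indirect
+github.com/prometheus/otlptranslator v1.0.0 // indirect
+github.com/prometheus/procfs v0.20.1 // indirect
 github.com/spf13/pflag v1.0.6 // indirect
 github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
@@ -135,35 +134,36 @@ require (
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 // indirect
-go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
+go.opentelemetry.io/contrib/bridges/prometheus v0.67.0 // indirect
+go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 // indirect
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
-go.opentelemetry.io/otel/log v0.14.0 // indirect
-go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect
-go.opentelemetry.io/proto/otlp v1.7.1 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.18.0 // indirect
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 // indirect
+go.opentelemetry.io/otel/log v0.18.0 // indirect
+go.opentelemetry.io/otel/sdk/log v0.18.0 // indirect
+go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
-golang.org/x/net v0.47.0 // indirect
-golang.org/x/sys v0.40.0 // indirect
-golang.org/x/term v0.37.0 // indirect
-golang.org/x/text v0.31.0 // indirect
+go.yaml.in/yaml/v2 v2.4.3 // indirect
+golang.org/x/net v0.51.0 // indirect
+golang.org/x/sys v0.41.0 // indirect
+golang.org/x/term v0.40.0 // indirect
+golang.org/x/text v0.34.0 // indirect
 golang.org/x/time v0.11.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/api v0.235.0 // indirect
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
-google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 k8s.io/api v0.33.2 // indirect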
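Review bot: Two OTel contrib modules are left behind by this security bump: `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0` and `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0` are unchanged context lines in the last hunk, while `autoexport` and `bridges/prometheus` move to v0.67.0 and the core `otel` modules to v1.42.0. The commit record names no advisory, so the diff alone cannot show whether the affected package is out of the build graph. Running `govulncheck ./...` against the new module graph and recording the advisory id in the description would settle that. Separately, `go 1.25.0` in the first hunk raises the minimum toolchain for every importer of `github.com/open-feature/flagd/core`, and the jump of `github.com/prometheus/otlptranslator` from v0.0.2 to v1.0.0 may change how exported metric names are translated, so both deserve a release-note line.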
