
deps: update prom client_golang dependency #11726

Closed
wants to merge 1 commit into from

Conversation

deepthi
Member

@deepthi deepthi commented Nov 16, 2022

Description

Our previous dependency has a known CVE. Though, according to govulncheck, our code doesn't use the vulnerable paths, we are upgrading it to be safe.

Related Issue(s)

Checklist

  • "Backport to:" labels have been added if this change should be back-ported
  • Tests were added or are not required
  • Documentation was added or is not required

Deployment Notes

@vitess-bot
Contributor

vitess-bot bot commented Nov 16, 2022

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

  • Ensure that the Pull Request has a descriptive title.
  • If this is a change that users need to know about, please apply the release notes (needs details) label so that merging is blocked unless the summary release notes document is included.

If a new flag is being introduced:

  • Is it really necessary to add this flag?
  • Flag names should be clear and intuitive (as far as possible)
  • Help text should be descriptive.
  • Flag names should use dashes (-) as word separators rather than underscores (_).

If a workflow is added or modified:

  • Each item in Jobs should be named in order to mark it as required.
  • If the workflow should be required, the maintainer team should be notified.

Bug fixes

  • There should be at least one unit or end-to-end test.
  • The Pull Request description should include a link to an issue that describes the bug.

Non-trivial changes

  • There should be some code comments as to why things are implemented the way they are.

New/Existing features

  • Should be documented, either by modifying the existing documentation or creating new documentation.
  • New features should have a link to a feature request issue or an RFC that documents the use cases, corner cases and test cases.

Backward compatibility

  • Protobuf changes should be wire-compatible.
  • Changes to _vt tables and RPCs need to be backward compatible.
  • vtctl command output order should be stable and awk-able.
  • RPC changes should be compatible with vitess-operator.
  • If a flag is removed, then it should also be removed from VTop, if used there.

@deepthi deepthi added the labels "dependencies", "Component: Observability" and "Type: CI/Build" on Nov 16, 2022
Member

@frouioui frouioui left a comment


This change looks good to me. Version 1.11.1 fixes a known CVE; however, client_golang has had 4 new releases since version 1.11.1. It would be even better to upgrade to their latest version: 1.14.0.

@deepthi
Member Author

deepthi commented Nov 16, 2022

This change looks good to me. Version 1.11.1 fixes a known CVE; however, client_golang has had 4 new releases since version 1.11.1. It would be even better to upgrade to their latest version: 1.14.0.

Good point. #11741 actually does that. Let's close this PR and move that forward.

@deepthi deepthi closed this Nov 16, 2022