-
Notifications
You must be signed in to change notification settings - Fork 236
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: debasishbsws <[email protected]>
- Loading branch information
1 parent
693b820
commit 0d5e062
Showing
2 changed files
with
70 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| package: | ||
| name: thanos | ||
| version: 0.33.0 | ||
| version: 0.34.0 | ||
| epoch: 0 | ||
| description: Highly available Prometheus setup with long term storage capabilities. | ||
| copyright: | ||
|
|
@@ -18,21 +18,19 @@ environment: | |
| pipeline: | ||
| - uses: git-checkout | ||
| with: | ||
| expected-commit: 0f025f1ff97826a632435ba8fdcb9e3bc248bb27 | ||
| expected-commit: 18d740f2921ab9dfc4fe5c4650bf21cd6d7a1c64 | ||
| repository: https://github.com/thanos-io/thanos | ||
| tag: v${{package.version}} | ||
|
|
||
| - uses: patch | ||
| with: | ||
| patches: upgrade-grpc-to-1.57.2.patch | ||
|
|
||
| - uses: go/bump | ||
| with: | ||
| deps: golang.org/x/[email protected] golang.org/x/[email protected] | ||
| deps: golang.org/x/[email protected] | ||
|
|
||
| - runs: | | ||
| # Mitigate GHSA-m425-mq94-257g | ||
| go mod edit -dropreplace=google.golang.org/grpc | ||
| go get google.golang.org/[email protected] | ||
| go mod edit -replace github.com/sercand/kuberesolver=github.com/sercand/kuberesolver/[email protected] | ||
| go mod tidy | ||
| make build | ||
| - runs: | | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| From effaa8ac16b266c70b3b12273b3cc4d495a49e68 Mon Sep 17 00:00:00 2001 | ||
| From: hanyuting8 <[email protected]> | ||
| Date: Fri, 19 Jan 2024 21:24:17 +0800 | ||
| Subject: [PATCH] Upgrade grpc to 1.57.2 | ||
| MIME-Version: 1.0 | ||
| Content-Type: text/plain; charset=UTF-8 | ||
| Content-Transfer-Encoding: 8bit | ||
|
|
||
| 1、In the replace of go.mod, due to weaveworks/common#239, The grpc version is 1.45.0, but there are vulnerabilities in this version. In order to fix CVE-2023-44478, the grpc version needs to be upgraded to 1.57.2 | ||
| 2、In order to upgrade GRPC, the version of weaveworks/common also needs to be upgraded, otherwise the build will fail | ||
|
|
||
| Signed-off-by: hanyuting8 <[email protected]> | ||
| --- | ||
| go.mod | 7 +- | ||
| go.sum | 863 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
| 2 files changed, 852 insertions(+), 18 deletions(-) | ||
|
|
||
| diff --git a/go.mod b/go.mod | ||
| index 0faf225636..2d1347885c 100644 | ||
| --- a/go.mod | ||
| +++ b/go.mod | ||
| @@ -33,7 +33,6 @@ require ( | ||
| github.com/googleapis/gax-go v2.0.2+incompatible | ||
| github.com/gorilla/mux v1.8.0 // indirect | ||
| github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect | ||
| - github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect | ||
| github.com/grpc-ecosystem/go-grpc-middleware/providers/kit/v2 v2.0.0-20201002093600-73cf2ae9d891 | ||
| github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.2.0.20201207153454-9f6bf00c00a7 | ||
| github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 | ||
| @@ -70,7 +69,7 @@ require ( | ||
| github.com/uber/jaeger-client-go v2.30.0+incompatible | ||
| github.com/uber/jaeger-lib v2.4.1+incompatible // indirect | ||
| github.com/vimeo/galaxycache v0.0.0-20210323154928-b7e5d71c067a | ||
| - github.com/weaveworks/common v0.0.0-20221201103051-7c2720a9024d | ||
| + github.com/weaveworks/common v0.0.0-20230728070032-dd9e68f319d5 | ||
| go.elastic.co/apm v1.11.0 | ||
| go.elastic.co/apm/module/apmot v1.11.0 | ||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect | ||
| @@ -136,6 +135,7 @@ require ( | ||
| github.com/metalmatze/signal v0.0.0-20210307161603-1c9aa721a97a // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/onsi/ginkgo v1.16.5 // indirect | ||
| + github.com/sercand/kuberesolver/v4 v4.0.0 // indirect | ||
| github.com/zhangyunhao116/umap v0.0.0-20221211160557-cb7705fafa39 // indirect | ||
| go.opentelemetry.io/collector/featuregate v1.0.0 // indirect | ||
| go.opentelemetry.io/collector/pdata v1.0.0 // indirect | ||
| @@ -232,7 +232,6 @@ require ( | ||
| github.com/rivo/uniseg v0.2.0 // indirect | ||
| github.com/rs/xid v1.5.0 // indirect | ||
| github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect | ||
| - github.com/sercand/kuberesolver v2.4.0+incompatible // indirect | ||
| github.com/shirou/gopsutil/v3 v3.22.9 // indirect | ||
| github.com/sirupsen/logrus v1.9.3 // indirect | ||
| github.com/spaolacci/murmur3 v1.1.0 // indirect | ||
| @@ -273,7 +272,7 @@ replace ( | ||
| github.com/vimeo/galaxycache => github.com/thanos-community/galaxycache v0.0.0-20211122094458-3a32041a1f1e | ||
|
|
||
| // Override due to https://github.com/weaveworks/common/issues/239 | ||
| - google.golang.org/grpc => google.golang.org/grpc v1.45.0 | ||
| + google.golang.org/grpc => google.golang.org/grpc v1.57.2 | ||
|
|
||
| // Overriding to use latest commit. | ||
| gopkg.in/alecthomas/kingpin.v2 => github.com/alecthomas/kingpin v1.3.8-0.20210301060133-17f40c25f497 |