
build: bump vulnerable Go dependencies on release-8.5#1132

Open
vtatai wants to merge 1 commit into pingcap:release-8.5 from vtatai:github/release-8.5-vuln-version-bumps

Conversation

@vtatai vtatai commented Jun 24, 2026


Summary

This PR updates the release-8.5 branch to consume newer Prometheus / OpenTelemetry / Go networking dependencies needed to address vulnerability findings in downstream TiDB monitor reloader images.

The main driver is CVE-2026-39883, reported against go.opentelemetry.io/otel/sdk via the Prometheus dependency chain. The fixed version required by our scanner is newer than the version currently pulled by github.com/prometheus/prometheus v0.55.1, so this bumps Prometheus and related modules.

Changes

  • Bump github.com/prometheus/prometheus to v0.312.0
  • Bump OpenTelemetry modules to v1.44.0
  • Bump Go networking/security modules:
    • golang.org/x/crypto
    • golang.org/x/net
  • Update rulefmt.Parse call sites for the newer Prometheus API:
    • pkg/operator/rules.go
    • reload/server/bizlogic/server.go

Why this is needed

Downstream TiDB monitor reloader images built from this branch are being flagged for CVE-2026-39883 through the Prometheus/OpenTelemetry dependency chain.

Updating only direct OpenTelemetry modules is not enough because the affected dependency path is pulled through Prometheus. Bumping Prometheus brings in the newer compatible OpenTelemetry stack and requires small source compatibility updates for the changed rulefmt API.

Validation

  • go test ./reload/... ./pkg/operator/...
  • git diff --check
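The "Why this is needed" section above rests on a question every dependency-bump PR has to answer: which requirement chain drags the flagged module into the build, and which version does the Go toolchain actually select for it? The program below is an added example, not code from this PR or from the pingcap/monitoring repository. It parses `go mod graph` output, reports the shortest chain from the main module to a target module (the same answer `go mod why -m` gives) and the version minimal version selection will build with (the highest one required anywhere in the reachable graph), then compares that against a fix version. The module graph it reads is constructed for the demo: the main-module path `github.com/pingcap/monitoring` and the `v1.30.0` OpenTelemetry versions are assumptions, and only `github.com/prometheus/prometheus@v0.55.1` is taken from the PR text.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is constructed `go mod graph`-style output for this demo; the
// main-module path and OpenTelemetry versions are assumptions, not the branch's.
const sampleGraph = `
github.com/pingcap/monitoring github.com/prometheus/prometheus@v0.55.1
github.com/prometheus/prometheus@v0.55.1 go.opentelemetry.io/otel/sdk@v1.30.0
go.opentelemetry.io/otel/sdk@v1.30.0 go.opentelemetry.io/otel@v1.30.0
`

// ParseModGraph parses `go mod graph` output into an edge map (module version A
// requires B) and returns the main module, the one node without "@version".
func ParseModGraph(text string) (root string, edges map[string][]string, err error) {
	edges = map[string][]string{}
	for i, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 2 {
			return "", nil, fmt.Errorf("line %d: want 2 fields, got %d", i+1, len(f))
		}
		if root == "" && !strings.Contains(f[0], "@") {
			root = f[0]
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	if root == "" {
		return "", nil, fmt.Errorf("no unversioned main module in graph")
	}
	return root, edges, nil
}

// Locate walks breadth-first from root and returns the shortest requirement
// chain reaching modPath (what `go mod why -m` prints; nil if absent) and the
// version minimal version selection builds with: the highest one in the graph.
func Locate(root string, edges map[string][]string, modPath string) (chain []string, selected string) {
	chains := map[string][]string{root: {root}} // node -> shortest chain to it
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if at := strings.LastIndex(cur, "@"); at >= 0 && cur[:at] == modPath {
			if chain == nil { // BFS order: the first hit is a shortest chain
				chain = chains[cur]
			}
			if v := cur[at+1:]; CompareVersions(v, selected) > 0 {
				selected = v
			}
		}
		for _, next := range edges[cur] {
			if _, ok := chains[next]; !ok {
				chains[next] = append(append([]string{}, chains[cur]...), next)
				queue = append(queue, next)
			}
		}
	}
	return chain, selected
}

// CompareVersions orders tagged "vMAJOR.MINOR.PATCH" versions numerically (so
// v0.312.0 > v0.55.1, which a string compare gets wrong); "" ranks lowest and
// any "-pre"/"+meta" suffix is ignored, so pass release tags only.
func CompareVersions(a, b string) int {
	if a == "" || b == "" {
		return strings.Compare(a, b)
	}
	na, nb := versionParts(a), versionParts(b)
	for k := range na {
		if na[k] != nb[k] {
			return na[k] - nb[k] // the sign carries the ordering
		}
	}
	return 0
}

// versionParts reads MAJOR.MINOR.PATCH, dropping "v" and any "-"/"+" suffix.
func versionParts(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for k, s := range strings.SplitN(v, ".", 3) {
		n[k], _ = strconv.Atoi(s)
	}
	return n
}

func main() {
	root, edges, err := ParseModGraph(sampleGraph)
	if err != nil {
		panic(err)
	}
	chain, selected := Locate(root, edges, "go.opentelemetry.io/otel/sdk")
	fmt.Printf("%s\nselected %s, below fix version v1.44.0: %v\n",
		strings.Join(chain, " -> "), selected, CompareVersions(selected, "v1.44.0") < 0)
}
```

On the branch itself, `go mod graph` produces the input, and `go mod why -m go.opentelemetry.io/otel/sdk` and `go list -m go.opentelemetry.io/otel/sdk` give the same two answers straight from the toolchain. Because minimal version selection takes the highest version required anywhere in the graph, `go list -m` after any bump is the check that the version that ends up in the binary is the one the scanner wants, regardless of which `require` line moved it there.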

ti-chi-bot Bot commented Jun 24, 2026


Welcome @vtatai! It looks like this is your first PR to pingcap/monitoring 🎉

@pingcap-cla-assistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Victor Tatai seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@ti-chi-bot ti-chi-bot Bot added the size/XL label Jun 24, 2026
ti-chi-bot Bot commented Jun 25, 2026


@dveeden: adding LGTM is restricted to approvers and reviewers in OWNERS files.


dveeden commented Jun 25, 2026


Could you make sure the CLA is signed?

dveeden commented Jun 25, 2026


govulncheck isn't happy about some things. Could you check the ones related to the rules?

$ govulncheck ./...
govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:94:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/monitoring.go:74:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:422:39: not enough arguments in call to rulefmt.Parse
	have ([]byte)
	want ([]byte, bool, model.ValidationScheme, "github.com/prometheus/prometheus/promql/parser".Parser, *slog.Logger)
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:432:14: cannot use make([]rulefmt.RuleNode, 0, len(group.Rules)) (value of type []rulefmt.RuleNode) as []rulefmt.Rule value in struct literal
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:455:36: cannot use rule (variable of struct type rulefmt.RuleNode) as rulefmt.Rule value in argument to append

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

@tennix tennix (Member) left a comment


LGTM

ti-chi-bot Bot commented Jun 25, 2026


@tennix: adding LGTM is restricted to approvers and reviewers in OWNERS files.


In response to this:

LGTM

ti-chi-bot Bot commented Jun 25, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dveeden, tennix
Once this PR has been reviewed and has the lgtm label, please assign fgksgf for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.


Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
