This repository was archived by the owner on Nov 19, 2025. It is now read-only.

fix(deps): update security updates #64

Closed

NumaryBot wants to merge 1 commit into main from renovate/security


Conversation

@NumaryBot
Contributor

This PR contains the following updates:

Package Type Update Change
github.com/aws/aws-sdk-go-v2/config require minor v1.29.18 -> v1.31.7
github.com/spf13/cobra require minor v1.8.1 -> v1.10.1
github.com/stretchr/testify require minor v1.10.0 -> v1.11.1
go (source) toolchain minor 1.22.7 -> 1.25.1
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux require minor v0.59.0 -> v0.63.0
go.opentelemetry.io/otel require minor v1.34.0 -> v1.38.0
go.opentelemetry.io/otel/trace require minor v1.34.0 -> v1.38.0
go.uber.org/fx require minor v1.23.0 -> v1.24.0
golang minor 1.19-alpine -> 1.25-alpine
jeffail/benthos final minor 4.10 -> 4.27
jeffail/benthos minor 4.11 -> 4.27
opensearchproject/opensearch minor 2.11.0 -> 2.19.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

spf13/cobra (github.com/spf13/cobra)

v1.10.1

Compare Source

🐛 Fix

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

Compare Source

What's Changed

🚨 Attention!

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

  • If you use both pflag and cobra, upgrade pflag to 1.0.8 and cobra to 1.10.0
  • or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: https://github.com/spf13/cobra/pull/2303#issuecomment-3242333515


Full Changelog: spf13/cobra@v1.9.1...v1.9.2

v1.9.1

Compare Source

Full Changelog: spf13/cobra@v1.9.0...v1.9.1

v1.9.0

Compare Source


Thank you to all of our amazing contributors and all the great work that's been going into the completions feature!!

Full Changelog: spf13/cobra@v1.8.1...v1.9.0

stretchr/testify (github.com/stretchr/testify)

v1.11.1

Compare Source

This release fixes #1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

Compare Source

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

Full Changelog: stretchr/testify@v1.10.0...v1.11.0

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.38.0: /v0.60.0/v0.14.0/v0.0.13

Compare Source

Overview

This release is the last to support Go 1.23. The next release will require at least Go 1.24.

Added
  • Add native histogram exemplar support in go.opentelemetry.io/otel/exporters/prometheus. (#6772)
  • Add template attribute functions to the go.opentelemetry.io/otel/semconv/v1.34.0 package. (#6939)
    • ContainerLabel
    • DBOperationParameter
    • DBSystemParameter
    • HTTPRequestHeader
    • HTTPResponseHeader
    • K8SCronJobAnnotation
    • K8SCronJobLabel
    • K8SDaemonSetAnnotation
    • K8SDaemonSetLabel
    • K8SDeploymentAnnotation
    • K8SDeploymentLabel
    • K8SJobAnnotation
    • K8SJobLabel
    • K8SNamespaceAnnotation
    • K8SNamespaceLabel
    • K8SNodeAnnotation
    • K8SNodeLabel
    • K8SPodAnnotation
    • K8SPodLabel
    • K8SReplicaSetAnnotation
    • K8SReplicaSetLabel
    • K8SStatefulSetAnnotation
    • K8SStatefulSetLabel
    • ProcessEnvironmentVariable
    • RPCConnectRPCRequestMetadata
    • RPCConnectRPCResponseMetadata
    • RPCGRPCRequestMetadata
    • RPCGRPCResponseMetadata
  • Add ErrorType attribute helper function to the go.opentelemetry.io/otel/semconv/v1.34.0 package. (#6962)
  • Add WithAllowKeyDuplication in go.opentelemetry.io/otel/sdk/log which can be used to disable deduplication for log records. (#6968)
  • Add WithCardinalityLimit option to configure the cardinality limit in go.opentelemetry.io/otel/sdk/metric. (#6996, #7065, #7081, #7164, #7165, #7179)
  • Add Clone method to Record in go.opentelemetry.io/otel/log that returns a copy of the record with no shared state. (#7001)
  • Add experimental self-observability span and batch span processor metrics in go.opentelemetry.io/otel/sdk/trace. Check the go.opentelemetry.io/otel/sdk/trace/internal/x package documentation for more information. (#7027, #6393, #7209)
  • The go.opentelemetry.io/otel/semconv/v1.36.0 package. The package contains semantic conventions from the v1.36.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.34.0. (#7032, #7041)
  • Add support for configuring Prometheus name translation using WithTranslationStrategy option in go.opentelemetry.io/otel/exporters/prometheus. The current default translation strategy when UTF-8 mode is enabled is NoUTF8EscapingWithSuffixes, but a future release will change the default strategy to UnderscoreEscapingWithSuffixes for compliance with the specification. (#7111)
  • Add experimental self-observability log metrics in go.opentelemetry.io/otel/sdk/log. Check the go.opentelemetry.io/otel/sdk/log/internal/x package documentation for more information. (#7121)
  • Add experimental self-observability trace exporter metrics in go.opentelemetry.io/otel/exporters/stdout/stdouttrace. Check the go.opentelemetry.io/otel/exporters/stdout/stdouttrace/internal/x package documentation for more information. (#7133)
  • Support testing of [Go 1.25]. (#7187)
  • The go.opentelemetry.io/otel/semconv/v1.37.0 package. The package contains semantic conventions from the v1.37.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.36.0. (#7254)
Changed
  • Optimize TraceIDFromHex and SpanIDFromHex in go.opentelemetry.io/otel/sdk/trace. (#6791)
  • Change AssertEqual in go.opentelemetry.io/otel/log/logtest to accept TestingT in order to support benchmarks and fuzz tests. (#6908)
  • Change DefaultExemplarReservoirProviderSelector in go.opentelemetry.io/otel/sdk/metric to use runtime.GOMAXPROCS(0) instead of runtime.NumCPU() for the FixedSizeReservoirProvider default size. (#7094)
Fixed
  • SetBody method of Record in go.opentelemetry.io/otel/sdk/log now deduplicates key-value collections (log.Value of log.KindMap from go.opentelemetry.io/otel/log). (#7002)
  • Fix go.opentelemetry.io/otel/exporters/prometheus to not append a suffix if it's already present in metric name. (#7088)
  • Fix the go.opentelemetry.io/otel/exporters/stdout/stdouttrace self-observability component type and name. (#7195)
  • Fix partial export count metric in go.opentelemetry.io/otel/exporters/stdout/stdouttrace. (#7199)
Deprecated
  • Deprecate WithoutUnits and WithoutCounterSuffixes options, preferring WithTranslationStrategy instead. (#7111)
  • Deprecate support for OTEL_GO_X_CARDINALITY_LIMIT environment variable in go.opentelemetry.io/otel/sdk/metric. Use WithCardinalityLimit option instead. (#7166)
Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Renovate Bot.

@NumaryBot NumaryBot enabled auto-merge (squash) September 9, 2025 11:03
@NumaryBot
Contributor Author

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 18 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.36.6 -> v1.39.0
github.com/aws/aws-sdk-go-v2/credentials v1.17.71 -> v1.18.11
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 -> v1.18.7
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 -> v1.4.7
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 -> v2.7.7
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 -> v1.13.1
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 -> v1.29.2
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 -> v1.34.3
github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 -> v1.38.3
github.com/aws/smithy-go v1.22.4 -> v1.23.0
github.com/go-logr/logr v1.4.2 -> v1.4.3
github.com/spf13/pflag v1.0.5 -> v1.0.9
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.34.0 -> v1.38.0
go.opentelemetry.io/otel/metric v1.34.0 -> v1.38.0
go.opentelemetry.io/otel/sdk v1.34.0 -> v1.38.0
go.uber.org/dig v1.18.0 -> v1.19.0
golang.org/x/sys v0.29.0 -> v0.35.0

@coderabbitai
Contributor

coderabbitai bot commented Sep 9, 2025

Walkthrough

Updated the Benthos Docker base image from jeffail/benthos:4.10 to jeffail/benthos:4.27 in benthos.Dockerfile. All other instructions (WORKDIR, COPY, ENV ELASTICSEARCH_BATCHING_COUNT) remain unchanged.

Changes

Cohort / File(s) Summary
Docker base image update
benthos.Dockerfile
Bump base image tag from jeffail/benthos:4.10 to jeffail/benthos:4.27; no other modifications.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks (2 passed, 1 inconclusive)

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The current title “fix(deps): update security updates” is overly generic and repetitive, failing to specify which dependencies or security issues are addressed; it does not clearly highlight the primary change of the pull request. Consider revising the title to specify the key dependency bumps or security patches, for example “chore(deps): bump AWS SDK, Cobra, and OpenTelemetry to address security fixes,” so that reviewers can immediately grasp the main update.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed The pull request description provides a detailed table of updated dependencies, their types, version changes, and includes relevant release notes excerpts, making it directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

Poem

I thump my paws—new image, neat!
From 4.10 to 4.27, a tidy feat.
In Docker burrow, layers align,
No extra tweaks—clean and fine.
I nibble logs with cheerful might,
Ship those streams, hop into night. 🥕🐇

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)
  • Failed to retrieve linked issues from the platform client.
  • UTF-8: Entity not found: Issue - Could not find referenced Issue.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c6222a9 and 4a472db.

⛔ Files ignored due to path filters (3)
  • docker-compose.yml is excluded by !**/*.yml
  • go.mod is excluded by !**/*.mod
  • go.sum is excluded by !**/*.sum, !**/*.sum
📒 Files selected for processing (1)
  • benthos.Dockerfile (1 hunks)
🔇 Additional comments (1)
benthos.Dockerfile (1)

1-1: Pin Docker image by digest and add Renovate hint

  • Supply-chain: annotate with a Renovate datasource and pin jeffail/benthos:4.27 to a SHA-256 digest for reproducible builds.
  • Compatibility: the streams subcommand in v4.27.0 still supports -r/--resources and -t/--template flags (including wildcards) (v3.benthos.dev).

Apply:

- FROM jeffail/benthos:4.27
+ # renovate: datasource=docker depName=jeffail/benthos
+ FROM jeffail/benthos:4.27@sha256:<DIGEST>
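Review bot: the second added line, `+ FROM jeffail/benthos:4.27@sha256:<DIGEST>`, still carries the literal `<DIGEST>` placeholder, so the suggestion cannot be applied as-is; the real sha256 manifest digest of the 4.27 image has to be resolved and substituted first, otherwise the image pull fails. Keeping the tag next to the digest, as the line already does, is the right shape: the digest fixes the exact image content while the `# renovate: datasource=docker depName=jeffail/benthos` hint above it gives Renovate the information it needs to propose future bumps.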

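The digest-pinning practice raised in the review comment above can be enforced mechanically rather than by eye. The following Go program is an added example for this page, not part of the repository under review nor of CodeRabbit's or Renovate's output: it scans Dockerfile text and reports every FROM instruction that is not pinned to a well-formed sha256 manifest digest, flagging both tag-only references (the current `FROM jeffail/benthos:4.27`) and the unfilled `<DIGEST>` placeholder form. `FROM scratch` and references to earlier build stages are skipped because they name no registry artifact. The sample Dockerfile, including the 64-hex digest on the golang line, is constructed for the example and is not a real digest.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// A fully pinned reference ends in "@sha256:" followed by exactly 64 hex digits.
var digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

// Finding is one FROM instruction that does not pin its base image by digest.
type Finding struct {
	Line  int
	Image string
	Why   string
}

// CheckDockerfile scans Dockerfile text and returns a Finding for every FROM
// line whose image is not pinned to a well-formed sha256 manifest digest.
// "FROM scratch" and references to earlier build stages (FROM <stage>) are
// skipped because they name no registry artifact that could be pinned.
func CheckDockerfile(src string) []Finding {
	var findings []Finding
	stages := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			continue
		}
		// Skip flags such as --platform=... that may precede the image name.
		i := 1
		for i < len(fields) && strings.HasPrefix(fields[i], "--") {
			i++
		}
		if i >= len(fields) {
			continue
		}
		image := fields[i]
		// Remember "AS <name>" so later "FROM <name>" lines are recognised as stage refs.
		if i+2 < len(fields) && strings.EqualFold(fields[i+1], "AS") {
			stages[fields[i+2]] = true
		}
		if image == "scratch" || stages[image] {
			continue
		}
		switch {
		case !strings.Contains(image, "@sha256:"):
			findings = append(findings, Finding{Line: n, Image: image, Why: "tag only, not pinned by digest"})
		case !digestRe.MatchString(image):
			findings = append(findings, Finding{Line: n, Image: image, Why: "malformed or placeholder digest"})
		}
	}
	return findings
}

// sampleDockerfile is constructed input for this example. The 64-hex digest on
// the golang line is a made-up value, not the digest of any real image.
const sampleDockerfile = `FROM jeffail/benthos:4.27
# renovate: datasource=docker depName=jeffail/benthos
FROM jeffail/benthos:4.27@sha256:<DIGEST>
FROM --platform=linux/amd64 golang:1.25-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
FROM builder
FROM scratch
`

func main() {
	// Expected: line 1 (tag only) and line 3 (placeholder digest) are reported;
	// the pinned golang stage, the stage reference and scratch are not.
	for _, f := range CheckDockerfile(sampleDockerfile) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Image, f.Why)
	}
}
```

Wired into CI with a non-zero exit on any finding, this turns the reviewer's "pin by digest" remark into a gate that also catches a half-applied suggestion where the placeholder was committed instead of a real digest.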

@flemzord flemzord closed this Sep 9, 2025
auto-merge was automatically disabled September 9, 2025 12:22

Pull request was closed

@NumaryBot NumaryBot deleted the renovate/security branch September 9, 2025 12:56