Bump otelhttp to resolve CVE
This resolves https://nvd.nist.gov/vuln/detail/CVE-2023-45142 by bumping
otelhttp to v0.45.0. It's a follow-up to
#113.

I had to bump the otlptrace packages to v1.19.0 to make `go mod tidy`
happy as well.

Updated golangci-lint; adjusted lint config for our fork; fixed important copylock lint issue.

Skipped lint for some docs.

Co-authored-by: Daniel Clark <[email protected]>
Co-authored-by: Bartek Plotka <[email protected]>
2 people authored and TheSpiritXIII committed Feb 1, 2024
1 parent 4d23dbd commit 1f75622
Showing 2 changed files with 8 additions and 7 deletions.
7 changes: 4 additions & 3 deletions .golangci.yml
Expand Up @@ -10,8 +10,7 @@ output:

linters:
enable:
- depguard
- gocritic
# - depguard # NOTE(bwplotka): See https://github.com/GoogleCloudPlatform/prometheus/pull/120 for rationales.
- gofumpt
- goimports
- misspell
Expand Down Expand Up @@ -65,7 +64,9 @@ linters-settings:
local-prefixes: github.com/prometheus/prometheus
gofumpt:
extra-rules: true
# NOTE(bwplotka): See https://github.com/GoogleCloudPlatform/prometheus/pull/120 for rationales on adding options below.
# NOTE(bwplotka): See https://github.com/GoogleCloudPlatform/prometheus/pull/120 for rationales on adding options below.
revive:
severity: error # We only want critical issues.
staticcheck:
# Turn off deprecation notices, for our fork old versions it's fine.
checks: ["all", "-SA1019"]
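Review bot: The staticcheck setting `checks: ["all", "-SA1019"]` switches off deprecation findings for the whole repository, so a deprecated call added later will no longer be reported anywhere in the fork. A narrower suppression under `issues.exclude-rules`, limited to the paths or messages the fork cannot fix, would keep the check active for new code. In the `linters.enable` list, depguard is commented out with only a link to pull/120 as rationale, and the hunk header (`-10,8 +10,7`) suggests a second entry is removed without comment. A short reason in the file itself, such as `# depguard disabled in this fork: <reason from PR 120>`, would stay readable if the link goes away.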
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -88,11 +88,14 @@ require (
cloud.google.com/go/monitoring v1.17.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/distribution/reference v0.5.0 // indirect
github.com/go-kit/kit v0.12.0 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
Expand All @@ -101,6 +104,7 @@ require (
github.com/stretchr/objx v0.5.0 // indirect
github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect
)
Expand All @@ -117,7 +121,6 @@ require (
github.com/armon/go-metrics v0.4.1 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
Expand All @@ -128,7 +131,6 @@ require (
github.com/fatih/color v1.14.1 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-kit/kit v0.12.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
Expand All @@ -152,7 +154,6 @@ require (
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
github.com/hashicorp/cronexpr v1.1.1 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v1.4.0 // indirect
Expand Down Expand Up @@ -184,7 +185,6 @@ require (
go.mongodb.org/mongo-driver v1.11.3 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
golang.org/x/mod v0.14.0 // indirect
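Review bot: No line in the go.mod hunks shown changes an otelhttp or otlptrace version, and go.sum is not among the 2 changed files, so the bump to otelhttp v0.45.0 named in the description cannot be confirmed from this diff. The visible changes look like four `// indirect` entries (`cenkalti/backoff/v4`, `go-kit/kit`, `grpc-gateway/v2`, `proto/otlp`) relocated between require blocks, with versions unchanged. The requirement may already sit at a fixed version in lines outside the hunks; checking `go list -m go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` and running `govulncheck ./...` in CI would show whether CVE-2023-45142 is actually closed on this branch.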
