-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recommend moving to go.opentelemetry.io/proto/[email protected] #548
Comments
Thanks for the issue! Just opened this PR to address this: #549 |
Does this need to be patched in envoy, too https://github.com/envoyproxy/envoy/blob/b2d449eb1f130d9f8d01af4ef2da89416b2157db/api/bazel/repository_locations.bzl#L103? |
Since this has been updated, I've noticed that a new version hasn't been created. Is there a timeline y'all have for putting out a new version with the updated dependency (understandably with other changes as well)? |
Understood, I can understand not having very much bandwidth. Thank you for getting back and your candor. |
Due to a dependabot alert I've noticed that this package is using an older version of
go.opentelemetry.io/proto/otlp
(v0.7.0
) resulting in usage of a vulnerable version ofgopkg.in/yaml.v2
versionv2.2.3
, CVE-2019-11254.go.opentelemetry.io/proto/otlp
has recently updated their dependancies to address the concern, so there should is a fresh version to update to in this.To help against consumers of this package being vulnerable, I'd recommend moving to
go.opentelemetry.io/proto/[email protected]
The text was updated successfully, but these errors were encountered: