fix(deps): update module golang.org/x/oauth2 to v0.27.0 [security] (release-3.3.x) #16591

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

paul1r merged 6 commits into release-3.3.x from deps-update/release-3.3.x-go-golang.org-x-oauth2-vulnerability

Mar 7, 2025

Contributor

renovate bot commented Mar 5, 2025

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
golang.org/x/oauth2	`v0.21.0` -> `v0.27.0`
golang.org/x/oauth2	`v0.23.0` -> `v0.27.0`

Unexpected memory consumption during token parsing in golang.org/x/oauth2

CVE-2025-22868 / GO-2025-3488

More information

Details

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update module golang.org/x/oauth2 to v0.27.0 [security]

c08cf7b

renovate bot added the area/security label

renovate bot requested a review from periklis as a code owner

March 5, 2025 21:36

renovate bot added the dependencies label

renovate bot requested review from xperimental, JoaoBraveCoding and a team as code owners

March 5, 2025 21:36

Contributor Author

renovate bot commented Mar 5, 2025

ℹ Artifact update notice

File name: cmd/chunks-inspect/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.22.6` -> `1.24.1`

File name: cmd/segment-inspect/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.22.6` -> `1.24.1`

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.23.1` -> `1.24.1`

File name: operator/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.22.5` -> `1.24.1`

File name: tools/lambda-promtail/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.22` -> `1.24.1`

pull-request-size bot added the size/M label

github-actions bot added the sig/operator label


          Remove operator updates, remove toolchain from lambda-promtail

f6b152b

pull-request-size bot added size/S and removed size/M labels

paul1r and others added 2 commits

March 7, 2025 13:40


          Remove toolchain from loki go.mod

3f6e697


          Merge branch 'release-3.3.x' into deps-update/release-3.3.x-go-golang…

714733a

….org-x-oauth2-vulnerability

Contributor Author

renovate bot commented Mar 7, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

paul1r added 2 commits

March 7, 2025 13:48


          Don't update lambda-promtail at all

2a5cc6f


          Nix hash

a228898

paul1r approved these changes

View reviewed changes

paul1r enabled auto-merge (squash)

March 7, 2025 18:52

paul1r merged commit 7b35a41 into release-3.3.x

62 checks passed

paul1r deleted the deps-update/release-3.3.x-go-golang.org-x-oauth2-vulnerability branch

March 7, 2025 19:00

loki-gh-app bot mentioned this pull request

chore(release-3.3.x): release 3.3.4 #16646

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment