
fix(deps): update opentelemetry-go monorepo #9


Open: renovate wants to merge 1 commit into main from renovate/opentelemetry-go-monorepo

Conversation


@renovate renovate bot commented Jul 15, 2024

This PR contains the following updates:

Package                                        | Change
go.opentelemetry.io/otel                       | v1.6.2 -> v1.36.0
go.opentelemetry.io/otel/exporters/prometheus  | v0.28.0 -> v0.58.0
go.opentelemetry.io/otel/metric                | v0.28.0 -> v0.38.1
go.opentelemetry.io/otel/sdk/metric            | v0.28.0 -> v0.41.0

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.36.0: /v0.58.0/v0.12.0


Added
  • Add exponential histogram support in go.opentelemetry.io/otel/exporters/prometheus. (#6421)
  • The go.opentelemetry.io/otel/semconv/v1.31.0 package.
    The package contains semantic conventions from the v1.31.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.30.0. (#6479)
  • Add Recording, Scope, and Record types in go.opentelemetry.io/otel/log/logtest. (#6507)
  • Add WithHTTPClient option to configure the http.Client used by go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#6751)
  • Add WithHTTPClient option to configure the http.Client used by go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#6752)
  • Add WithHTTPClient option to configure the http.Client used by go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#6688)
  • Add ValuesGetter in go.opentelemetry.io/otel/propagation, a TextMapCarrier that supports retrieving multiple values for a single key. (#5973)
  • Add Values method to HeaderCarrier to implement the new ValuesGetter interface in go.opentelemetry.io/otel/propagation. (#5973)
  • Update Baggage in go.opentelemetry.io/otel/propagation to retrieve multiple values for a key when the carrier implements ValuesGetter. (#5973)
  • Add AssertEqual function in go.opentelemetry.io/otel/log/logtest. (#6662)
  • The go.opentelemetry.io/otel/semconv/v1.32.0 package.
    The package contains semantic conventions from the v1.32.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.31.0. (#6782)
  • Add Transform option in go.opentelemetry.io/otel/log/logtest. (#6794)
  • Add Desc option in go.opentelemetry.io/otel/log/logtest. (#6796)
Removed
  • Drop support for Go 1.22. (#6381, #6418)
  • Remove Resource field from EnabledParameters in go.opentelemetry.io/otel/sdk/log. (#6494)
  • Remove RecordFactory type from go.opentelemetry.io/otel/log/logtest. (#6492)
  • Remove ScopeRecords, EmittedRecord, and RecordFactory types from go.opentelemetry.io/otel/log/logtest. (#6507)
  • Remove AssertRecordEqual function in go.opentelemetry.io/otel/log/logtest, use AssertEqual instead. (#6662)
Changed
  • ⚠️ Update github.com/prometheus/client_golang to v1.21.1, which changes the NameValidationScheme to UTF8Validation.
    This allows metrics names to keep original delimiters (e.g. .), rather than replacing with underscores.
    This can be reverted by setting github.com/prometheus/common/model.NameValidationScheme to LegacyValidation in github.com/prometheus/common/model. (#6433)
  • Initialize map with len(keys) in NewAllowKeysFilter and NewDenyKeysFilter to avoid unnecessary allocations in go.opentelemetry.io/otel/attribute. (#6455)
  • go.opentelemetry.io/otel/log/logtest is now a separate Go module. (#6465)
  • go.opentelemetry.io/otel/sdk/log/logtest is now a separate Go module. (#6466)
  • Recorder in go.opentelemetry.io/otel/log/logtest no longer separately stores records emitted by loggers with the same instrumentation scope. (#6507)
  • Improve performance of BatchProcessor in go.opentelemetry.io/otel/sdk/log by not exporting when exporter cannot accept more. (#6569, #6641)
Deprecated
  • Deprecate support for model.LegacyValidation for go.opentelemetry.io/otel/exporters/prometheus. (#6449)
Fixes
  • Stop percent encoding header environment variables in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#6392)
  • Ensure the noopSpan.tracerProvider method is not inlined in go.opentelemetry.io/otel/trace so the go.opentelemetry.io/auto instrumentation can instrument non-recording spans. (#6456)
  • Use a sync.Pool instead of allocating metricdata.ResourceMetrics in go.opentelemetry.io/otel/exporters/prometheus. (#6472)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot commented Jul 15, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/spf13/cobra v1.8.1
go: downloading github.com/spf13/viper v1.10.1
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading go.opentelemetry.io/otel v1.36.0
go: downloading go.opentelemetry.io/otel/exporters/prometheus v0.58.0
go: downloading go.opentelemetry.io/otel/metric v1.36.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.36.0
go: downloading go.opentelemetry.io/otel/sdk v1.36.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/fsnotify/fsnotify v1.5.1
go: downloading github.com/magiconair/properties v1.8.5
go: downloading github.com/mitchellh/mapstructure v1.4.3
go: downloading github.com/spf13/afero v1.6.0
go: downloading github.com/spf13/cast v1.4.1
go: downloading github.com/spf13/jwalterweatherman v1.1.0
go: downloading github.com/subosito/gotenv v1.2.0
go: downloading gopkg.in/ini.v1 v1.66.2
go: downloading golang.org/x/sys v0.33.0
go: downloading github.com/prometheus/client_golang v1.22.0
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.64.0
go: downloading google.golang.org/protobuf v1.36.6
go: downloading golang.org/x/text v0.25.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/pelletier/go-toml v1.9.4
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/procfs v0.16.1
go: downloading github.com/go-logr/logr v1.4.2
go: downloading go.opentelemetry.io/otel/trace v1.36.0
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.1.0
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.opentelemetry.io v0.1.0
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/metric/global: cannot find module providing package go.opentelemetry.io/otel/metric/global
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/metric/instrument: cannot find module providing package go.opentelemetry.io/otel/metric/instrument
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/sdk/metric/aggregator/histogram: cannot find module providing package go.opentelemetry.io/otel/sdk/metric/aggregator/histogram
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/sdk/metric/controller/basic: cannot find module providing package go.opentelemetry.io/otel/sdk/metric/controller/basic
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/sdk/metric/export/aggregation: cannot find module providing package go.opentelemetry.io/otel/sdk/metric/export/aggregation
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/sdk/metric/processor/basic: cannot find module providing package go.opentelemetry.io/otel/sdk/metric/processor/basic
go: github.com/ishantanu/gcp-status-exporter/pkg/exporter imports
	go.opentelemetry.io/otel/sdk/metric/selector/simple: cannot find module providing package go.opentelemetry.io/otel/sdk/metric/selector/simple

@shift shift force-pushed the main branch 3 times, most recently from bc2c3c2 to 7b89a94 on July 15, 2024 11:54
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from bfbc43a to 85bc325 on August 23, 2024 22:31
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from 85bc325 to a3b79b5 on September 10, 2024 22:41
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from a3b79b5 to cff81ca on October 11, 2024 18:23
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from cff81ca to 305f9f6 on November 8, 2024 18:55
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from 305f9f6 to c295d51 on December 12, 2024 20:08
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from c295d51 to 16d8219 on January 17, 2025 17:47
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from 16d8219 to a7351ab on March 5, 2025 23:03
@renovate renovate bot force-pushed the renovate/opentelemetry-go-monorepo branch from a7351ab to 65ddc78 on May 21, 2025 08:24
Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert
Block Medium
github.com/google/[email protected] Uses eval.

Location: Package overview

From: ?golang/github.com/google/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/google/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
github.com/google/[email protected] has Network access.

Location: Package overview

From: ?golang/github.com/google/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/google/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
github.com/kylelemons/[email protected] has Network access.

Location: Package overview

From: ?golang/github.com/kylelemons/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/kylelemons/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
github.com/kylelemons/[email protected] Uses eval.

Location: Package overview

From: ?golang/github.com/kylelemons/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/kylelemons/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
github.com/prometheus/[email protected] Uses eval.

Location: Package overview

From: ?golang/github.com/prometheus/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/prometheus/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/auto/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/auto/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/auto/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/[email protected] has Network access.

Location: Package overview

From: ?golang/go.opentelemetry.io/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] has Network access.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] has Shell access.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] has Network access.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/sdk/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/sdk/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/sdk/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
go.opentelemetry.io/otel/[email protected] Uses eval.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
github.com/go-logr/[email protected] has Filesystem access.

Location: Package overview

From: ?golang/github.com/go-logr/[email protected]

ℹ Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/go-logr/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
github.com/prometheus/[email protected] has Environment variable access.

Location: Package overview

From: ?golang/github.com/prometheus/[email protected]

ℹ Read more on: This package | This alert | What is environment variable access?

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/prometheus/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
github.com/stretchr/[email protected] is an AI-detected potential code anomaly.

Notes: The use of 'go get' introduces a security risk due to the potential inclusion of unverified code, leading to potential malicious behavior within the project.

Confidence: 1.00

Severity: 0.60

From: ?golang/github.com/stretchr/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/stretchr/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/auto/[email protected] has Environment variable access.

Location: Package overview

From: ?golang/go.opentelemetry.io/auto/[email protected]

ℹ Read more on: This package | This alert | What is environment variable access?

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/auto/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/otel/exporters/[email protected] has Filesystem access.

Location: Package overview

From: ?golang/go.opentelemetry.io/otel/exporters/[email protected]

ℹ Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/exporters/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/otel/[email protected] has Environment variable access.

Location: Package overview

From: golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/otel/[email protected] has Filesystem access.

Location: Package overview

From: golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/otel/sdk/[email protected] has Environment variable access.

Location: Package overview

From: golang/go.opentelemetry.io/otel/sdk/[email protected]

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/sdk/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
go.opentelemetry.io/otel/[email protected] has Environment variable access.

Location: Package overview

From: golang/go.opentelemetry.io/otel/[email protected]

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.opentelemetry.io/otel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
