
fix: update dependencies to resolve known CVEs#1472

Open
henriklt wants to merge 3 commits into apache:master from henriklt:fix/update-deps-cve

Conversation


henriklt commented Mar 20, 2026

Motivation

Update transitive dependencies with known CVEs to their patched versions.

Modifications

  • go-viper/mapstructure/v2: v2.4.0 → v2.5.0
  • go.opentelemetry.io/otel/sdk: v1.21.0 → v1.41.0
  • dvsekhvalnov/jose2go: removed (no longer required in module graph)
  • golang.org/x/crypto: v0.45.0 → v0.48.0

Verifying this change

This change is already covered by existing tests, such as the full unit and integration test suites.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API: no
  • The schema: no
  • The default values of configurations: no
  • The wire protocol: no

Documentation

  • Does this pull request introduce a new feature? no

- go-viper/mapstructure/v2: v2.4.0 → v2.5.0
- go.opentelemetry.io/otel/sdk: v1.21.0 → v1.41.0
- dvsekhvalnov/jose2go: v1.7.0 → v1.8.0
- golang.org/x/crypto: v0.45.0 → v0.48.0

Signed-off-by: Henrik Thorsgaard <hlt@scopito.com>
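A check worth running before approving a CVE-driven bump is that go.mod actually carries the patched floors and that a module the description says was removed is really gone; the description above says jose2go was dropped while the commit message lists a bump to v1.8.0, which is the kind of discrepancy a mechanical check catches. The following is an added example, not code from this project or this PR: the go.mod text is constructed, the floor table and the removed-module list are copied from the PR description, and the hand-rolled version comparison stands in for golang.org/x/mod/semver only to keep the example dependency-free.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment standing in for the PR's real file.
const sampleGoMod = `module example.com/app
require (
	github.com/go-viper/mapstructure/v2 v2.5.0
	go.opentelemetry.io/otel/sdk v1.41.0 // indirect
	golang.org/x/crypto v0.48.0
)
`

// floors and mustBeAbsent are copied from the PR description, not derived from any advisory.
var floors = []struct{ mod, floor string }{
	{"github.com/go-viper/mapstructure/v2", "v2.5.0"},
	{"go.opentelemetry.io/otel/sdk", "v1.41.0"},
	{"golang.org/x/crypto", "v0.48.0"},
}
var mustBeAbsent = []string{"github.com/dvsekhvalnov/jose2go"}

// parseRequires returns module path -> version from single-line and block require directives.
func parseRequires(src string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// splitVersion breaks "vMAJOR.MINOR.PATCH[-pre]" into its numeric core and pre-release tag.
func splitVersion(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// compareSemver returns -1, 0 or 1; a pre-release or pseudo-version ranks below the final
// release with the same core, so "v2.5.0-rc1" does not satisfy a v2.5.0 floor.
func compareSemver(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		switch {
		case ca[i] < cb[i]:
			return -1
		case ca[i] > cb[i]:
			return 1
		}
	}
	if pa == "" || pb == "" { // an empty tag is the final release and outranks any pre-release
		return strings.Compare(pb, pa)
	}
	return strings.Compare(pa, pb)
}

// Findings lists every floor violation and every module that should be gone, in floors order.
func Findings(goMod string) []string {
	reqs := parseRequires(goMod)
	var out []string
	for _, f := range floors {
		if got, ok := reqs[f.mod]; ok && compareSemver(got, f.floor) < 0 {
			out = append(out, fmt.Sprintf("%s: %s is below patched floor %s", f.mod, got, f.floor))
		}
	}
	for _, mod := range mustBeAbsent {
		if v, ok := reqs[mod]; ok {
			out = append(out, fmt.Sprintf("%s: still required at %s, but the PR says it was removed", mod, v))
		}
	}
	return out
}

func main() { fmt.Println(Findings(sampleGoMod)) }
```

Against the real tree the equivalent checks are `go list -m all | grep jose2go` (or `go mod why -m github.com/dvsekhvalnov/jose2go`) to confirm the removal, and `govulncheck ./...` to confirm no known vulnerability remains reachable; the example keeps everything offline so it runs as written.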
crossoverJie requested a review from Copilot, March 26, 2026 16:13

Copilot AI left a comment


Pull request overview

Updates Go module dependencies to patched versions to address known CVEs, and adjusts a producer test to avoid concurrent access to a mocked connection’s buffer slice.

Changes:

  • Bumped multiple direct/indirect dependencies (notably OpenTelemetry, x/crypto, mapstructure, testify, x/mod).
  • Updated TestSendBufferRetainWhenConnectionStuck to read mock connection buffers via a lock-protected snapshot helper.
  • Cleaned up module metadata (go.mod/go.sum) by removing no-longer-needed dependencies.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File                     Description
pulsar/producer_test.go  Adds a lock-protected buffer snapshot accessor to avoid data races in tests.
go.mod                   Updates and removes dependencies to pick up CVE fixes and tidy the module graph.
go.sum                   Refreshes checksums to match the updated/tidied dependency set.


Comment thread go.mod
Comment thread pulsar/producer_test.go (Outdated)
Rename the method to communicate that it returns a point-in-time copy of the buffer slice, not a live reference.
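The review above describes a lock-protected snapshot accessor replacing direct reads of a mock connection's buffer slice, and the follow-up comment asks for a name that says the accessor returns a point-in-time copy. The following is an added example of that pattern, not code from this project or this PR: `stuckConn`, `bufferSnapshot`, `liveBuffers`, the message format and the write counts are all assumed for the example. It puts the racy live-reference accessor beside the copying one and drives the mock from several producer goroutines while a test-style loop polls it.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
)

// stuckConn is a constructed stand-in for a test double of a network connection that never
// drains: Write only records what the producer tried to send. The identifiers here are
// assumed for the example, not the PR's own.
type stuckConn struct {
	mu      sync.Mutex
	buffers [][]byte
}

// Write stores a private copy of p, so a caller that reuses its buffer cannot rewrite history.
func (c *stuckConn) Write(p []byte) (int, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.buffers = append(c.buffers, append([]byte(nil), p...))
	return len(p), nil
}

// liveBuffers is the shape the snapshot helper replaces: it returns the live slice header
// without taking the lock, so a test ranging over it races with a producer goroutine that is
// appending. Kept only for contrast; nothing here calls it while writers are running.
func (c *stuckConn) liveBuffers() [][]byte { return c.buffers }

// bufferSnapshot returns a point-in-time copy of the recorded writes, taken under the lock.
// The outer slice gets its own backing array; the inner byte slices are never mutated after
// Write stores them, so copying the headers is enough.
func (c *stuckConn) bufferSnapshot() [][]byte {
	c.mu.Lock()
	defer c.mu.Unlock()
	out := make([][]byte, len(c.buffers))
	copy(out, c.buffers)
	return out
}

// retainedBytes totals what the stuck connection is holding, as a retention assertion would.
func retainedBytes(bufs [][]byte) int {
	n := 0
	for _, b := range bufs {
		n += len(b)
	}
	return n
}

// demonstrateSnapshot runs several producer goroutines against one stuck connection while a
// test-style poll loop reads only through bufferSnapshot. It returns the bytes retained once
// every write landed, the length of that snapshot, its length again after one more write
// (unchanged: the copy is frozen), and the length of a fresh snapshot.
func demonstrateSnapshot(writers, perWriter int) (retained, before, after, final int) {
	c := &stuckConn{}
	var wg sync.WaitGroup
	for w := 0; w < writers; w++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < perWriter; i++ {
				c.Write([]byte(fmt.Sprintf("w%d-%03d", id, i))) // 6 bytes each for ids below 10
			}
		}(w)
	}
	var snap [][]byte
	for len(snap) < writers*perWriter { // poll like a retention test, never touching c.buffers
		snap = c.bufferSnapshot()
		runtime.Gosched()
	}
	wg.Wait()
	retained, before = retainedBytes(snap), len(snap)
	c.Write([]byte("late"))
	after, final = len(snap), len(c.bufferSnapshot())
	return retained, before, after, final
}

func main() {
	fmt.Println(demonstrateSnapshot(4, 25)) // 600 100 100 101
}
```

Run it under the race detector (`go run -race .`) and then swap `c.bufferSnapshot()` in the poll loop for `c.liveBuffers()`: the detector reports the unsynchronized read of `c.buffers` against the producers' locked appends, which is the failure the PR's test change avoids.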

2 participants