Bump github.com/prometheus/common from 0.67.5 to 0.68.0 #88

Status: Open. dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/prometheus/common-0.68.0.

Conversation

dependabot[bot] (Contributor) commented on behalf of github, May 29, 2026

Bumps github.com/prometheus/common from 0.67.5 to 0.68.0.

Release notes

Sourced from github.com/prometheus/common's releases.

v0.68.0

What's Changed

New Contributors

Full Changelog: prometheus/common@v0.67.5...v0.68.0

Commits
  • 1e0ae83 config: apply DialContextFunc to OAuth2 token-fetch transport (#911)
  • b51d01b Remove CircleCI (#910)
  • 0f3c348 Merge pull request #908 from machine424/ttlsco
  • 732a9cf fix(http_config): fix client cert rotation when no CA is configured
  • ce9215c Move interface assertions to a test file (#839)
  • 1ba5ed7 build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.36.0 (#892)
  • 8f8ada6 build(deps): bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 (#891)
  • 5bf00a4 build(deps): bump golang.org/x/net from 0.51.0 to 0.52.0 (#890)
  • a4fac5c config: guard against nil oauth2 credential in RoundTrip (#897)
  • 9e28363 Merge pull request #898 from alliasgher/fix/NewOAuth2RoundTripper-exported-op...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • New Features

    • Added required 'not-before' claim validation option for JWT token parsing
    • New structured logging helper for version metadata output
  • Bug Fixes

    • Improved HTTP/2 stream error handling and retry logic
  • Documentation

    • Added deprecation notices for HTTP/2 write scheduler components
    • Enhanced token signature handling documentation


Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.67.5 to 0.68.0.
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md)
- [Commits](prometheus/common@v0.67.5...v0.68.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-version: 0.68.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update Go code) on May 29, 2026
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

coderabbitai (bot) commented May 29, 2026

Walkthrough

This PR bumps four Go dependencies with accompanying library-specific changes. JWT library adds a not-before claim requirement option and refactors signature handling. Prometheus common refactors OAuth2 round-tripper options and removes OpenMetrics unit encoding configuration. HTTP/2 library deprecates user-provided write schedulers and restricts retry logic for stream errors.

Changes

Dependency Updates with Library Enhancements

  • Layer: Dependency version bumps
    Files: go.mod, vendor/modules.txt
    Summary: go.mod and vendor/modules.txt updated to reflect prometheus/common v0.68.0, golang-jwt v5.3.1, golang.org/x/net v0.52.0, and golang.org/x/oauth2 v0.36.0; recorded Go versions adjusted for prometheus/common and oauth2.

  • Layer: JWT parsing, validation, and signature handling improvements
    Files: vendor/github.com/golang-jwt/jwt/v5/parser.go, vendor/github.com/golang-jwt/jwt/v5/parser_option.go, vendor/github.com/golang-jwt/jwt/v5/token.go, vendor/github.com/golang-jwt/jwt/v5/validator.go, vendor/github.com/golang-jwt/jwt/v5/README.md, vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
    Summary: ParseWithClaims refactored to delegate signature base64 decoding to ParseUnverified; ParseUnverified now decodes and populates the token.Signature field. New WithNotBeforeRequired() parser option added; the Validator struct gains a requireNbf flag, and the Validate method now conditionally enforces the nbf claim based on this flag. SignedString now stores the computed signature on the token instance. Documentation updated across parser, validator, and option files; typo corrected in version history.

  • Layer: Prometheus OAuth2 round-tripper API refactoring
    Files: vendor/github.com/prometheus/common/config/http_config.go
    Summary: NewOAuth2RoundTripper signature changed to accept variadic HTTPClientOption instead of internal *httpClientOptions; the constructor initializes from defaultHTTPClientOptions and applies options internally. The OAuth2 transport now explicitly sets DialContext from configured options. oauth2RoundTripper.RoundTrip adds a defensive nil check on oauthCredential to prevent a panic. TLS round-tripper unchanged-materials branch refined.

  • Layer: Prometheus OpenMetrics encoder: remove WithUnit option and change # UNIT behavior
    Files: vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
    Summary: WithUnit() EncoderOption function removed; withUnit flag removed from the encoderOption struct. Metric name unit suffix appending removed from MetricFamilyToOpenMetrics. The # UNIT line emission condition changed from conditional (when WithUnit enabled) to unconditional (whenever in.Unit != nil). Supporting documentation removed.

  • Layer: Prometheus version helper and import cleanup
    Files: vendor/github.com/prometheus/common/version/info.go, vendor/github.com/prometheus/common/model/metric.go
    Summary: New Slog() helper function exported from version/info.go, returning []any of key/value pairs for version metadata. model/metric.go removes the go.yaml.in/yaml/v2 import and the compile-time type assertion scaffold for ValidationScheme interfaces; marshal/unmarshal methods remain.

  • Layer: HTTP/2 write scheduler deprecations and error handling changes
    Files: vendor/golang.org/x/net/http2/http2.go, vendor/golang.org/x/net/http2/server.go, vendor/golang.org/x/net/http2/transport.go, vendor/golang.org/x/net/http2/writesched.go, vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go, vendor/golang.org/x/net/http2/writesched_random.go
    Summary: WriteScheduler, OpenStreamOptions, FrameWriteRequest, PriorityWriteSchedulerConfig, NewPriorityWriteScheduler, and NewRandomWriteScheduler marked with deprecation notices for user-provided write schedulers; the RFC 7540 scheduler is noted as having known bugs and performance issues. Package documentation updated to discourage direct imports. canRetryError logic narrowed for StreamError to only allow ErrCodeRefusedStream retry, disallowing ErrCodeProtocol with errFromPeer. Unexported errorReader type removed. Server.NewWriteScheduler field marked deprecated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hop along as versions dance on high,
JWT claims now require their due reply,
Prometheus options whisper: deprecated ways,
HTTP/2 schedulers fade through the haze,
With OAuth2 refactored and imports refined,
Four libraries updated in one PR's design!

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the primary change: bumping github.com/prometheus/common from 0.67.5 to 0.68.0, which is the main dependency update covered in the PR.
  • Docstring Coverage: Passed. Docstring coverage is 91.67%, which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

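The walkthrough above says the bumped golang-jwt version adds a WithNotBeforeRequired() option and a requireNbf flag on its Validator. The following is an added example, not code from golang-jwt or from this repository: a stdlib-only validator (the names Claims, Validator, NewValidatorAt and unix are constructed) that reproduces the two behaviours the flag selects between, so the difference is visible on concrete claim sets. Time boundaries follow RFC 7519 (valid while nbf <= now < exp); the real library's exact boundary handling is not described on this page and is not claimed here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims is a constructed stand-in for a decoded JWT claims set. A nil pointer
// models an absent claim; values are seconds since the Unix epoch.
type Claims struct {
	NotBefore *int64 // nbf
	ExpiresAt *int64 // exp
}

var (
	ErrNotBeforeMissing = errors.New("nbf claim is required but missing")
	ErrNotYetValid      = errors.New("token is not valid yet (nbf in the future)")
	ErrExpired          = errors.New("token is expired")
)

// Validator models the behaviour the walkthrough describes: requireNbf selects
// between "check nbf only when present" and "reject tokens without nbf".
type Validator struct {
	requireNbf bool
	now        func() time.Time
}

// NewValidatorAt pins the clock so outcomes are reproducible; real code would
// pass time.Now instead of a fixed instant.
func NewValidatorAt(requireNbf bool, at time.Time) *Validator {
	return &Validator{requireNbf: requireNbf, now: func() time.Time { return at }}
}

// Validate applies RFC 7519 time semantics: a token is valid only while
// nbf <= now < exp. With requireNbf set, an absent nbf is itself a failure.
func (v *Validator) Validate(c Claims) error {
	now := v.now().Unix()
	if c.ExpiresAt != nil && now >= *c.ExpiresAt {
		return ErrExpired
	}
	if c.NotBefore == nil {
		if v.requireNbf {
			return ErrNotBeforeMissing
		}
		return nil // relaxed mode: an absent nbf is accepted
	}
	if now < *c.NotBefore {
		return ErrNotYetValid
	}
	return nil
}

// unix is a small helper to build optional epoch claims from a time.Time.
func unix(t time.Time) *int64 { u := t.Unix(); return &u }

func main() {
	at := time.Date(2026, 5, 29, 12, 0, 0, 0, time.UTC) // constructed clock
	relaxed := NewValidatorAt(false, at)
	strict := NewValidatorAt(true, at)

	noNbf := Claims{ExpiresAt: unix(at.Add(time.Hour))}
	fmt.Println("relaxed, no nbf:   ", relaxed.Validate(noNbf)) // <nil>
	fmt.Println("strict,  no nbf:   ", strict.Validate(noNbf))  // nbf claim is required but missing

	future := Claims{NotBefore: unix(at.Add(time.Minute)), ExpiresAt: unix(at.Add(time.Hour))}
	fmt.Println("strict,  future nbf:", strict.Validate(future)) // token is not valid yet
}
```

The practical point for a service that relies on nbf to stop early use of pre-issued tokens: in relaxed mode a token minted without the claim passes the time checks entirely, so the check is only as strong as the issuer's habit of setting nbf; the required mode turns that habit into a contract the verifier enforces.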

coderabbitai (bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 11: The go.mod currently pins golang.org/x/net at v0.52.0 which has known
advisories (GO-2026-4918, GO-2026-5025…5030 and CVE-2026-27141); update the
golang.org/x/net dependency to the first release that contains those fixes
(replace the existing golang.org/x/net v0.52.0 entry via `go get
golang.org/x/net@<fixed-release>` or `go get golang.org/x/net@latest`, then run
`go mod tidy` and commit the updated go.mod/go.sum), verify
github.com/prometheus/common and github.com/golang-jwt/jwt/v5 entries remain at
safe versions (they appear OK but re-run checks), and run `govulncheck` against
the full module graph to confirm no transitive vulnerabilities remain for
golang.org/x/net, golang.org/x/oauth2, github.com/prometheus/common, and
github.com/golang-jwt/jwt/v5.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 65394585-5467-4d16-bb70-2c498e67ae39

📥 Commits

Reviewing files that changed from the base of the PR and between 1727940 and 5e8a84f.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (18)
  • go.mod
  • vendor/github.com/golang-jwt/jwt/v5/README.md
  • vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
  • vendor/github.com/golang-jwt/jwt/v5/parser.go
  • vendor/github.com/golang-jwt/jwt/v5/parser_option.go
  • vendor/github.com/golang-jwt/jwt/v5/token.go
  • vendor/github.com/golang-jwt/jwt/v5/validator.go
  • vendor/github.com/prometheus/common/config/http_config.go
  • vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
  • vendor/github.com/prometheus/common/model/metric.go
  • vendor/github.com/prometheus/common/version/info.go
  • vendor/golang.org/x/net/http2/http2.go
  • vendor/golang.org/x/net/http2/server.go
  • vendor/golang.org/x/net/http2/transport.go
  • vendor/golang.org/x/net/http2/writesched.go
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
  • vendor/golang.org/x/net/http2/writesched_random.go
  • vendor/modules.txt
💤 Files with no reviewable changes (2)
  • vendor/github.com/prometheus/common/model/metric.go
  • vendor/golang.org/x/net/http2/transport.go

Comment thread go.mod
github.com/montanaflynn/stats v0.9.0
github.com/prometheus/client_golang v1.23.2
github.com/prometheus/common v0.67.5
github.com/prometheus/common v0.68.0
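Review bot: this excerpt shows only the github.com/prometheus/common line moving from v0.67.5 to v0.68.0, yet the walkthrough above records three further go.mod changes in the same commit (github.com/golang-jwt/jwt/v5 v5.3.1, golang.org/x/net v0.52.0, golang.org/x/oauth2 v0.36.0) and the review flags the x/net entry at go.mod line 11 for known advisories. A reviewer who reads only the displayed lines would approve a bump whose title names one module but which also raises the vendored x/net version and its http2 transport; review the full go.mod and vendor/modules.txt diff, and treat the x/net line as the blocking item before merging.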

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Go module versions exist and check for security advisories

echo "=== Checking prometheus/common v0.68.0 ==="
gh api repos/prometheus/common/releases/tags/v0.68.0 --jq '.tag_name, .published_at' 2>/dev/null || echo "Release not found or API error"

echo -e "\n=== Checking golang-jwt/jwt v5.3.1 ==="
gh api repos/golang-jwt/jwt/releases/tags/v5.3.1 --jq '.tag_name, .published_at' 2>/dev/null || echo "Release not found or API error"

echo -e "\n=== Checking security advisories for all dependencies ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/prometheus/common") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/golang-jwt/jwt/v5") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: kubeservice-stack/node-metrics

Length of output: 611


🌐 Web query:

Are there any known security vulnerabilities in golang.org/x/net v0.52.0 or golang.org/x/oauth2 v0.36.0?

💡 Result:

As of May 29, 2026, both golang.org/x/net v0.52.0 and golang.org/x/oauth2 v0.36.0 have known security vulnerabilities associated with them [1][2]. Regarding golang.org/x/net v0.52.0: The pkg.go.dev page for this version explicitly lists several security advisories, including GO-2026-4918, GO-2026-5025, GO-2026-5026, GO-2026-5027, GO-2026-5028, GO-2026-5029, and GO-2026-5030 [1]. Additionally, CVE-2026-27141 describes a vulnerability where sending certain HTTP/2 frames can cause a server to panic due to a missing nil check in golang.org/x/net/http2 [3][4]. Users are generally advised to consult the official Go vulnerability database for the most up-to-date status and remediation guidance for these identifiers [1]. Regarding golang.org/x/oauth2 v0.36.0: While specific, recent CVEs directly targeting version v0.36.0 were not identified in the search results, the package has a history of security issues, such as CVE-2025-22868 (a denial of service vulnerability in the jws package), which was addressed in version v0.27.0 [5][6][7]. Users should always verify their specific dependencies against the Go vulnerability database to identify any newly disclosed vulnerabilities that may affect their installed version [1][6]. Given the dynamic nature of security disclosures, it is strongly recommended that you regularly run govulncheck in your Go projects to identify if your specific usage of these modules is impacted by any known vulnerabilities [8].


Update go.mod security review: all releases resolve; golang.org/x/net needs attention

  • go.mod lines 11/28/45-46: github.com/prometheus/common v0.68.0 and github.com/golang-jwt/jwt/v5 v5.3.1 have releases; GitHub’s security query returns no issues for prometheus/common, and the only surfaced jwt/v5 advisory affects versions < 5.2.2 (patched in 5.2.2) so v5.3.1 should be unaffected for that issue.
  • golang.org/x/net v0.52.0 has known Go advisories (GO-2026-4918, GO-2026-5025…GO-2026-5030) and CVE-2026-27141 (http2 server panic) associated with the version → bump to the first fixed x/net release.
  • golang.org/x/oauth2 v0.36.0: no specific vulnerability targeting this exact version was found in the search results (there are older issues like CVE-2025-22868 fixed in v0.27.0), but run govulncheck on your full dependency graph to ensure no transitive hits.
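The finding above boils down to one repeatable check: is any module pinned in go.mod at a version the advisories cover? Here is an added example, not CodeRabbit's or the project's code, that parses go.mod require lines with the standard library and flags pins at or below a version reported as affected. The advisory table carries only the identifiers quoted on this page, the module path and sample go.mod are constructed, and because the page does not state which x/net release fixes the advisories the check marks v0.52.0 and below and leaves "which release to move to" to govulncheck.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory pairs a module with the highest pinned version the review reported
// as affected. Constructed from the identifiers quoted in the review comment;
// the fixed release is not stated on the page, so nothing above MaxAffected
// is judged here.
type Advisory struct {
	Module      string
	MaxAffected string
	IDs         []string
}

var advisories = []Advisory{
	{Module: "golang.org/x/net", MaxAffected: "v0.52.0",
		IDs: []string{"GO-2026-4918", "GO-2026-5025", "CVE-2026-27141"}},
}

// Finding is one require line that matched an advisory.
type Finding struct {
	Module string
	Pinned string
	IDs    []string
}

// parseSemver splits "v1.2.3" into numeric components; pseudo-versions such as
// "v0.0.0-20240101120000-abcdef123456" are reduced to their numeric core.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// compareSemver returns -1, 0 or 1 for a < b, a == b, a > b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// requireLines extracts module -> version from go.mod text, handling both the
// single-line "require m v" form and "require ( ... )" blocks, and stripping
// trailing comments such as "// indirect".
func requireLines(gomod string) map[string]string {
	pins := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch line {
		case "":
			continue
		case "require (":
			inBlock = true
			continue
		case ")":
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if inBlock && len(f) == 2 {
			pins[f[0]] = f[1]
		} else if !inBlock && len(f) == 3 && f[0] == "require" {
			pins[f[1]] = f[2]
		}
	}
	return pins
}

// CheckGoMod returns a Finding for every pinned module whose version is at or
// below an advisory's MaxAffected. Unparseable versions are skipped rather
// than guessed about.
func CheckGoMod(gomod string) []Finding {
	pins := requireLines(gomod)
	var out []Finding
	for _, adv := range advisories {
		pinned, ok := pins[adv.Module]
		if !ok {
			continue
		}
		pv, ok1 := parseSemver(pinned)
		mv, ok2 := parseSemver(adv.MaxAffected)
		if ok1 && ok2 && compareSemver(pv, mv) <= 0 {
			out = append(out, Finding{Module: adv.Module, Pinned: pinned, IDs: adv.IDs})
		}
	}
	return out
}

// sampleGoMod is constructed to resemble the go.mod this PR touches; the
// module path and go directive are placeholders.
const sampleGoMod = `module example.com/placeholder

go 1.22

require (
	github.com/golang-jwt/jwt/v5 v5.3.1
	github.com/prometheus/common v0.68.0
	golang.org/x/net v0.52.0 // indirect
	golang.org/x/oauth2 v0.36.0 // indirect
)
`

func main() {
	for _, f := range CheckGoMod(sampleGoMod) {
		fmt.Printf("%s %s matches %s; upgrade to the first fixed release and re-run govulncheck\n",
			f.Module, f.Pinned, strings.Join(f.IDs, ", "))
	}
}
```

This is a pin-level gate, not a substitute for govulncheck: it cannot tell whether the vulnerable http2 code paths are reachable from this binary, which is exactly the question the review's closing recommendation to run govulncheck over the full module graph answers.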


Labels: dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code), size/S
