
chore(deps): update all dependencies #408

Open: renovate[bot] wants to merge 2 commits into main from renovate/all

Conversation

renovate[bot] (Contributor) commented Apr 1, 2024

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| antonbabenko/pre-commit-terraform | repository | minor | v1.91.0 -> v1.92.1 |
| archive (source) | required_provider | minor | 2.4.2 -> 2.5.0 |
| defenseunicorns/build-harness | | patch | 2.0.9 -> 2.0.34 |
| github.com/aws/aws-sdk-go | require | minor | v1.51.6 -> v1.55.5 |
| github.com/defenseunicorns/delivery_aws_iac_utils | require | patch | v0.0.5 -> v0.0.6 |
| github.com/defenseunicorns/terraform-aws-bastion | module | patch | v0.0.13 -> v0.0.17 |
| github.com/defenseunicorns/terraform-aws-eks | module | patch | v0.0.17 -> v0.0.23 |
| github.com/defenseunicorns/terraform-aws-lambda | module | patch | v0.0.3 -> v0.0.7 |
| github.com/defenseunicorns/terraform-aws-vpc | module | patch | v0.1.7 -> v0.1.11 |
| github.com/gruntwork-io/terratest | require | minor | v0.46.13 -> v0.47.0 |
| github.com/hashicorp/go-getter | indirect | patch | v1.7.3 -> v1.7.5 |
| golang.org/x/net | indirect | minor | v0.20.0 -> v0.23.0 |
| k8s.io/api | require | minor | v0.29.3 -> v0.31.0 |
| k8s.io/apimachinery | require | minor | v0.29.3 -> v0.31.0 |
| k8s.io/client-go | require | minor | v0.29.3 -> v0.31.0 |
| renovatebot/pre-commit-hooks | repository | major | 37.410.2 -> 38.29.0 |
| sigs.k8s.io/aws-iam-authenticator | require | patch | v0.6.18 -> v0.6.22 |
| terraform-aws-modules/kms/aws (source) | module | major | ~> 2.0 -> ~> 3.0 |

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

GitHub Vulnerability Alerts

CVE-2024-3817

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.

An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.

CVE-2024-6257

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes.

An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.


HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

CVE-2024-3817 / GHSA-q64h-39hv-4cf7 / GO-2024-2800

More information

Details

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.

An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation

CVE-2024-6257 / GHSA-xfhp-jf8p-mh5w / GO-2024-2948

More information

Details

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes.

An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2023-45288

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.


net/http, x/net/http2: close connections when receiving too many headers

BIT-golang-2023-45288 / CVE-2023-45288 / GHSA-4v7x-pqxf-cx7m / GO-2024-2687

More information

Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

antonbabenko/pre-commit-terraform (antonbabenko/pre-commit-terraform)

v1.92.1

Compare Source

Bug Fixes
  • terraform_docs: Suppress "terraform command not found" error message in case binary does not exist (#​693) (6ff3572)

v1.92.0

Compare Source

Features
  • Add terragrunt_validate_inputs hook to check unused and undefined inputs (#​677) (a139b71)
hashicorp/terraform-provider-archive (archive)

v2.5.0

Compare Source

ENHANCEMENTS:

  • data-source/archive_file: Add glob pattern matching support to the excludes attribute. (#​354)
  • resource/archive_file: Add glob pattern matching support to the excludes attribute. (#​354)
defenseunicorns/build-harness (defenseunicorns/build-harness)

v2.0.34

Compare Source

Miscellaneous Chores

v2.0.33

Compare Source

Miscellaneous Chores

v2.0.32

Compare Source

Miscellaneous Chores

v2.0.31

Compare Source

Miscellaneous Chores

v2.0.30

Compare Source

Miscellaneous Chores

v2.0.29

Compare Source

Miscellaneous Chores

v2.0.28

Compare Source

Miscellaneous Chores

v2.0.27

Compare Source

Miscellaneous Chores

v2.0.26

Compare Source

Miscellaneous Chores
  • deps: update dependency defenseunicorns/uds-cli to v0.11.1 (#​304) (e50f574)
  • remove the schedule from the renovate config (#​302) (f183cad)

v2.0.25

Compare Source

Miscellaneous Chores

v2.0.24

Compare Source

Miscellaneous Chores

v2.0.23

Compare Source

Miscellaneous Chores

v2.0.22

Compare Source

Miscellaneous Chores

v2.0.21

Compare Source

Miscellaneous Chores

v2.0.20

Compare Source

Miscellaneous Chores

v2.0.19

Compare Source

Miscellaneous Chores

v2.0.18

Compare Source

Miscellaneous Chores
  • deps: update ghcr.io/defenseunicorns/build-harness/build-harness docker tag to v2.0.17 (#​268) (1bbaf14)
  • deps: update stable to v1.7.0 (#​270) (f476bc6)

v2.0.17

Compare Source

Miscellaneous Chores

v2.0.16

Compare Source

Miscellaneous Chores

v2.0.15

Compare Source

Miscellaneous Chores
  • deps: update ghcr.io/defenseunicorns/build-harness/build-harness docker tag to v2.0.14 (#​258) (9e7e6f3)
  • deps: update stable (#​260) (9965dce)

v2.0.14

Compare Source

Miscellaneous Chores
  • deps: update ghcr.io/defenseunicorns/build-harness/build-harness docker tag to v2.0.13 (#​255) (d3f43ce)
  • deps: update stable (#​257) (341206a)

v2.0.13

Compare Source

Miscellaneous Chores

v2.0.12

Compare Source

Miscellaneous Chores

v2.0.11

Compare Source

Miscellaneous Chores

v2.0.10

Compare Source

Miscellaneous Chores
aws/aws-sdk-go (github.com/aws/aws-sdk-go)

v1.55.5

Compare Source

Service Client Updates
  • service/appstream: Updates service API and documentation
    • Added support for Red Hat Enterprise Linux 8 on Amazon AppStream 2.0
  • service/autoscaling: Updates service API and documentation
    • Increase the length limit for VPCZoneIdentifier from 2047 to 5000
  • service/codepipeline: Updates service API, documentation, and paginators
    • AWS CodePipeline V2 type pipelines now support stage level conditions to enable development teams to safely release changes that meet quality and compliance requirements.
  • service/elasticache: Updates service documentation
    • Doc only update for changes to deletion API.
  • service/elasticloadbalancing: Updates service API
  • service/eventbridge: Updates service API
  • service/logs: Updates service API
    • Add v2 smoke tests and smithy smokeTests trait for SDK testing.
  • service/models.lex.v2: Updates service API and documentation
  • service/rolesanywhere: Updates service API and documentation
  • service/tnb: Updates service API and documentation
  • service/workspaces: Updates service documentation
    • Removing multi-session as it isn't supported for pools

v1.55.4

Compare Source

Service Client Updates
  • service/elasticache: Updates service documentation
    • Renaming full service name as it appears in developer documentation.
  • service/memorydb: Updates service API and documentation

v1.55.3

Compare Source

Service Client Updates
  • service/application-autoscaling: Updates service API
  • service/application-signals: Updates service API and documentation
  • service/bedrock-runtime: Updates service API and documentation
  • service/codecommit: Updates service API and documentation
    • CreateRepository API now throws OperationNotAllowedException when the account has been restricted from creating a repository.
  • service/datazone: Updates service API and documentation
  • service/ec2: Updates service API and documentation
    • EC2 Fleet now supports using custom identifiers to reference Amazon Machine Images (AMI) in launch requests that are configured to choose from a diversified list of instance types.
  • service/ecr: Updates service API, documentation, paginators, and examples
    • API and documentation updates for Amazon ECR, adding support for creating, updating, describing and deleting ECR Repository Creation Template.
  • service/eks: Updates service API and documentation
  • service/elasticloadbalancingv2: Updates service API, documentation, and examples
  • service/network-firewall: Updates service API and documentation
  • service/outposts: Updates service API and documentation
  • service/states: Updates service API and documentation
    • This release adds support to customer managed KMS key encryption in AWS Step Functions.
SDK Bugs
  • Remove broken integration test.
    • Remove integration test broken by cloudsearch service.

v1.55.2

Compare Source

Service Client Updates
  • service/cleanrooms: Updates service API and documentation
  • service/dynamodb: Updates service API, documentation, waiters, paginators, and examples
    • DynamoDB doc only update for July
  • service/iotsitewise: Updates service API and documentation
  • service/mediapackagev2: Updates service API
  • service/medical-imaging: Updates service API and documentation
  • service/pinpoint-sms-voice-v2: Updates service API and documentation
SDK Bugs
  • Add missing bool error matching.
    • This enables waiters defined to match on presence/absence of errors.

v1.55.1

Compare Source

Service Client Updates
  • service/appsync: Updates service API and paginators
  • service/cleanrooms: Updates service API, documentation, and paginators
  • service/cleanroomsml: Updates service API, documentation, and waiters
  • service/connect: Updates service API and documentation
  • service/connect-contact-lens: Updates service API and documentation
  • service/datazone: Updates service API and documentation
  • service/entityresolution: Updates service API and documentation

[`v1.55


Configuration

📅 Schedule: Branch creation - "after 4am and before 10am on Monday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
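The argument-injection issue in CVE-2024-3817 above comes from placing a caller-controlled Git URL where git expects a repository argument. The Go program below is an added illustration of that bug class and of the usual guard; it is not go-getter's code or its fix. The argv layout, the option name used as the hostile value and the function names are assumptions made for the example, and the program only builds argument lists, it never invokes git.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOptionLikeURL is returned for a "URL" that git would parse as an option.
var ErrOptionLikeURL = errors.New("git url begins with '-' and would be parsed as an option, not a repository")

// unsafeLsRemoteArgs mirrors the naive pattern behind this class of bug: the
// caller-supplied URL is placed where git expects a repository, but nothing
// stops a value beginning with "-" from being consumed as an option.
// (Illustration of the class only; this is not go-getter's code.)
func unsafeLsRemoteArgs(url string) []string {
	return []string{"ls-remote", "--symref", url, "HEAD"}
}

// safeLsRemoteArgs refuses option-looking input and ends option parsing with
// "--", so whatever follows is always treated as the repository argument.
func safeLsRemoteArgs(url string) ([]string, error) {
	if strings.HasPrefix(url, "-") {
		return nil, ErrOptionLikeURL
	}
	return []string{"ls-remote", "--symref", "--", url, "HEAD"}, nil
}

// injectedOptions reports which argv entries after the subcommand git would
// parse as options, excluding the ones the program itself intended to pass.
func injectedOptions(argv []string, intended map[string]bool) []string {
	var found []string
	for _, a := range argv[1:] {
		if a == "--" {
			break // everything after "--" is positional
		}
		if strings.HasPrefix(a, "-") && !intended[a] {
			found = append(found, a)
		}
	}
	return found
}

func main() {
	// Constructed input: --upload-pack is a real ls-remote option whose value
	// names a program for git to run, so an attacker-controlled value in that
	// position is the shape of injection the advisory describes.
	hostile := "--upload-pack=/tmp/not-really-git-upload-pack"
	benign := "https://github.com/hashicorp/go-getter.git"
	intended := map[string]bool{"--symref": true}

	fmt.Println("unsafe argv:", unsafeLsRemoteArgs(hostile))
	fmt.Println("injected:", injectedOptions(unsafeLsRemoteArgs(hostile), intended))
	if _, err := safeLsRemoteArgs(hostile); err != nil {
		fmt.Println("safe path rejected:", err)
	}
	args, _ := safeLsRemoteArgs(benign)
	fmt.Println("safe argv:", args)
}
```

The leading-dash check alone is not enough when the URL can come from several syntaxes (scp-like `user@host:path`, `file://`, local paths): the `--` terminator is what makes the positional argument unambiguous, and the check on the value is defence in depth.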
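CVE-2024-6257 above is a time-of-check problem: the destination is trusted after the clone, yet anything written to its .git/config is honoured by the later update. As an added example (not go-getter's code or its fix), this Go program parses a git config and reports the settings that would make git run an external program. The parser, the key list and the constructed config are assumptions for illustration, and the list is deliberately a non-exhaustive allowlist of danger rather than an inventory of everything git can execute.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// execKeys lists well-known single-valued git settings whose value is a program
// or shell command git runs during ordinary operations (fetch, checkout, diff).
// Non-exhaustive: extend it for the operations your updater actually performs.
var execKeys = map[string]bool{
	"core.fsmonitor":    true, // run on most commands that touch the index
	"core.sshcommand":   true, // replaces ssh for fetch/push
	"core.gitproxy":     true, // proxy command for git:// URLs
	"core.hookspath":    true, // points hooks at an attacker-chosen directory
	"core.pager":        true,
	"core.editor":       true,
	"diff.external":     true,
	"credential.helper": true,
}

// parseGitConfig reads the INI-like .git/config format into "section.key" ->
// value, keeping subsections in git's dotted notation. Multi-valued keys
// collapse to the last value, which is enough for an audit.
func parseGitConfig(text string) map[string]string {
	entries := map[string]string{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = normalizeSection(line[1 : len(line)-1])
			continue
		}
		key, value, _ := strings.Cut(line, "=")
		key = strings.ToLower(strings.TrimSpace(key))
		entries[section+"."+key] = strings.TrimSpace(value)
	}
	return entries
}

// normalizeSection turns `filter "lfs"` into "filter.lfs" and `core` into "core".
func normalizeSection(header string) string {
	name, sub, hasSub := strings.Cut(strings.TrimSpace(header), " ")
	name = strings.ToLower(name)
	if !hasSub {
		return name
	}
	return name + "." + strings.Trim(strings.TrimSpace(sub), `"`)
}

// isExecCapable reports whether a setting can make git execute something.
func isExecCapable(key, value string) bool {
	if execKeys[key] {
		return true
	}
	parts := strings.Split(key, ".")
	if len(parts) == 3 {
		switch parts[0] + "." + parts[2] {
		case "filter.clean", "filter.smudge", "filter.process", // content filters
			"merge.driver", "diff.command", "diff.textconv": // per-driver commands
			return true
		}
	}
	// Aliases that begin with "!" run through the shell instead of git.
	return parts[0] == "alias" && strings.HasPrefix(value, "!")
}

// execCapableSettings returns, sorted, every setting that would cause git to
// run an external program. Call it on .git/config between clone and update and
// refuse to proceed if it reports anything the clone step did not write.
func execCapableSettings(config string) []string {
	var found []string
	for key, value := range parseGitConfig(config) {
		if isExecCapable(key, value) {
			found = append(found, key)
		}
	}
	sort.Strings(found)
	return found
}

// tamperedConfig is a constructed example of what an attacker with write access
// to the destination could leave behind between the clone and the update.
const tamperedConfig = `[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	fsmonitor = /tmp/definitely-not-fsmonitor
[remote "origin"]
	url = https://example.invalid/repo.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[filter "lfs"]
	clean = git-lfs clean -- %f
[alias]
	st = status
	pwn = !sh -c 'id'
`

func main() {
	fmt.Println("exec-capable settings:", execCapableSettings(tamperedConfig))
}
```

The `filter.lfs.clean` hit shows why this is an allowlist-of-danger and not a verdict: a legitimate Git LFS setup executes a program too, so the updater has to compare against what it expects rather than against "nothing". The durable control is not the audit but never running git against a destination other principals can write to; where the destination must be shared, record a hash of .git/config and .git/hooks at clone time and fail closed on any difference before the update.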
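Whether this PR actually closes the three alerts depends on the versions that end up in the module graph, not on the changelogs. As an added check (not part of the PR or of Renovate), this Go program reads the require lines of a go.mod and flags modules below the patched versions: go-getter 1.7.4 for CVE-2024-3817 is stated in the advisory above; go-getter 1.7.5 for CVE-2024-6257 and x/net 0.23.0 for CVE-2023-45288 are the versions this PR bumps to, which are the patched releases for those advisories. The go.mod fragments are constructed, shaped like the before and after of this PR.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// floors holds the lowest version that carries the fix for every advisory in
// this PR (1.7.5 covers both go-getter CVEs).
var floors = map[string]string{
	"github.com/hashicorp/go-getter": "v1.7.5",
	"golang.org/x/net":               "v0.23.0",
}

// parseRequires extracts module -> version from the require lines of a go.mod,
// in both the single-line and block forms. "// indirect" markers are ignored
// because an indirect dependency is still linked into the binary.
func parseRequires(gomod string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				mods[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				mods[f[0]] = f[1]
			}
		}
	}
	return mods
}

// semverLess compares vMAJOR.MINOR.PATCH numerically. A pre-release or
// pseudo-version (anything after "-") sorts before its base tag, as in semver,
// so v1.7.5-0.20240601... is reported as older than v1.7.5.
func semverLess(a, b string) bool {
	pa, preA := semverParts(a)
	pb, preB := semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return preA && !preB
}

func semverParts(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s)
	}
	return out, pre
}

// belowFloor lists "module version < floor" for each pinned module that is
// present but too old. An absent module is not reported: it may simply not be
// in the graph, which is a different question from being unpatched.
func belowFloor(gomod string) []string {
	var bad []string
	for mod, v := range parseRequires(gomod) {
		if floor, ok := floors[mod]; ok && semverLess(v, floor) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", mod, v, floor))
		}
	}
	sort.Strings(bad)
	return bad
}

// Constructed go.mod fragments shaped like the before/after of this PR.
const beforeGoMod = `module example.com/iac

go 1.22.1

require (
	github.com/gruntwork-io/terratest v0.46.13
	github.com/hashicorp/go-getter v1.7.3 // indirect
	golang.org/x/net v0.20.0 // indirect
)
`

const afterGoMod = `module example.com/iac

go 1.23.0

require github.com/gruntwork-io/terratest v0.47.0

require (
	github.com/hashicorp/go-getter v1.7.5 // indirect
	golang.org/x/net v0.23.0 // indirect
)
`

func main() {
	fmt.Println("before:", belowFloor(beforeGoMod))
	fmt.Println("after: ", belowFloor(afterGoMod))
}
```

go.mod is the lower bound, not the selection: `go list -m github.com/hashicorp/go-getter golang.org/x/net` prints what minimal version selection actually picked, and `govulncheck ./...` reports only the vulnerable functions the binary reaches, which is the question that decides how urgent the merge is. Note also that the artifact update notice below raises the go directive to 1.23.0, so every builder of this module must already run that toolchain.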

@renovate renovate bot requested a review from a team as a code owner April 1, 2024 09:53
@renovate renovate bot added the renovate The Renovate Bot made this label Apr 1, 2024
narwhal-bot[bot] (Contributor) previously approved these changes Apr 1, 2024 and left a comment:

Auto approved

@narwhal-bot narwhal-bot bot enabled auto-merge April 1, 2024 09:55
@narwhal-bot narwhal-bot bot added this pull request to the merge queue Apr 1, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 1, 2024
renovate[bot] (Contributor, Author) commented Jun 10, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 17 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

| Package | Change |
| --- | --- |
| go | 1.22.1 -> 1.23.0 |
| cloud.google.com/go/compute/metadata | v0.2.3 -> v0.3.0 |
| github.com/davecgh/go-spew | v1.1.1 -> v1.1.2-0.20180830191138-d8f796af33cc |
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| github.com/google/uuid | v1.5.0 -> v1.6.0 |
| github.com/imdario/mergo | v0.3.11 -> v0.3.16 |
| github.com/moby/spdystream | v0.2.0 -> v0.4.0 |
| github.com/pmezard/go-difflib | v1.0.0 -> v1.0.1-0.20181226105442-5d4384ee4fb2 |
| golang.org/x/crypto | v0.18.0 -> v0.24.0 |
| golang.org/x/oauth2 | v0.16.0 -> v0.21.0 |
| golang.org/x/sync | v0.6.0 -> v0.7.0 |
| golang.org/x/sys | v0.16.0 -> v0.21.0 |
| golang.org/x/term | v0.16.0 -> v0.21.0 |
| golang.org/x/text | v0.14.0 -> v0.16.0 |
| google.golang.org/protobuf | v1.33.0 -> v1.34.2 |
| k8s.io/klog/v2 | v2.110.1 -> v2.130.1 |
| k8s.io/kube-openapi | v0.0.0-20240105020646-a37d4de58910 -> v0.0.0-20240228011516-70dd3763d340 |
| k8s.io/utils | v0.0.0-20240102154912-e7106e64919e -> v0.0.0-20240711033017-18e509b52bc8 |

@renovate renovate bot force-pushed the renovate/all branch 21 times, most recently from 0590717 to 32762ad Compare June 18, 2024 05:17
@renovate renovate bot force-pushed the renovate/all branch 20 times, most recently from 8fd34df to e5b51ea Compare August 13, 2024 00:39
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from f522487 to 4a29b6a Compare August 14, 2024 09:04
ntwkninja (Member) commented Aug 14, 2024

/update autoformat
🤖 View pipeline run

renovate[bot] (Contributor, Author) commented Aug 14, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
