Bump x/net to mititage the GHSA in prometheus.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
wolfi-dev · Feb 26, 2023 · 4d3e83e · 4d3e83e
1 parent 5250f97
commit 4d3e83e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -187,7 +187,7 @@ $(eval $(call build-package,libgcrypt,1.10.1-r3))
 $(eval $(call build-package,libxml2,2.10.3-r3))
 $(eval $(call build-package,perl-test-pod,1.52-r2))
 $(eval $(call build-package,perl-yaml-syck,1.34-r2))
-$(eval $(call build-package,prometheus,2.42.0-r1))
+$(eval $(call build-package,prometheus,2.42.0-r2))
 $(eval $(call build-package,libxslt,1.1.37-r2))
 $(eval $(call build-package,docbook-xml,4.5-r2))
 $(eval $(call build-package,xmlto,0.0.28-r3))

diff --git a/prometheus.yaml b/prometheus.yaml
@@ -1,7 +1,8 @@
 package:
   name: prometheus
+  # When bumping this version you can remove the `go get` line in the build script
   version: 2.42.0
-  epoch: 1
+  epoch: 2
   description: The Prometheus monitoring system and time series database.
   target-architecture:
     - all
@@ -23,6 +24,10 @@ pipeline:
       uri: https://github.com/prometheus/prometheus/archive/v${{package.version}}.tar.gz
       expected-sha256: 6bf05a61ae9c4c5853b3c17063e13230263cbc81dbafaf849b8ba220943bdbff
   - runs: |
+      # Mitigate GHSA-vvpx-j8f3-3w6h
+      go get golang.org/x/net@v0.7.0
+      go mod tidy
+
       GOLDFLAGS="-X github.com/prometheus/common/version.Version=${{package.version}}
         -X github.com/prometheus/common/version.Revision=WolfiLinux
         -X github.com/prometheus/common/version.Branch=master