spokeywheeler / drawbridge
License: MIT License
Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited: these updates are currently rate-limited. Click on a checkbox below to force their creation now.
Open: these updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Update group: github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials, github.com/aws/aws-sdk-go-v2/service/appconfig, github.com/aws/aws-sdk-go-v2/service/sts

Detected dependencies. Every path below sits under cmd/pkg/mod/, which is the on-disk layout of a Go module cache (GOMODCACHE); the entries therefore come from third-party modules' own Dockerfiles, workflows and go.mod files that were checked into the repository, not from drawbridge's own manifests.

dockerfile
- cmd/pkg/mod/golang.org/x/[email protected]/unix/linux/Dockerfile
  - ubuntu 22.04

github-actions
- cmd/pkg/mod/github.com/knadh/[email protected]/.github/workflows/test.yml
  - actions/checkout v2
  - actions/setup-go v2
  - ubuntu 20.04
- cmd/pkg/mod/github.com/mitchellh/[email protected]/.github/workflows/test.yml
  - actions/setup-go v2
  - actions/checkout v2
- cmd/pkg/mod/github.com/mitchellh/[email protected]/.github/workflows/test.yml
  - actions/setup-go v2
  - actions/checkout v2
- cmd/pkg/mod/gopkg.in/[email protected]/.github/workflows/go.yaml
  - actions/checkout v2
  - actions/setup-go v2
  - ubuntu 20.04

gomod
- cmd/pkg/mod/github.com/fsnotify/[email protected]/go.mod
  - go 1.19
  - golang.org/x/sys v0.9.0
- cmd/pkg/mod/github.com/knadh/[email protected]/go.mod
  - go 1.19
  - github.com/aws/aws-sdk-go-v2 v1.18.1
  - github.com/aws/aws-sdk-go-v2/config v1.18.27
  - github.com/aws/aws-sdk-go-v2/credentials v1.13.26
  - github.com/aws/aws-sdk-go-v2/service/appconfig v1.17.11
  - github.com/aws/aws-sdk-go-v2/service/sts v1.19.2
  - github.com/fatih/structs v1.1.0
  - github.com/fsnotify/fsnotify v1.6.0
  - github.com/hashicorp/consul/api v1.21.0
  - github.com/hashicorp/hcl v1.0.0
  - github.com/hashicorp/hcl/v2 v2.19.1
  - github.com/hashicorp/vault/api v1.10.0
  - github.com/hjson/hjson-go/v4 v4.3.0
  - github.com/joho/godotenv v1.5.1
  - github.com/mitchellh/copystructure v1.2.0
  - github.com/mitchellh/mapstructure v1.5.0
  - github.com/npillmayer/nestext v0.1.3
  - github.com/pelletier/go-toml v1.9.5
  - github.com/pelletier/go-toml/v2 v2.1.0
  - github.com/rhnvrm/simples3 v0.8.3
  - github.com/spf13/pflag v1.0.5
  - github.com/stretchr/testify v1.8.4
  - go.etcd.io/etcd/client/v3 v3.5.9
  - gopkg.in/yaml.v3 v3.0.1
- cmd/pkg/mod/github.com/mitchellh/[email protected]/go.mod
  - go 1.19
  - github.com/mitchellh/reflectwalk v1.0.2
- cmd/pkg/mod/github.com/mitchellh/[email protected]/go.mod
  - go 1.19
- cmd/pkg/mod/golang.org/x/[email protected]/go.mod
  - go 1.19
- cmd/pkg/mod/gopkg.in/[email protected]/go.mod
Found in HEAD commit: 0c9767cc865b5c0b94b5628f441a02ef6e25e360
Found in base branch: main
Library home page: https://proxy.golang.org/github.com/hashicorp/consul/api/@v/v1.20.0.zip

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---|---
CVE-2023-2816 | High | 8.7 | github.com/hashicorp/consul/api v1.20.0 | Direct | v1.15.3 (Consul release) | ✓

CVE-2023-2816: Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

The flaw is in the Consul server's authorization of Envoy extension configuration, and v1.15.3 is a Consul release, not a version of the github.com/hashicorp/consul/api module (the api module's v1.20.0 tag is unrelated to any Consul 1.20). A match on the api client library only shows that this code talks to Consul; the remediation is upgrading the Consul servers to a release that contains the fix.

Publish Date: 2023-06-02
Type: Upgrade version
Release Date: 2023-06-02
Fix Resolution: v1.15.3
Found in HEAD commit: c5da1087dc006f88b4a2c8473c618300ff349911
Found in base branch: main
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.7.0.zip

CVE | Severity | CVSS | Dependency | Type | Fixed in (version of the direct dependency go.etcd.io/etcd/client/v3 v3.5.9) | Remediation Possible**
---|---|---|---|---|---|---
CVE-2023-39325 | High | 7.5 | golang.org/x/net v0.7.0 | Transitive | N/A* | ✓

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the details below for a version of the transitive dependency in which the vulnerability is fixed.
**In some cases a remediation PR cannot be created automatically even though a remediation is available.

CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) are queued until a handler exits. If the request queue grows too large, the server terminates the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection; the value can be adjusted through the golang.org/x/net/http2 package (see the Server.MaxConcurrentStreams setting and the ConfigureServer function).

Publish Date: 2023-10-11
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net v0.17.0

Because net/http carries its own bundled copy of x/net/http2, a binary is only fixed when both the Go toolchain it was built with and, if it uses golang.org/x/net/http2 directly, the x/net module version are at or past the versions above; bumping the module alone does not patch the standard-library server.
Found in HEAD commit: 64773dc2ff7b1509222d7a4c4ca08be3f98526b4
Found in base branch: main
Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.6.zip

CVE | Severity | CVSS | Dependency | Type | Fixed in (version of the direct dependency github.com/hashicorp/vault/api v1.0.4) | Remediation Available
---|---|---|---|---|---|---
CVE-2021-38561 | High | 7.5 | golang.org/x/text v0.3.6 | Transitive | N/A* | ✓
CVE-2022-32149 | High | 7.5 | golang.org/x/text v0.3.6 | Transitive | N/A* | ✓

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the details below for a version of the transitive dependency in which the vulnerability is fixed.

Both issues are reachable only where golang.org/x/text/language parses attacker-controlled input, typically an Accept-Language header; golang.org/x/text v0.3.8 covers both.

CVE-2021-38561: golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Publish Date: 2022-12-26
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7

CVE-2022-32149: An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Publish Date: 2022-10-14
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149
Release Date: 2022-10-14
Fix Resolution: v0.3.8
Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d
Found in base branch: main
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20211216030914-fe4d6282115f.zip

CVE | Severity | CVSS | Dependency | Type | Fixed in (version of the direct dependency go.etcd.io/etcd/client/v3 v3.5.6) | Remediation Available
---|---|---|---|---|---|---
CVE-2022-27664 | High | 7.5 | golang.org/x/net v0.0.0-20211216030914-fe4d6282115f | Transitive | N/A* | ✓
CVE-2022-30633 | High | 7.5 | golang.org/x/net v0.0.0-20211216030914-fe4d6282115f | Transitive | N/A* | ✓
CVE-2022-41721 | High | 7.5 | golang.org/x/net v0.0.0-20211216030914-fe4d6282115f | Transitive | N/A* | ✓
CVE-2022-28131 | High | 7.5 | golang.org/x/net v0.0.0-20211216030914-fe4d6282115f | Transitive | N/A* | ✓

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the details below for a version of the transitive dependency in which the vulnerability is fixed.

Two of these four entries (CVE-2022-30633 and CVE-2022-28131) are bugs in the standard library's encoding/xml package, not in golang.org/x/net; the scanner attaches them to the x/net module, but the only remediation is rebuilding with the Go releases listed under each entry. The other two concern HTTP/2 handling: the description of CVE-2022-27664 names the fixed Go releases (1.18.6 and 1.19.1), while CVE-2022-41721 is in the h2c upgrade path of golang.org/x/net/http2 and needs a newer x/net. This report records no fix version for either of those two.

CVE-2022-27664: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Publish Date: 2022-09-06
Fix Resolution: not recorded in this report (the description names Go 1.18.6 and 1.19.1)

CVE-2022-30633: Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Publish Date: 2022-08-10
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633
Release Date: 2022-05-13
Fix Resolution: go1.17.12, go1.18.4

CVE-2022-41721: A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Publish Date: 2023-01-13
Fix Resolution: not recorded in this report

CVE-2022-28131: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
Publish Date: 2022-08-10
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131
Release Date: 2022-03-29
Fix Resolution: go1.17.12, go1.18.4
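The two encoding/xml entries above (CVE-2022-28131 and CVE-2022-30633) are both stack-exhaustion bugs driven by nesting depth. Beyond rebuilding with a patched toolchain, a service that must accept XML from untrusted callers can refuse over-deep documents before they reach Unmarshal. The following is an added example written for this page, not code from drawbridge or from the Go project: it pre-scans the token stream with Decoder.Token, which is a plain loop (the decoder keeps its own heap-allocated element stack rather than recursing), and only then hands the bytes to xml.Unmarshal. The Node type, the 64-level limit and the constructed documents are illustrative assumptions.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when element nesting exceeds the configured limit.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// Node mirrors the shape that triggers CVE-2022-30633 on unpatched toolchains: a
// struct whose ",any" field nests the same struct, so Unmarshal recurses once per
// element level. Illustrative type, not from the project.
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

// checkDepth walks the document with Decoder.Token and fails as soon as nesting
// exceeds maxDepth. It never calls Decoder.Skip or Unmarshal, the two recursive
// paths named in CVE-2022-28131 and CVE-2022-30633, so it is safe to run on
// untrusted bytes first. Memory still grows with depth, so bound the input size
// as well (io.LimitReader or http.MaxBytesReader upstream of this call).
func checkDepth(data []byte, maxDepth int) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // unclosed elements surface as a syntax error, not EOF
		}
		if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// safeUnmarshal enforces the depth limit, then delegates to xml.Unmarshal.
func safeUnmarshal(data []byte, maxDepth int, v any) error {
	if err := checkDepth(data, maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// nestedDoc builds a constructed test document with n nested <a> elements.
func nestedDoc(n int) []byte {
	return []byte(strings.Repeat("<a>", n) + "x" + strings.Repeat("</a>", n))
}

func main() {
	var n Node
	fmt.Println("depth 5:     ", safeUnmarshal(nestedDoc(5), 64, &n))
	fmt.Println("depth 100000:", safeUnmarshal(nestedDoc(100000), 64, &n))
}
```

The pre-scan costs one extra pass over the bytes; the limit should be set from what the schema actually needs (a few dozen levels is generous for most configuration and API payloads), and the same guard applies to Decoder.Skip-based streaming parsers, since Token-level depth counting replaces Skip's recursion entirely.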
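All four scanner reports above resolve to one of two remediations: move golang.org/x/net or golang.org/x/text past a fixed tag, or rebuild with a patched Go toolchain. The following is an added example written for this page, not code from drawbridge, Mend or Renovate: it reads the version data a Go binary embeds (runtime/debug.BuildInfo, the same data `go version -m` prints) and compares the toolchain and the two modules against exactly the fix versions the reports state; entries the reports leave without a fix version (CVE-2022-27664 and CVE-2022-41721 for x/net) are deliberately not guessed. The sample build record is constructed to mirror the flagged versions, and the version ordering is a minimal major.minor.patch comparison that ignores pre-release suffixes, adequate for the tagged releases here but not a substitute for golang.org/x/mod/semver or govulncheck.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// First version containing each fix, per component, taken from the Fix Resolution
// lines above. Toolchain entries list one fixed release per patched release line.
var fixes = []struct {
	Component, CVE string
	Fixed          []string
}{
	{"go", "CVE-2023-39325", []string{"go1.20.10", "go1.21.3"}},
	{"go", "CVE-2022-27664", []string{"go1.18.6", "go1.19.1"}},
	{"go", "CVE-2022-30633", []string{"go1.17.12", "go1.18.4"}},
	{"go", "CVE-2022-28131", []string{"go1.17.12", "go1.18.4"}},
	{"golang.org/x/net", "CVE-2023-39325", []string{"v0.17.0"}},
	{"golang.org/x/text", "CVE-2021-38561", []string{"v0.3.7"}},
	{"golang.org/x/text", "CVE-2022-32149", []string{"v0.3.8"}},
}

// parseVersion reads {major, minor, patch} from "vX.Y.Z", "goX.Y.Z" or a pseudo-version
// "v0.0.0-<date>-<hash>". Pre-release suffixes are dropped, so "v0.17.0-0.<date>" counts
// as v0.17.0; use golang.org/x/mod/semver where that distinction matters.
func parseVersion(v string) (n [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	for i := 0; i < len(parts) && i < 3; i++ {
		x, err := strconv.Atoi(parts[i])
		if err != nil {
			return n, false
		}
		n[i] = x
	}
	return n, len(parts) <= 3
}

// vulnerable reports whether have is older than the fix for its release line: a line
// named in fixed is safe from that patch onward, a newer line is safe, an older line
// never received the fix. An unparseable version (devel toolchain, untagged local
// replace) is reported rather than silently passed.
func vulnerable(have string, fixed []string) bool {
	v, ok := parseVersion(have)
	if !ok {
		return true
	}
	var newest [3]int
	for _, f := range fixed {
		fv, _ := parseVersion(f) // the table above is well-formed
		if fv[0] == v[0] && fv[1] == v[1] {
			return v[2] < fv[2]
		}
		if fv[0] > newest[0] || fv[0] == newest[0] && fv[1] > newest[1] {
			newest = fv
		}
	}
	return v[0] < newest[0] || v[0] == newest[0] && v[1] < newest[1]
}

// audit checks the toolchain and module versions a binary records in its build info
// against the fix table. A replaced module is checked by the version actually linked.
func audit(info *debug.BuildInfo) (findings []string) {
	versions := map[string]string{"go": info.GoVersion}
	for _, dep := range info.Deps {
		if dep.Replace != nil {
			dep = dep.Replace
		}
		versions[dep.Path] = dep.Version
	}
	for _, f := range fixes {
		if have, present := versions[f.Component]; present && vulnerable(have, f.Fixed) {
			findings = append(findings, fmt.Sprintf("%s %s < %s (%s)", f.Component, have, strings.Join(f.Fixed, "/"), f.CVE))
		}
	}
	return findings
}

// sampleBuildInfo is a constructed record mirroring the versions flagged above.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.21.1",
		Deps: []*debug.Module{
			{Path: "golang.org/x/net", Version: "v0.7.0"},
			{Path: "golang.org/x/text", Version: "v0.3.6"},
		},
	}
}

func main() {
	fmt.Println("constructed sample:", audit(sampleBuildInfo()))
	if info, ok := debug.ReadBuildInfo(); ok { // the binary running this program
		fmt.Println("this binary:", audit(info))
	}
}
```

Run against a deployed binary, `audit(info)` answers the question the dashboards above cannot: not which versions are in some checked-in go.mod, but which toolchain and modules were actually linked into the artifact that is serving traffic.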