Bump the backend group across 1 directory with 16 updates #82

Open. dependabot[bot] wants to merge 1 commit into master.

dependabot[bot] (Contributor) commented on behalf of github, Sep 16, 2024

Bumps the backend group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/Masterminds/semver/v3 | 3.2.1 | 3.3.0 |
| github.com/aquasecurity/trivy | 0.52.2 | 0.55.1 |
| github.com/go-chi/chi/v5 | 5.0.13 | 5.1.0 |
| github.com/operator-framework/api | 0.26.0 | 0.27.0 |
| github.com/rs/cors | 1.11.0 | 1.11.1 |
| github.com/tektoncd/pipeline | 0.60.2 | 0.63.0 |
| github.com/unrolled/secure | 1.14.0 | 1.15.0 |
| golang.org/x/oauth2 | 0.21.0 | 0.23.0 |
| google.golang.org/api | 0.185.0 | 0.197.0 |
| oras.land/oras-go | 1.2.5 | 1.2.6 |

Updates github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.3.0

What's Changed

New Contributors

Full Changelog: Masterminds/semver@v3.2.1...v3.3.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

3.3.0 (2024-08-27)

Added

Changed

  • #241: Simplify StrictNewVersion parsing (thanks @​grosser)
  • Testing support up through Go 1.23
  • Minimum version set to 1.21 as this is what's tested now
  • Fuzz testing now supports caching
Commits
  • e6e3d4d Merge pull request #249 from mattfarina/update-changelog-3.3.0
  • e80c4ea Updating changelog for 3.3.0
  • 80427ad Merge pull request #248 from mattfarina/bump-min-version
  • b610837 bumping min version in go.mod based on what's tested
  • a4cccd8 Merge pull request #246 from mattfarina/bump-go-1.23
  • 7c178cf Updating the testing version of Go used
  • 29f94c1 Merge pull request #241 from grosser/grosser/validate
  • 2cf1b16 Merge pull request #245 from mattfarina/remove-vert
  • b55476a Removing reference to vert
  • d07450b simplify StrictNewVersion
  • Additional commits viewable in compare view

Updates github.com/aquasecurity/trivy from 0.52.2 to 0.55.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.55.1

⚡Release highlights and summary⚡

👉aquasecurity/trivy#7494

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0

⚡Release highlights and summary⚡

👉aquasecurity/trivy#7440

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0550-2024-09-03

v0.54.1

Changelog

  • 854c61d34a550a9fcbab3bc59e55b868c15d1962 release: v0.54.1 [release/v0.54] (#7282)
  • 334a1c293bb3d490af2a6d80732f399efaac22f7 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285)
  • f61725c28b56d80fb46395479842a2ab0c517c5f fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
  • a7b7117fe2c9608e990b42e702cc83675c48f888 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)

v0.54.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#7268

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0540-2024-07-30

v0.53.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#7061

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0530-2024-07-01

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.55.1 (2024-09-12)

Bug Fixes

  • report: change a receiver of MarshalJSON [backport: release/v0.55] (#7490) (6fa91bf)
  • report: fix error with unmarshal of ExperimentalModifiedFindings [backport: release/v0.55] (#7492) (6ae7cd5)

Reverts

  • java: stop supporting of test scope for pom.xml files [backport: release/v0.55] (#7489) (c20d9e2)

0.55.0 (2024-09-03)

⚠ BREAKING CHANGES

  • cli: delete deprecated SBOM flags (#7266)

Features

  • cli: delete deprecated SBOM flags (#7266) (7024572)
  • go: use toolchain as stdlib version for go.mod files (#7163) (2d80769)
  • java: add test scope support for pom.xml files (#7414) (2d97700)
  • misconf: Add support for using spec from on-disk bundle (#7179) (be86126)
  • misconf: ignore duplicate checks (#7317) (9ef05fc)
  • misconf: iterator argument support for dynamic blocks (#7236) (fe92072)
  • misconf: port and protocol support for EC2 networks (#7146) (98e136e)
  • misconf: scanning support for YAML and JSON (#7311) (efdbd8f)
  • misconf: support for ignore by nested attributes (#7205) (44e4686)
  • misconf: support for policy and bucket grants (#7284) (a817fae)
  • misconf: variable support for Terraform Plan (#7228) (db2c955)
  • python: use minimum version for pip packages (#7348) (e9b43f8)
  • report: export modified findings in JSON (#7383) (7aea79d)
  • sbom: set User-Agent header on requests to Rekor (#7396) (af1d257)
  • server: add internal --path-prefix flag for client/server mode (#7321) (24a4563)
  • server: Make Trivy Server Multiplexer Exported (#7389) (4c6e8ca)
  • vm: Support direct filesystem (#7058) (45b3f34)
  • vm: support the Ext2/Ext3 filesystems (#6983) (35c60f0)
  • vuln: Add --detection-priority flag for accuracy tuning (#7288) (fd8348d)

Bug Fixes

  • aws: handle ECR repositories in different regions (#6217) (feaef96)
  • flag: incorrect behavior for deprected flag --clear-cache (#7281) (2a0e529)
  • helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#7362) (da4ebfa)
  • java: Return error when trying to find a remote pom to avoid segfault (#7275) (49d5270)
  • license: add license handling to JUnit template (#7409) (f80183c)

... (truncated)

Commits
  • 8c6a4a6 release: v0.55.1 [release/v0.55] (#7491)
  • 6ae7cd5 fix(report): fix error with unmarshal of ExperimentalModifiedFindings [back...
  • 6fa91bf fix(report): change a receiver of MarshalJSON [backport: release/v0.55] (#7490)
  • c20d9e2 revert(java): stop supporting of test scope for pom.xml files [backport: ...
  • 7a1e8b8 release: v0.55.0 [main] (#7271)
  • 2d80769 feat(go): use toolchain as stdlib version for go.mod files (#7163)
  • f80183c fix(license): add license handling to JUnit template (#7409)
  • 2d97700 feat(java): add test scope support for pom.xml files (#7414)
  • 870523d chore(deps): Bump trivy-checks and pin OPA (#7427)
  • da4ebfa fix(helm): explicitly define kind and apiVersion of volumeClaimTemplate...
  • Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.0.13 to 5.1.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.1.0

What's Changed

  • middleware: add Discard method to WrapResponseWriter by @​patrislav in go-chi/chi#926
    • Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at go-chi/chi#926, we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

v5.0.14

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

Commits
  • 67be7d9 middleware: add Discard method to WrapResponseWriter (#926)
  • 7957c0d Revert "fix(middleware): Close created writer in the compressor middleware (#...
  • f728a1c docs: Update stale links in docs for contributing (#904)
  • See full diff in compare view

Updates github.com/google/go-containerregistry from 0.19.2 to 0.20.2

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.2

What's Changed

Full Changelog: google/go-containerregistry@v0.20.1...v0.20.2

v0.20.1

What's Changed

Full Changelog: google/go-containerregistry@v0.20.0...v0.20.1

v0.20.0

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.19.2...v0.20.0

Commits

Updates github.com/open-policy-agent/opa from 0.65.0 to 0.67.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.67.1

This is a bug fix release addressing the following issue:

  • util+server: Fix bug around chunked request handling (#6906) authored by @​philipaconrad, reported by @​David-Wobrock. A request handling bug was introduced in (#6868), which caused OPA to treat all incoming chunked requests as if they had zero-length request bodies.

v0.67.0

This release contains a mix of features, a new builtin function (strings.count), performance improvements, and bugfixes.

Breaking Change

Request Body Size Limits

OPA now automatically rejects very large requests (#6868) authored by @​philipaconrad. Requests with a Content-Length larger than 128 MB uncompressed, and gzipped requests with payloads that decompress to larger than 256 MB will be rejected, as part of hardening OPA against denial-of-service attacks. Previously, a large enough request could cause an OPA instance to run out of memory in low-memory sidecar deployment scenarios, just from attempting to read the request body into memory.

These changes allow improvements in memory usage for the OPA HTTP server, and help OPA deployments avoid some accidental out-of-memory situations.

For most users, no changes will be needed to continue using OPA. However, to control this behavior, two new configuration keys are available: server.decoding.max_length and server.decoding.gzip.max_length. These control the max size in bytes to allow for an incoming request payload, and the maximum size in bytes to allow for a decompressed gzip request payload, respectively.

Here's an example OPA configuration using the new keys:

```yaml
# Set max request size to 64 MB and max gzip size (decompressed) to be 128 MB.
server:
  decoding:
    max_length: 67108864
    gzip:
      max_length: 134217728
```

Topdown and Rego

  • topdown: New strings.count builtin which returns the number of non-overlapping instances of a substring in a string (#6827) authored by @​Manish-Giri
  • format: Produce error when --rego-v1 formatted module has rule name conflicting with keyword (#6833) authored by @​johanfylling
  • topdown: Add cap to caches for regex and glob built-in functions (#6828) authored by @​johanfylling. This fixes possible memory leaks where caches grow uncontrollably when large amounts of regexes or globs are generated or originate from the input document.

Runtime, Tooling, SDK

  • repl: Add support for correctly loading bundle modules (#6872) authored by @​ashutosh-narkar
  • plugins/discovery: Allow un-registration of discovery listener (#6851) authored by @​mjungsbluth. The discovery plugin allows OPA to register a bundle download status listener but previously did not offer a method to unregister that listener
  • plugins/logs: Reduce amount of work performed inside global lock in decision log plugin (#6859) authored by @​johanfylling
  • plugins/rest: Add a new client credential attribute to support Azure Workload Identity. This would allow workloads deployed on an Azure Kubernetes Services (AKS) cluster to authenticate and access Azure cloud resources (#6802) authored by @​ledbutter
  • cmd/inspect: Add ability for opa inspect to inspect a single file outside of any bundle (#6873) authored by @​tjons
  • cmd+bundle: Add --follow-symlinks flag to the opa build command to allow users to build directories with symlinked files, and have the contents of those symlinked files included in the built bundle (#6800) authored by @​tjons
  • server: Add missing handling in the server for the explain=fails query value (#6886) authored by @​acamatcisco

... (truncated)

Commits
  • b88c09e Prepare v0.67.1 release
  • 11e91b0 util+server: Fix bug around chunked request handling. (#6906)
  • b62ae6b Prepare v0.67.0 release
  • bec8e1a build(deps): bump github/codeql-action from 3.25.13 to 3.25.14 (#6888)
  • d48fdd9 server: Add missing handling for explain=fails to the REST API.
  • 959f9e5 docs: Add an example of a manifest with attribute
  • a793f27 repl: Add support for correctly loading bundle modules
  • c5706ee server+util: Limit max request sizes, prealloc request buffers (#6868)
  • 0ca35e2 build(deps): bump docker/setup-buildx-action from 3.4.0 to 3.5.0 (#6880)
  • f9ccb66 build(deps): bump github/codeql-action from 3.25.12 to 3.25.13 (#6881)
  • Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.26.0 to 0.27.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.27.0

What's Changed

New Contributors

Full Changelog: operator-framework/api@v0.26.0...v0.27.0

Commits
  • 41cb4ae Bump kubernetes libraries to v0.31.0 and controller-runtime to v0.19.0 (#357)
  • 46fd7e5 Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.18.5 (#356)
  • a5729e2 Bump k8s.io/apiextensions-apiserver from 0.30.2 to 0.30.3 (#353)
  • ce8a923 Fix codecov-action params (#349)
  • 2e3c15f Bump github.com/spf13/cobra from 1.8.0 to 1.8.1
  • fa102cb Bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2
  • e122588 Fix some typos in cel.go (#343)
  • See full diff in compare view

Updates github.com/prometheus/client_golang from 1.19.1 to 1.20.1

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.20.1

This release contains the critical fix for the issue. Thanks to @​geberl, @​CubicrootXYZ, @​zetaab and @​timofurrer for helping us with the investigation!

  • [BUGFIX] process-collector: Fixed unregistered descriptor error when using process collector with PedanticRegistry on Linux machines. #1587

v1.20.0

Thanks everyone for contributions!

⚠️ In this release we remove one (broken anyway, given Go runtime changes) metric and add three new (representing GOGC, GOMEMLIMIT and GOMAXPROCS flags) to the default collectors.NewGoCollector() collector. Given its popular usage, expect your binary to expose two additional metrics.

Changes

  • [CHANGE] ⚠️ go-collector: Remove go_memstat_lookups_total metric which was always 0; Go runtime stopped sharing pointer lookup statistics. #1577
  • [FEATURE] ⚠️ go-collector: Add 3 default metrics: go_gc_gogc_percent, go_gc_gomemlimit_bytes and go_sched_gomaxprocs_threads as those are recommended by the Go team. #1559
  • [FEATURE] go-collector: Add more information to all metrics' HELP e.g. the exact runtime/metrics sourcing each metric (if relevant). #1568 #1578
  • [FEATURE] testutil: Add CollectAndFormat method. #1503
  • [FEATURE] histograms: Add support for exemplars in native histograms. #1471
  • [FEATURE] promhttp: Add experimental support for zstd on scrape, controlled by the request Accept-Encoding header. #1496
  • [FEATURE] api/v1: Add WithLimit parameter to all API methods that support it. #1544
  • [FEATURE] prometheus: Add support for created timestamps in constant histograms and constant summaries. #1537
  • [FEATURE] process-collectors: Add network usage metrics: process_network_receive_bytes_total and process_network_transmit_bytes_total. #1555
  • [FEATURE] promlint: Add duplicated metric lint rule. #1472
  • [BUGFIX] promlint: Relax metric type in name linter rule. #1455
  • [BUGFIX] promhttp: Make sure server instrumentation wrapping supports new and future extra responseWriter methods. #1480
  • [BUGFIX] testutil: Functions using compareMetricFamilies are now failing if filtered metricNames are not in the input. #1424

... (truncated)

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.20.1 / 2024-08-20

  • [BUGFIX] process-collector: Fixed unregistered descriptor error when using process collector with PedanticRegistry on linux machines. #1587

1.20.0 / 2024-08-14

  • [CHANGE] ⚠️ go-collector: Remove go_memstat_lookups_total metric which was always 0; Go runtime stopped sharing pointer lookup statistics. #1577
  • [FEATURE] ⚠️ go-collector: Add 3 default metrics: go_gc_gogc_percent, go_gc_gomemlimit_bytes and go_sched_gomaxprocs_threads as those are recommended by the Go team. #1559
  • [FEATURE] go-collector: Add more information to all metrics' HELP e.g. the exact runtime/metrics sourcing each metric (if relevant). #1568 #1578
  • [FEATURE] testutil: Add CollectAndFormat method. #1503
  • [FEATURE] histograms: Add support for exemplars in native histograms. #1471
  • [FEATURE] promhttp: Add experimental support for zstd on scrape, controlled by the request Accept-Encoding header. #1496
  • [FEATURE] api/v1: Add WithLimit parameter to all API methods that support it. #1544
  • [FEATURE] prometheus: Add support for created timestamps in constant histograms and constant summaries. #1537
  • [FEATURE] process-collector: Add network usage metrics: process_network_receive_bytes_total and process_network_transmit_bytes_total. #1555
  • [FEATURE] promlint: Add duplicated metric lint rule. #1472
  • [BUGFIX] promlint: Relax metric type in name linter rule. #1455
  • [BUGFIX] promhttp: Make sure server instrumentation wrapping supports new and future extra responseWriter methods. #1480
  • [BUGFIX] testutil: Functions using compareMetricFamilies are now failing if filtered metricNames are not in the input. #1424

1.19.0 / 2024-02-27

The module prometheus/common v0.48.0 introduced an incompatibility when used together with client_golang (See prometheus/client_golang#1448 for more details). If your project uses client_golang and you want to use prometheus/common v0.48.0 or higher, please update client_golang to v1.19.0.

  • [CHANGE] Minimum required go version is now 1.20 (we also test client_golang against new 1.22 version). #1445 #1449
  • [FEATURE] collectors: Add version collector. #1422 #1427

1.18.0 / 2023-12-22

  • [FEATURE] promlint: Allow creation of custom metric validations. #1311
  • [FEATURE] Go programs using client_golang can be built in wasip1 OS. #1350
  • [BUGFIX] histograms: Add timer to reset ASAP after bucket limiting has happened. #1367
  • [BUGFIX] testutil: Fix comparison of metrics with empty Help strings. #1378
  • [ENHANCEMENT] Improved performance of MetricVec.WithLabelValues(...). #1360

1.17.0 / 2023-09-27

  • [CHANGE] Minimum required go version is now 1.19 (we also test client_golang against new 1.21 version). #1325
  • [FEATURE] Add support for Created Timestamps in Counters, Summaries and Histograms. #1313
  • [ENHANCEMENT] Enable detection of a native histogram without observations. #1314

1.16.0 / 2023-06-15

  • [BUGFIX] api: Switch to POST for LabelNames, Series, and QueryExemplars. #1252
  • [BUGFIX] api: Fix undefined execution order in return statements. #1260
  • [BUGFIX] native histograms: Fix bug in bucket key calculation. #1279
  • [ENHANCEMENT] Reduce constrainLabels allocations for all metrics. #1272
  • [ENHANCEMENT] promhttp: Add process start time header for scrape efficiency. #1278
  • [ENHANCEMENT] promlint: Improve metricUnits runtime. #1286

... (truncated)

Commits
  • 2254d6c Merge pull request #1587 from prometheus/fix-processcollector
  • 4a15d05 Cut 1.20.1
  • f2dd7b3 Use pedantic registry in other places too, to double check.

Bumps the backend group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.2.1` | `3.3.0` |
| [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) | `0.52.2` | `0.55.1` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.0.13` | `5.1.0` |
| [github.com/operator-framework/api](https://github.com/operator-framework/api) | `0.26.0` | `0.27.0` |
| [github.com/rs/cors](https://github.com/rs/cors) | `1.11.0` | `1.11.1` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `0.60.2` | `0.63.0` |
| [github.com/unrolled/secure](https://github.com/unrolled/secure) | `1.14.0` | `1.15.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.21.0` | `0.23.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.185.0` | `0.197.0` |
| [oras.land/oras-go](https://github.com/oras-project/oras-go) | `1.2.5` | `1.2.6` |



Updates `github.com/Masterminds/semver/v3` from 3.2.1 to 3.3.0
- [Release notes](https://github.com/Masterminds/semver/releases)
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md)
- [Commits](Masterminds/semver@v3.2.1...v3.3.0)

Updates `github.com/aquasecurity/trivy` from 0.52.2 to 0.55.1
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.55.1/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.52.2...v0.55.1)

Updates `github.com/go-chi/chi/v5` from 5.0.13 to 5.1.0
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.0.13...v5.1.0)

Updates `github.com/google/go-containerregistry` from 0.19.2 to 0.20.2
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.19.2...v0.20.2)

Updates `github.com/open-policy-agent/opa` from 0.65.0 to 0.67.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.65.0...v0.67.1)

Updates `github.com/operator-framework/api` from 0.26.0 to 0.27.0
- [Release notes](https://github.com/operator-framework/api/releases)
- [Changelog](https://github.com/operator-framework/api/blob/master/RELEASE.md)
- [Commits](operator-framework/api@v0.26.0...v0.27.0)

Updates `github.com/prometheus/client_golang` from 1.19.1 to 1.20.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.19.1...v1.20.1)

Updates `github.com/rs/cors` from 1.11.0 to 1.11.1
- [Commits](rs/cors@v1.11.0...v1.11.1)

Updates `github.com/tektoncd/pipeline` from 0.60.2 to 0.63.0
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v0.60.2...v0.63.0)

Updates `github.com/unrolled/secure` from 1.14.0 to 1.15.0
- [Release notes](https://github.com/unrolled/secure/releases)
- [Commits](unrolled/secure@v1.14.0...v1.15.0)

Updates `golang.org/x/crypto` from 0.24.0 to 0.26.0
- [Commits](golang/crypto@v0.24.0...v0.26.0)

Updates `golang.org/x/oauth2` from 0.21.0 to 0.23.0
- [Commits](golang/oauth2@v0.21.0...v0.23.0)

Updates `golang.org/x/text` from 0.16.0 to 0.17.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.16.0...v0.17.0)

Updates `google.golang.org/api` from 0.185.0 to 0.197.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.185.0...v0.197.0)

Updates `helm.sh/helm/v3` from 3.15.2 to 3.15.3
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.15.2...v3.15.3)

Updates `oras.land/oras-go` from 1.2.5 to 1.2.6
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v1.2.5...v1.2.6)

---
updated-dependencies:
- dependency-name: github.com/Masterminds/semver/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/go-chi/chi/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/operator-framework/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/rs/cors
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/tektoncd/pipeline
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/unrolled/secure
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: helm.sh/helm/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: oras.land/oras-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Sep 16, 2024
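
The OPA 0.67.0 release notes quoted in the description above cap the request payload (`server.decoding.max_length`) and the decompressed gzip payload (`server.decoding.gzip.max_length`), and 0.67.1 fixes chunked requests being read as empty. The Go sketch below shows both checks together; it is an added example, not OPA's code, and `ReadBody`, `readLimited`, `newRequest`, `ErrTooLarge` and the small limits are hypothetical names and constructed values.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrTooLarge is returned when either size limit is exceeded.
var ErrTooLarge = errors.New("request body exceeds configured limit")

// readLimited reads up to limit bytes and fails if the stream holds more.
// Reading limit+1 bytes distinguishes "exactly at the limit" from "over it".
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// ReadBody (hypothetical helper) applies maxLen to the bytes on the wire and
// gzipMaxLen to the decompressed payload.
func ReadBody(req *http.Request, maxLen, gzipMaxLen int64) ([]byte, error) {
	// A declared Content-Length over the limit is refused before any read.
	// ContentLength is -1 for chunked requests: that means "unknown", not
	// "empty", so the body must still be read, under the same cap.
	if req.ContentLength > maxLen {
		return nil, ErrTooLarge
	}
	raw, err := readLimited(req.Body, maxLen)
	if err != nil {
		return nil, err
	}
	if !strings.EqualFold(req.Header.Get("Content-Encoding"), "gzip") {
		return raw, nil
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("invalid gzip body: %w", err)
	}
	defer zr.Close()
	// The cap is on decompressed output, so a tiny, highly compressible
	// payload cannot expand without bound.
	return readLimited(zr, gzipMaxLen)
}

// newRequest builds a constructed test request. chunked=true hides the body
// length from net/http, as Transfer-Encoding: chunked does on the wire.
func newRequest(body []byte, chunked, gzipped bool) *http.Request {
	if gzipped {
		var buf bytes.Buffer
		zw := gzip.NewWriter(&buf)
		zw.Write(body)
		zw.Close()
		body = buf.Bytes()
	}
	var rdr io.Reader = bytes.NewReader(body)
	if chunked {
		rdr = struct{ io.Reader }{rdr} // unknown type: ContentLength becomes -1
	}
	req := httptest.NewRequest(http.MethodPost, "/v1/data", rdr)
	if gzipped {
		req.Header.Set("Content-Encoding", "gzip")
	}
	return req
}

func main() {
	const maxLen, gzipMaxLen = 1024, 4096 // small constructed limits for the demo
	doc := []byte(`{"input": {"user": "alice"}}`)
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"chunked, small", newRequest(doc, true, false)},
		{"declared length over limit", newRequest(make([]byte, 2048), false, false)},
		{"chunked, over limit", newRequest(make([]byte, 2048), true, false)},
		{"gzip, expands past limit", newRequest(make([]byte, 100000), false, true)},
	}
	for _, c := range cases {
		b, err := ReadBody(c.req, maxLen, gzipMaxLen)
		fmt.Printf("%-28s bytes=%d err=%v\n", c.name, len(b), err)
	}
}
```
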
Report too large to display inline

View full report↗︎

guardrails bot commented Sep 16, 2024

⚠️ We detected 11 security issues in this pull request:

Vulnerable Libraries (11)

| Severity | Details |
| --- | --- |
| High | pkg:golang/github.com/operator-framework/[email protected] upgrade to: > v0.27.0 |
| High | pkg:golang/google.golang.org/[email protected] upgrade to: > v0.197.0 |
| Critical | pkg:golang/github.com/aquasecurity/[email protected] upgrade to: > v0.55.1 |
| High | pkg:golang/github.com/open-policy-agent/[email protected] upgrade to: > v0.67.1 |
| Medium | pkg:golang/golang.org/x/[email protected] upgrade to: > v0.27.0 |
| Critical | pkg:golang/github.com/tektoncd/[email protected] upgrade to: > v0.63.0 |
| High | pkg:golang/k8s.io/[email protected] upgrade to: > v0.31.0 |
| Critical | pkg:golang/helm.sh/helm/[email protected] upgrade to: > v3.15.3 |
| High | pkg:golang/oras.land/[email protected] upgrade to: > v1.2.6 |
| High | pkg:golang/github.com/prometheus/[email protected] upgrade to: > v1.20.1 |
| Critical | pkg:golang/github.com/google/[email protected] upgrade to: > v0.20.2 |

More info on how to fix Vulnerable Libraries in Go.

