Merge pull request #123 from spolti/otelhttp

Fixes vulnerabilities on the otelhttp dependency
opendatahub-io · Nov 24, 2023 · 157e32b · 157e32b
2 parents 4f9e741 + 79c638e
commit 157e32b
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -100,7 +100,13 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
-// remove when upgrade to controller-runtime 0.15.xor apimachinery to 0.27.x
-// Fixes github.com/elazarl/goproxy Denial of Service (DoS)
-// This dependency was remove from apimachinery 0.27.0
-replace k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
+replace (
+	// remove when upgrade to controller-runtime 0.15.x or apimachinery to 0.27.x
+	// Fixes github.com/elazarl/goproxy Denial of Service (DoS)
+	// This dependency was removed from apimachinery 0.27.0
+	 k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
+	// Fixes CVE-2022-21698 and CVE-2023-45142
+	// this dependency comes from k8s.io/[email protected] and k8s.io/[email protected]
+	// before removing it make sure that the next version of the related k8s dependencies contains the fix
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+)