
[Resources.Azure] NugetAudit - fix dependencies with known vulnerabilities #2056

Merged
merged 2 commits into from
Sep 11, 2024

Conversation

Kielek
Contributor

@Kielek Kielek commented Sep 10, 2024

Follow up to #2034

Changes

    <!-- System.Text.Encodings.Web is an indirect reference (pulled in by System.Text.Json). It is referenced directly so it can be upgraded to a version that avoids https://github.com/advisories/GHSA-ghhp-997w-qr28 -->
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />

Changelog based on https://github.com/open-telemetry/opentelemetry-dotnet/blob/37535a5607ee7e4056c0e274ec01d1e0111a64be/src/OpenTelemetry.Exporter.Console/CHANGELOG.md#L112-L114

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • [ ] Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)
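The following project file is an added example, not code from this PR or from the OpenTelemetry .NET contrib repository. It shows the same technique in context: NuGetAudit is turned on so that restore reports advisories for transitive packages as well as direct ones, and the vulnerable transitive dependency that System.Text.Json 4.7.2 brings in on netstandard2.0 is overridden by a direct PackageReference at the patched version. The audit properties (NuGetAudit, NuGetAuditMode, NuGetAuditLevel) are real NuGet settings; the project name, target frameworks, the netstandard2.0 condition on the override and the TreatWarningsAsErrors setting are assumptions made for the example.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Constructed for the example: a library that multi-targets netstandard2.0 and net6.0. -->
    <TargetFrameworks>netstandard2.0;net6.0</TargetFrameworks>

    <!-- NuGetAudit: have restore check packages against known advisories.
         NuGetAuditMode=all includes transitive packages, which is how an indirect
         reference such as System.Text.Encodings.Web gets surfaced at all.
         NuGetAuditLevel=low reports advisories of every severity. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Assumption for the example: audit warnings (NU1901-NU1904) should fail the build
         rather than scroll past in the restore log. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package the project actually uses. Its netstandard2.0 build depends on
         System.Text.Encodings.Web, and the version it asks for is below the fix for
         GHSA-ghhp-997w-qr28. -->
    <PackageReference Include="System.Text.Json" Version="4.7.2" />
  </ItemGroup>

  <!-- Direct reference to a package the code never calls, purely to raise the resolved
       version of the transitive dependency. NuGet's nearest-wins rule lets a direct
       reference override the version requested by System.Text.Json. The condition is an
       assumption: it scopes the override to the target that needs it, so it can be
       dropped together with the condition once System.Text.Json is bumped. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>

</Project>
```

To confirm the override took effect, `dotnet list package --vulnerable --include-transitive` run in the project directory lists every package (direct or transitive) that still matches an advisory; after the change above, System.Text.Encodings.Web should no longer appear. The trade-off the reviewers discuss below applies here too: the direct pin is a narrow fix that leaves System.Text.Json itself unchanged, whereas bumping System.Text.Json removes the need for the pin but widens the version change.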

@Kielek Kielek requested a review from a team September 10, 2024 06:11
@github-actions github-actions bot added the comp:resources.azure Things related to OpenTelemetry.Resources.Azure label Sep 10, 2024

codecov bot commented Sep 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.35%. Comparing base (71655ce) to head (f42336c).
Report is 424 commits behind head on main.

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #2056      +/-   ##
==========================================
+ Coverage   73.91%   82.35%   +8.43%     
==========================================
  Files         267        6     -261     
  Lines        9615      136    -9479     
==========================================
- Hits         7107      112    -6995     
+ Misses       2508       24    -2484     
Flag                        Coverage Δ
unittests-Resources.Azure   82.35% <ø> (?)


@@ -15,6 +15,8 @@
<ItemGroup>
<PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
<PackageReference Include="System.Text.Json" Version="4.7.2" />
<!-- System.Text.Encodings.Web is indirect reference. It is needed to upgrade it directly to avoid https://github.com/advisories/GHSA-ghhp-997w-qr28 -->
<PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
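Review bot: the new PackageReference pins a package this project does not use itself; it exists only to override the version that `System.Text.Json` 4.7.2 requests transitively, so the comment should say that and mark the pin as something to remove once `System.Text.Json` is bumped, otherwise it will outlive its purpose unnoticed. The hunk shows no Condition on the ItemGroup, so the override applies to every target framework even though only the netstandard2.0 build of `System.Text.Json` needs it; consider scoping it or noting why it is unconditional. Minor wording: "is indirect reference" should read "is an indirect reference", e.g. `<!-- System.Text.Encodings.Web is an indirect reference of System.Text.Json; referenced directly only to force a version without GHSA-ghhp-997w-qr28 -->`.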
Contributor

The .NET Standard 2.0 version of System.Text.Json has an indirect dependency on System.Text.Encodings.Web. It is better to upgrade System.Text.Json, as was done in OpenTelemetry.Exporter.OneCollector.

Contributor

We may need to re-evaluate whether this is still a challenge with auto-instrumentation - #1279 (comment)

Contributor Author

If possible, I would be more conservative with versioning. This solution is applied in Exporter.Console. I do not see any reason we cannot follow this pattern.

Contributor

We will explore it outside of this PR to understand whether the System.Text.Json version could be bumped.

@Kielek Kielek merged commit 413e943 into open-telemetry:main Sep 11, 2024
59 checks passed
@Kielek Kielek deleted the nuget-audit-resources-azure branch September 11, 2024 19:22
Labels
comp:resources.azure Things related to OpenTelemetry.Resources.Azure
4 participants