Background
While reviewing PR #375, OSV Scanner flagged multiple HIGH-severity CVEs in the indirect dependency github.com/prometheus/prometheus v0.310.0:
Why it cannot be fixed now
github.com/prometheus/prometheus is an indirect dependency pulled transitively by github.com/perses/perses v0.53.1 → github.com/perses/community-mixins.
Attempting the MVS override (go get github.com/prometheus/prometheus@v0.311.3 && go mod tidy) fails at build time:
# github.com/perses/community-mixins/pkg/promql
.../promql.go:107:22: undefined: parser.ParseExpr
The parser.ParseExpr symbol was removed in prometheus v0.311.x; perses/community-mixins has not been updated to the new API yet.
Resolution
This is blocked on upstream github.com/perses/community-mixins (and by extension github.com/perses/perses) releasing a version that is compatible with prometheus ≥ v0.311.x.
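One way to automate the verification step in the action items (checking that the build actually resolves github.com/prometheus/prometheus to at least v0.311.3 once the upstream fix lands), added here as an example; it is not code from this issue nor from the perses or prometheus projects. It reads the JSON stream that `go list -m -json all` prints, honours a replace directive if one is present, and compares versions with a small hand-written semver comparison (assumed adequate for release tags and pseudo-versions; golang.org/x/mod/semver is the library alternative). The embedded build list is constructed sample data: only the prometheus and perses paths and versions come from the issue, and example.com/replaced with its replace entry is invented to exercise the replace handling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Module mirrors the fields of `go list -m -json all` output used here.
type Module struct {
	Path     string
	Version  string
	Indirect bool
	Replace  *Module // set when a replace directive overrides this module
}

// parseSemver splits "v0.311.3-rc.0+incompatible" into its numeric core and
// pre-release tag; build metadata such as "+incompatible" is ignored.
func parseSemver(v string) (core [3]int, pre string, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, "", fmt.Errorf("not a semver core: %q", v)
	}
	for i, p := range parts {
		if core[i], err = strconv.Atoi(p); err != nil {
			return core, "", fmt.Errorf("bad component %q in %q", p, v)
		}
	}
	return core, pre, nil
}

// CompareVersions returns -1, 0 or 1 like strings.Compare, applying the semver
// rule that a pre-release (including Go pseudo-versions) sorts before the release.
func CompareVersions(a, b string) (int, error) {
	ca, pa, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	cb, pb, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := range ca {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case pa == pb:
		return 0, nil
	case pa == "":
		return 1, nil
	case pb == "":
		return -1, nil
	}
	return strings.Compare(pa, pb), nil
}

// ResolvedVersion returns the version the build actually uses for path,
// taking a replace directive into account when one is present.
func ResolvedVersion(buildList io.Reader, path string) (string, error) {
	dec := json.NewDecoder(buildList)
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return "", err
		}
		if m.Path != path {
			continue
		}
		if m.Replace != nil && m.Replace.Version != "" {
			return m.Replace.Version, nil
		}
		return m.Version, nil
	}
	return "", fmt.Errorf("module %s is not in the build list", path)
}

// MeetsMinimum reports the resolved version of path and whether it is >= minVersion.
func MeetsMinimum(buildList io.Reader, path, minVersion string) (string, bool, error) {
	got, err := ResolvedVersion(buildList, path)
	if err != nil {
		return "", false, err
	}
	c, err := CompareVersions(got, minVersion)
	if err != nil {
		return got, false, err
	}
	return got, c >= 0, nil
}

// sampleBuildList is constructed sample output, not the issue's real build list;
// example.com/replaced is invented to show that a replace directive is honoured.
const sampleBuildList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/perses/perses","Version":"v0.53.1"}
{"Path":"github.com/prometheus/prometheus","Version":"v0.310.0","Indirect":true}
{"Path":"example.com/replaced","Version":"v0.9.0","Replace":{"Path":"example.com/replaced","Version":"v1.2.0"}}
`

func main() {
	// `go list -m -json all | go run check.go -` checks the real build list;
	// with no argument the constructed sample above is used instead.
	var in io.Reader = strings.NewReader(sampleBuildList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin
	}
	const path, floor = "github.com/prometheus/prometheus", "v0.311.3"
	got, ok, err := MeetsMinimum(in, path, floor)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s resolves to %s (minimum %s): ok=%v\n", path, got, floor, ok)
	if !ok {
		os.Exit(1)
	}
}
```

Against the sample the check fails (v0.310.0 is below v0.311.3), which is the current state described in the issue; the non-zero exit makes it usable as a CI gate once the perses bump lands.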
Action items:
- Track perses/community-mixins for a release that drops the use of parser.ParseExpr (or updates to the replacement API).
- Once a perses/perses release is available, bump it in go.mod and verify the indirect prometheus version resolves to ≥ v0.311.3.
- … go.mod.
References