
Track: Bump indirect dep github.com/prometheus/prometheus past v0.310.0 (HIGH CVEs) #376

Description

@coderabbitai

Background

While reviewing PR #375, OSV Scanner flagged multiple HIGH-severity CVEs in the indirect dependency github.com/prometheus/prometheus v0.310.0:

Advisory               Severity  Summary
GHSA-8rm2-7qqf-34qm    HIGH      Remote read endpoint DoS via crafted snappy payload
GHSA-wg65-39gg-5wfj    HIGH      Azure AD OAuth client secret exposed via config API
GHSA-fw8g-cg8f-9j28    HIGH      Stored XSS via crafted histogram bucket label values
GHSA-vffh-x6r8-xx99    HIGH      Stored XSS via metric names and label values in web UI

Why it cannot be fixed now

github.com/prometheus/prometheus is an indirect dependency pulled transitively by github.com/perses/perses v0.53.1 via github.com/perses/community-mixins.

Attempting the MVS override (go get github.com/prometheus/prometheus@v0.311.3 && go mod tidy) fails at build time:

# github.com/perses/community-mixins/pkg/promql
.../promql.go:107:22: undefined: parser.ParseExpr

The parser.ParseExpr symbol was removed in prometheus v0.311.x; perses/community-mixins has not been updated to the new API yet.

Resolution

This is blocked on upstream github.com/perses/community-mixins (and by extension github.com/perses/perses) releasing a version that is compatible with prometheus ≥ v0.311.x.

Action items:

  • Monitor upstream perses/community-mixins for a release that drops the use of parser.ParseExpr (or updates to the replacement API).
  • Once a compatible perses/perses release is available, bump it in go.mod and verify the indirect prometheus version resolves to ≥ v0.311.3.
  • If MVS still doesn't advance prometheus transitively, apply an explicit override in go.mod.
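A CI gate for the second and third action items, added here as an example (not code from the issue or from the perses or prometheus projects). It assumes go is on PATH and uses v0.311.3, the first fixed release named above, as the floor; the version actually built is read through any replace directive so an explicit override is honoured.

```shell
#!/bin/sh
# Constructed example: fail the build while github.com/prometheus/prometheus
# still resolves below the first fixed release.
set -eu

FLOOR="v0.311.3"
MOD="github.com/prometheus/prometheus"

# ver_ge A B -> exit 0 if A >= B. Compares the vX.Y.Z core numerically,
# ignores "+build" metadata, and treats a pre-release of B itself
# (v0.311.3-rc.0) as below B. Malformed versions never satisfy the floor.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    sub(/\+.*$/, "", a); sub(/\+.*$/, "", b)
    pa = (a ~ /-/); pb = (b ~ /-/)
    sub(/-.*$/, "", a); sub(/-.*$/, "", b)
    if (split(a, x, ".") != 3 || split(b, y, ".") != 3) exit 1
    for (i = 1; i <= 3; i++) {
      if (x[i] !~ /^[0-9]+$/ || y[i] !~ /^[0-9]+$/) exit 1
      if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
    }
    exit !(!pa || pb)
  }'
}

# resolved_version: the version that actually builds, i.e. the right-hand
# side of a replace directive when one is present in go.mod.
resolved_version() {
  go list -m -f '{{if .Replace}}{{.Replace.Version}}{{else}}{{.Version}}{{end}}' "$MOD"
}

# check_floor: non-zero exit (and a message on stderr) while the floor is unmet.
check_floor() {
  v=$(resolved_version)
  if ver_ge "$v" "$FLOOR"; then
    echo "ok: $MOD $v"
  else
    echo "FAIL: $MOD resolves to $v; need >= $FLOOR" >&2
    return 1
  fi
}

if [ "${1:-}" = "--check" ]; then check_floor; fi
```

Run it from the module root as `sh check_prom_floor.sh --check` in CI; it keeps failing until MVS (or an override) selects v0.311.3 or later.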
