Bump up various versions to clear out vulnerabilities by n4zukker · Pull Request #29 · tobert/otel-cli

n4zukker · 2026-05-04T19:45:08Z

This PR addresses vulnerabilities found by a jfrog/artifactory X-ray scan. Please see #28.

The versions for go, otel and grpc are bumped up. Those newer versions have resolved the vulnerabilities and bringing them in clears everything up. That's the changes in go.mod and go.sum.

The change in main_test.go fixes an error about typing. And the changes to the other two files fix the logging so that messages are always written out without any percent signs being accidentally interpreted as formatting characters.

My golang is a little rusty (no pun intended) so please adjust the code however you like.

Errors fixed in this codebase:

build: main_test.go#L558(*testing.common).Logf format %q has arg cliOut of wrong type bytes.Buffer
build: otelcli/otlpclient.go#L21 non-constant format string in call to (github.com/tobert/otel-cli/otelcli.Config).SoftFail
build: otelcli/config.go#L398 non-constant format string in call to (github.com/tobert/otel-cli/otelcli.Config).SoftFail
build: otelcli/config.go#L371 non-constant format string in call to (github.com/tobert/otel-cli/otelcli.Config).SoftLog

CVE-2025-68121 can be found in go 1.24.2

Use String() to get the string out of bytes.Buffer

This is to get rid of CVE-2026-33186

…VE-2026-29181

Clear compilation issues which arose from golang bump to 1.25

tobert

Looks good, thank you!

n4zukker added 11 commits May 4, 2026 13:43

Update go.mod to use latest golang version

a5329cb

CVE-2025-68121 can be found in go 1.24.2

Add blank line for build

e15967e

Pass format string literal in log call

c50fba5

Add literal format string to log call

88c2081

Add format string literal to log call

3cad9ee

Explicitly pass a string to log

cbcea91

Use String() to get the string out of bytes.Buffer

Alpine does not have 1.26 yet in its repos

70ae7f4

Switch gprc to a higher version

643cb1f

This is to get rid of CVE-2026-33186

go mod tidy

14df5b8

Bump up telemetry SDK version for CVE-2026-24051, CVE-2026-39883 and C…

a8ed5c7

…VE-2026-29181

Merge pull request #1 from n4zukker/n4zukker-patch-1

3b864b0

Clear compilation issues which arose from golang bump to 1.25

tobert approved these changes May 10, 2026

View reviewed changes

tobert merged commit e7d0bad into tobert:main May 10, 2026
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump up various versions to clear out vulnerabilities#29

Bump up various versions to clear out vulnerabilities#29
tobert merged 11 commits into
tobert:mainfrom
n4zukker:main

n4zukker commented May 4, 2026

Uh oh!

tobert left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

n4zukker commented May 4, 2026

Errors fixed in this codebase:

Uh oh!

tobert left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants