
[release-0.4] bump otel dependencies (CVE-2026-24051) (#140) #144

Closed
xrstf wants to merge 1 commit into release-0.4 from backport-140-0.4

Conversation

@xrstf (Contributor) commented Mar 5, 2026

This is a half-automated cherry-pick of #140

/assign xrstf

[CVE-2026-24051] Bump opentelemetry SDK to v1.41.0

@kcp-ci-bot kcp-ci-bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Mar 5, 2026
@kcp-ci-bot kcp-ci-bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Mar 5, 2026
@kcp-ci-bot (Contributor) commented

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign embik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 5, 2026
@kcp-ci-bot (Contributor) commented

@xrstf: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                             Commit   Details  Required  Rerun command
pull-api-syncagent-test-e2e-kcp-0.27  ccc64b3  link     true      /test pull-api-syncagent-test-e2e-kcp-0.27
pull-api-syncagent-test               ccc64b3  link     true      /test pull-api-syncagent-test
pull-api-syncagent-test-e2e-kcp-0.28  ccc64b3  link     true      /test pull-api-syncagent-test-e2e-kcp-0.28
pull-api-syncagent-lint               ccc64b3  link     true      /test pull-api-syncagent-lint
pull-api-syncagent-build-image        ccc64b3  link     true      /test pull-api-syncagent-build-image

Full PR test history


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@xrstf (Contributor, Author) commented Mar 6, 2026

Since otel removed functions and APIs in the otelgrpc 0.60.0 => 0.61.0 upgrade, it's now impossible for us to upgrade otel without also upgrading all of the kube dependencies.

So we cannot patch the otel (!) vulnerability in the 0.4 release of the syncagent. All users will sadly have to upgrade to 0.5.

Semver, what's that?

@xrstf xrstf closed this Mar 6, 2026
@xrstf (Contributor, Author) commented Mar 6, 2026

Cannot re-open this, but opened a new attempt to fix this in #145.
