Fixes vulnerabilities on the otelhttp dependency

chore: Fixes the following vulnerabilities in the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency: - [CVE-2022-21698](https://www.cve.org/CVERecord?id=CVE-2022-21698) / [CVE-2023-45142](https://www.cve.org/CVERecord?id=CVE-2023-45142): Allocation of Resources Without Limits or Throttling Signed-off-by: Spolti <fspolti@redhat.com>
opendatahub-io · Jan 12, 2024 · ee04314 · ee04314
1 parent fa314ef
commit ee04314
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -129,6 +129,11 @@ require (
 )
 
 replace (
+	// Fixes CVE-2022-21698 and CVE-2023-45142
+	// this dependency comes from k8s.io/component-base@v0.28.4 and k8s.io/apiextensions-apiserver@v0.28.4
+	// before removing it make sure that the next version of the related k8s dependencies contains the fix
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+
 	// The crypto is pulled from go/compute which is pulled by go/storage
 	// this replace can be removed when version 1.36.1 of go/storage is released.
 	// https://github.com/googleapis/google-cloud-go/tree/main/storage