Skip to content

deps(deps): update googleapis/release-please-action action to v4.2.0 #84

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 18, 2025
Merged

deps(deps): update googleapis/release-please-action action to v4.2.0 #84

merged 1 commit into from
May 18, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 5, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
googleapis/release-please-action action minor v4.1.4 -> v4.2.0

Release Notes

googleapis/release-please-action (googleapis/release-please-action)

v4.2.0

Compare Source

Features
  • support for skip-labeling parameter for GitHub action (#​1066) (fb7f385)

v4.1.5

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from lotyp as a code owner March 5, 2025 22:08
@renovate renovate bot enabled auto-merge (squash) March 5, 2025 22:08
@github-actions github-actions bot added the type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci) label Mar 5, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 5, 2025
edited
Loading

Outdated

🔍 Vulnerabilities of tonistiigi/binfmt:latest

📦 Image Reference tonistiigi/binfmt:latest
digestsha256:69b92b14f1ebdc33c46dec2d21e4e306fde34da0f227cf3cf0564045c020f6ed
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
platformlinux/amd64
size34 MB
packages14

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 5, 2025
edited
Loading

Outdated

🔍 Vulnerabilities of tonistiigi/binfmt:latest

📦 Image Reference tonistiigi/binfmt:latest
digestsha256:69b92b14f1ebdc33c46dec2d21e4e306fde34da0f227cf3cf0564045c020f6ed
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
platformlinux/amd64
size34 MB
packages14

@renovate renovate bot changed the title deps(deps): update googleapis/release-please-action action to v4.1.5 deps(deps): update googleapis/release-please-action action to v4.2.0 Mar 7, 2025
@renovate renovate bot force-pushed the renovate/googleapis-release-please-action-4.x branch from ff0f63a to e97ac3c Compare March 7, 2025 23:01
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 7, 2025
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:9a7c554fb67ad49ab2e6a8ee8ed575140900e5380d146c13ad6812e3710e27d6
vulnerabilitiescritical: 0 high: 5 medium: 0 low: 0
platformlinux/amd64
size104 MB
packages246
📦 Base Image alpine:3
also known as
  • 3.21
  • 3.21.3
  • latest
digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.045%
EPSS Percentile18th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.215%
EPSS Percentile60th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
EPSS Score0.045%
EPSS Percentile18th percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 7, 2025
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.21.3
Digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed3 weeks ago
Size3.6 MB
Packages19
OS3.21.3
The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 7, 2025
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:9a7c554fb67ad49ab2e6a8ee8ed575140900e5380d146c13ad6812e3710e27d6
vulnerabilitiescritical: 0 high: 5 medium: 0 low: 0
platformlinux/amd64
size104 MB
packages246
📦 Base Image alpine:3
also known as
  • 3.21
  • 3.21.3
  • latest
digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.045%
EPSS Percentile18th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.215%
EPSS Percentile60th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
EPSS Score0.045%
EPSS Percentile18th percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 7, 2025
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.21.3
Digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed3 weeks ago
Size3.6 MB
Packages19
OS3.21.3
The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@renovate renovate bot force-pushed the renovate/googleapis-release-please-action-4.x branch from e97ac3c to 24fcfdc Compare May 18, 2025 18:09
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 18, 2025
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:8124f5e2ddf9a4985ca653c7bd4bb0132eef4316aaf2975181a5f6a9d0f14ced
vulnerabilitiescritical: 1 high: 4 medium: 0 low: 0
platformlinux/amd64
size104 MB
packages248
📦 Base Image alpine:3
also known as
  • 3.21
  • 3.21.3
  • latest
digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
critical: 1 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

critical : CVE--2025--22871

Affected range<1.23.8
Fixed version1.23.8
EPSS Score0.018%
EPSS Percentile3rd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.054%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.108%
EPSS Percentile30th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.200%
EPSS Percentile43rd percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.127%
EPSS Percentile33rd percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 18, 2025
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.21.3
Digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed3 months ago
Size3.6 MB
Packages19
OS3.21.3
The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link
Contributor

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:8124f5e2ddf9a4985ca653c7bd4bb0132eef4316aaf2975181a5f6a9d0f14ced
vulnerabilitiescritical: 1 high: 4 medium: 0 low: 0
platformlinux/amd64
size104 MB
packages248
📦 Base Image alpine:3
also known as
  • 3.21
  • 3.21.3
  • latest
digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
critical: 1 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

critical : CVE--2025--22871

Affected range<1.23.8
Fixed version1.23.8
EPSS Score0.018%
EPSS Percentile3rd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.054%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.108%
EPSS Percentile30th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.200%
EPSS Percentile43rd percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.127%
EPSS Percentile33rd percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link
Contributor

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.21.3
Digestsha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed3 months ago
Size3.6 MB
Packages19
OS3.21.3
The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@way-finder-bot way-finder-bot self-requested a review May 18, 2025 18:10
@way-finder-bot way-finder-bot self-assigned this May 18, 2025
@renovate renovate bot merged commit ff88622 into master May 18, 2025
9 checks passed
@renovate renovate bot deleted the renovate/googleapis-release-please-action-4.x branch May 18, 2025 18:10
@lotyp lotyp mentioned this pull request May 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@way-finder-bot way-finder-bot way-finder-bot approved these changes

@lotyp lotyp Awaiting requested review from lotyp lotyp is a code owner

Assignees

@way-finder-bot way-finder-bot

Labels
type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@way-finder-bot