You've already forked opentelemetry-go
mirror of
https://github.com/open-telemetry/opentelemetry-go.git
synced 2026-06-03 18:35:08 +02:00
renovate[bot]
8a930a97da
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [github.com/cyphar/filepath-securejoin](https://redirect.github.com/cyphar/filepath-securejoin) | `v0.5.0` -> `v0.5.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin)</summary> ### [`v0.5.1`](https://redirect.github.com/cyphar/filepath-securejoin/releases/tag/v0.5.1): -- "Spooky scary skeletons send shivers down your spine!" [Compare Source](https://redirect.github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.5.1) ##### Changed - `openat2` can return `-EAGAIN` if it detects a possible attack in certain scenarios (namely if there was a rename or mount while walking a path with a `..` component). While this is necessary to avoid a denial-of-service in the kernel, it does require retry loops in userspace. In previous versions, `pathrs-lite` would retry `openat2` 32 times before returning an error, but we've received user reports that this limit can be hit on systems with very heavy load. In some synthetic benchmarks (testing the worst-case of an attacker doing renames in a tight loop on every core of a 16-core machine) we managed to get a \~3% failure rate in runc. We have improved this situation in two ways: - We have now increased this limit to 128, which should be good enough for most use-cases without becoming a denial-of-service vector (the number of syscalls called by the `O_PATH` resolver in a typical case is within the same ballpark). The same benchmarks show a failure rate of \~0.12% which (while not zero) is probably sufficient for most users. - In addition, we now return a `unix.EAGAIN` error that is bubbled up and can be detected by callers. This means that callers with stricter requirements to avoid spurious errors can choose to do their own infinite `EAGAIN` retry loop (though we would strongly recommend users use time-based deadlines in such retry loops to avoid potentially unbounded denials-of-service). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/open-telemetry/opentelemetry-go). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTkuNCIsInVwZGF0ZWRJblZlciI6IjQxLjE1OS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJTa2lwIENoYW5nZWxvZyIsImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>