Bump go libraries versions to mitigate CVE-2024-24786

.github/workflows/golangci-lint.yml

@@ -6,17 +6,26 @@ on:
     branches:
       - master
   pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: '^1.18'
+          go-version: '1.21'
+          cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v4
         with:
-          version: v1.51.2
-          args: cardinality/...
+          # Require: The version of golangci-lint to use.
+          version: v1.54
+
+          # Optional: working directory, useful for monorepos
+          working-directory: cardinality

README.md

@@ -13,12 +13,13 @@ The metrics are obtained by calling the Promtheus API at the ```/api/v1/status/t
 
 There are 4 types of metric exposed:
 
-```
+```txt
 1. cardinality_exporter_label_value_count_by_label_name{label=""}: These metrics report label names and their respective value counts.
 2. cardinality_exporter_memory_in_bytes_by_label_name{label=""}: These metrics report label names and their respective memory used in bytes. Memory usage is calculated by adding the length of all values for a given label name.
 3. cardinality_exporter_series_count_by_label_pair{label_pair=""}: This will provide a list of label value pairs and their series count.
 4. cardinality_exporter_series_count_by_metric_name{metric=""}: These metrics report metric names and their respective series counts.
 ```
+
 ## Options
 
 (```go run . [OPTIONS]```)
@@ -38,19 +39,21 @@ There are 4 types of metric exposed:
 ## Exposing Metrics
 
 ### Dealing with auth'd Prometheus instances
+
 Some Prometheus instances will not let the exporter access the ```/api/v1/status/tsdb``` endpoint without providing some authorisation credentials. To access these instances, you must provide the authorisation credentials required. The solution to this depends on whether you are using the ```--proms``` or ```--service_discovery``` flag:
+
 - With ```--proms```:
-    - Use the ```--auth``` flag to specify a YAML file mapping ```--proms``` instances to the values required.
-    - Example: \<my-prometheus\>:\<my-Authorization-header-value\>).
+  - Use the ```--auth``` flag to specify a YAML file mapping ```--proms``` instances to the values required.
+  - Example: \<my-prometheus\>:\<my-Authorization-header-value\>).
 - With ```--service_discovery```:
-    - Use the ```--auth``` flag to specify a YAML file mapping instance identifiers to the values required.
-    - Identifiers can be at the namespace level, the Prometheus instance level, or the sharded instance level.
-    - The naming convention is: ```<namespace>[_<prometheus-instance-name>[_<sharded-instance-name>]]``` (square brackets means optional).
-    - Examples (k8s/secret.yaml provides an example Kubernetes Secret):
-        - ```my-namespace: "Bearer 123456789"``` - specifies that requests to Prometheus instances in namespace "my-namespace" should include the header "Authorization: Bearer 123456789".
-        - ```my-namespace_my-prometheus-instance: "Basic 123456789"``` - specifies that requests to the Prometheus instance "my-prometheus-instance" in namespace "my-namespace" should include the header "Authorization: Basic 123456789".
-        - ```my-namespace_my-prometheus-instance_my-sharded-instance: "Basic 987654321"``` - specifies that requests to sharded instance "my-sharded-instance" with the Prometheus instance name "my-prometheus-instance" in namespace "my-namespace" should include the header "Authorization: Basic 987654321".
-    - When looking for authorisation credentials, the exporter will look in this order:
+  - Use the ```--auth``` flag to specify a YAML file mapping instance identifiers to the values required.
+  - Identifiers can be at the namespace level, the Prometheus instance level, or the sharded instance level.
+  - The naming convention is: ```<namespace>[_<prometheus-instance-name>[_<sharded-instance-name>]]``` (square brackets means optional).
+  - Examples (k8s/secret.yaml provides an example Kubernetes Secret):
+    - ```my-namespace: "Bearer 123456789"``` - specifies that requests to Prometheus instances in namespace "my-namespace" should include the header "Authorization: Bearer 123456789".
+    - ```my-namespace_my-prometheus-instance: "Basic 123456789"``` - specifies that requests to the Prometheus instance "my-prometheus-instance" in namespace "my-namespace" should include the header "Authorization: Basic 123456789".
+    - ```my-namespace_my-prometheus-instance_my-sharded-instance: "Basic 987654321"``` - specifies that requests to sharded instance "my-sharded-instance" with the Prometheus instance name "my-prometheus-instance" in namespace "my-namespace" should include the header "Authorization: Basic 987654321".
+  - When looking for authorisation credentials, the exporter will look in this order:
         1. sharded instance level
         1. Prometheus instance level
         1. namespace level
@@ -59,6 +62,7 @@ Some Prometheus instances will not let the exporter access the ```/api/v1/status
 In both cases you must specify the exact value of the Authorization header, since the request to ```/api/v1/status/tsdb``` will include the header: ```Authorization: <your-provided-value>```. k8s/secret.yaml provides an example of the ```--service_discovery``` ```--auth``` file.
 
 ### Installing on a cluster
+
 See k8s/README.md for running on kubernetes
 
 #### Docker images
@@ -67,32 +71,37 @@ Distroless docker images are available at thoughtmachine/prometheus-cardinality-
 
 Docker images based on Alpine are available at thoughtmachine/prometheus-cardinality-exporter:$COMMIT
 
-See  https://hub.docker.com/r/thoughtmachine/prometheus-cardinality-exporter
+See  <https://hub.docker.com/r/thoughtmachine/prometheus-cardinality-exporter>
 
 ### Running Locally
+
 ```go run . --port=<port-to-serve-on> --proms=<prometheus-instance-to-expose> [--proms=<prometheus-instance-to-expose>...] --freq=<frequency-to-ping-api>```
 
 ### Running Within a Kubernetes Cluster (with service discovery)
-#### In order to deploy to a kubernetes cluster:
+
+#### In order to deploy to a kubernetes cluster
 
 Tweak and apply the files in k8s/
 
-#### Make sure you alter the k8s/deployment.yaml such that it contains the options that you require:
+#### Make sure you alter the k8s/deployment.yaml such that it contains the options that you require
+
 In the example below, all of the possible flags that can be used with the ```--service_discovery``` option are included.\
 NOTE: not all flags are required, for example, you do not need the ```--auth``` flag if none of your Prometheus instances require authorization to access.
 
 ```args: ["-c", "/home/app/prometheus-cardinality-exporter  --auth=<prometheus-api-auth-values-filepath> --port=<port-to-serve-on> --service_discovery --freq=<frequency-to-ping-api> --selector=<service-selector> --regex=<regex-for-prometheus-instances> --namespaces=<namespace-of-prometheus-instances> [--namespaces=<namespace-of-prometheus-instances>...]]```
 
 ## Building
+
 ```go build ./...```
 
 If you'd prefer to use docker to build and run all tests use
 
 ```docker build -f Dockerfile-builder . --rm=false```
 
 ## Testing
+
 ```go test ./...```
 
 ## Linting
 
-```go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.1 run```
+```go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.0 run```

go.mod

@@ -6,30 +6,30 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/golang/mock v1.6.0
 	github.com/jessevdk/go-flags v1.5.0
-	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/client_golang v1.19.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/thought-machine/prometheus-cardinality-exporter v0.0.0-20230313093022-b8c023b1c120
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apimachinery v0.28.2
-	k8s.io/client-go v0.28.2
+	k8s.io/apimachinery v0.29.3
+	k8s.io/client-go v0.29.3
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -38,24 +38,24 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.13.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
+	github.com/prometheus/client_model v0.6.0 // indirect
+	github.com/prometheus/common v0.50.0 // indirect
+	github.com/prometheus/procfs v0.13.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/api v0.28.2 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	k8s.io/api v0.29.3 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )