From a75f3450f8ef76a4d1c36960397abe2d9a45fea9 Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 11:11:53 -0400
Subject: [PATCH 1/8] fix: resolve Codacy security findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update vulnerable dependencies:
- Go toolchain: go1.25.5 → go1.25.8 (CVE-2025-68121, CVE-2026-25679, CVE-2025-61728, CVE-2025-61726, CVE-2025-61730, CVE-2026-27142, CVE-2026-27139)
- google.golang.org/grpc: v1.77.0 → v1.79.3 (CVE-2026-33186)
- go.opentelemetry.io/otel/sdk: v1.38.0 → v1.40.0 (CVE-2026-24051)
- github.com/containerd/containerd: v1.7.27 → v1.7.29 (CVE-2024-25621, CVE-2025-64329)

Set explicit TLS MinVersion in certificates service to prevent negotiation below TLS 1.2.
---
 go.mod | 18 +++++------
 go.sum | 40 ++++++++++++-------------
 server/internal/certificates/service.go | 1 +
 3 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/go.mod b/go.mod
index 265b0df1..6c421d01 100644
--- a/go.mod
+++ b/go.mod
@@ -39,7 +39,7 @@ require (
 go.etcd.io/etcd/client/v3 v3.6.5
 go.etcd.io/etcd/server/v3 v3.6.1
 go.mau.fi/zerozap v0.1.1
-go.opentelemetry.io/otel/trace v1.38.0
+go.opentelemetry.io/otel/trace v1.40.0
 go.uber.org/zap v1.27.0
 goa.design/goa/v3 v3.23.4
 gonum.org/v1/gonum v0.16.0
@@ -54,7 +54,7 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
-github.com/containerd/containerd v1.7.27 // indirect
+github.com/containerd/containerd v1.7.29 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
 github.com/coreos/go-semver v0.3.1 // indirect
@@ -138,11 +138,11 @@ require (
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-go.opentelemetry.io/otel v1.38.0 // indirect
+go.opentelemetry.io/otel v1.40.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-go.opentelemetry.io/otel/metric v1.38.0 // indirect
-go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+go.opentelemetry.io/otel/metric v1.40.0 // indirect
+go.opentelemetry.io/otel/sdk v1.40.0 // indirect
 go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 go.uber.org/atomic v1.9.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
@@ -150,13 +150,13 @@ require (
 golang.org/x/mod v0.31.0 // indirect
 golang.org/x/net v0.48.0 // indirect
 golang.org/x/sync v0.19.0 // indirect
-golang.org/x/sys v0.39.0 // indirect
+golang.org/x/sys v0.40.0 // indirect
 golang.org/x/text v0.32.0 // indirect
-golang.org/x/time v0.9.0
+golang.org/x/time v0.12.0
 golang.org/x/tools v0.40.0 // indirect
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
-google.golang.org/grpc v1.77.0
+google.golang.org/grpc v1.79.3
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index e9dda150..da3ad91e 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,8 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cockroachdb/datadriven v1.0.2 h1:H9MtNqVoVhvd9nCBwOyDjUEdZCREqbIdCJD93PBm/jA=
 github.com/cockroachdb/datadriven v1.0.2/go.mod h1:a9RdTaap04u637JoCzcUoIcDmvwSUtcUFtT/C3kJlTU=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -460,22 +460,22 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
@@ -636,8 +636,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
 golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
@@ -654,8 +654,8 @@ golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -775,8 +775,8 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -795,8 +795,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/server/internal/certificates/service.go b/server/internal/certificates/service.go
index ba947a90..cefc19aa 100644
--- a/server/internal/certificates/service.go
+++ b/server/internal/certificates/service.go
@@ -97,6 +97,7 @@ func (s *Service) PostgresUserTLS(ctx context.Context, instanceID, hostname, use
 RootCAs: certPool,
 Certificates: []tls.Certificate{clientCert},
 ServerName: hostname,
+MinVersion: tls.VersionTLS12,
 }, nil
 }

From 9b819f6c3e0fb22d23f3103ce2ada6a3117b720b Mon Sep 17 00:00:00 2001
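Review bot: The added `MinVersion: tls.VersionTLS12` restates what crypto/tls already enforces on the client side (the client minimum has defaulted to TLS 1.2 since Go 1.18), so it satisfies the scanner but does not change what this config negotiates; a comment such as `// Explicit for static analysis; matches the Go client default.` beside it would stop a later reader from treating it as a behaviour change. The rest of PostgresUserTLS lies outside the hunk, so whether the returned config is ever reused for a listener (where an explicit minimum does matter) cannot be seen here. Separately, the commit message lists a Go toolchain bump go1.25.5 → go1.25.8, but none of the go.mod hunks touch a `go` or `toolchain` directive; unless the toolchain is pinned elsewhere, that part of the fix is not in this patch.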
From: rshoemaker
Date: Tue, 31 Mar 2026 11:54:58 -0400
Subject: [PATCH 2/8] chore: suppress false positive Dockerfile security warnings

The Codacy/Opengrep missing-user-entrypoint finding does not apply:
- Production image uses distroless, which has no user database
- CI image is not user-facing
- Both run in Docker Swarm and require root for socket access
---
 docker/control-plane-ci/Dockerfile | 1 +
 docker/control-plane/Dockerfile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/docker/control-plane-ci/Dockerfile b/docker/control-plane-ci/Dockerfile
index e8e551b6..2aa072eb 100644
--- a/docker/control-plane-ci/Dockerfile
+++ b/docker/control-plane-ci/Dockerfile
@@ -6,4 +6,5 @@ RUN apt-get update && \
 COPY ./pgedge-control-plane /pgedge-control-plane
+# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
 ENTRYPOINT ["/pgedge-control-plane"]
diff --git a/docker/control-plane/Dockerfile b/docker/control-plane/Dockerfile
index f34534fb..0c0cb941 100644
--- a/docker/control-plane/Dockerfile
+++ b/docker/control-plane/Dockerfile
@@ -4,6 +4,7 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG ARCHIVE_VERSION
+# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
 ENTRYPOINT ["/pgedge-control-plane"]
 ADD pgedge-control-plane_${ARCHIVE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz /

From 243328d0026807e5f7736cfa544d8a7f665689eb Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 12:40:26 -0400
Subject: [PATCH 3/8] chore: suppress false positive Codacy security findings

Add .trivyignore for Docker daemon CVEs (CVE-2026-34040, CVE-2026-33997) that do not affect the Go client SDK.
---
 .trivyignore | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..4c66e5e0
--- /dev/null
+++ b/.trivyignore
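Review bot: The `nosemgrep` lines added before ENTRYPOINT in both Dockerfiles carry no in-file rationale, so the next reader has only this commit message to explain why running as root is acceptable. Put the reason on its own comment line directly above the directive (keeping the directive adjacent to ENTRYPOINT so the suppression still matches), e.g. `# Runs as root on purpose: the control plane needs access to the Docker Swarm socket.`; the same applies to the docker/control-plane-dev/Dockerfile hunk in PATCH 7/8. Note that the "no user database" argument only covers the distroless production image; the CI image here is apt-based, so its justification is the socket requirement alone. If that is the only reason, a dedicated non-root user in the socket's group would fix the finding rather than suppress it, which is worth a follow-up issue referenced from the comment.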
@@ -0,0 +1,4 @@
+# Docker client SDK v27 — these CVEs are in the Docker daemon, not the
+# Go client library. No Docker plugins are used in this project.
+CVE-2026-34040
+CVE-2026-33997
\ No newline at end of file

From e71d5946abff27810adfba47c97c0d48333a2818 Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 13:00:55 -0400
Subject: [PATCH 4/8] chore: update license notice

---
 NOTICE.txt | 52 ++++++++++++++++++++++++++--------------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/NOTICE.txt b/NOTICE.txt
index e3ba85a1..e71f9348 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -436,8 +436,8 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ## github.com/containerd/containerd/pkg/userns
 * Name: github.com/containerd/containerd/pkg/userns
-* Version: v1.7.27
-* License: [Apache-2.0](https://github.com/containerd/containerd/blob/v1.7.27/LICENSE)
+* Version: v1.7.29
+* License: [Apache-2.0](https://github.com/containerd/containerd/blob/v1.7.29/LICENSE)
 ```
@@ -12557,8 +12557,8 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice
 ## go.opentelemetry.io/otel
 * Name: go.opentelemetry.io/otel
-* Version: v1.38.0
-* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/v1.38.0/LICENSE)
+* Version: v1.40.0
+* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/v1.40.0/LICENSE)
 ```
 Apache License
@@ -12797,8 +12797,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel
 * Name: go.opentelemetry.io/otel
-* Version: v1.38.0
-* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/v1.38.0/LICENSE)
+* Version: v1.40.0
+* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/v1.40.0/LICENSE)
 ```
 Apache License
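Review bot: The two ignore entries are open-ended, so the accepted risk is never revisited even if the Docker client dependency later changes or the "no plugins" assumption in the comment stops holding. Trivy's ignore file accepts an expiry suffix, `CVE-2026-34040 exp:<YYYY-MM-DD>` (date is a placeholder), which re-surfaces the finding on the chosen day and keeps the triage auditable alongside the existing comment. The file also lacks a trailing newline (`\ No newline at end of file`), which makes the next edit to the last entry show up as a modified line rather than a pure addition.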
@@ -13459,8 +13459,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/metric
 * Name: go.opentelemetry.io/otel/metric
-* Version: v1.38.0
-* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.38.0/metric/LICENSE)
+* Version: v1.40.0
+* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.40.0/metric/LICENSE)
 ```
 Apache License
@@ -13699,8 +13699,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/metric
 * Name: go.opentelemetry.io/otel/metric
-* Version: v1.38.0
-* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.38.0/metric/LICENSE)
+* Version: v1.40.0
+* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.40.0/metric/LICENSE)
 ```
 Apache License
@@ -13939,8 +13939,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/sdk
 * Name: go.opentelemetry.io/otel/sdk
-* Version: v1.38.0
-* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.38.0/sdk/LICENSE)
+* Version: v1.40.0
+* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.40.0/sdk/LICENSE)
 ```
 Apache License
@@ -14179,8 +14179,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/sdk
 * Name: go.opentelemetry.io/otel/sdk
-* Version: v1.38.0
-* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.38.0/sdk/LICENSE)
+* Version: v1.40.0
+* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.40.0/sdk/LICENSE)
 ```
 Apache License
@@ -14419,8 +14419,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/trace
 * Name: go.opentelemetry.io/otel/trace
-* Version: v1.38.0
-* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.38.0/trace/LICENSE)
+* Version: v1.40.0
+* License: [Apache-2.0](https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.40.0/trace/LICENSE)
 ```
 Apache License
@@ -14659,8 +14659,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## go.opentelemetry.io/otel/trace
 * Name: go.opentelemetry.io/otel/trace
-* Version: v1.38.0
-* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.38.0/trace/LICENSE)
+* Version: v1.40.0
+* License: [BSD-3-Clause](https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.40.0/trace/LICENSE)
 ```
 Apache License
@@ -15376,8 +15376,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## golang.org/x/sys/unix
 * Name: golang.org/x/sys/unix
-* Version: v0.39.0
-* License: [BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.39.0:LICENSE)
+* Version: v0.40.0
+* License: [BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.40.0:LICENSE)
 ```
 Copyright 2009 The Go Authors.
@@ -15450,8 +15450,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## golang.org/x/time/rate
 * Name: golang.org/x/time/rate
-* Version: v0.9.0
-* License: [BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.9.0:LICENSE)
+* Version: v0.12.0
+* License: [BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.12.0:LICENSE)
 ```
 Copyright 2009 The Go Authors.
@@ -15556,8 +15556,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## google.golang.org/genproto/googleapis/api
 * Name: google.golang.org/genproto/googleapis/api
-* Version: v0.0.0-20251022142026-3a174f9686a8
-* License: [Apache-2.0](https://github.com/googleapis/go-genproto/blob/3a174f9686a8/googleapis/api/LICENSE)
+* Version: v0.0.0-20251202230838-ff82c1b0f217
+* License: [Apache-2.0](https://github.com/googleapis/go-genproto/blob/ff82c1b0f217/googleapis/api/LICENSE)
 ```
@@ -15980,8 +15980,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## google.golang.org/grpc
 * Name: google.golang.org/grpc
-* Version: v1.77.0
-* License: [Apache-2.0](https://github.com/grpc/grpc-go/blob/v1.77.0/LICENSE)
+* Version: v1.79.3
+* License: [Apache-2.0](https://github.com/grpc/grpc-go/blob/v1.79.3/LICENSE)
 ```

From bf19353d3bdb2e6d9788c0bad0a4c1228338edd3 Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 13:04:14 -0400
Subject: [PATCH 5/8] chore: declare MkDocs Material global in docs script

Suppress ESLint no-undef false positive for document$ RxJS observable provided by MkDocs Material runtime.
---
 docs/scripts/generate-stack.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/scripts/generate-stack.js b/docs/scripts/generate-stack.js
index fd8e0740..4110a7a4 100644
--- a/docs/scripts/generate-stack.js
+++ b/docs/scripts/generate-stack.js
@@ -1,3 +1,4 @@
+/* global document$ */
 // This is the RxJS observable described on this page:
 // https://squidfunk.github.io/mkdocs-material/customization/?h=script#additional-javascript
 document$.subscribe(function () {

From 6f1eb40df18cde459bf59fbde2db0d59c210897b Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 13:12:49 -0400
Subject: [PATCH 6/8] fix: work around goreleaser sum DB check failure in CI

Goreleaser v2.13.3's deprecation notice points to v2.15.2, which fails verification on the Go sum DB. Bypass with GONOSUMDB and GONOSUMCHECK until we upgrade to Go 1.26+ and can bump goreleaser.
---
 common.mk | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/common.mk b/common.mk
index db311db5..9684a978 100644
--- a/common.mk
+++ b/common.mk
@@ -23,7 +23,10 @@ install-tools:
 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.11
 go install goa.design/goa/v3/cmd/goa@v3.23.4
-go install github.com/goreleaser/goreleaser/v2@v2.13.3
+# TODO: goreleaser v2.14+ requires Go 1.26+. The GONOSUMDB/GONOSUMCHECK
+# workaround bypasses a broken deprecation check on the sum DB. Remove
+# these env vars and bump goreleaser when we upgrade to Go 1.26.
+GONOSUMDB=github.com/goreleaser/goreleaser GONOSUMCHECK=github.com/goreleaser/goreleaser go install github.com/goreleaser/goreleaser/v2@v2.13.3
 go install github.com/anchore/syft/cmd/syft@v1.40.0
 go install github.com/miniscruff/changie@v1.24.0
 go install github.com/google/yamlfmt/cmd/yamlfmt@v0.21.0

From c5f9fd16e444e26999527b95ab70a1924de47122 Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 17:07:25 -0400
Subject: [PATCH 7/8] chore: suppress false positive Dockerfile security warning

Add nosemgrep directive for missing-user-entrypoint in the dev Dockerfile. Same rationale as production and CI images: requires root for Docker Swarm socket access.
---
 docker/control-plane-dev/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/control-plane-dev/Dockerfile b/docker/control-plane-dev/Dockerfile
index a49df879..ff2cb4c9 100644
--- a/docker/control-plane-dev/Dockerfile
+++ b/docker/control-plane-dev/Dockerfile
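Review bot: `GONOSUMDB=github.com/goreleaser/goreleaser` on the `go install` line turns off checksum-database verification for that module, and because `go install pkg@version` runs outside any module there is no go.sum to fall back on, so the goreleaser source built in CI is fetched with no integrity check at all; the TODO describes this as bypassing a deprecation check, which understates what is being disabled. A narrower workaround is to pin the hash yourself: keep goreleaser in a small tools module (a go.mod/go.sum under a directory such as `<tools-dir>/`, path is a placeholder) and run `go install github.com/goreleaser/goreleaser/v2` from inside it without `@version`, so the version and its go.sum entry are checked locally; as far as I can tell that also avoids the latest-version lookup that produces the failing deprecation notice. The same line survives unchanged in the PATCH 8/8 hunk of common.mk, so this applies there too. If the env-var bypass stays, the comment should say plainly that module integrity verification is disabled for this one install and point at the tracking issue for the Go 1.26 upgrade.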
@@ -7,4 +7,5 @@ RUN go install github.com/go-delve/delve/cmd/dlv@latest
 COPY ./entrypoint.sh /entrypoint.sh
 COPY ./pgedge-control-plane /pgedge-control-plane
+# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
 ENTRYPOINT [ "/entrypoint.sh" ]

From 94f64997552b7e18bf6a5f4897ef3f96eb7e505d Mon Sep 17 00:00:00 2001
From: rshoemaker
Date: Tue, 31 Mar 2026 17:09:32 -0400
Subject: [PATCH 8/8] fix: remove redundant GONOSUMCHECK

---
 common.mk | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/common.mk b/common.mk
index 9684a978..36058966 100644
--- a/common.mk
+++ b/common.mk
@@ -23,10 +23,10 @@ install-tools:
 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.11
 go install goa.design/goa/v3/cmd/goa@v3.23.4
-# TODO: goreleaser v2.14+ requires Go 1.26+. The GONOSUMDB/GONOSUMCHECK
-# workaround bypasses a broken deprecation check on the sum DB. Remove
-# these env vars and bump goreleaser when we upgrade to Go 1.26.
-GONOSUMDB=github.com/goreleaser/goreleaser GONOSUMCHECK=github.com/goreleaser/goreleaser go install github.com/goreleaser/goreleaser/v2@v2.13.3
+# TODO: goreleaser v2.14+ requires Go 1.26+. GONOSUMDB bypasses a broken
+# deprecation check on the sum DB. Remove and bump goreleaser when we
+# upgrade to Go 1.26.
+GONOSUMDB=github.com/goreleaser/goreleaser go install github.com/goreleaser/goreleaser/v2@v2.13.3
 go install github.com/anchore/syft/cmd/syft@v1.40.0
 go install github.com/miniscruff/changie@v1.24.0
 go install github.com/google/yamlfmt/cmd/yamlfmt@v0.21.0