Bump the go_modules group across 2 directories with 10 updates

[dependabot]

Bumps the go_modules group with 6 updates in the / directory:

Package	From	To
github.com/golang/glog	0.0.0-20160126235308-23def4e6c14b	1.2.4
github.com/prometheus/client_golang	1.11.0	1.11.1
golang.org/x/crypto	0.0.0-20220507011949-2cf3adece122	0.45.0
golang.org/x/oauth2	0.0.0-20210819190943-2bc19b11175f	0.27.0
google.golang.org/grpc	1.45.0	1.56.3
github.com/cyphar/filepath-securejoin	0.2.3	0.2.4

Bumps the go_modules group with 2 updates in the /examples/are-you-alive directory: github.com/prometheus/client_golang and github.com/sirupsen/logrus.

Updates github.com/golang/glog from 0.0.0-20160126235308-23def4e6c14b to 1.2.4

Release notes

Sourced from github.com/golang/glog's releases.

v1.2.4

What's Changed

• Fail if log file already exists by @​chressie in golang/glog#74:
  • glog: Don't try to create/rotate a given syncBuffer twice in the same second
  • glog: introduce createInDir function as in internal version
  • glog: have createInDir fail if the file already exists

Full Changelog: golang/glog@v1.2.3...v1.2.4

v1.2.3

What's Changed

• glog: check that stderr is valid before using it by default by @​chressie in golang/glog#72
• glog: fix typo by @​chressie in golang/glog#73

Full Changelog: golang/glog@v1.2.2...v1.2.3

v1.2.2

What's Changed

• glog: avoid calling user.Current() on windows by @​bentekkie in golang/glog#69

Full Changelog: golang/glog@v1.2.1...v1.2.2

v1.2.1

What's Changed

• glog: don't hold mutex when sync'ing by @​chressie in golang/glog#68

Full Changelog: golang/glog@v1.2.0...v1.2.1

v1.2.0

What's Changed

• glog: add context variants and logsink tests by @​chressie in golang/glog#66

Full Changelog: golang/glog@v1.1.2...v1.2.0

v1.1.2

Bugfix release.

What's Changed

• glog: populate symlinks -log_link directory by @​chressie in golang/glog#64

Full Changelog: golang/glog@v1.1.1...v1.1.2

v1.1.1

Bugfixes since the larger v1.1.0, which have been addressed.

v1.1.0

... (truncated)

Commits

• See full diff in compare view

Updates github.com/prometheus/client_golang from 1.11.0 to 1.11.1

Release notes

Sourced from github.com/prometheus/client_golang's releases.

1.11.1 / 2022-02-15

• [SECURITY FIX] promhttp: Check validity of method and code label values prometheus/client_golang#987 (Addressed CVE-2022-21698)

What's Changed

• promhttp: Check validity of method and code label values by @​bwplotka and @​kakkoyun in prometheus/client_golang#987

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

Unreleased

• [FEATURE] HTTP handlers created by promhttp package now support metrics filtering by providing one or more name[] query parameters. The default behavior when none are provided remains the same, returning all metrics. #1925

Unreleased exp module

• [BUGFIX] exp/api: Reject malformed snappy payloads declaring huge decoded sizes. Enforce a 32MB decoded-size limit to prevent OOM from oversized remote-write requests. #1917.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

... (truncated)

Commits

• 989baa3 promhttp: Check validity of method and code label values (#962) (#987)
• See full diff in compare view

Updates golang.org/x/crypto from 0.0.0-20220507011949-2cf3adece122 to 0.45.0

Commits

• See full diff in compare view

Updates golang.org/x/net from 0.7.0 to 0.47.0

Commits

• 9a29643 go.mod: update golang.org/x dependencies
• 07cefd8 context: deprecate
• 5ac9dac publicsuffix: don't treat ip addresses as domain names
• d1f64cc quic: use testing/synctest
• fff0469 http2: document that RFC 7540 prioritization does not work with small payloads
• f35e3a4 http2: fix weight overflow in RFC 7540 write scheduler
• 89adc90 http2: fix typo referring to RFC 9218 as RFC 9128 instead
• 8d76a2c quic: don't defer MAX_STREAMS frames indefinitely
• 027f8b7 quic: fix expected ACK Delay in client's ACK after HANDSHAKE_DONE
• dec9fe7 dns/dnsmessage: update SVCB packing to prohibit name compression
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.0.0-20210819190943-2bc19b11175f to 0.27.0

Commits

• See full diff in compare view

Updates google.golang.org/grpc from 1.45.0 to 1.56.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

• client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

• client: support channel idleness using WithIdleTimeout dial option (#6263)
  • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
• client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
• xds: Add support for Custom LB Policies (gRFC A52) (#6224)
• xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
• client: add support for pickfirst address shuffling (gRFC A62) (#6311)
• xds: Add support for String Matcher Header Matcher in RDS (#6313)
• xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • Special Thanks: @​s-matyukevich
• xds: enable RLS in xDS by default (#6343)
• orca: add support for application_utilization field and missing range checks on several metrics setters
• balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
• authz: add conversion of json to RBAC Audit Logging config (#6192)
• authz: add support for stdout logger (#6230 and #6298)
• authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

• orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
• xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
• xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

• orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.55.0

Behavior Changes

• xds: enable federation support by default (#6151)
• status: status.Code and status.FromError handle wrapped errors (#6031 and #6150)

... (truncated)

Commits

• 1055b48 Update version.go to 1.56.3 (#6713)
• 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
• bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
• faab873 Update version.go to v1.56.2 (#6432)
• 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
• ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
• cd6a794 Update version.go to v1.56.2-dev (#6387)
• 5b67e5e Update version.go to v1.56.1 (#6386)
• d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
• 997c1ea Change version to 1.56.1-dev (#6345)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.28.0 to 1.30.0

Updates github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.2.4

This release fixes a potential security issue in filepath-securejoin when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to generate paths outside of the provided rootfs in certain cases), as well as improving the overall behaviour of filepath-securejoin when dealing with Windows paths that contain volume names. Thanks to Paulo Gomes for discovering and fixing these issues.

In addition, we've switched (at long last) to GitHub Actions and have continuous integration testing on Linux, MacOS, and Windows.

Thanks to the following contributors for making this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Paulo Gomes pjbgf@linux.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.2.4] - 2023-09-06

Security

• This release fixes a potential security issue in filepath-securejoin when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to generate paths outside of the provided rootfs in certain cases), as well as improving the overall behaviour of filepath-securejoin when dealing with Windows paths that contain volume names. Thanks to Paulo Gomes for discovering and fixing these issues.

Fixed

• Switch to GitHub Actions for CI so we can test on Windows as well as Linux and MacOS.

Commits

• 2710d06 VERSION: release v0.2.4
• 6894341 merge #9 into main
• c121231 Fix support for Windows
• 05b6423 ci: switch to GHA
• 64536a8 VERSION: back to development
• See full diff in compare view

Updates gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.1

Updates github.com/prometheus/client_golang from 1.6.0 to 1.11.1

Release notes

Sourced from github.com/prometheus/client_golang's releases.

1.11.1 / 2022-02-15

• [SECURITY FIX] promhttp: Check validity of method and code label values prometheus/client_golang#987 (Addressed CVE-2022-21698)

What's Changed

• promhttp: Check validity of method and code label values by @​bwplotka and @​kakkoyun in prometheus/client_golang#987

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

Unreleased

• [FEATURE] HTTP handlers created by promhttp package now support metrics filtering by providing one or more name[] query parameters. The default behavior when none are provided remains the same, returning all metrics. #1925

Unreleased exp module

• [BUGFIX] exp/api: Reject malformed snappy payloads declaring huge decoded sizes. Enforce a 32MB decoded-size limit to prevent OOM from oversized remote-write requests. #1917.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

... (truncated)

Commits

• 989baa3 promhttp: Check validity of method and code label values (#962) (#987)
• See full diff in compare view

Updates github.com/sirupsen/logrus from 1.6.0 to 1.8.3

Release notes

Sourced from github.com/sirupsen/logrus's releases.

v1.8.3

What's Changed

• Add instructions to use different log levels for local and syslog by @​tommyblue in sirupsen/logrus#1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in sirupsen/logrus#1376
• Use text when shows the logrus output by @​xieyuschen in sirupsen/logrus#1339

New Contributors

• @​tommyblue made their first contribution in sirupsen/logrus#1372
• @​ozfive made their first contribution in sirupsen/logrus#1376
• @​xieyuschen made their first contribution in sirupsen/logrus#1339

Full Changelog: sirupsen/logrus@v1.8.2...v1.8.3

v1.8.2

What's Changed

• CI: use GitHub Actions by @​thaJeztah in sirupsen/logrus#1239
• go.mod: github.com/stretchr/testify v1.7.0 by @​thaJeztah in sirupsen/logrus#1246
• Change godoc badge to pkg.go.dev badge by @​minizilla in sirupsen/logrus#1249
• Add support for the logger private buffer pool. by @​edoger in sirupsen/logrus#1253
• bump golang.org/x/sys depency version by @​dgsb in sirupsen/logrus#1280
• Update README.md by @​runphp in sirupsen/logrus#1266
• indicates issues as stale automatically by @​dgsb in sirupsen/logrus#1281
• ci: add go 1.17 to test matrix by @​anajavi in sirupsen/logrus#1277
• reduce the list of cross build target by @​dgsb in sirupsen/logrus#1282
• Improve Log methods documentation by @​dgsb in sirupsen/logrus#1283
• fix race condition for SetFormatter and SetReportCaller by @​rubensayshi in sirupsen/logrus#1263
• bump version of golang.org/x/sys dependency by @​nathanejohnson in sirupsen/logrus#1333
• update gopkg.in/yaml.v3 to v3.0.1 by @​izhakmo in sirupsen/logrus#1337
• update dependencies by @​dgsb in sirupsen/logrus#1343
• Fix data race in hooks.test package by @​FrancoisWagner in sirupsen/logrus#1362

New Contributors

• @​minizilla made their first contribution in sirupsen/logrus#1249
• @​edoger made their first contribution in sirupsen/logrus#1253
• @​runphp made their first contribution in sirupsen/logrus#1266
• @​anajavi made their first contribution in sirupsen/logrus#1277
• @​rubensayshi made their first contribution in sirupsen/logrus#1263
• @​nathanejohnson made their first contribution in sirupsen/logrus#1333
• @​izhakmo made their first contribution in sirupsen/logrus#1337
• @​FrancoisWagner made their first contribution in sirupsen/logrus#1362

Full Changelog: sirupsen/logrus@v1.8.1...v1.8.2

v1.8.1

No release notes provided.

v1.8.0

Correct versioning number replacing v1.7.1

v1.7.1

... (truncated)

Changelog

Sourced from github.com/sirupsen/logrus's changelog.

1.8.1

Code quality:

• move magefile in its own subdir/submodule to remove magefile dependency on logrus consumer
• improve timestamp format documentation

Fixes:

• fix race condition on logger hooks

1.8.0

Correct versioning number replacing v1.7.1.

1.7.1

Beware this release has introduced a new public API and its semver is therefore incorrect.

Code quality:

• use go 1.15 in travis
• use magefile as task runner

Fixes:

• small fixes about new go 1.13 error formatting system
• Fix for long time race condiction with mutating data hooks

Features:

• build support for zos

1.7.0

Fixes:

• the dependency toward a windows terminal library has been removed

Features:

• a new buffer pool management API has been added
• a set of <LogLevel>Fn() functions have been added

Commits

• b30aa27 Merge pull request #1339 from xieyuschen/patch-1
• 6acd903 Merge pull request #1376 from ozfive/master
• 105e63f Merge pull request #1 from ashmckenzie/ashmckenzie/fix-writer-scanner
• c052ba6 Scan text in 64KB chunks
• e59b167 Merge pull request #1372 from tommyblue/syslog_different_loglevels
• 766cfec This commit fixes a potential denial of service vulnerability in logrus.Write...
• 70234da Add instructions to use different log levels for local and syslog
• a448f82 Merge pull request #1362 from FrancoisWagner/fix-data-race-in-hooks-test-pkg
• ff07b25 Fix data race in hooks.test package
• f8bf765 Merge pull request #1343 from sirupsen/dbd-upd-dep
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.