fix: CVEs in release 3.7.x #21771
Open
sandeepsukhani wants to merge 8 commits into release-3.7.x from
chaudum
approved these changes
May 7, 2026
| func (testFileLoader) Load(identifier string, ignoreUnknownFields bool, nameValidationScheme model.ValidationScheme) (*rulefmt.RuleGroups, []error) { | ||
| return rulefmt.ParseFile(identifier, ignoreUnknownFields, nameValidationScheme, parser.NewParser(parser.Options{})) | ||
| parseLog := slog.New(slog.NewTextHandler(io.Discard, nil)) |
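Review bot: In testFileLoader.Load the discard logger is rebuilt on every call and spelled out as slog.NewTextHandler(io.Discard, nil). slog.DiscardHandler (in the standard library since Go 1.24) states the same intent without the io import or the text formatting work, and a package-level variable would avoid the per-call allocation. As this is a test loader, consider sending parser output to the test log instead, so that anything the parser reports while loading rule files is not silently dropped.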
Contributor
nit: name could be a bit more specific IMO
Suggested change
| parseLog := slog.New(slog.NewTextHandler(io.Discard, nil)) | |
| noopLogger := slog.New(slog.NewTextHandler(io.Discard, nil)) |
| type defaultFileLoader struct { | ||
| p parser.Parser | ||
| p parser.Parser | ||
| parseLog *slog.Logger |
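Review bot: The new parseLog field on defaultFileLoader is a *slog.Logger with no default visible in this hunk, so any construction site that leaves it unset would hand a nil logger to whatever uses it. Set it in every place the struct is built, or fall back to a discard logger at the point of use, and add a one-line field comment saying what it receives.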
Contributor
nit: we usually name it logger
Suggested change
| parseLog *slog.Logger | |
| logger *slog.Logger |
What this PR does / why we need it:
It includes the following changes to fix a bunch of CVEs:
v0.311.2-0.20260410083055-07c6232d159b.
grafana/loki-build-image:0.35.1 everywhere. Updated using loki-build-image/version-updater.sh.
Note
Medium Risk
Moderate risk due to a Go toolchain upgrade, large dependency/vendor updates (including Prometheus) and container base image changes, which can affect builds and runtime behavior. The only behavioral code change is in Promtail Azure Event Hubs parsing and should be low-risk but alters which records are emitted.
Overview
Updates the project toolchain and build/release plumbing to address CVEs: bumps Go to 1.26.2 across go.mod, Makefile, GitHub Actions, and multiple Dockerfiles, and standardizes build containers on grafana/loki-build-image:0.35.1 with Alpine 3.23.4.
Refreshes dependencies (notably Prometheus and OpenTelemetry/AWS SDK-related modules), including updating vendored AWS SDK service packages.
Fixes Promtail Azure Event Hubs parsing so records dropped by relabeling rules are skipped (rather than failing the whole batch), and updates ruler rule loading to match the newer Prometheus rulefmt.ParseFile signature by providing a no-op slog logger and adjusting service discovery metrics wiring.
Reviewed by Cursor Bugbot for commit fcd3704. Bugbot is set up for automated code reviews on this repo.