
Bump github.com/dapr/dapr from 1.8.0 to 1.8.4

Open dependabot[bot] opened this issue 3 years ago • 1 comments

Bumps github.com/dapr/dapr from 1.8.0 to 1.8.4.

Release notes

Sourced from github.com/dapr/dapr's releases.

Dapr Runtime v1.8.4

Dapr 1.8.4

Fixes an issue that could have caused Azure Service Bus components to stop receiving messages

Problem

Starting with Dapr 1.8.0, a bug in the Azure Service Bus components–bindings.azure.servicebusqueues and pubsub.azure.servicebus–could cause Dapr to stop receiving messages after a failure, requiring the runtime to be restarted.

Impact

The issue impacts users of Dapr 1.8.0-1.8.3 who use a component of type bindings.azure.servicebusqueues or pubsub.azure.servicebus. After recovering from a failure, for example a temporary network loss, Dapr could stop receiving messages from the queue or topic, requiring a restart of the runtime.

Root cause

In case of errors, Go channels used to limit concurrency (in particular, used to enable maxActiveMessages and maxConcurrentHandlers) were not drained as expected. As such, the runtime would end up stuck in a waiting state and would not retrieve more messages from Azure Service Bus.

Solution

We have identified the places where Go channels were not drained correctly and fixed the bug in Dapr 1.8.4.

Updated the bluemonday transitive dependency to fix CVE-2021-42576

Problem

Dapr versions < 1.8.4 have a transitive dependency on github.com/microcosm-cc/bluemonday 1.0.7 or earlier. Versions of bluemonday before 1.0.16 are impacted by CVE-2021-42576.

Impact

Despite the vulnerability being considered "critical", we believe the impact on Dapr users is limited. The affected code is a transitive dependency imported by the middleware.http.oauth2 component and not used in active code paths in Dapr.

Root cause

github.com/microcosm-cc/bluemonday, a transitive dependency of middleware.http.oauth2 component, needed to be updated to versions greater than 1.0.16.

Solution

We have upgraded the github.com/microcosm-cc/bluemonday transitive dependency to a version not affected by CVE-2021-42576 in Dapr 1.8.4.

Dapr Runtime v1.8.3

Dapr 1.8.3

Fixes panic when invoking a non-existent service with Resiliency enabled

Problem

Dapr 1.8.0 introduced an error that causes a panic in the runtime when attempting to invoke a service that does not exist (and when dealing with a few other error cases) and the Resiliency preview feature is enabled–even if no resiliency policies are configured.

Impact

... (truncated)

Commits
  • 1857582 Merge pull request #4994 from ItalyPaleAle/hotfix-1.8.4
  • eb9a132 Updated pinned components-contrib version
  • 0891cde Added release notes for 1.8.4
  • 638a1fd Release 1.8.3 (cherry-pick 4938 into release-1.8) (#4942)
  • 75982fb Changelog for 1.8.2 (#4930)
  • 4cf2092 Fix: use the correct version of backoff (#4926)
  • f2583aa [1.8.1 hotfix] Updated pinned components-contrib (#4916)
  • d21c9b2 Build tools CLI (plus speed up E2E tests by copying test apps without pulling...
  • e9e282a Fix release notes to include 1845 from contrib (#4888)
  • c24e3b0 Update v1.8.0.md (#4880)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Aug 12 '22 16:08 dependabot[bot]
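The root cause quoted in the release notes above (a Go channel used as a concurrency limiter that is never drained on the error path, leaving the receiver waiting forever) is easy to reproduce in miniature. The program below is an added example and is not Dapr's code, the go-sdk's code, or anything from this PR: the Receiver type, its method names and the constructed message list are assumptions, and handlers run sequentially so the outcome is deterministic. HandleLeaky releases the slot only on success, so each failing message permanently consumes one slot and the receiver stalls once maxActive failures have occurred; HandleFixed releases with defer on every path. A timeout on acquiring a slot stands in for "the runtime is stuck and stops pulling messages".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Receiver models a subscriber that bounds in-flight handling with a buffered
// channel used as a counting semaphore, the pattern the release notes describe
// for maxActiveMessages / maxConcurrentHandlers. Hypothetical type, not Dapr's.
type Receiver struct {
	slots chan struct{}
}

func NewReceiver(maxActive int) *Receiver {
	return &Receiver{slots: make(chan struct{}, maxActive)}
}

// acquire takes a slot, or reports false if none frees up within timeout.
// In a real runtime this wait is unbounded, which is exactly the hang.
func (r *Receiver) acquire(timeout time.Duration) bool {
	select {
	case r.slots <- struct{}{}:
		return true
	case <-time.After(timeout):
		return false
	}
}

func (r *Receiver) release() { <-r.slots }

// HandleLeaky shows the defect class: the slot is released only on the
// success path, so every handler error leaks one unit of concurrency.
// The returned bool reports whether a slot was obtained at all.
func (r *Receiver) HandleLeaky(msg string, handler func(string) error, timeout time.Duration) (bool, error) {
	if !r.acquire(timeout) {
		return false, nil // stuck: no slot became free
	}
	if err := handler(msg); err != nil {
		return true, err // BUG: early return skips r.release()
	}
	r.release()
	return true, nil
}

// HandleFixed releases the slot on every path, success or error, with defer.
func (r *Receiver) HandleFixed(msg string, handler func(string) error, timeout time.Duration) (bool, error) {
	if !r.acquire(timeout) {
		return false, nil
	}
	defer r.release()
	return true, handler(msg)
}

// Result summarises a run: how many messages reached the handler, how many
// failed, and whether the receiver ended up blocked waiting for a slot.
type Result struct {
	Processed int
	Errors    int
	Stuck     bool
}

// Run feeds msgs through a receiver with the given concurrency limit.
// Messages whose name starts with "bad" make the handler fail (constructed rule).
func Run(maxActive int, msgs []string, leaky bool) Result {
	r := NewReceiver(maxActive)
	handler := func(m string) error {
		if strings.HasPrefix(m, "bad") {
			return errors.New("handler failed for " + m)
		}
		return nil
	}
	var res Result
	for _, m := range msgs {
		var ok bool
		var err error
		if leaky {
			ok, err = r.HandleLeaky(m, handler, 50*time.Millisecond)
		} else {
			ok, err = r.HandleFixed(m, handler, 50*time.Millisecond)
		}
		if !ok {
			res.Stuck = true // limiter never drained; receiver would hang here
			break
		}
		res.Processed++
		if err != nil {
			res.Errors++
		}
	}
	return res
}

func main() {
	// Constructed input: two failures first, then two good messages.
	msgs := []string{"bad-1", "bad-2", "ok-1", "ok-2"}
	fmt.Printf("leaky: %+v\n", Run(2, msgs, true))
	fmt.Printf("fixed: %+v\n", Run(2, msgs, false))
}
```

With maxActive set to 2, the leaky receiver hands over only the two failing messages and then reports Stuck, while the fixed receiver processes all four and records the same two errors without stalling. The detection angle for an operator is the same as in the release notes: a subscriber whose in-flight count sits at its configured ceiling while no handler is actually running is a drained-limiter bug, not backpressure.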

Codecov Report

Merging #312 (bbe841b) into main (7c38f5a) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #312   +/-   ##
=======================================
  Coverage   67.22%   67.22%           
=======================================
  Files          27       27           
  Lines        1547     1547           
=======================================
  Hits         1040     1040           
  Misses        418      418           
  Partials       89       89           


codecov[bot] avatar Aug 12 '22 16:08 codecov[bot]

Looks like github.com/dapr/dapr is no longer a dependency, so this is no longer needed.

dependabot[bot] avatar Sep 30 '22 22:09 dependabot[bot]