
fix: bump prometheus to v0.311.2 for stored XSS CVE#223

Merged: notque merged 1 commit into master from fix/prometheus-cve-xss on May 6, 2026

Conversation

@notque (Contributor) commented May 6, 2026

Summary

  • Bumps github.com/prometheus/prometheus from v0.304.1 → v0.311.2 to resolve dependabot alert #16 (stored XSS via metric names/label values in web UI tooltips, moderate severity)
  • Adapts pkg/util/promqlmod.go to new parser interface (package-level functions → methods on parser.NewParser())

Test plan

  • go build ./... passes
  • go test ./... — all packages pass
  • PromQL modification logic unchanged (same tests, same results)

Upgrades github.com/prometheus/prometheus from v0.304.1 to v0.311.2
(dependabot alert #16: stored XSS via metric names in web UI tooltips).

Adapts PromQL parser calls to new interface-based API — ParseExpr and
ParseMetricSelector are now methods on parser.NewParser() instead of
package-level functions.
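The alert this PR resolves is a stored XSS reached through metric names and label values shown in UI tooltips. The following is an added example, not code from this PR, from maia, or from Prometheus, showing the defect class in isolation: the same tooltip markup assembled by string concatenation (any HTML in a scraped label value is emitted verbatim) and through Go's html/template (every interpolated value is escaped for its HTML context). The Sample type, renderTooltipUnsafe, renderTooltipSafe and containsMarkup are hypothetical names, and the label value is a constructed input; the Prometheus web UI does not render tooltips this way, the code only stands in for its rendering path.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Sample is a constructed stand-in for one metric sample as a UI tooltip
// would display it. It is not a Prometheus type.
type Sample struct {
	Name   string
	Labels map[string]string
	Value  float64
}

// renderTooltipUnsafe assembles tooltip markup by string concatenation, so a
// metric name or label value containing HTML reaches the page verbatim. This
// is the rendering pattern behind a stored XSS in a metrics UI: the payload is
// ingested once at scrape time and fires for every user who hovers the series.
func renderTooltipUnsafe(s Sample) string {
	var b strings.Builder
	b.WriteString(`<div class="tooltip"><b>` + s.Name + `</b>`)
	for k, v := range s.Labels {
		fmt.Fprintf(&b, `<span>%s="%s"</span>`, k, v)
	}
	fmt.Fprintf(&b, " %g</div>", s.Value)
	return b.String()
}

// tooltipTmpl is the same markup as an html/template, which escapes every
// interpolated value according to its HTML context, so untrusted names and
// label values are rendered as text rather than parsed as markup.
var tooltipTmpl = template.Must(template.New("tooltip").Parse(
	`<div class="tooltip"><b>{{.Name}}</b>` +
		`{{range $k, $v := .Labels}}<span>{{$k}}="{{$v}}"</span>{{end}}` +
		` {{.Value}}</div>`))

// renderTooltipSafe renders the tooltip through html/template.
func renderTooltipSafe(s Sample) (string, error) {
	var b strings.Builder
	if err := tooltipTmpl.Execute(&b, s); err != nil {
		return "", err
	}
	return b.String(), nil
}

// containsMarkup flags a metric name or label value that carries characters
// with HTML significance. It is a cheap scrape-side detection aid (log or
// alert on such series), not a replacement for escaping at render time.
func containsMarkup(v string) bool {
	return strings.ContainsAny(v, `<>"'&`)
}

func main() {
	// Constructed sample: a label value carrying script markup.
	s := Sample{
		Name:   "http_requests_total",
		Labels: map[string]string{"instance": "<script>alert(1)</script>"},
		Value:  42,
	}
	fmt.Println("unsafe:", renderTooltipUnsafe(s))
	safe, _ := renderTooltipSafe(s)
	fmt.Println("safe:  ", safe)
	fmt.Println("markup in label value:", containsMarkup(s.Labels["instance"]))
}
```

The point of the pair is that the fix belongs at the output boundary: html/template neutralises the value regardless of where it came from, whereas containsMarkup only helps you notice that a target is exporting hostile label values, which is worth logging when a dependency bump like this one is the reason you are looking.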

@github-actions Bot commented May 6, 2026

Merging this branch will not change overall coverage

Impacted Packages | Coverage Δ
github.com/SAP-cloud-infrastructure/maia/pkg/util | 83.33% (ø)

Coverage by file

Changed files (no unit tests)

Changed File | Coverage Δ | Total | Covered | Missed
github.com/SAP-cloud-infrastructure/maia/pkg/util/promqlmod.go | 87.88% (ø) | 165 | 145 | 20

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@notque notque merged commit 20d055e into master May 6, 2026
6 of 7 checks passed