
chore(deps): bump prometheus/prometheus to v0.311.3 (security) #226

Merged
notque merged 1 commit into master from chore/bump-prometheus-v0.311.3 on May 27, 2026

Conversation


@notque notque commented May 27, 2026

Contributor

Summary

  • Bump github.com/prometheus/prometheus from pseudo-version v0.311.2-0.20260410083055-07c6232d159b to tagged release v0.311.3.
  • Clears 3 Dependabot advisories on master: CVE-2026-42151, CVE-2026-42154, CVE-2026-44903.
  • Adds a ### Security entry under ## [Unreleased] in CHANGELOG.md.

Why this is safe

Maia imports only two symbols from prometheus/prometheus:

| Package | Used in |
| --- | --- |
| github.com/prometheus/prometheus/model/labels | pkg/util/promqlmod.go (label injection) |
| github.com/prometheus/prometheus/promql/parser | pkg/util/promqlmod.go (AST visitor) |

Both APIs are unchanged in the v0.311.2 → v0.311.3 patch release. No call-site updates required. `govulncheck` reported zero exploitable call paths even before the bump — Dependabot flagged the manifest match, not reachable code. Bump still required for SBOM/compliance hygiene.

Validation

Run locally on the branch:

  • `make generate` (mockgen + go-bindata + addlicense)
  • `make` (build succeeds)
  • `make check` (tests + golangci-lint v2 + typos — all green)
  • `go.sum` regenerated, hashes match upstream

Test plan

  • CI passes on this branch (lint, tests, REUSE compliance, CodeQL)
  • Dependabot re-resolves the 3 advisories as fixed after merge
  • No new advisories introduced by the upgrade
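The substantive change in this PR is moving prometheus/prometheus from a pseudo-version pin to the tagged release. The script below is an added example, not code from the PR or from Maia: it flags go.mod requirements that are still pinned to a pseudo-version, and runs it over a constructed go.mod fragment (module path `example.invalid/maia` and the second dependency are made up for the example).

```shell
#!/bin/sh
# Added example, not code from this PR or from Maia: flag go.mod requirements
# pinned to a Go pseudo-version rather than a tagged release, which is what
# this bump corrected for prometheus/prometheus. The go.mod below is constructed.

# Go pseudo-versions end in "<14-digit UTC timestamp>-<12 hex chars>", preceded
# by "-" (v0.0.0-...), "0." (vX.Y.Z-0....) or "pre.0." (vX.Y.Z-pre.0....).
# Returns 0 when the argument is a pseudo-version, 1 otherwise.
is_pseudo_version() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+.*[-.][0-9]{14}-[0-9a-f]{12}$'
}

# Print "module version" for every requirement in the given go.mod that is
# pinned to a pseudo-version; handles "require (...)" blocks and one-line requires.
list_pseudo_versions() {
  awk '
    /^require \(/       { inblock = 1; next }
    inblock && /^\)/    { inblock = 0; next }
    inblock && NF >= 2  { print $1, $2; next }
    /^require /         { print $2, $3 }
  ' "$1" | while read -r mod ver; do
    if is_pseudo_version "$ver"; then printf '%s %s\n' "$mod" "$ver"; fi
  done
}

# Number of pseudo-version pins in a go.mod (prints 0 when the file is clean).
pseudo_version_count() {
  list_pseudo_versions "$1" | grep -c . || true
}

# Constructed go.mod before the bump (pseudo-version) and after (tagged v0.311.3).
BEFORE_GOMOD=$(mktemp); AFTER_GOMOD=$(mktemp)
cat > "$BEFORE_GOMOD" <<'EOF'
module example.invalid/maia

go 1.24

require (
    example.invalid/otherdep v1.4.2
    github.com/prometheus/prometheus v0.311.2-0.20260410083055-07c6232d159b
)
EOF
sed 's/v0\.311\.2-0\.20260410083055-07c6232d159b/v0.311.3/' "$BEFORE_GOMOD" > "$AFTER_GOMOD"

echo "before: $(pseudo_version_count "$BEFORE_GOMOD") pseudo-version pin(s)"
list_pseudo_versions "$BEFORE_GOMOD"
echo "after:  $(pseudo_version_count "$AFTER_GOMOD") pseudo-version pin(s)"
```

Run against a real go.mod (`list_pseudo_versions go.mod`) as a CI gate, any output means a dependency is still tracking a commit rather than a release that advisory databases can match cleanly.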

Replace pseudo-version v0.311.2-0.20260410083055-07c6232d159b with the
tagged release v0.311.3, clearing three Dependabot advisories.

Resolves:
- CVE-2026-42151
- CVE-2026-42154
- CVE-2026-44903

Maia imports only github.com/prometheus/prometheus/model/labels and
.../promql/parser. Both APIs are unchanged in v0.311.3 (patch release).
Validated locally with make generate, make, and make check (all gates
green: tests, golangci-lint v2, typos).
@notque notque merged commit b23e4d3 into master May 27, 2026
6 checks passed
@notque notque deleted the chore/bump-prometheus-v0.311.3 branch May 27, 2026 20:26