Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2022/05/12 09:22:22 UTC

[GitHub] [servicecomb-java-chassis] dependabot[bot] opened a new pull request, #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

dependabot[bot] opened a new pull request, #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878

   Bumps [simpleclient_bom](https://github.com/prometheus/client_java) from 0.12.0 to 0.15.0.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/prometheus/client_java/releases">simpleclient_bom's releases</a>.</em></p>
   <blockquote>
   <h2>0.15.0 / 2022-02-05</h2>
   <p>Major refactoring of Quantiles in Summary metrics. This will make them faster and use less memory. The new implementation also supports two corner cases that were not possible before: You can now use <code>.quantile(0, 0)</code> to track the minimum observed value and <code>.quantile(1, 0)</code> to track the maximum observed value. Thanks a lot <a href="https://github.com/DieBauer"><code>@​DieBauer</code></a>! <a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/755">#755</a></p>
   <p>In addition to that the release includes:</p>
   <p>[ENHANCEMENT] Lots of dependency version bumps.
   [BUGFIX] Apply <code>ServletConfig</code> during Servlet initialization in <code>simpleclient_servlet</code> and <code>simpleclient_servlet_jakarta</code> <a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/739">#739</a>
   [BUGFIX] <code>HTTPServer</code>: Don't send a Content-Length header when Transfer-Encoding is chunked <a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/738">#738</a>. Thanks <a href="https://github.com/dhoard"><code>@​dhoard</code></a>
   [BUGFIX] <code>simpleclient_log4j</code> set the log4j dependency scope as <code>provided</code> so that users don't accidentally pull the log4j version used in client_java. Note: This module is for monitoring log4j version 1, in <code>simpleclient_log4j2</code> the dependency is already <code>provided</code>.
   [BUGFIX] <code>simpleclient_dropwizard</code> set the Dropwizard dependency scope as <code>provided</code> so that users don't accidentally pull the Dropwizard version used in client_java.</p>
   <h2>0.14.1 / 2021-12-19</h2>
   <p>Bump the <code>log4j</code> version in <code>simpleclient_log4j2</code> to 2.17.0. Apart from that this release is identical to 0.14.0.</p>
   <h2>0.14.0 / 2021-12-18</h2>
   <p>Yet another <code>log4j</code> version update in <code>simpleclient_log4j2</code>: This time to 2.16.0. Note that the <code>log4j</code> dependency in <code>simpleclient_log4j2</code> has scope <code>provided</code>, i.e. <code>simpleclient_log4j2</code> does not ship with <code>log4j</code>. <code>simpleclient_log4j2</code> uses whatever <code>log4j</code> version the monitored application provides at runtime. Updating the <code>log4j</code> dependency in <code>simpleclient_log4j2</code> helps get rid of security scanner warnings (see <a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/733">#733</a>), but in order to eliminate the <code>log4j</code> vulnerability you must make sure that the application you monitor ships with an up-to-date <code>log4j</code> version.</p>
   <p>Apart from the <code>log4j</code> update we have a new feature:</p>
   <p>[ENHANCEMENT] The <code>HTTPServer</code> can now be configured to use SSL (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/695">#695</a>). Thanks <a href="https://github.com/dhoard"><code>@​dhoard</code></a>.</p>
   <h2>0.13.0 / 2021-12-13</h2>
   <p>We updated <code>log4j</code> to 2.15.0, which fixes the log4shell vulnerability (CVE-2021-44228) (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/726">#726</a>). Technically <code>simpleclient_log4j2</code> is not directly affected by the vulnerability, because as long as you update log4j in your monitored application, <code>simpleclient_log4j2</code> will pick up the updated version. However, it makes sense to remove the vulnerable versions from the dependency tree, therefore the update.</p>
   <p>In addition to the log4j update in <code>simpleclient_log4j2</code>, this release contains the following enhancements and fixes:</p>
   <p>[ENHANCEMENT] Allow passing a custom registry to the logback InstrumentedAppender (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/690">#690</a>). Thanks <a href="https://github.com/MatthewDolan"><code>@​MatthewDolan</code></a>.
   [BUGFIX] Correct handling of HEAD requests (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/688">#688</a>). Thanks <a href="https://github.com/dhoard"><code>@​dhoard</code></a>.
   [ENHANCEMENT] Lots more integration tests, and tests with different Java versions.
   [ENHANCEMENT] Make HTTPMetricHandler public so that users can use it in their own HttpServers (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/722">#722</a>). Thanks <a href="https://github.com/dhoard"><code>@​dhoard</code></a>.
   [ENHANCEMENT] Make Base64 encoding in the HTTP authentication for the PushGateway work with all Java versions (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/698">#698</a>). Thanks <a href="https://github.com/dhoard"><code>@​dhoard</code></a>.</p>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/prometheus/client_java/commit/eb70395cd8db09bd61ae3755caf91d0687f54d7e"><code>eb70395</code></a> [maven-release-plugin] prepare release parent-0.15.0</li>
   <li><a href="https://github.com/prometheus/client_java/commit/c205ef3edbb31da0808fa526e19b1025fad7f30b"><code>c205ef3</code></a> Fix JavaDoc warnings</li>
   <li><a href="https://github.com/prometheus/client_java/commit/c70a2e25e07dc30083641f7ee64ea0f242b069f2"><code>c70a2e2</code></a> Bump OpenTelemetry version</li>
   <li><a href="https://github.com/prometheus/client_java/commit/3568b2477c60dcde4d9380b666ad60a33d0f4208"><code>3568b24</code></a> Remove call to Math.floor in f()</li>
   <li><a href="https://github.com/prometheus/client_java/commit/a3954b03512376050f3609ae9fa462fda7fb427a"><code>a3954b0</code></a> Dependency version bumps (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/761">#761</a>)</li>
   <li><a href="https://github.com/prometheus/client_java/commit/b56849c28ddaaada434c1e5facfa09504b1e2da9"><code>b56849c</code></a> simpleclient_log4j: make log4j dependency provided</li>
   <li><a href="https://github.com/prometheus/client_java/commit/579694315f59906caffa3acff0891f6105a88314"><code>5796943</code></a> Bump vertx-web from 3.3.2 to 3.5.4 in /simpleclient_vertx (<a href="https://github-redirect.dependabot.com/prometheus/client_java/issues/758">#758</a>)</li>
   <li><a href="https://github.com/prometheus/client_java/commit/f9a117126157019af5248be6588dd442e3c6dd6a"><code>f9a1171</code></a> Summaries: Allow 0.0 and 1.0 quantiles and update documentation</li>
   <li><a href="https://github.com/prometheus/client_java/commit/fd9da3e7f756dc9c119108ebf6dbe88cda9a740c"><code>fd9da3e</code></a> CKMS Quantiles: Add tests, refactor, fix tests</li>
   <li><a href="https://github.com/prometheus/client_java/commit/787eef37843e3ea0972d064eb567d0639a8aba5f"><code>787eef3</code></a> Improve CKMSQuantiles and address memory leak</li>
   <li>Additional commits viewable in <a href="https://github.com/prometheus/client_java/compare/parent-0.12.0...parent-0.15.0">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=io.prometheus:simpleclient_bom&package-manager=maven&previous-version=0.12.0&new-version=0.15.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
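The 0.13.0 and 0.14.x notes quoted above make a point worth acting on: simpleclient_log4j2 declares log4j with scope `provided`, so this bump does not change which log4j your application runs. Only the version your own build resolves matters, and a scanner that is satisfied by the client_java pom can still be looking at a vulnerable runtime. The following is an added example, not code from this PR or from client_java, of a start-up self-check that reads the log4j-core version actually present on the classpath and refuses to start below a floor. The class name, the floor of 2.17.0 (the version the 0.14.1 notes pin) and the reliance on the jar manifest's Implementation-Version entry are assumptions of this example.

```java
// Added example (not part of the PR or of client_java): a start-up self-check for
// the log4j-core version that is actually on the monitored application's classpath.
// simpleclient_log4j2 declares log4j with scope "provided", so bumping it changes
// nothing at runtime; what matters is the version the application itself ships.
import java.util.Arrays;

public final class Log4jRuntimeCheck {

    // Minimum acceptable log4j-core version. Assumption for this example: taken from
    // the 0.14.1 release notes above; raise it as newer advisories require.
    static final String MIN_VERSION = "2.17.0";

    public static void main(String[] args) {
        String actual = detectLog4jCoreVersion();
        if (actual == null) {
            System.out.println("log4j-core not on classpath (or no Implementation-Version in manifest): nothing to check");
            return;
        }
        if (compareVersions(actual, MIN_VERSION) < 0) {
            // Fail closed: do not start with a known-vulnerable logging backend.
            throw new IllegalStateException("log4j-core " + actual + " is older than required " + MIN_VERSION);
        }
        System.out.println("log4j-core " + actual + " >= " + MIN_VERSION + ": OK");
    }

    /** Reads Implementation-Version from the jar that supplies log4j-core's classes. */
    static String detectLog4jCoreVersion() {
        try {
            // Loaded reflectively so this class compiles and runs even without log4j present.
            Class<?> marker = Class.forName("org.apache.logging.log4j.core.LoggerContext");
            Package p = marker.getPackage();
            return p == null ? null : p.getImplementationVersion();
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    /** Segment-wise numeric comparison: "2.17.1" > "2.9.1", which a plain string compare gets wrong. */
    static int compareVersions(String a, String b) {
        int[] x = parse(a);
        int[] y = parse(b);
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) {
                return Integer.compare(xi, yi);
            }
        }
        return 0;
    }

    private static int[] parse(String v) {
        // Drop qualifiers such as "-rc1" or "-SNAPSHOT" before splitting on dots.
        String core = v.split("-", 2)[0];
        return Arrays.stream(core.split("\\."))
                .mapToInt(s -> s.isEmpty() ? 0 : Integer.parseInt(s))
                .toArray();
    }
}
```

Run it once during application start, or as a unit test in the monitored service. Treat the floor as a moving target and take it from the current Apache Log4j security page rather than from these release notes, and pair the runtime check with a build-time guard such as the Maven Enforcer plugin's bannedDependencies rule, which fails the build when an old log4j-core is pulled in transitively, so the problem is caught before deployment.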
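For the Summary change in 0.15.0 described above, here is an added example (not from this PR or from client_java) of a latency Summary that uses the two new corner cases, `.quantile(0, 0)` and `.quantile(1, 0)`, alongside conventional percentiles, and renders the result in the Prometheus text format so the new series can be inspected without a scrape. The metric name, the private registry and the sample latencies are constructed for the example, and it needs simpleclient 0.15.0 or later, since earlier versions reject quantiles of 0 and 1.

```java
// Added example (not from the PR or from client_java): one Summary that exposes
// request latency as p50/p99 together with the exact observed minimum and maximum,
// using the quantile corner cases introduced in simpleclient 0.15.0.
import io.prometheus.client.CollectorRegistry;
import io.prometheus.client.Summary;
import io.prometheus.client.exporter.common.TextFormat;

import java.io.IOException;
import java.io.StringWriter;

public final class LatencySummaryExample {

    // A private registry so the example does not pollute the default one.
    static final CollectorRegistry REGISTRY = new CollectorRegistry();

    // quantile(q, error): an error of 0 at q=0 and q=1 is what 0.15.0 newly allows,
    // which makes these exact min/max trackers rather than approximations.
    static final Summary REQUEST_LATENCY = Summary.build()
            .name("example_request_latency_seconds")      // constructed metric name
            .help("Request latency in seconds (constructed example)")
            .quantile(0.0, 0.0)    // minimum observed value
            .quantile(0.5, 0.05)   // median, 5% tolerated rank error
            .quantile(0.99, 0.001) // p99, tight error so the tail is not smeared
            .quantile(1.0, 0.0)    // maximum observed value
            .register(REGISTRY);

    public static void main(String[] args) throws IOException {
        // Constructed sample latencies, including one slow outlier that the
        // maximum quantile will surface even though p99 may not.
        double[] observed = {0.012, 0.015, 0.011, 0.020, 0.014, 1.250, 0.013};
        for (double seconds : observed) {
            REQUEST_LATENCY.observe(seconds);
        }

        // Render the series exactly as a Prometheus scrape would see them: one line
        // per quantile label plus the _count and _sum series.
        StringWriter out = new StringWriter();
        TextFormat.write004(out, REGISTRY.metricFamilySamples());
        System.out.print(out);
    }
}
```

This needs simpleclient and simpleclient_common on the classpath, both of which simpleclient_bom manages. Keep in mind that a Summary's quantiles, including the new min and max, are computed per process and cannot be aggregated across instances in PromQL; where fleet-wide percentiles are needed, a Histogram is the right tool.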


[GitHub] [servicecomb-java-chassis] Shoothzj commented on pull request #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on PR #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878#issuecomment-1124909253

   @dependabot rebase


[GitHub] [servicecomb-java-chassis] dependabot[bot] commented on pull request #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

Posted by GitBox <gi...@apache.org>.
dependabot[bot] commented on PR #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878#issuecomment-1124873518

   Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request `@dependabot recreate`.


[GitHub] [servicecomb-java-chassis] Shoothzj merged pull request #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

Posted by GitBox <gi...@apache.org>.
Shoothzj merged PR #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878


[GitHub] [servicecomb-java-chassis] codecov-commenter commented on pull request #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878#issuecomment-1124937827

   # [Codecov](https://codecov.io/gh/apache/servicecomb-java-chassis/pull/2878?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > :exclamation: No coverage uploaded for pull request base (`master@7b07ff8`). [Click here to learn what that means](https://docs.codecov.io/docs/error-reference?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#section-missing-base-commit).
   > The diff coverage is `n/a`.
   
   ```diff
   @@            Coverage Diff            @@
   ##             master    #2878   +/-   ##
   =========================================
     Coverage          ?   77.31%           
     Complexity        ?     1418           
   =========================================
     Files             ?     1615           
     Lines             ?    43301           
     Branches          ?     3667           
   =========================================
     Hits              ?    33478           
     Misses            ?     8286           
     Partials          ?     1537           
   ```
   
   
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/servicecomb-java-chassis/pull/2878?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/servicecomb-java-chassis/pull/2878?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [7b07ff8...5f5df49](https://codecov.io/gh/apache/servicecomb-java-chassis/pull/2878?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   


[GitHub] [servicecomb-java-chassis] Shoothzj commented on pull request #2878: Bump simpleclient_bom from 0.12.0 to 0.15.0

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on PR #2878:
URL: https://github.com/apache/servicecomb-java-chassis/pull/2878#issuecomment-1124873504

   @dependabot rebase
