Go updated to 1.18
Packages updated to the latest versions for each.
Upgrading github.com/prometheus/common
encountered the breaking change in
which removed the Log package (prometheus/common#306),
so the logging code has also been updated to use promlog instead.
Mitigates security issues:
GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON.
https://nvd.nist.gov/vuln/detail/CVE-2020-35380
GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.
https://nvd.nist.gov/vuln/detail/CVE-2020-36066
GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.
https://nvd.nist.gov/vuln/detail/CVE-2020-36067
GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
https://nvd.nist.gov/vuln/detail/CVE-2021-42836
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
https://nvd.nist.gov/vuln/detail/CVE-2020-14040
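The advisories above state the first fixed version of each module (gjson 1.9.3 covers all four gjson CVEs, x/text 0.3.3 covers CVE-2020-14040). As an added check that is not part of this PR or the project, the Go program below reads `go list -m all` output and reports any tracked module still pinned below its floor, treating pre-release and pseudo-versions as sorting before their base version so a `v1.9.3-0.2021...` pseudo-version is not mistaken for the fix. The floor table, the constructed sample input and the function names are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Version floors taken from the advisories listed in this PR. The map and the
// checker around it are an added example, not part of the project.
var minimumVersions = map[string]string{
	"github.com/tidwall/gjson": "v1.9.3", // CVE-2020-35380, -36066, -36067, CVE-2021-42836
	"golang.org/x/text":        "v0.3.3", // CVE-2020-14040
}

// sampleGoList is constructed input in the shape of `go list -m all`:
// the first line is the main module, replace directives use "=>".
const sampleGoList = `example.com/app
github.com/prometheus/common v0.32.1
github.com/tidwall/gjson v1.6.5
golang.org/x/text v0.3.7
`

// parseSemver splits "v1.9.3", "v1.9.3-0.20211009-abc" or "v1.9.3+incompatible"
// into major/minor/patch and reports whether a pre-release suffix was present.
func parseSemver(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	if i := strings.Index(v, "-"); i >= 0 {
		prerelease = true
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("unparseable version %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil {
			return parts, false, fmt.Errorf("unparseable version %q: %w", v, convErr)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// VersionAtLeast reports whether got satisfies floor. A pre-release (including a
// Go pseudo-version such as v1.9.3-0.20211009000000-abcdef012345) sorts before
// its base version, so it never satisfies a non-pre-release floor equal to it.
func VersionAtLeast(got, floor string) (bool, error) {
	g, gPre, err := parseSemver(got)
	if err != nil {
		return false, err
	}
	f, fPre, err := parseSemver(floor)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if g[i] != f[i] {
			return g[i] > f[i], nil
		}
	}
	return !gPre || fPre, nil
}

// CheckModules reads `go list -m all` output and returns one finding per tracked
// module that is below its floor or whose version cannot be determined.
func CheckModules(r io.Reader) ([]string, error) {
	var findings []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // main module line or blank line
		}
		path, version := fields[0], fields[1]
		floor, tracked := minimumVersions[path]
		if !tracked {
			continue
		}
		if len(fields) >= 4 && fields[2] == "=>" { // "old vX => new vY" or "=> ../local"
			if len(fields) < 5 {
				findings = append(findings, fmt.Sprintf("%s replaced by %s: verify manually", path, fields[3]))
				continue
			}
			version = fields[4]
		}
		ok, err := VersionAtLeast(version, floor)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if !ok {
			findings = append(findings, fmt.Sprintf("%s %s is below fixed version %s", path, version, floor))
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	// Pipe real output instead: go list -m all | go run check.go
	findings, err := CheckModules(strings.NewReader(sampleGoList))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run against the real module graph with `go list -m all | go run check.go` after the upgrade; any line printed means a floor from the advisory list is not met. `govulncheck` is the fuller tool for this, but this check is useful in CI precisely because it pins the floors named in the PR rather than whatever the vulnerability database currently holds.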