Release 0.37.0 #168
Walkthrough
The changes in this pull request focus on updates to the
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Developer
    participant BuildSystem
    participant OpenTelemetry
    participant Verifier
    Developer->>BuildSystem: Trigger build
    BuildSystem->>OpenTelemetry: downloadFile (if modified)
    OpenTelemetry-->>BuildSystem: File downloaded
    BuildSystem->>Verifier: verifyFile
    Verifier-->>BuildSystem: File integrity verified
    BuildSystem-->>Developer: Build completed
```
Actionable comments posted: 0
🧹 Outside diff range comments (4)
build.gradle (4)
Line range hint 8-8: Consider updating Sentry plugin to latest version 4.3.1
The current update to 4.3.0 is good, but 4.3.1 is available with additional improvements.
Line range hint 93-98: Security concern: Avoid using release candidate version of Jackson
While pinning Jackson to 2.14.0-rc2 fixes the vulnerability, it's recommended to use the latest stable version 2.15.3 instead of a release candidate in production.
Apply this change:
resolutionStrategy.eachDependency { DependencyResolveDetails details -> if (details.requested.group.startsWith('com.fasterxml.jackson')) { - details.useVersion '2.14.0-rc2' + details.useVersion '2.15.3' details.because 'fixes critical vulnerability in lower versions' }
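Review bot: the `details.because 'fixes critical vulnerability in lower versions'` string in this hunk does not say which vulnerability or advisory the pin addresses, so nobody can later tell whether 2.15.3 is still sufficient or when the override can be dropped; name the advisory in the because-message. Also note that `eachDependency` with `startsWith('com.fasterxml.jackson')` silently overrides every Jackson artifact's version, including transitive ones, rather than failing when a consumer asks for something older; a dependency constraint or the Jackson BOM makes the pin explicit and reviewable in the dependency report.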
Line range hint 116-120: Update OpenTelemetry Java agent to latest version
The current version 1.16.0 is outdated. Consider updating to the latest stable version 1.31.0 for bug fixes and improvements.
Apply this change:
task downloadFile(type: Download) { - src 'https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.16.0/opentelemetry-javaagent.jar' + src 'https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.31.0/opentelemetry-javaagent.jar' dest "${buildDir}/opentelemetry/opentelemetry-javaagent.jar" onlyIfModified true }
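Review bot: changing `src` to the v1.31.0 jar without changing the pinned checksum in `verifyFile` (the following hunk still carries the checksum for the 1.16.0 jar) means this bump either fails verification or, if verification is bypassed, runs an unverified agent; the URL bump and the checksum update must land in the same commit. Also confirm that whatever task actually consumes `${buildDir}/opentelemetry/opentelemetry-javaagent.jar` depends on `verifyFile`, not only on `downloadFile`, so a jar that fails the check can never be picked up by the build.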
Line range hint 122-127: Security concern: Replace MD5 with a stronger hash algorithm
MD5 is cryptographically broken and not recommended for security purposes. Consider using SHA-256 or SHA-512 instead.
Apply this change:
task verifyFile(type: Verify, dependsOn: downloadFile) { dependsOn downloadFile src new File("${buildDir}/opentelemetry/", 'opentelemetry-javaagent.jar') - algorithm 'MD5' - checksum '4f97ebd74d075e60c76ecdf47b61006a' + algorithm 'SHA-256' + checksum '<insert-sha256-checksum-here>' // Get this from the official release page }
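Review bot: the suggested `checksum '<insert-sha256-checksum-here>'` is a placeholder that will fail every verification if merged as-is; the real SHA-256 of the pinned jar has to be filled in before this can be applied. `dependsOn downloadFile` appears twice in the hunk (in the task arguments and again in the body); one is enough. Finally, a checksum taken from the same release page the jar is downloaded from only detects tampering or corruption after the pin was recorded, not a compromised upstream, so record where and when the digest was obtained next to the value.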
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
📒 Files selected for processing (1)
- build.gradle (1 hunks)
🔇 Additional comments (1)
build.gradle (1)
16-16: LGTM: Version bump follows semantic versioning
The version increment from 0.36.0 to 0.37.0 is appropriate for a minor release.
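A stand-alone version of the integrity check the review asks for (strong digest, pinned checksum, weak algorithms rejected), written in Python as an added example rather than Gradle; it is not code from this PR or from the project. The sample jar bytes, the `verify_file`/`digest_file` names and the weak-algorithm list are the example's own assumptions.

```python
"""Artifact integrity check modelled on the Gradle Verify task in this PR
(src / algorithm / checksum). Added example, not project code."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digests that must not be used to pin an artifact: collisions are practical.
WEAK_ALGORITHMS = {"md5", "sha1"}


def digest_file(path: Path, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so a large jar need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: Path, algorithm: str, expected_checksum: str) -> bool:
    """True only if the file matches the pinned checksum under a strong hash.

    Raises ValueError for MD5/SHA-1 so a weak pin fails the build loudly
    instead of passing quietly, which is what the review comment warns about.
    """
    name = algorithm.lower().replace("-", "")          # "SHA-256" -> "sha256"
    if name in WEAK_ALGORITHMS:
        raise ValueError(f"{algorithm} is not acceptable for pinning; use SHA-256 or SHA-512")
    if name not in hashlib.algorithms_available:
        raise ValueError(f"unknown digest algorithm: {algorithm}")
    actual = digest_file(path, name)
    # Constant-time compare: no early exit on the first mismatching hex digit.
    return hmac.compare_digest(actual, expected_checksum.lower())


def _demo() -> None:
    # Constructed stand-in for the downloaded agent jar; not a real artifact.
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "opentelemetry-javaagent.jar"
        jar.write_bytes(b"PK\x03\x04constructed-jar-bytes")
        pinned = digest_file(jar, "sha256")  # in a real build: from the release page
        print(verify_file(jar, "SHA-256", pinned))   # True
        jar.write_bytes(b"PK\x03\x04tampered-jar-bytes")
        print(verify_file(jar, "SHA-256", pinned))   # False


if __name__ == "__main__":
    _demo()
```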
Summary by CodeRabbit
New Features
- Added the `downloadFile` task for downloading the OpenTelemetry Java agent and the `verifyFile` task for checking the integrity of the downloaded file.
Updates
- Project version bumped to 0.37.0.
- Sentry plugin updated to 4.3.0.
- Jackson pinned to 2.14.0-rc2 to address security vulnerabilities.