[2024-03-04] Bump dependencies identified by dependabot

[ivanvc]

This pull request completes this week's etcd dependency updates following our dependency roster and dependency management instructions.

Summary of actions:

• google.golang.org/protobuf bump from 1.32.0 to 1.33.0, addresses CVE-2024-24786. Wasn't catch by dependabot, but by Go vulnerability CI check
• build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc from 1.23.1 to 1.24.0 #17527 - Bumped
• build(deps): bump github.com/google/yamlfmt from 0.10.0 to 0.11.0 in /tools/mod #17519 - Bumped
• build(deps): bump github.com/prometheus/common from 0.47.0 to 0.49.0 #17525 - Bumped
• build(deps): bump github.com/Abirdcfly/dupword from 0.0.13 to 0.0.14 in /tools/mod #17523 - Indirect
• build(deps): bump github.com/denis-tingaikin/go-header from 0.4.3 to 0.5.0 in /tools/mod #17522 - Indirect
• build(deps): bump github.com/securego/gosec/v2 from 2.18.2 to 2.19.0 in /tools/mod #17521 - Indirect
• build(deps): bump github.com/spf13/cast from 1.5.0 to 1.6.0 in /tools/mod #17520 - Indirect

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

[k8s-ci-robot]

Hi @ivanvc. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ivanvc]

Note that the Go Vulnerability Checker is still failing due to the Go 1.21.8 (#17539) 1.22.1 (#17393) update

[jmhbnz]

/ok-to-test

[jmhbnz]

LGTM - Thanks for helping us stay on top of these @ivanvc 🙏🏻

[ahrtr]

The workflow failure is caused by #17393 (comment)

[ahrtr]

Please rebase this PR and bump google.golang.org/protobuf to 1.33.0 in this PR.

[ivanvc]

Please rebase this PR and bump google.golang.org/protobuf to 1.33.0 in this PR.

@ahrtr, done. I already bumped protobuf to 1.33.0 :)

[ahrtr]

Please rebase this PR and bump google.golang.org/protobuf to 1.33.0 in this PR.

@ahrtr, done. I already bumped protobuf to 1.33.0 :)

Thanks.

Why the CVE CVE-2024-24786 wasn't discovered by 3.5 and 3.4's workflow checks. Could you please raise an issue to followup this for 3.4 and 3.5? Thanks.

[ahrtr]

CVE CVE-2024-24786

Refer to https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0

[ahrtr]

lgtm

Thanks

[ivanvc]

Please rebase this PR and bump google.golang.org/protobuf to 1.33.0 in this PR.

@ahrtr, done. I already bumped protobuf to 1.33.0 :)

Thanks.

Why the CVE CVE-2024-24786 wasn't discovered by 3.5 and 3.4's workflow checks. Could you please raise an issue to followup this for 3.4 and 3.5? Thanks.

It seems like those two branches don't have the vulnerability check. I'll raise an issue and work on it shortly. I'll also bump protobuf there.

[ahrtr]

I'll raise an issue and work on it shortly. I'll also bump protobuf there.

Thank you!

[ivanvc]

I'll raise an issue and work on it shortly. I'll also bump protobuf there.

Thank you!

@ahrtr just a heads up that I created #17551 and #17549 to track these issues