Bump github.com/prometheus/common from 0.67.5 to 0.68.1

[dependabot]

Bumps github.com/prometheus/common from 0.67.5 to 0.68.1.

Release notes

Sourced from github.com/prometheus/common's releases.

v0.68.1

What's Changed

• build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 by @​dependabot[bot] in prometheus/common#903
• build(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 by @​dependabot[bot] in prometheus/common#914
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#915

Full Changelog: prometheus/common@v0.68.0...v0.68.1

v0.68.0

What's Changed

• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#873
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#874
• build(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @​dependabot[bot] in prometheus/common#879
• build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by @​dependabot[bot] in prometheus/common#878
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#875
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#880
• Remove logic adding unit to metrics name by @​vesari in prometheus/common#877
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#881
• Update for Go 1.26 by @​SuperQ in prometheus/common#883
• build(deps): bump golang.org/x/net from 0.49.0 to 0.51.0 by @​dependabot[bot] in prometheus/common#882
• version: Add a slog helper by @​SuperQ in prometheus/common#886
• Remove Arthur from maintainers list by @​ArthurSens in prometheus/common#885
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#895
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#896
• config: change NewOAuth2RoundTripper to accept variadic HTTPClientOption by @​alliasgher in prometheus/common#898
• config: guard against nil oauth2 credential in RoundTrip by @​alliasgher in prometheus/common#897
• build(deps): bump golang.org/x/net from 0.51.0 to 0.52.0 by @​dependabot[bot] in prometheus/common#890
• build(deps): bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 by @​dependabot[bot] in prometheus/common#891
• build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.36.0 by @​dependabot[bot] in prometheus/common#892
• Move interface assertions to a test file by @​msiegen in prometheus/common#839
• fix(http_config): fix client cert rotation when no CA is configured by @​machine424 in prometheus/common#908
• Remove CircleCI by @​ArthurSens in prometheus/common#910
• Fix: apply DialContextFunc to OAuth2 token-fetch transport by @​yuri-tceretian in prometheus/common#911

New Contributors

• @​alliasgher made their first contribution in prometheus/common#898
• @​msiegen made their first contribution in prometheus/common#839
• @​machine424 made their first contribution in prometheus/common#908
• @​yuri-tceretian made their first contribution in prometheus/common#911

Full Changelog: prometheus/common@v0.67.5...v0.68.0

Commits

• 2120573 Update common Prometheus files (#915)
• 228386a build(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 (#914)
• b8c88b4 build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 (#903)
• 1e0ae83 config: apply DialContextFunc to OAuth2 token-fetch transport (#911)
• b51d01b Remove CircleCI (#910)
• 0f3c348 Merge pull request #908 from machine424/ttlsco
• 732a9cf fix(http_config): fix client cert rotation when no CA is configured
• ce9215c Move interface assertions to a test file (#839)
• 1ba5ed7 build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.36.0 (#892)
• 8f8ada6 build(deps): bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 (#891)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• New Features

  • Added support for requiring "Not Before" (nbf) claim validation in JWT tokens.
  • Added structured logging helper for version information.
  • New Windows file attribute query and set operations.
  • Improved vectorized I/O support across Unix platforms.

• Bug Fixes

  • Fixed HTTP/2 implementation issues and improved architecture for modern Go versions.
  • Fixed OAuth2 round-tripper error handling and CA configuration issues.
  • Corrected typos and improved documentation across multiple modules.

• Dependency Updates

  • Updated Prometheus Common, golang-jwt, and golang.org/x/* modules to latest versions.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Vendor refresh updates dependencies and syncs modules. JWT parsing changes reorder key lookup and add an nbf-required option. Prometheus common adjusts OAuth2/TLS and OpenMetrics unit emission. x/net/http2 is split for Go 1.27 with wrapper/common layers. IDNA gains Unicode-aware validation. x/sys adds vectored I/O, constants, syscall numbers, and Windows NT EA APIs.

Changes

Module and vendor index updates

Layer / File(s)	Summary
Dependency version bumps and vendor index go.mod, vendor/modules.txt	Bumps Prometheus/common, golang.org/x/*, and jwt; regenerates vendor listings accordingly.

golang-jwt/jwt v5 parsing and validation updates

Layer / File(s)	Summary
Parser flow and comments vendor/github.com/golang-jwt/jwt/v5/parser.go	Invokes keyFunc earlier; moves join/signing-text compute; adjusts comments/typos.
Parser option: require nbf claim vendor/github.com/golang-jwt/jwt/v5/parser_option.go	Adds WithNotBeforeRequired functional option.
Token signing side effect and Validator flag vendor/github.com/golang-jwt/jwt/v5/token.go, .../validator.go	SignedString stores Signature; Validator gains requireNbf and uses it.
Docs touch-ups .../README.md, .../VERSION_HISTORY.md	Extensions table update; typo fix.

Prometheus common: HTTP/TLS/OAuth2 and OpenMetrics

Layer / File(s)	Summary
HTTP OAuth2 RoundTripper API and safety vendor/github.com/prometheus/common/config/http_config.go	NewOAuth2RoundTripper takes option funcs; propagates DialContext; nil secret error; robust TLS reload.
OpenMetrics unit emission and model cleanup vendor/github.com/prometheus/common/expfmt/openmetrics_create.go, .../model/metric.go	Always emit UNIT when present; drop yaml v2 import/assertion.
Add version.Slog helper vendor/github.com/prometheus/common/version/info.go	Adds Slog() for structured logging fields.

x/net/http2 Go 1.27-aware split (client/server/transport/writesched)

Layer / File(s)	Summary
Documentation and build constraints vendor/golang.org/x/net/http2/README.md, .../client_conn_pool.go, .../config.go, .../transport.go, .../writesched*.go	Guides source-of-truth; applies build tags gating legacy vs wrap.
ClientConn public wrappers vendor/golang.org/x/net/http2/clientconn.go	Adds exported thin wrappers to internal methods.
Server API split and common surface .../server.go, .../server_common.go, .../server_wrap.go	Moves ConfigureServer/ServeConn and symbols to common; wrap integrates with net/http; deprecates external write schedulers.
Transport refactor and common transport contracts .../transport*.go	Moves public API to transport_common; refactors internals; adds wrapper path for Go 1.27+.
Package docs and minor comment fix .../http2.go	Updates package commentary and header name reference.
HTTP common: strict :path validation vendor/golang.org/x/net/internal/httpcommon/request.go	Early reject invalid pseudo-paths.

x/net/idna Unicode-aware refactor

Layer / File(s)	Summary
Core IDNA processing and error model vendor/golang.org/x/net/idna/idna.go	Adds unicode16 gating; restructures errors; updates process/validation.
Punycode adjustments and tables/build tags vendor/golang.org/x/net/idna/punycode.go, .../tables15.0.0.go, .../trie13.0.0.go	Tweaks punycode error codes/guard; adjusts build tags; removes generated trie file.

x/sys/unix: vectored I/O, constants, types, and syscall numbers

Layer / File(s)	Summary
mkerrors and linux syscall stubs/renames vendor/golang.org/x/sys/unix/mkerrors.sh, .../syscall_linux.go, .../zsyscall_linux.go	Adds futex define; introduces *Syscall stubs; renames generated wrappers.
Vectored I/O wrappers across platforms .../readv_unix.go, .../syscall_darwin.go, .../syscall_openbsd*.{go,s}	Adds shared readv/p{read,write}v; removes Darwin impl; adds OpenBSD go/asm trampolines.
Generated linux errors/constants updates .../zerrors_linux*.go	Expands constants and error names across arches; updates tables.
Linux syscall numbers across arches .../zsysnum_linux*.go	Adds new SYS_* numbers (FILE_GETATTR/SETATTR, LISTNS, RSEQ_SLICE_YIELD, etc.).
Linux ztypes: KernelTimespec, TCPInfo, nl80211, Taskstats .../ztypes_linux*.go	Adds KernelTimespec; expands TCPInfo; bumps *_MAX; adds Taskstats *_delay_max_ts across arches.

x/sys/windows: NT file EA and info APIs

Layer / File(s)	Summary
Windows NT EA/query/set wrappers and types vendor/golang.org/x/sys/windows/*	Adds NtQueryInformationFile, NtQueryEaFile, NtSetEaFile; adds FileEaInformation.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(200, 230, 255, 0.5)
  participant App
  participant NetHTTP as net/http.Transport
  participant H2T as http2.Transport
  participant H2S as http2.Server
  end
  App->>NetHTTP: RoundTrip(req)
  NetHTTP->>H2T: Delegate via registered http/2 protocol
  H2T->>H2S: ServeConnFunc/HTTP2Config
  H2S-->>App: Response

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

A rabbit taps on vendor snow,
Bundles tweaked and versions grow.
HTTP/2 learns brand-new tricks,
JWTs demand their nbf fix.
Syscalls bloom across the burrow,
IDNA maps the Unicode furrow.
Thump-thump—ship it, on we go! 🐇✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/github.com/prometheus/common-0.68.1

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

vendor/golang.org/x/net/http2/transport_wrap.go (1)

29-34: ⚡ Quick win

Clarify/seed TLS + dial settings for direct use of returned *http2.Transport

vendor/golang.org/x/net/http2/transport_wrap.go’s configureTransports returns tr2 := &Transport{} without copying *http.Transport TLS/dial configuration (29-34), and transportConfig.DialFromContext clones t.t.TLSClientConfig from the returned *http2.Transport (110-133). When the returned *http2.Transport is used, roundTripOpt sets http2TransportContextKey{} (158-181), so the custom dial/TLS path can run and ignore any t1.TLSClientConfig / dial hooks that were on the wrapped *http.Transport.

In this repo, however, http2.ConfigureTransports(rt.(*http.Transport)) is called and only http2t.ReadIdleTimeout is set; the code continues to use the original rt as the RoundTripper (vendor/github.com/prometheus/common/config/http_config.go:651-670), so the “direct *http2.Transport RoundTrip” dial/TLS behavior isn’t exercised here.

Consider seeding Transport.TLSClientConfig (and dial hooks) from the wrapped t1, or making DialFromContext fall back to t1’s dial/TLS settings when the returned Transport fields are unset.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/golang.org/x/net/http2/transport_wrap.go` around lines 29 - 34,
configureTransports currently returns an empty &Transport{} so the returned
Transport lacks TLS/dial settings from the wrapped *http.Transport (t1); update
configureTransports to seed tr2 fields from t1 by copying TLSClientConfig and
any dial hooks (e.g. DialContext / Dial / DialTLS equivalents used by Transport)
into tr2 before calling tr2.configure(t1), and/or make Transport.DialFromContext
fall back to t1's dial/TLS settings when tr2's TLSClientConfig or dial hooks are
nil so DialFromContext uses t1's configuration if the returned Transport wasn't
explicitly populated; reference configureTransports, Transport, tr2, t1,
DialFromContext, TLSClientConfig, roundTripOpt and http2TransportContextKey when
making the changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@vendor/github.com/prometheus/common/config/http_config.go`:
- Around line 945-965: The token-fetch transport created in
NewOAuth2RoundTripper ignores HTTPClientOption.WithNewTLSConfigFunc because
oauth2RoundTripper.newOauth2TokenSource calls NewTLSConfig directly; change
newOauth2TokenSource to build tlsConfig via the configured opts.NewTLSConfigFunc
(or call opts.NewTLSConfigFunc if non-nil, falling back to NewTLSConfig) and
ensure the token HTTP transport uses that tlsConfig (and any other opts-derived
settings) so the token request honors the same TLS customization provided to
NewOAuth2RoundTripper via optFuncs.

In `@vendor/github.com/prometheus/common/version/info.go`:
- Around line 82-97: Slog() currently returns the raw Revision variable instead
of using the fallback logic in GetRevision(); update Slog() to call
GetRevision() for the "revision" entry so structured logs match Print()/Info()
behavior—modify the function Slog() to replace the "revision", Revision pair
with "revision", GetRevision() (retain other fields unchanged).

---

Nitpick comments:
In `@vendor/golang.org/x/net/http2/transport_wrap.go`:
- Around line 29-34: configureTransports currently returns an empty &Transport{}
so the returned Transport lacks TLS/dial settings from the wrapped
*http.Transport (t1); update configureTransports to seed tr2 fields from t1 by
copying TLSClientConfig and any dial hooks (e.g. DialContext / Dial / DialTLS
equivalents used by Transport) into tr2 before calling tr2.configure(t1), and/or
make Transport.DialFromContext fall back to t1's dial/TLS settings when tr2's
TLSClientConfig or dial hooks are nil so DialFromContext uses t1's configuration
if the returned Transport wasn't explicitly populated; reference
configureTransports, Transport, tr2, t1, DialFromContext, TLSClientConfig,
roundTripOpt and http2TransportContextKey when making the changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f20fe45e-92d4-4460-aa58-9ed346ac9881

📥 Commits

Reviewing files that changed from the base of the PR and between 1727940 and 1f872c2.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (115)

• go.mod
• vendor/github.com/golang-jwt/jwt/v5/README.md
• vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
• vendor/github.com/golang-jwt/jwt/v5/parser.go
• vendor/github.com/golang-jwt/jwt/v5/parser_option.go
• vendor/github.com/golang-jwt/jwt/v5/token.go
• vendor/github.com/golang-jwt/jwt/v5/validator.go
• vendor/github.com/prometheus/common/config/http_config.go
• vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
• vendor/github.com/prometheus/common/model/metric.go
• vendor/github.com/prometheus/common/version/info.go
• vendor/golang.org/x/net/http/httpproxy/proxy.go
• vendor/golang.org/x/net/http2/README.md
• vendor/golang.org/x/net/http2/client_conn_pool.go
• vendor/golang.org/x/net/http2/clientconn.go
• vendor/golang.org/x/net/http2/config.go
• vendor/golang.org/x/net/http2/http2.go
• vendor/golang.org/x/net/http2/server.go
• vendor/golang.org/x/net/http2/server_common.go
• vendor/golang.org/x/net/http2/server_wrap.go
• vendor/golang.org/x/net/http2/transport.go
• vendor/golang.org/x/net/http2/transport_common.go
• vendor/golang.org/x/net/http2/transport_wrap.go
• vendor/golang.org/x/net/http2/writesched.go
• vendor/golang.org/x/net/http2/writesched_common.go
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
• vendor/golang.org/x/net/http2/writesched_random.go
• vendor/golang.org/x/net/http2/writesched_roundrobin.go
• vendor/golang.org/x/net/idna/go118.go
• vendor/golang.org/x/net/idna/idna.go
• vendor/golang.org/x/net/idna/idna9.0.0.go
• vendor/golang.org/x/net/idna/pre_go118.go
• vendor/golang.org/x/net/idna/punycode.go
• vendor/golang.org/x/net/idna/tables10.0.0.go
• vendor/golang.org/x/net/idna/tables11.0.0.go
• vendor/golang.org/x/net/idna/tables12.0.0.go
• vendor/golang.org/x/net/idna/tables13.0.0.go
• vendor/golang.org/x/net/idna/tables15.0.0.go
• vendor/golang.org/x/net/idna/tables17.0.0.go
• vendor/golang.org/x/net/idna/tables9.0.0.go
• vendor/golang.org/x/net/idna/trie12.0.0.go
• vendor/golang.org/x/net/idna/trie13.0.0.go
• vendor/golang.org/x/net/internal/httpcommon/request.go
• vendor/golang.org/x/sys/unix/mkerrors.sh
• vendor/golang.org/x/sys/unix/readv_unix.go
• vendor/golang.org/x/sys/unix/syscall_darwin.go
• vendor/golang.org/x/sys/unix/syscall_linux.go
• vendor/golang.org/x/sys/unix/syscall_openbsd.go
• vendor/golang.org/x/sys/unix/zerrors_linux.go
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
• vendor/golang.org/x/sys/unix/zsyscall_linux.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
• vendor/golang.org/x/sys/unix/ztypes_linux.go
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
• vendor/golang.org/x/sys/windows/syscall_windows.go
• vendor/golang.org/x/sys/windows/types_windows.go
• vendor/golang.org/x/sys/windows/zsyscall_windows.go
• vendor/modules.txt

💤 Files with no reviewable changes (7)

• vendor/golang.org/x/net/idna/go118.go
• vendor/github.com/prometheus/common/model/metric.go
• vendor/golang.org/x/net/idna/trie12.0.0.go
• vendor/golang.org/x/net/idna/idna9.0.0.go
• vendor/golang.org/x/net/idna/pre_go118.go
• vendor/golang.org/x/net/idna/trie13.0.0.go
• vendor/golang.org/x/sys/unix/syscall_darwin.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n "newTLSConfigFunc|NewTLSConfig\\(" vendor/github.com/prometheus/common/config/http_config.go

Repository: kubeservice-stack/node-metrics

Length of output: 589

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="vendor/github.com/prometheus/common/config/http_config.go"

echo "== main TLS path (around opts.newTLSConfigFunc usage) =="
sed -n '700,770p' "$file" | nl -ba | sed -n '1,140p'

echo
echo "== OAuth2 token source TLS path (around line 974) =="
sed -n '930,1010p' "$file" | nl -ba | sed -n '1,140p'

echo
echo "== newOauth2TokenSource signature and how rt.opts is used =="
rg -n "func \\(rt \\*oauth2RoundTripper\\) newOauth2TokenSource" -n "$file"

Repository: kubeservice-stack/node-metrics

Length of output: 192

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="vendor/github.com/prometheus/common/config/http_config.go"

num() { awk '{printf "%6d\t%s\n", NR, $0}'; }

echo "== main TLS path (opts.newTLSConfigFunc around previous match ~739) =="
sed -n '700,770p' "$file" | num | sed -n '1,120p'

echo
echo "== OAuth2 token-source TLS path (around ~974 match) =="
sed -n '940,1010p' "$file" | num | sed -n '1,120p'

echo
echo "== newOauth2TokenSource body (wider context) =="
rg -n "func \\(rt \\*oauth2RoundTripper\\) newOauth2TokenSource" "$file"
start=$(rg -n "func \\(rt \\*oauth2RoundTripper\\) newOauth2TokenSource" "$file" | head -n1 | cut -d: -f1)
# print from ~30 lines before to ~80 lines after (bounded)
from=$((start-30)); to=$((start+90))
sed -n "${from},${to}p" "$file" | num

Repository: kubeservice-stack/node-metrics

Length of output: 10669

---

Fix OAuth2 token TLS to honor WithNewTLSConfigFunc

oauth2RoundTripper.newOauth2TokenSource builds tlsConfig via NewTLSConfig(...) directly, so WithNewTLSConfigFunc provided to NewOAuth2RoundTripper(..., optFuncs...) affects the main transport but not the token-fetch transport.

Proposed fix

 func (rt *oauth2RoundTripper) newOauth2TokenSource(req *http.Request, clientCredential string) (client *http.Client, source oauth2.TokenSource, err error) {
-	tlsConfig, err := NewTLSConfig(&rt.config.TLSConfig, WithSecretManager(rt.opts.secretManager))
+	tlsConfig, err := rt.opts.newTLSConfigFunc(req.Context(), &rt.config.TLSConfig, WithSecretManager(rt.opts.secretManager))
 	if err != nil {
 		return nil, nil, err
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/github.com/prometheus/common/config/http_config.go` around lines 945 -
965, The token-fetch transport created in NewOAuth2RoundTripper ignores
HTTPClientOption.WithNewTLSConfigFunc because
oauth2RoundTripper.newOauth2TokenSource calls NewTLSConfig directly; change
newOauth2TokenSource to build tlsConfig via the configured opts.NewTLSConfigFunc
(or call opts.NewTLSConfigFunc if non-nil, falling back to NewTLSConfig) and
ensure the token HTTP transport uses that tlsConfig (and any other opts-derived
settings) so the token request honors the same TLS customization provided to
NewOAuth2RoundTripper via optFuncs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n "GetRevision\\(|\\bRevision\\b" vendor/github.com/prometheus/common/version/info.go

Repository: kubeservice-stack/node-metrics

Length of output: 329

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="vendor/github.com/prometheus/common/version/info.go"
sed -n '75,115p' "$FILE"

Repository: kubeservice-stack/node-metrics

Length of output: 1013

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="vendor/github.com/prometheus/common/version/info.go"
rg -n "func (Print|Info)\\b" "$FILE"

Repository: kubeservice-stack/node-metrics

Length of output: 137

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="vendor/github.com/prometheus/common/version/info.go"
sed -n '45,85p' "$FILE"

Repository: kubeservice-stack/node-metrics

Length of output: 1280

---

Use GetRevision() in Slog() to keep structured logging consistent
Slog() currently logs "revision", Revision (line 90), bypassing the GetRevision() fallback (Revision → computedRevision) that Print() and Info() already use.
Change to "revision", GetRevision().

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/github.com/prometheus/common/version/info.go` around lines 82 - 97,
Slog() currently returns the raw Revision variable instead of using the fallback
logic in GetRevision(); update Slog() to call GetRevision() for the "revision"
entry so structured logs match Print()/Info() behavior—modify the function
Slog() to replace the "revision", Revision pair with "revision", GetRevision()
(retain other fields unchanged).

[dongjiang1989]

LGTM