Skip to content

fix(deps): vuln major upgrades — 32 packages (major: 1 · minor: 29 · patch: 2) #429

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into
mainfrom
engraver-auto-version-upgrade/major/go/0-1781532169
Draft

fix(deps): vuln major upgrades — 32 packages (major: 1 · minor: 29 · patch: 2) #429
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into
mainfrom
engraver-auto-version-upgrade/major/go/0-1781532169

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 34 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk v1.39.0 v1.44.0 minor Transitive 4 HIGH
github.com/docker/compose/v2 v2.40.2 v5.1.4 major Direct 3 HIGH
github.com/containerd/containerd/v2 v2.1.5 v2.3.1 minor Transitive 1 HIGH
go.opentelemetry.io/otel v1.39.0 v1.44.0 minor Transitive 1 HIGH
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 v1.44.0 minor Transitive 2 MEDIUM
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 v1.44.0 minor Transitive 2 MEDIUM
github.com/compose-spec/compose-go/v2 v2.9.0 v2.11.0 minor Direct -
github.com/containerd/containerd/api v1.9.0 v1.11.1 minor Transitive -
github.com/containerd/typeurl/v2 v2.2.3 v2.3.0 minor Transitive -
github.com/felixge/httpsnoop v1.0.4 v1.1.0 minor Transitive -
github.com/go-viper/mapstructure/v2 v2.4.0 v2.5.0 minor Transitive -
github.com/golang-jwt/jwt/v5 v5.2.3 v5.3.1 minor Transitive -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 v2.29.0 minor Transitive -
github.com/hashicorp/go-version v1.7.0 v1.9.0 minor Transitive -
github.com/morikuni/aec v1.0.0 v1.1.0 minor Transitive -
github.com/pelletier/go-toml/v2 v2.2.4 v2.3.1 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/metric v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/sdk/metric v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/trace v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/proto/otlp v1.7.1 v1.10.0 minor Transitive -
golang.org/x/crypto v0.46.0 v0.53.0 minor Transitive 13 UNKNOWN
golang.org/x/net v0.48.0 v0.56.0 minor Transitive 7 UNKNOWN
golang.org/x/sync v0.19.0 v0.21.0 minor Transitive -
golang.org/x/sys v0.39.0 v0.46.0 minor Transitive 1 UNKNOWN
golang.org/x/term v0.38.0 v0.44.0 minor Transitive -
golang.org/x/text v0.32.0 v0.38.0 minor Transitive -
golang.org/x/time v0.12.0 v0.15.0 minor Transitive -
google.golang.org/grpc v1.79.3 v1.81.1 minor Direct -
tags.cncf.io/container-device-interface v1.0.1 v1.1.0 minor Transitive -
github.com/compose-spec/compose-go/v2 v2.9.0 v2.9.1 patch Direct -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 v2.27.8 patch Transitive -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (9 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/containerd/containerd/v2 GHSA-fqw6-gf59-qr4w HIGH containerd user ID handling bypass allows runAsNonRoot evasion v2.1.5 2.0.9
github.com/docker/compose/v2 GO-2026-4610 high Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli v2.40.2 -
github.com/docker/compose/v2 CVE-2025-15558 high - v2.40.2 -
github.com/docker/compose/v2 GHSA-p436-gjf2-799p HIGH Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows v2.40.2 -
go.opentelemetry.io/otel GHSA-mh2q-q3fh-2475 HIGH OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) v1.39.0 1.41.0
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk GO-2026-4394 HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 HIGH OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 -
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp GO-2026-4985 MODERATE Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp v1.35.0 1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp GHSA-w8rr-5gcm-pp58 MODERATE opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies v1.35.0 1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp GO-2026-4985 MODERATE Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp v1.35.0 1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp GHSA-w8rr-5gcm-pp58 MODERATE opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies v1.35.0 1.43.0
golang.org/x/crypto GO-2026-5016 unknown Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5017 unknown Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5005 unknown Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5013 unknown Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5021 unknown Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5023 unknown Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5033 unknown Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5006 unknown Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5014 unknown Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5019 unknown Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5020 unknown Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5015 unknown Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/crypto GO-2026-5018 unknown Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.46.0 0.52.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.48.0 0.55.0
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.48.0 0.53.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.39.0 0.44.0
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
github.com/morikuni/aec v1.0.0 - v1.1.0 go.mod

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official

This comment has been minimized.

@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Auto-rebase complete

Branch is up to date with main — rebased onto e7ac468.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-6354d5 dd-octo-sts-6354d5 Bot force-pushed the engraver-auto-version-upgrade/major/go/0-1781532169 branch from 9068538 to cd29b06 Compare June 16, 2026 12:09
dd-octo-sts-98cdbc Bot and others added 2 commits July 7, 2026 12:11
…: 2)

Co-authored-by: dd-octo-sts-6354d5[bot] <266798271+dd-octo-sts-6354d5[bot]@users.noreply.github.com>
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@dd-octo-sts-98cdbc dd-octo-sts-98cdbc Bot force-pushed the engraver-auto-version-upgrade/major/go/0-1781532169 branch from cd29b06 to 906346a Compare July 7, 2026 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants