Skip to content

fix(deps): vuln major upgrades — 33 packages (major: 1 · minor: 30 · patch: 2) #433

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783346669
Draft

fix(deps): vuln major upgrades — 33 packages (major: 1 · minor: 30 · patch: 2) #433
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783346669

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 35 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/crypto v0.46.0 v0.53.0 minor Transitive 14 CRITICAL, 4 HIGH, 8 MEDIUM
github.com/containerd/containerd/v2 v2.1.5 v2.3.2 minor Transitive 8 HIGH, 4 MEDIUM
go.opentelemetry.io/otel/sdk v1.39.0 v1.44.0 minor Transitive 4 HIGH
github.com/docker/compose/v2 v2.40.2 v5.3.0 major Direct 3 HIGH
go.opentelemetry.io/otel v1.39.0 v1.44.0 minor Transitive 1 HIGH
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 v1.44.0 minor Transitive 2 MEDIUM
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 v1.44.0 minor Transitive 2 MEDIUM
golang.org/x/net v0.48.0 v0.56.0 minor Transitive 2 MEDIUM, 6 UNKNOWN
github.com/compose-spec/compose-go/v2 v2.9.0 v2.13.0 minor Direct -
github.com/containerd/containerd/api v1.9.0 v1.11.1 minor Transitive -
github.com/containerd/typeurl/v2 v2.2.3 v2.3.0 minor Transitive -
github.com/felixge/httpsnoop v1.0.4 v1.1.0 minor Transitive -
github.com/go-viper/mapstructure/v2 v2.4.0 v2.5.0 minor Transitive -
github.com/golang-jwt/jwt/v5 v5.2.3 v5.3.1 minor Transitive -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 v2.29.0 minor Transitive -
github.com/hashicorp/go-version v1.7.0 v1.9.0 minor Transitive -
github.com/klauspost/compress v1.18.0 v1.19.0 minor Transitive -
github.com/morikuni/aec v1.0.0 v1.1.0 minor Transitive -
github.com/pelletier/go-toml/v2 v2.2.4 v2.4.2 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/metric v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/sdk/metric v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/trace v1.39.0 v1.44.0 minor Transitive -
go.opentelemetry.io/proto/otlp v1.7.1 v1.10.0 minor Transitive -
golang.org/x/sync v0.19.0 v0.21.0 minor Transitive -
golang.org/x/sys v0.39.0 v0.46.0 minor Transitive 1 UNKNOWN
golang.org/x/term v0.38.0 v0.44.0 minor Transitive -
golang.org/x/text v0.32.0 v0.38.0 minor Transitive -
golang.org/x/time v0.12.0 v0.15.0 minor Transitive -
google.golang.org/grpc v1.79.3 v1.82.0 minor Direct -
tags.cncf.io/container-device-interface v1.0.1 v1.1.0 minor Transitive -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 v2.27.8 patch Transitive -
github.com/klauspost/compress v1.18.0 v1.18.7 patch Transitive -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (34 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GO-2026-5019 CRITICAL Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-jppx-rxg9-jmrx CRITICAL golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints v0.46.0 - -
golang.org/x/crypto GO-2026-5005 CRITICAL Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-f5wc-c3c7-36mc CRITICAL golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys v0.46.0 - -
golang.org/x/crypto GO-2026-5006 CRITICAL Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-x527-x647-q7gg CRITICAL golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement v0.46.0 - -
golang.org/x/crypto GO-2026-5023 CRITICAL Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-5cgq-3rg8-m6cv CRITICAL golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @Revoked status v0.46.0 - -
golang.org/x/crypto GO-2026-5021 CRITICAL Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-rm3j-f69w-wqmq CRITICAL golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes v0.46.0 - -
golang.org/x/crypto GO-2026-5020 CRITICAL Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-vgwf-h737-ff37 CRITICAL golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses v0.46.0 - -
golang.org/x/crypto GO-2026-5017 CRITICAL Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-89gr-r52h-f8rx CRITICAL golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed v0.46.0 - -
github.com/containerd/containerd/v2 GHSA-fqw6-gf59-qr4w HIGH containerd user ID handling bypass allows runAsNonRoot evasion v2.1.5 2.0.9 -
github.com/containerd/containerd/v2 GO-2026-5378 HIGH containerd user ID handling bypass allows runAsNonRoot evasion in github.com/containerd/containerd v2.1.5 2.0.9 -
github.com/containerd/containerd/v2 GO-2026-5622 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore in github.com/containerd/containerd v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GHSA-rgh6-rfwx-v388 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GHSA-33vj-92qq-66hc HIGH containerd CRI checkpoint restore CDI annotation smuggling v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GO-2026-5064 HIGH containerd CRI checkpoint restore CDI annotation smuggling in github.com/containerd/containerd v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GHSA-xhf5-7wjv-pqxp HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull v2.1.5 2.0.10 -
github.com/containerd/containerd/v2 GO-2026-5758 HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull in github.com/containerd/containerd v2.1.5 2.0.10 -
github.com/docker/compose/v2 GO-2026-4610 high Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli v2.40.2 - -
github.com/docker/compose/v2 CVE-2025-15558 high - v2.40.2 - -
github.com/docker/compose/v2 GHSA-p436-gjf2-799p HIGH Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows v2.40.2 - -
go.opentelemetry.io/otel GHSA-mh2q-q3fh-2475 HIGH OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) v1.39.0 1.41.0 -
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0 -
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0 -
go.opentelemetry.io/otel/sdk CVE-2026-24051 HIGH OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 - -
golang.org/x/crypto GO-2026-5018 HIGH Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-q4h4-gmj2-qvw2 HIGH golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic v0.46.0 - -
golang.org/x/crypto GO-2026-5013 HIGH Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-w879-237q-wc7r HIGH golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS v0.46.0 - -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In Case
github.com/containerd/containerd/v2 GO-2026-5338 MODERATE containerd: CRI checkpoint import allows local image tag poisoning in github.com/containerd/containerd v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GO-2026-5475 MODERATE containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd v2.1.5 2.0.10 -
github.com/containerd/containerd/v2 GHSA-cvxm-645q-p574 MODERATE containerd: CRI checkpoint import allows local image tag poisoning v2.1.5 2.1.9 -
github.com/containerd/containerd/v2 GHSA-jpcc-p29g-p8mq MODERATE containerd image-triggered runtime DoS via unbounded group parsing v2.1.5 2.0.10 -
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp GO-2026-4985 MODERATE Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp v1.35.0 1.43.0 -
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp GHSA-w8rr-5gcm-pp58 MODERATE opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies v1.35.0 1.43.0 -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp GHSA-w8rr-5gcm-pp58 MODERATE opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies v1.35.0 1.43.0 -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp GO-2026-4985 MODERATE Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp v1.35.0 1.43.0 -
golang.org/x/crypto GO-2026-5033 MODERATE Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-45gg-vh54-h5m9 MODERATE golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions v0.46.0 - -
golang.org/x/crypto GO-2026-5014 MODERATE Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-9m57-25v3-79x9 MODERATE golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic v0.46.0 - -
golang.org/x/crypto GHSA-qpw4-5x99-6vjp MODERATE golang.org/x/crypto/ssh: Invoking memory leak when rejecting channels can lead to DoS v0.46.0 - -
golang.org/x/crypto GO-2026-5016 MODERATE Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GO-2026-5015 MODERATE Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.46.0 0.52.0 -
golang.org/x/crypto GHSA-78mq-xcr3-xm33 MODERATE golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow v0.46.0 - -
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.48.0 0.55.0 -
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.48.0 0.55.0 -
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0 -
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.48.0 0.55.0 -
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.48.0 0.55.0 -
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.48.0 0.53.0 -
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0 -
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.48.0 0.55.0 -
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.39.0 0.44.0 -
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
github.com/morikuni/aec v1.0.0 - v1.1.0 go.mod

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

dd-octo-sts-2c363b Bot and others added 2 commits July 7, 2026 12:11
…: 2)

Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor Author

Auto-rebase complete

Branch is up to date with main — rebased onto e7ac468.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-2c363b dd-octo-sts-2c363b Bot force-pushed the engraver-auto-version-upgrade/major/go/0-1783346669 branch from 9b4dbb5 to 2f08ed1 Compare July 7, 2026 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants