Skip to content

fix(deps): vuln minor upgrades — 4 packages (minor: 2 · patch: 2) #491

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1781555820
Draft

fix(deps): vuln minor upgrades — 4 packages (minor: 2 · patch: 2) #491
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1781555820

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Summary: Critical-severity security update — 4 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.79.0 v1.79.3 patch Direct 3 CRITICAL
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c v3.0.1 patch Transitive 3 HIGH
golang.org/x/net v0.48.0 v0.56.0 minor Transitive 7 UNKNOWN
golang.org/x/sys v0.39.0 v0.46.0 minor Transitive 1 UNKNOWN

Security Details

🚨 Critical & High Severity (6 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.79.0 1.79.3
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.79.0 -
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.79.0 1.79.3
gopkg.in/yaml.v3 GHSA-hp87-p4gw-j4gq HIGH gopkg.in/yaml.v3 Denial of Service v3.0.0-20200313102051-9f266ea9e77c 3.0.1
gopkg.in/yaml.v3 CVE-2022-28948 high - v3.0.0-20200313102051-9f266ea9e77c -
gopkg.in/yaml.v3 GO-2022-0603 high Panic in gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c 3.0.0-20220521103104-8f96da9f5d5e
ℹ️ Other Vulnerabilities (8)
Package CVE Severity Summary Unsafe Version Fixed In
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.48.0 0.53.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.48.0 0.55.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.48.0 0.55.0
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.39.0 0.44.0
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c - v3.0.1 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants