
VULN UPGRADE: minor upgrades — 20 packages (minor: 9 · patch: 11) #13

Closed
campaigner-prod[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1771016623
Closed


Conversation

@campaigner-prod

Summary: Security update — 20 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| github.com/sigstore/cosign/v2 | v2.2.4 | v2.6.2 | minor | 3 MODERATE |
| github.com/go-git/go-git/v5 | v5.13.0 | v5.16.4 | minor | 2 MODERATE |
| github.com/sigstore/sigstore | v1.9.4 | v1.10.4 | minor | 2 MODERATE |
| github.com/alecthomas/kong | v1.4.0 | v1.14.0 | minor | - |
| github.com/aws/smithy-go | v1.20.2 | v1.24.0 | minor | - |
| github.com/emicklei/dot | v1.8.0 | v1.10.0 | minor | - |
| github.com/go-git/go-billy/v5 | v5.6.2 | v5.7.0 | minor | - |
| github.com/prometheus/client_golang | v1.22.0 | v1.23.2 | minor | - |
| github.com/spf13/afero | v1.12.0 | v1.15.0 | minor | - |
| github.com/google/go-containerregistry | v0.20.6 | v0.20.7 | patch | - |
| github.com/sirupsen/logrus | v1.9.3 | v1.9.4 | patch | - |
| k8s.io/api | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/apiextensions-apiserver | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/apimachinery | v0.34.1 | v0.34.4 | patch | - |
| k8s.io/apiserver | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/cli-runtime | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/client-go | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/kubectl | v0.34.1 | v0.34.3 | patch | - |
| k8s.io/metrics | v0.34.1 | v0.34.3 | patch | - |
| sigs.k8s.io/controller-runtime | v0.22.2 | v0.22.5 | patch | - |

Packages marked with "-" are updated due to dependency constraints.
Security Details

ℹ️ Other Vulnerabilities (7)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.0 | - |
| github.com/sigstore/cosign/v2 | GHSA-whqx-f9j3-ch6m | MODERATE | Cosign verification accepts any valid Rekor entry under certain conditions | v2.2.4 | 2.6.2 |
| github.com/sigstore/cosign/v2 | CVE-2026-22703 | MODERATE | Cosign verification accepts any valid Rekor entry under certain conditions | v2.2.4 | - |
| github.com/sigstore/cosign/v2 | GO-2026-4309 | MODERATE | Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign | v2.2.4 | 2.6.2 |
| github.com/sigstore/sigstore | GHSA-fcv2-xgw5-pqxf | MODERATE | sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | v1.9.4 | 1.10.4 |
| github.com/sigstore/sigstore | CVE-2026-24137 | MODERATE | sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | v1.9.4 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System
