
fix(deps): vuln unstable upgrades — 11 packages (unstable: 3 · minor: 8) #132

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into main from engraver-auto-version-upgrade/unstable/go/1-1778227130

Conversation

@gh-worker-campaigns-3e9aa4 (Contributor)

Summary: High-severity security update — 11 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package                         | From    | To      | Type     | Dep Type   | Vulnerabilities Fixed
--------------------------------|---------|---------|----------|------------|----------------------
github.com/moby/buildkit        | v0.27.1 | v0.29.0 | unstable | Direct     | 6 HIGH
go.opentelemetry.io/otel        | v1.40.0 | v1.43.0 | minor    | Transitive | 1 HIGH
go.opentelemetry.io/otel/sdk    | v1.40.0 | v1.43.0 | minor    | Transitive | 1 HIGH
golang.org/x/net                | v0.50.0 | v0.53.0 | unstable | Direct     | 2 UNKNOWN
golang.org/x/text               | v0.34.0 | v0.36.0 | unstable | Direct     | -
github.com/ProtonMail/go-crypto | v1.3.0  | v1.4.1  | minor    | Transitive | -
github.com/aws/smithy-go        | v1.24.1 | v1.25.1 | minor    | Transitive | -
github.com/fsnotify/fsnotify    | v1.9.0  | v1.10.1 | minor    | Transitive | -
github.com/pelletier/go-toml/v2 | v2.2.4  | v2.3.1  | minor    | Transitive | -
go.opentelemetry.io/otel/metric | v1.40.0 | v1.43.0 | minor    | Transitive | -
go.opentelemetry.io/otel/trace  | v1.40.0 | v1.43.0 | minor    | Transitive | -

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (8 fixed)
Package                      | Advisory            | Severity | Summary                                                                                                  | Unsafe Version | Fixed In
-----------------------------|---------------------|----------|----------------------------------------------------------------------------------------------------------|----------------|---------
github.com/moby/buildkit     | GO-2026-4858        | HIGH     | BuildKit's Malicious frontend can cause file escape outside of storage root in github.com/moby/buildkit  | v0.27.1        | 0.28.1
github.com/moby/buildkit     | GHSA-4c29-8rgm-jvjj | HIGH     | BuildKit's Malicious frontend can cause file escape outside of storage root                              | v0.27.1        | 0.28.1
github.com/moby/buildkit     | CVE-2026-33747      | HIGH     | BuildKit vulnerable to malicious frontend causing file escape outside of storage root                    | v0.27.1        | -
github.com/moby/buildkit     | GHSA-4vrq-3vrq-g6gg | HIGH     | BuildKit Git URL subdir component can cause access to restricted files                                   | v0.27.1        | 0.28.1
github.com/moby/buildkit     | CVE-2026-33748      | HIGH     | BuildKit Git URL subdir component can cause access to restricted files                                   | v0.27.1        | -
github.com/moby/buildkit     | GO-2026-4859        | HIGH     | BuildKit Git URL subdir component can cause access to restricted files in github.com/moby/buildkit       | v0.27.1        | 0.28.1
go.opentelemetry.io/otel     | GHSA-mh2q-q3fh-2475 | HIGH     | OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote DoS amplification) | v1.40.0 | 1.41.0
go.opentelemetry.io/otel/sdk | GHSA-hfvc-g4fc-pqhx | HIGH     | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking                        | v1.40.0        | 1.43.0
ℹ️ Other Vulnerabilities (2)
Package          | Advisory     | Severity | Summary                                                                                                             | Unsafe Version | Fixed In
-----------------|--------------|----------|---------------------------------------------------------------------------------------------------------------------|----------------|---------
golang.org/x/net | GO-2026-4918 | UNKNOWN  | Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net | v0.50.0     | 0.53.0
golang.org/x/net | GO-2026-4559 | UNKNOWN  | Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net                                        | v0.50.0        | 0.51.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
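
A check a reviewer can run before approving: parse the PR branch's go.mod and confirm every module in the advisory table is at or above its Fixed In version. This is an added example, not the bot's comment, not Datadog's tooling and not this repository's code. The go.mod excerpt is constructed to mirror the To column of the table, the fixedIn map is copied from the Fixed In column (rows with "-" are skipped, and for golang.org/x/net the higher of 0.51.0 and 0.53.0 is used), and the version comparison is a simplified semver that drops build metadata and "+incompatible" and orders any pre-release below its release.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum "Fixed In" versions from the advisory table above; "-" rows are skipped
// and for x/net (0.51.0, 0.53.0) the higher one must be met.
var fixedIn = map[string]string{
	"github.com/moby/buildkit":     "0.28.1",
	"go.opentelemetry.io/otel":     "1.41.0",
	"go.opentelemetry.io/otel/sdk": "1.43.0",
	"golang.org/x/net":             "0.53.0",
}

// Constructed go.mod excerpt mirroring the PR's "To" column (not the real file).
const goModAfter = `module example.com/app
require (
	github.com/moby/buildkit v0.29.0
	golang.org/x/net v0.53.0
	golang.org/x/text v0.36.0
	go.opentelemetry.io/otel v1.43.0 // indirect
	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
)
require github.com/fsnotify/fsnotify v1.10.1 // indirect
`

// parseRequires maps module path -> version for each require directive (inline or
// block form). replace/exclude directives are ignored: a replace pinning an older fork would slip past this check.
func parseRequires(goMod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch f := strings.Fields(line); {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case !inBlock && len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		}
	}
	return out
}

// compareVersions: optional "v" prefix, build metadata and "+incompatible" ignored,
// a pre-release sorts below its release (so v0.29.0-rc1 < 0.29.0).
func compareVersions(a, b string) int {
	split := func(v string) (n [3]int, pre string) {
		pre = "~" // '~' sorts after every pre-release tag, so a release outranks them
		v = strings.TrimPrefix(v, "v")
		if i := strings.Index(v, "+"); i >= 0 {
			v = v[:i]
		}
		if i := strings.Index(v, "-"); i >= 0 {
			v, pre = v[:i], v[i+1:]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	an, ap := split(a)
	bn, bp := split(b)
	for i := range an {
		if an[i] < bn[i] {
			return -1
		} else if an[i] > bn[i] {
			return 1
		}
	}
	return strings.Compare(ap, bp) // lexical; enough for rc1 < rc2 style tags
}

// unfixedModules lists modules absent from the go.mod or still below their fixed version.
func unfixedModules(goMod string, fixes map[string]string) []string {
	have := parseRequires(goMod)
	bad := []string{}
	for mod, need := range fixes {
		if v, ok := have[mod]; !ok || compareVersions(v, need) < 0 {
			bad = append(bad, mod)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	fmt.Println("modules still below their fixed version:", unfixedModules(goModAfter, fixedIn))
}
```

Run as-is and the list is empty; swap the constructed golang.org/x/net line to v0.52.0 and unfixedModules reports golang.org/x/net. Two caveats for a real review: the check reads only require directives, so a replace directive or a vendored copy could still pin an older version, and the Fixed In column is "-" for the CVE-numbered buildkit rows, so those cannot be confirmed by version alone. Against the actual PR branch, govulncheck ./... is the authoritative check because it also tells you whether the vulnerable code is reachable. Separately, github.com/moby/buildkit is a v0 module, so the v0.27.1 to v0.29.0 bump the table labels unstable is permitted to change its API; that is what the "check for breaking changes" item in the checklist below is for.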

@gh-worker-campaigns-3e9aa4 (Contributor, Author) Bot commented May 8, 2026

Auto-rebase complete

Branch is up to date with main — rebased onto e49e331.


Auto-Rebase · Add no-auto-rebase to opt out

dd-octo-sts-c33ac5 Bot force-pushed the engraver-auto-version-upgrade/unstable/go/1-1778227130 branch from ccb94a3 to 8d9d616 on May 8, 2026 13:07
dd-octo-sts-6cbbf8 Bot force-pushed the engraver-auto-version-upgrade/unstable/go/1-1778227130 branch 2 times, most recently from 2ecd1ea to 3d65fb0 on May 13, 2026 12:24
dd-octo-sts-b8cf80 Bot and others added 2 commits on May 18, 2026 12:47
Co-authored-by: dd-octo-sts-6cbbf8[bot] <256648585+dd-octo-sts-6cbbf8[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-6cbbf8[bot] <256648585+dd-octo-sts-6cbbf8[bot]@users.noreply.github.com>
dd-octo-sts-b8cf80 Bot force-pushed the engraver-auto-version-upgrade/unstable/go/1-1778227130 branch from 3d65fb0 to 8d3c3b1 on May 18, 2026 12:47