
fix(deps): vuln minor upgrades — 4 packages (minor: 1 · patch: 3) #9

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/go/0-1776960666

Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 4 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| gopkg.in/yaml.v2 | v2.2.2 | v2.2.8 | patch | Direct | 3 HIGH, 4 MODERATE, 2 MEDIUM |
| github.com/spf13/viper | v1.4.0 | v1.21.0 | minor | Direct | - |
| github.com/Masterminds/goutils | v1.1.0 | v1.1.1 | patch | Transitive | 3 LOW |
| github.com/spf13/cobra | v0.0.5 | v0.0.7 | patch | Direct | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (3 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| gopkg.in/yaml.v2 | GO-2022-0956 | high | Excessive resource consumption in gopkg.in/yaml.v2 | v2.2.2 | 2.2.4 |
| gopkg.in/yaml.v2 | CVE-2022-3064 | high | - | v2.2.2 | - |
| gopkg.in/yaml.v2 | GHSA-6q6q-88xp-6f2r | HIGH | yaml package for Go can consume excessive amounts of CPU or memory | v2.2.2 | 2.2.4 |

ℹ️ Other Vulnerabilities (9)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| gopkg.in/yaml.v2 | GO-2021-0061 | medium | Denial of service in gopkg.in/yaml.v2 | v2.2.2 | 2.2.3 |
| gopkg.in/yaml.v2 | CVE-2021-4235 | medium | - | v2.2.2 | - |
| gopkg.in/yaml.v2 | GHSA-wxc4-f4m6-wwqv | MODERATE | Excessive Platform Resource Consumption within a Loop in Kubernetes | v2.2.2 | 2.2.8 |
| gopkg.in/yaml.v2 | GO-2020-0036 | MODERATE | Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2 | v2.2.2 | 2.2.8 |
| gopkg.in/yaml.v2 | CVE-2019-11254 | MODERATE | - | v2.2.2 | - |
| gopkg.in/yaml.v2 | GHSA-r88r-gmrh-7j83 | MODERATE | YAML Go package vulnerable to denial of service | v2.2.2 | 2.2.3 |
| github.com/Masterminds/goutils | GHSA-xg2h-wx96-xgxr | LOW | RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be | v1.1.0 | 1.1.1 |
| github.com/Masterminds/goutils | CVE-2021-4238 | LOW | - | v1.1.0 | - |
| github.com/Masterminds/goutils | GO-2022-0411 | LOW | Insufficient randomness in github.com/Masterminds/goutils | v1.1.0 | 1.1.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
