Skip to content

fix(deps): vuln unstable upgrades — 13 packages (unstable: 7 · minor: 6) #26

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/unstable/go/1-1776966293
Draft

fix(deps): vuln unstable upgrades — 13 packages (unstable: 7 · minor: 6) #26
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/unstable/go/1-1776966293

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 13 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.72.0 v1.80.0 minor Direct 3 CRITICAL
golang.org/x/net v0.40.0 v0.53.0 unstable Direct 2 MODERATE, 1 UNKNOWN
cloud.google.com/go/compute/metadata v0.6.0 v0.9.0 unstable Direct -
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 v0.68.0 unstable Direct -
golang.org/x/oauth2 v0.30.0 v0.36.0 unstable Direct -
golang.org/x/sync v0.14.0 v0.20.0 unstable Direct -
golang.org/x/time v0.11.0 v0.15.0 unstable Direct -
google.golang.org/api v0.232.0 v0.276.0 unstable Direct -
github.com/googleapis/gax-go/v2 v2.14.1 v2.22.0 minor Transitive -
go.opentelemetry.io/auto/sdk v1.1.0 v1.2.1 minor Transitive -
go.opentelemetry.io/otel v1.35.0 v1.43.0 minor Direct -
go.opentelemetry.io/otel/metric v1.35.0 v1.43.0 minor Direct -
go.opentelemetry.io/otel/trace v1.35.0 v1.43.0 minor Transitive -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GO-2026-4762 critical Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.72.0 1.79.3
google.golang.org/grpc CVE-2026-33186 critical gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.0 -
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.0 1.79.3
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.40.0 0.45.0
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.40.0 -
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.40.0 0.45.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants