
fix(deps): vuln minor upgrades — 15 packages (minor: 6 · patch: 9) #27

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/2-1776966293

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | v5.16.0 | v5.16.5 | patch | Direct | 5 MODERATE, 2 MEDIUM, 3 LOW |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.35.0 | v1.43.0 | minor | Direct | 1 MODERATE |
| cloud.google.com/go/bigquery | v1.67.0 | v1.76.0 | minor | Direct | - |
| github.com/bradleyfalzon/ghinstallation/v2 | v2.15.0 | v2.18.0 | minor | Direct | - |
| github.com/chainguard-dev/clog | v1.7.0 | v1.8.0 | minor | Direct | - |
| github.com/coreos/go-oidc/v3 | v3.14.1 | v3.18.0 | minor | Direct | - |
| github.com/prometheus/client_golang | v1.22.0 | v1.23.2 | minor | Direct | - |
| chainguard.dev/go-grpc-kit | v0.17.10 | v0.17.17 | patch | Direct | - |
| chainguard.dev/sdk | v0.1.32 | v0.1.53 | patch | Direct | - |
| cloud.google.com/go/profiler | v0.4.2 | v0.4.3 | patch | Direct | - |
| github.com/cloudevents/sdk-go/v2 | v2.16.0 | v2.16.2 | patch | Direct | - |
| github.com/cloudflare/circl | v1.6.1 | v1.6.3 | patch | Transitive | 3 LOW |
| github.com/shirou/gopsutil/v4 | v4.25.4 | v4.25.12 | patch | Direct | - |
| github.com/snabb/httpreaderat | v1.0.1 | v1.0.3 | patch | Direct | - |
| google.golang.org/protobuf | v1.36.6 | v1.36.11 | patch | Direct | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

ℹ️ Other Vulnerabilities (14)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4910 | medium | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | medium | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.0 | - |
| github.com/go-git/go-git/v5 | GO-2026-4473 | MODERATE | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.16.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.16.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.16.0 | - |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.16.0 | 5.18.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.35.0 | 1.43.0 |
| github.com/cloudflare/circl | GO-2026-4550 | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl | v1.6.1 | 1.6.3 |
| github.com/cloudflare/circl | CVE-2026-1229 | LOW | - | v1.6.1 | - |
| github.com/cloudflare/circl | GHSA-q9hv-hpm4-hj6x | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult | v1.6.1 | 1.6.3 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | low | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | low | go-git: Missing validation decoding Index v4 files leads to panic | v5.16.0 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.16.0 | 5.17.1 |

⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/snabb/httpreaderat | v1.0.1 | - | v1.0.3 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System
