fix(deps): vuln minor upgrades — 6 packages (minor: 5 · patch: 1) #30

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1778227348
Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.72.0 | v1.81.0 | minor | Direct | 3 CRITICAL |
| go.opentelemetry.io/otel/sdk | v1.35.0 | v1.43.0 | minor | Direct | 4 HIGH |
| github.com/go-jose/go-jose/v4 | v4.0.5 | v4.1.4 | minor | Transitive | 1 HIGH |
| github.com/go-git/go-git/v5 | v5.16.0 | v5.19.0 | minor | Direct | 5 MODERATE, 2 MEDIUM, 3 LOW |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.35.0 | v1.43.0 | minor | Direct | 1 MODERATE |
| github.com/cloudflare/circl | v1.6.1 | v1.6.3 | patch | Transitive | 3 LOW |

Security Details

🚨 Critical & High Severity (8 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.0 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | critical | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.0 | - |
| google.golang.org/grpc | GO-2026-4762 | critical | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.72.0 | 1.79.3 |
| github.com/go-jose/go-jose/v4 | GHSA-78h2-9frx-2jm8 | HIGH | Go JOSE Panics in JWE decryption | v4.0.5 | 4.1.4 |
| go.opentelemetry.io/otel/sdk | GHSA-hfvc-g4fc-pqhx | HIGH | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking | v1.35.0 | 1.43.0 |
| go.opentelemetry.io/otel/sdk | GHSA-9h8m-3fm2-qjrq | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking | v1.35.0 | 1.40.0 |
| go.opentelemetry.io/otel/sdk | CVE-2026-24051 | HIGH | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | v1.35.0 | - |
| go.opentelemetry.io/otel/sdk | GO-2026-4394 | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk | v1.35.0 | 1.40.0 |

ℹ️ Other Vulnerabilities (14)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4473 | medium | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.16.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | medium | go-git improperly verifies data integrity values for .idx and .pack files | v5.16.0 | - |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.16.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.16.0 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | GO-2026-4910 | MODERATE | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.0 | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.35.0 | 1.43.0 |
| github.com/cloudflare/circl | GHSA-q9hv-hpm4-hj6x | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult | v1.6.1 | 1.6.3 |
| github.com/cloudflare/circl | GO-2026-4550 | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl | v1.6.1 | 1.6.3 |
| github.com/cloudflare/circl | CVE-2026-1229 | LOW | - | v1.6.1 | - |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | low | go-git: Missing validation decoding Index v4 files leads to panic | v5.16.0 | - |
| github.com/go-git/go-git/v5 | GO-2026-4909 | low | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.16.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.16.0 | 5.17.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System