Skip to content

fix(deps): vuln minor upgrades — 9 packages (minor: 7 · patch: 2) #454

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1775072449
Draft

fix(deps): vuln minor upgrades — 9 packages (minor: 7 · patch: 2) #454
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1775072449

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 bot commented Apr 1, 2026

Summary: Critical-severity security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Vulnerabilities Fixed
google.golang.org/grpc v1.54.0 v1.79.3 minor 2 CRITICAL, 2 HIGH
google.golang.org/protobuf v1.30.0 v1.36.11 minor 2 MODERATE
github.com/confluentinc/confluent-kafka-go v1.4.0 v1.9.2 minor -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 v2.28.0 minor -
github.com/spf13/cobra v1.5.0 v1.10.2 minor -
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 v1.6.1 minor -
gopkg.in/DataDog/dd-trace-go.v1 v1.40.1 v1.74.8 minor -
github.com/go-zookeeper/zk v1.0.3 v1.0.4 patch -
github.com/stretchr/testify v1.8.2 v1.8.4 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.54.0 1.79.3
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.54.0 1.79.3
google.golang.org/grpc GHSA-m425-mq94-257g HIGH gRPC-Go HTTP/2 Rapid Reset vulnerability v1.54.0 1.56.3
google.golang.org/grpc GO-2023-2153 HIGH Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc v1.54.0 1.56.3
ℹ️ Other Vulnerabilities (2)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/protobuf GHSA-8r3f-844c-mc37 MODERATE Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON v1.30.0 1.33.0
google.golang.org/protobuf GO-2024-2611 MODERATE Infinite loop in JSON unmarshaling in google.golang.org/protobuf v1.30.0 1.33.0
⚠️ Dependencies that have Reached EOL (9)
Dependency Unsafe Version EOL Date New Version Path
github.com/confluentinc/confluent-kafka-go v1.4.0 - v1.9.2 go.mod
github.com/go-zookeeper/zk v1.0.3 Jul 22, 2025 v1.0.4 go.mod
github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 Feb 24, 2026 v2.28.0 go.mod
github.com/spf13/cobra v1.5.0 Jun 21, 2025 v1.10.2 go.mod
github.com/stretchr/testify v1.8.2 Feb 25, 2026 v1.8.4 go.mod
google.golang.org/grpc v1.54.0 Mar 21, 2026 v1.79.3 go.mod
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 Mar 1, 2026 v1.6.1 go.mod
google.golang.org/protobuf v1.30.0 Mar 16, 2026 v1.36.11 go.mod
gopkg.in/DataDog/dd-trace-go.v1 v1.40.1 Jul 19, 2025 v1.74.8 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants