VULN UPGRADE: major upgrades — 7 packages (unstable: 3 · minor: 2 · patch: 2)

[campaigner-prod]

Summary: High-severity security update — 7 packages upgraded (MAJOR changes included)

Manifests changed:

• . (go)

Updates

Package	From	To	Type	Vulnerabilities Fixed
golang.org/x/net	v0.25.0	v0.49.0	major	2 HIGH, 6 MODERATE, 1 UNKNOWN
github.com/hashicorp/go-retryablehttp	v0.7.6	v0.7.8	patch	1 MODERATE, 2 MEDIUM
github.com/hashicorp/vault/sdk	v0.12.0	v0.23.0	major	-
golang.org/x/time	v0.5.0	v0.14.0	major	-
github.com/hashicorp/vault/api	v1.14.0	v1.22.0	minor	-
github.com/stretchr/testify	v1.9.0	v1.11.1	minor	-
github.com/hashicorp/go-metrics	v0.5.3	v0.5.4	patch	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/net	GO-2024-3333	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.25.0	0.33.0
golang.org/x/net	GHSA-w32m-9786-jp63	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.25.0	-

ℹ️ Other Vulnerabilities (10)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/hashicorp/go-retryablehttp	GO-2024-2947	medium	Leak of sensitive information to log files in github.com/hashicorp/go-retryablehttp	v0.7.6	0.7.7
github.com/hashicorp/go-retryablehttp	CVE-2024-6104	medium	-	v0.7.6	-
github.com/hashicorp/go-retryablehttp	GHSA-v6v8-xj6m-xwqh	MODERATE	go-retryablehttp can leak basic auth credentials to log files	v0.7.6	0.7.7
golang.org/x/net	GHSA-vvgc-356p-c3xw	MODERATE	golang.org/x/net vulnerable to Cross-site Scripting	v0.25.0	0.38.0
golang.org/x/net	GO-2025-3595	MODERATE	Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net	v0.25.0	0.38.0
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.25.0	0.45.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.25.0	-
golang.org/x/net	GHSA-qxp5-gwg8-xv66	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.25.0	0.36.0
golang.org/x/net	GO-2025-3503	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.25.0	0.36.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.25.0	0.45.0

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System