
fix(deps): vuln minor upgrades — 15 packages (minor: 2 · patch: 13) #2926

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/0-1776958158

Conversation

@gh-worker-campaigns-3e9aa4
Contributor

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| github.com/moby/spdystream | v0.5.0 | v0.5.1 | patch | Transitive | 1 HIGH |
| github.com/nwaples/rardecode | v1.1.0 | v1.1.3 | patch | Transitive | 3 MODERATE |
| github.com/ulikunitz/xz | v0.5.14 | v0.5.15 | patch | Transitive | 1 MODERATE, 2 MEDIUM |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.33.0 | v1.43.0 | minor | Transitive | 1 MODERATE |
| helm.sh/helm/v3 | v3.18.5 | v3.20.2 | minor | Direct | 1 MODERATE |
| github.com/aws/aws-sdk-go-v2 | v1.41.1 | v1.41.6 | patch | Direct | - |
| github.com/aws/aws-sdk-go-v2/config | v1.32.7 | v1.32.16 | patch | Direct | - |
| github.com/aws/aws-sdk-go-v2/service/iam | v1.53.2 | v1.53.8 | patch | Direct | - |
| github.com/aws/aws-sdk-go-v2/service/sts | v1.41.6 | v1.41.10 | patch | Direct | - |
| github.com/aws/smithy-go | v1.24.0 | v1.24.3 | patch | Direct | - |
| github.com/hashicorp/go-retryablehttp | v0.7.7 | v0.7.8 | patch | Direct | - |
| github.com/mattn/go-runewidth | v0.0.17 | v0.0.23 | patch | Direct | - |
| k8s.io/api | v0.35.3 | v0.35.4 | patch | Direct | - |
| k8s.io/apiextensions-apiserver | v0.35.1 | v0.35.4 | patch | Direct | - |
| k8s.io/apimachinery | v0.35.3 | v0.35.4 | patch | Direct | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (1 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/moby/spdystream | GHSA-pc3f-x583-g7j2 | HIGH | SpdyStream: DOS on CRI | v0.5.0 | 0.5.1 |

ℹ️ Other Vulnerabilities (8)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/ulikunitz/xz | GO-2025-3922 | medium | Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz | v0.5.14 | 0.5.15 |
| github.com/ulikunitz/xz | CVE-2025-58058 | medium | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | - |
| github.com/nwaples/rardecode | GHSA-rwvp-r38j-9rgg | MODERATE | rardecode: DoS risk due to unrestricted RAR dictionary sizes | v1.1.0 | - |
| github.com/nwaples/rardecode | CVE-2025-11579 | MODERATE | - | v1.1.0 | - |
| github.com/nwaples/rardecode | GO-2025-4020 | MODERATE | DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode | v1.1.0 | - |
| github.com/ulikunitz/xz | GHSA-jc7w-c686-c4v9 | MODERATE | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | 0.5.15 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.33.0 | 1.43.0 |
| helm.sh/helm/v3 | GHSA-hr2v-4r36-88hr | MODERATE | Helm Chart extraction output directory collapse via Chart.yaml name dot-segment | v3.18.5 | 3.20.2 |

⚠️ Dependencies that have Reached EOL (1)

| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/nwaples/rardecode | v1.1.0 | - | v1.1.3 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
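The OTLP advisory in the table above (GHSA-w8rr-5gcm-pp58) is about an exporter buffering whatever the collector sends back. The Go program below is an added example, not the page's, the project's, or opentelemetry-go's own code: it puts the unbounded `io.ReadAll` pattern next to a capped read, runs both against a constructed hostile endpoint that streams 4 MiB of filler, and reports how much each strategy held in memory. The server, the 64 KiB cap and the function names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when a response body exceeds the configured cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// readBodyUnbounded is the vulnerable pattern: the whole body is buffered
// regardless of size, so a hostile or broken endpoint can make the client
// allocate as much memory as the endpoint cares to send.
func readBodyUnbounded(resp *http.Response) ([]byte, error) {
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// readBodyBounded buffers at most maxBytes and fails closed when the server
// sends more. Reading one byte past the cap distinguishes "exactly maxBytes"
// from "too large" without trusting the Content-Length header.
func readBodyBounded(resp *http.Response, maxBytes int64) ([]byte, error) {
	defer resp.Body.Close()
	buf, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

// newOversizedServer is a constructed stand-in for a hostile collector
// endpoint: it ignores the request and streams bodyBytes of filler back.
func newOversizedServer(bodyBytes int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		chunk := make([]byte, 64*1024)
		for sent := 0; sent < bodyBytes; {
			n := len(chunk)
			if remaining := bodyBytes - sent; remaining < n {
				n = remaining
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // the client hung up; stop streaming
			}
			sent += n
		}
	}))
}

// compareStrategies posts a constructed export payload to the hostile server
// once per strategy and reports how many body bytes each ended up buffering.
// A bounded read that trips the cap reports 0 bytes and ErrResponseTooLarge.
func compareStrategies(serverBody int, maxBytes int64) (unbounded, bounded int, boundedErr error) {
	srv := newOversizedServer(serverBody)
	defer srv.Close()

	resp, err := http.Post(srv.URL, "application/x-protobuf", strings.NewReader("constructed-payload"))
	if err != nil {
		return 0, 0, err
	}
	body, err := readBodyUnbounded(resp)
	if err != nil {
		return 0, 0, err
	}
	unbounded = len(body)

	resp, err = http.Post(srv.URL, "application/x-protobuf", strings.NewReader("constructed-payload"))
	if err != nil {
		return unbounded, 0, err
	}
	body, boundedErr = readBodyBounded(resp, maxBytes)
	return unbounded, len(body), boundedErr
}

func main() {
	u, b, err := compareStrategies(4<<20, 64<<10)
	fmt.Printf("unbounded buffered %d bytes; bounded buffered %d bytes (err: %v)\n", u, b, err)
}
```

The cap is applied to the stream itself rather than to `Content-Length`, because a chunked or lying endpoint controls that header; closing an unread body also makes the transport drop the connection, so the hostile server's writes fail instead of being absorbed.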
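The Helm advisory in the table above (GHSA-hr2v-4r36-88hr) describes a Chart.yaml name that is a dot-segment collapsing the extraction output directory. As an added example, not the page's or Helm's own code, the Go below contrasts a naive `filepath.Join` of the chart name onto the base directory with a check that admits only a single plain path component and then re-verifies containment. The function names and the `/tmp/charts` base are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeChartName is returned for names that would collapse onto, or escape, the output directory.
var ErrUnsafeChartName = errors.New("unsafe chart name")

// naiveChartOutputDir is the vulnerable pattern: the name from Chart.yaml is
// joined straight onto the base directory. filepath.Join cleans the result,
// so a name of "." collapses onto base itself and ".." climbs out of it.
func naiveChartOutputDir(base, name string) string {
	return filepath.Join(base, name)
}

// safeChartOutputDir accepts only one plain path component and then checks
// that the joined path is a strict child of base. This is an assumed
// validation written for the example, not Helm's own fix.
func safeChartOutputDir(base, name string) (string, error) {
	switch {
	case name == "", name == ".", name == "..":
		return "", fmt.Errorf("%w: %q is empty or a dot segment", ErrUnsafeChartName, name)
	case strings.ContainsAny(name, `/\`), strings.ContainsRune(name, 0):
		return "", fmt.Errorf("%w: %q contains a path separator or NUL", ErrUnsafeChartName, name)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name)
	// Containment re-check: the path from base to target must be exactly the
	// single component we were given, never "." and never a ".." prefix.
	rel, err := filepath.Rel(absBase, target)
	if err != nil || rel != name {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrUnsafeChartName, name, absBase)
	}
	return target, nil
}

func main() {
	base := "/tmp/charts" // assumed extraction directory
	for _, name := range []string{"nginx", ".", "..", "../../etc"} {
		safe, err := safeChartOutputDir(base, name)
		fmt.Printf("name=%-12q naive=%-18s safe=%q err=%v\n", name, naiveChartOutputDir(base, name), safe, err)
	}
}
```

The separator check runs before the join on purpose: `filepath.Join` would happily accept `../../etc` and only the containment check would catch it, whereas rejecting separators up front also stops names that resolve inside base but to a nested path the caller never intended to create.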
