Skip to content

fix(deps): vuln major upgrades — 14 packages (major: 1 · minor: 12 · patch: 1) #132

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783415527
Draft

fix(deps): vuln major upgrades — 14 packages (major: 1 · minor: 12 · patch: 1) #132
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783415527

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/crypto v0.26.0 v0.53.0 minor Transitive 17 CRITICAL, 8 HIGH, 14 MEDIUM
google.golang.org/grpc v1.67.3 v1.82.0 minor Transitive 3 CRITICAL
github.com/containerd/containerd v1.7.20 v2.3.2 major Direct 9 HIGH, 10 MEDIUM
github.com/urfave/cli/v2 v2.27.2 v3.10.1 major Direct -
github.com/felixge/httpsnoop v1.0.4 v1.1.0 minor Transitive -
github.com/klauspost/compress v1.17.8 v1.19.0 minor Transitive -
github.com/prometheus/client_golang v1.19.1 v1.23.2 minor Transitive -
github.com/stretchr/testify v1.9.0 v1.11.1 minor Direct -
go.opentelemetry.io/otel v1.28.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/metric v1.28.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/trace v1.28.0 v1.44.0 minor Transitive -
golang.org/x/sync v0.11.0 v0.21.0 minor Direct -
golang.org/x/sys v0.30.0 v0.46.0 minor Transitive 1 UNKNOWN
google.golang.org/protobuf v1.34.2 v1.36.11 minor Transitive -
github.com/urfave/cli/v2 v2.27.2 v2.27.7 patch Direct -

⚠️ Constraint Violations Detected

The following version constraints in your dependency declarations will be violated by this update. This may cause build failures or require manual constraint updates:

Package Current Constraint Updated To
google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af v1.36.11

Action Required: Update your dependency constraints before merging this PR to avoid build failures.

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (37 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GO-2024-3321 critical Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto v0.26.0 0.31.0 -
golang.org/x/crypto GO-2026-5019 CRITICAL Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GO-2026-5017 CRITICAL Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-89gr-r52h-f8rx CRITICAL golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed v0.26.0 - -
golang.org/x/crypto GO-2026-5006 CRITICAL Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-jppx-rxg9-jmrx CRITICAL golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints v0.26.0 - -
golang.org/x/crypto GO-2026-5005 CRITICAL Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.26.0 0.52.0 -
golang.org/x/crypto CVE-2024-45337 critical - v0.26.0 - -
golang.org/x/crypto GHSA-f5wc-c3c7-36mc CRITICAL golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys v0.26.0 - -
golang.org/x/crypto GHSA-vgwf-h737-ff37 CRITICAL golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses v0.26.0 - -
golang.org/x/crypto GHSA-v778-237x-gjrc CRITICAL Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto v0.26.0 0.31.0 -
golang.org/x/crypto GO-2026-5020 CRITICAL Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-rm3j-f69w-wqmq CRITICAL golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes v0.26.0 - -
golang.org/x/crypto GO-2026-5021 CRITICAL Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-5cgq-3rg8-m6cv CRITICAL golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @Revoked status v0.26.0 - -
golang.org/x/crypto GO-2026-5023 CRITICAL Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-x527-x647-q7gg CRITICAL golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement v0.26.0 - -
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.67.3 - -
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.67.3 1.79.3 -
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.67.3 1.79.3 -
github.com/containerd/containerd GO-2026-5758 HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull in github.com/containerd/containerd v1.7.20 1.7.33 -
github.com/containerd/containerd GHSA-33vj-92qq-66hc HIGH containerd CRI checkpoint restore CDI annotation smuggling v1.7.20 - -
github.com/containerd/containerd GO-2026-5064 HIGH containerd CRI checkpoint restore CDI annotation smuggling in github.com/containerd/containerd v1.7.20 - -
github.com/containerd/containerd GO-2025-4100 high containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd v1.7.20 1.7.29 -
github.com/containerd/containerd GHSA-rgh6-rfwx-v388 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore v1.7.20 - -
github.com/containerd/containerd GO-2026-5622 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore in github.com/containerd/containerd v1.7.20 - -
github.com/containerd/containerd GHSA-xhf5-7wjv-pqxp HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull v1.7.20 1.7.33 -
github.com/containerd/containerd GHSA-pwhc-rpq9-4c8w HIGH containerd affected by a local privilege escalation via wide permissions on CRI directory v1.7.20 1.7.29 -
github.com/containerd/containerd CVE-2024-25621 high containerd affected by a local privilege escalation via wide permissions on CRI directory v1.7.20 - -
golang.org/x/crypto GO-2026-5013 HIGH Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-w879-237q-wc7r HIGH golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS v0.26.0 - -
golang.org/x/crypto GHSA-56w8-48fp-6mgv HIGH golang.org/x/crypto/ssh/agent has a potential denial of service v0.26.0 - -
golang.org/x/crypto GO-2025-3487 HIGH Potential denial of service in golang.org/x/crypto v0.26.0 0.35.0 -
golang.org/x/crypto GHSA-hcg3-q754-cr77 HIGH golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange v0.26.0 0.35.0 -
golang.org/x/crypto GO-2026-5018 HIGH Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-q4h4-gmj2-qvw2 HIGH golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic v0.26.0 - -
golang.org/x/crypto GO-2025-4116 HIGH Potential denial of service in golang.org/x/crypto/ssh/agent v0.26.0 0.43.0 -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In Case
github.com/containerd/containerd GO-2025-3528 medium containerd has an integer overflow in User ID handling in github.com/containerd/containerd v1.7.20 1.6.38 -
github.com/containerd/containerd CVE-2025-64329 medium containerd CRI server: Host memory exhaustion through Attach goroutine leak v1.7.20 - -
github.com/containerd/containerd GO-2025-4108 medium containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd v1.7.20 1.7.29 -
github.com/containerd/containerd CVE-2024-40635 medium containerd has an integer overflow in User ID handling v1.7.20 - -
golang.org/x/crypto GO-2025-4135 medium Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent v0.26.0 0.45.0 -
golang.org/x/crypto CVE-2025-47914 medium - v0.26.0 - -
github.com/containerd/containerd GO-2026-5475 MODERATE containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd v1.7.20 1.7.33 -
github.com/containerd/containerd GHSA-cvxm-645q-p574 MODERATE containerd: CRI checkpoint import allows local image tag poisoning v1.7.20 - -
github.com/containerd/containerd GHSA-m6hq-p25p-ffr2 MODERATE containerd CRI server: Host memory exhaustion through Attach goroutine leak v1.7.20 1.7.29 -
github.com/containerd/containerd GO-2026-5338 MODERATE containerd: CRI checkpoint import allows local image tag poisoning in github.com/containerd/containerd v1.7.20 - -
github.com/containerd/containerd GHSA-265r-hfxg-fhmg MODERATE containerd has an integer overflow in User ID handling v1.7.20 1.7.27 -
github.com/containerd/containerd GHSA-jpcc-p29g-p8mq MODERATE containerd image-triggered runtime DoS via unbounded group parsing v1.7.20 1.7.33 -
golang.org/x/crypto GHSA-f6x5-jh6r-wrfv MODERATE golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read v0.26.0 0.45.0 -
golang.org/x/crypto GO-2025-4134 MODERATE Unbounded memory consumption in golang.org/x/crypto/ssh v0.26.0 0.45.0 -
golang.org/x/crypto CVE-2025-58181 MODERATE - v0.26.0 - -
golang.org/x/crypto GO-2026-5015 MODERATE Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-78mq-xcr3-xm33 MODERATE golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow v0.26.0 - -
golang.org/x/crypto GHSA-j5w8-q4qc-rx2x MODERATE golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption v0.26.0 0.45.0 -
golang.org/x/crypto GO-2026-5014 MODERATE Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-45gg-vh54-h5m9 MODERATE golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions v0.26.0 - -
golang.org/x/crypto GO-2026-5016 MODERATE Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-qpw4-5x99-6vjp MODERATE golang.org/x/crypto/ssh: Invoking memory leak when rejecting channels can lead to DoS v0.26.0 - -
golang.org/x/crypto GO-2026-5033 MODERATE Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.26.0 0.52.0 -
golang.org/x/crypto GHSA-9m57-25v3-79x9 MODERATE golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic v0.26.0 - -
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.30.0 0.44.0 -

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Update dependency constraints in your manifest files
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019f3cf8-cc9d-7ace-8311-6f8122f315e2_63, runID: 019f3cf8-e07c-7c8a-8b2a-78cfa704de49, initiatedEventID: 63, startedEventID: 64): custom action(s) failed and produced no changes: [Go Mod Tidy]


Auto-Rebase · Add no-auto-rebase to opt out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants