Skip to content

fix(deps): vuln minor: github.com/jackc/pgx/v5, go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk [sticker-award]#258

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/sticker-award/0-1778178778
Closed

fix(deps): vuln minor: github.com/jackc/pgx/v5, go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk [sticker-award]#258
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/sticker-award/0-1778178778

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

  • sticker-award (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
github.com/jackc/pgx/v5 v5.7.5 v5.9.2 minor Transitive 4 CRITICAL, 1 LOW
go.opentelemetry.io/otel/sdk v1.38.0 v1.43.0 minor Transitive 4 HIGH
go.opentelemetry.io/otel v1.38.0 v1.43.0 minor Transitive 1 HIGH

Security Details

🚨 Critical & High Severity (9 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/jackc/pgx/v5 GO-2026-4771 CRITICAL CVE-2026-33815 in github.com/jackc/pgx v5.7.5 5.9.0
github.com/jackc/pgx/v5 GHSA-xgrm-4fwx-7qm8 CRITICAL pgx contains memory-safety vulnerability v5.7.5 -
github.com/jackc/pgx/v5 GO-2026-4772 CRITICAL CVE-2026-33816 in github.com/jackc/pgx v5.7.5 5.9.0
github.com/jackc/pgx/v5 GHSA-9jj7-4m8r-rfcm CRITICAL Memory-safety vulnerability in github.com/jackc/pgx/v5. v5.7.5 5.9.0
go.opentelemetry.io/otel GHSA-mh2q-q3fh-2475 HIGH OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) v1.38.0 1.41.0
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.38.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 HIGH OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.38.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.38.0 1.40.0
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.38.0 1.43.0
ℹ️ Other Vulnerabilities (1)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/jackc/pgx/v5 GHSA-j88v-2chj-qfwx LOW pgx: SQL Injection via placeholder confusion with dollar quoted string literals v5.7.5 5.9.2

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants