[TT-16932] CVE-2026-39883 Fix #8081
+22
−22
Merged
probelabs / Visor: security
succeeded
Apr 17, 2026 in 39s
✅ Check Passed (Warnings Found)
security check passed. Found 1 warning, but fail_if condition was not met.
Details
📊 Summary
- Total Issues: 1
- Warning Issues: 1
🔍 Failure Condition Results
Passed Conditions
- global_fail_if: Condition passed
Issues by Category
Security (1)
⚠️ go.mod:575 - The `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` package is explicitly pinned to an older version `v0.49.0` using a `replace` directive, while newer versions up to `v0.60.0` are available in the dependency tree. While version `v0.49.0` is patched for known vulnerabilities (e.g., CVE-2024-28180), this pinning prevents the project from receiving future security patches and bug fixes for this package, creating a potential security risk.
Powered by Visor from Probelabs
Annotations
Check warning on line 575 in go.mod
probelabs / Visor: security
security Issue
The `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` package is explicitly pinned to an older version `v0.49.0` using a `replace` directive, while newer versions up to `v0.60.0` are available in the dependency tree. While version `v0.49.0` is patched for known vulnerabilities (e.g., CVE-2024-28180), this pinning prevents the project from receiving future security patches and bug fixes for this package, creating a potential security risk.
Raw output
It is recommended to update the application code to be compatible with the latest version of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` and remove the `replace` directive. If the pin is required to avoid breaking changes, a comment should be added to the `go.mod` file explaining the reason for the pin and a ticket should be created to address the required refactoring.