
fix(deps): vuln major upgrades — 15 packages (major: 1 · minor: 14) #1832

Closed

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/major/go/0-1776966878

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 15 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.71.1 | v1.80.0 | minor | Transitive | 3 CRITICAL |
| github.com/go-git/go-git/v5 | v5.13.1 | v5.18.0 | minor | Transitive | 5 MODERATE, 2 MEDIUM, 3 LOW |
| github.com/pulumi/pulumi-gcp/sdk/v7 | v7.38.0 | v9.20.0 | major | Direct | - |
| github.com/ProtonMail/go-crypto | v1.1.3 | v1.4.1 | minor | Transitive | - |
| github.com/go-git/go-billy/v5 | v5.6.1 | v5.8.0 | minor | Transitive | - |
| github.com/hashicorp/hcl/v2 | v2.22.0 | v2.24.0 | minor | Transitive | - |
| github.com/kevinburke/ssh_config | v1.2.0 | v1.6.0 | minor | Transitive | - |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | v1.4.0 | minor | Transitive | - |
| github.com/pulumi/pulumi/sdk/v3 | v3.190.0 | v3.231.0 | minor | Direct | - |
| github.com/rogpeppe/go-internal | v1.13.1 | v1.14.1 | minor | Transitive | - |
| github.com/sergi/go-diff | v1.3.2-0.20230802210424-5b0b94c5c0d3 | v1.4.0 | minor | Transitive | - |
| github.com/spf13/cast | v1.6.0 | v1.10.0 | minor | Transitive | - |
| github.com/spf13/cobra | v1.8.0 | v1.10.2 | minor | Transitive | - |
| github.com/zclconf/go-cty | v1.14.4 | v1.18.1 | minor | Transitive | - |
| lukechampine.com/frand | v1.4.2 | v1.5.1 | minor | Transitive | - |

Packages marked with "-" are updated due to dependency constraints.


Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (3 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.71.1 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | critical | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.71.1 | - |
| google.golang.org/grpc | GO-2026-4762 | critical | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.71.1 | 1.79.3 |
ℹ️ Other Vulnerabilities (10)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4910 | medium | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.13.1 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | medium | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.1 | - |
| github.com/go-git/go-git/v5 | GO-2026-4473 | MODERATE | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.13.1 | 5.16.5 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.1 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.1 | - |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.13.1 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.1 | 5.17.1 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | LOW | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.13.1 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | LOW | go-git: Missing validation decoding Index v4 files leads to panic | v5.13.1 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.13.1 | 5.17.1 |
⚠️ Dependencies that have Reached EOL (3)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/kevinburke/ssh_config | v1.2.0 | - | v1.6.0 | go.mod |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | - | v1.4.0 | go.mod |
| lukechampine.com/frand | v1.4.2 | - | v1.5.1 | go.mod |

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System
