Skip to content

fix(deps): vuln minor upgrades — 4 packages (minor: 3 · patch: 1) #1097

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1782223504
Closed

fix(deps): vuln minor upgrades — 4 packages (minor: 3 · patch: 1) #1097
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1782223504

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 4 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
github.com/containerd/containerd v1.7.30 v1.7.33 patch Direct 2 HIGH, 1 MEDIUM
golang.org/x/crypto v0.50.0 v0.53.0 minor Transitive 13 UNKNOWN
golang.org/x/net v0.53.0 v0.56.0 minor Transitive 6 UNKNOWN
golang.org/x/sys v0.43.0 v0.46.0 minor Direct 1 UNKNOWN

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/containerd/containerd GHSA-fqw6-gf59-qr4w HIGH containerd user ID handling bypass allows runAsNonRoot evasion v1.7.30 1.7.32
github.com/containerd/containerd GHSA-xhf5-7wjv-pqxp HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull v1.7.30 1.7.33
ℹ️ Other Vulnerabilities (21)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/containerd/containerd GHSA-jpcc-p29g-p8mq MODERATE containerd image-triggered runtime DoS via unbounded group parsing v1.7.30 1.7.33
golang.org/x/crypto GO-2026-5016 unknown Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5018 unknown Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5020 unknown Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5023 unknown Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5005 unknown Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5006 unknown Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5017 unknown Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5014 unknown Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5015 unknown Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5013 unknown Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5021 unknown Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5033 unknown Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0
golang.org/x/crypto GO-2026-5019 unknown Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.50.0 0.52.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.53.0 0.55.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.53.0 0.55.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.53.0 0.55.0
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.53.0 0.55.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.53.0 0.55.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.53.0 0.55.0
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.43.0 0.44.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jun 23, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/chaos-controller | build:make   View in Datadog   GitLab

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 45.87% (+0.00%)

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4fa7f4a | Docs | Datadog PR Page | Give us feedback!

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot deleted the engraver-auto-version-upgrade/minorpatch/go/0-1782223504 branch July 7, 2026 00:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants