Skip to content

fix(deps): vuln major upgrades — 21 packages (major: 1 · minor: 16 · patch: 4) #1099

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783384953
Draft

fix(deps): vuln major upgrades — 21 packages (major: 1 · minor: 16 · patch: 4) #1099
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/go/0-1783384953

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 25 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/crypto v0.50.0 v0.53.0 minor Transitive 14 CRITICAL, 4 HIGH, 8 MEDIUM
github.com/containerd/containerd v1.7.30 v2.3.2 major Direct 8 HIGH, 4 MEDIUM
golang.org/x/net v0.53.0 v0.56.0 minor Transitive 2 MEDIUM, 5 UNKNOWN
k8s.io/api v0.35.2 v0.36.2 unstable Direct -
k8s.io/apimachinery v0.35.2 v0.36.2 unstable Direct -
k8s.io/client-go v0.35.2 v0.36.2 unstable Direct -
github.com/felixge/httpsnoop v1.0.4 v1.1.0 minor Transitive -
github.com/fsnotify/fsnotify v1.9.0 v1.10.1 minor Direct -
github.com/klauspost/compress v1.18.6 v1.19.0 minor Transitive -
github.com/opencontainers/runtime-spec v1.1.0 v1.3.0 minor Transitive -
github.com/pelletier/go-toml/v2 v2.3.1 v2.4.3 minor Transitive -
go.opentelemetry.io/otel v1.43.0 v1.44.0 minor Direct -
go.opentelemetry.io/otel/metric v1.43.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/trace v1.43.0 v1.44.0 minor Direct -
golang.org/x/mod v0.36.0 v0.37.0 minor Transitive -
golang.org/x/sync v0.20.0 v0.21.0 minor Transitive -
golang.org/x/sys v0.43.0 v0.46.0 minor Direct 1 UNKNOWN
golang.org/x/term v0.42.0 v0.44.0 minor Transitive -
golang.org/x/text v0.37.0 v0.39.0 minor Transitive -
google.golang.org/grpc v1.80.0 v1.82.0 minor Direct -
k8s.io/klog/v2 v2.130.1 v2.140.0 minor Direct -
github.com/klauspost/compress v1.18.6 v1.18.7 patch Transitive -
k8s.io/api v0.35.2 v0.35.6 patch Direct -
k8s.io/apimachinery v0.35.2 v0.35.6 patch Direct -
k8s.io/client-go v0.35.2 v0.35.6 patch Direct -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (26 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GHSA-x527-x647-q7gg CRITICAL golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement v0.50.0 - View
golang.org/x/crypto GO-2026-5019 CRITICAL Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-rm3j-f69w-wqmq CRITICAL golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes v0.50.0 - View
golang.org/x/crypto GO-2026-5020 CRITICAL Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-jppx-rxg9-jmrx CRITICAL golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints v0.50.0 - View
golang.org/x/crypto GO-2026-5005 CRITICAL Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-f5wc-c3c7-36mc CRITICAL golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys v0.50.0 - View
golang.org/x/crypto GO-2026-5017 CRITICAL Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GO-2026-5006 CRITICAL Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-vgwf-h737-ff37 CRITICAL golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses v0.50.0 - View
golang.org/x/crypto GHSA-89gr-r52h-f8rx CRITICAL golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed v0.50.0 - View
golang.org/x/crypto GO-2026-5023 CRITICAL Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-5cgq-3rg8-m6cv CRITICAL golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @Revoked status v0.50.0 - View
golang.org/x/crypto GO-2026-5021 CRITICAL Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.50.0 0.52.0 View
github.com/containerd/containerd GO-2026-5758 HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull in github.com/containerd/containerd v1.7.30 1.7.33 View
github.com/containerd/containerd GHSA-rgh6-rfwx-v388 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore v1.7.30 - View
github.com/containerd/containerd GO-2026-5378 HIGH containerd user ID handling bypass allows runAsNonRoot evasion in github.com/containerd/containerd v1.7.30 1.7.32 View
github.com/containerd/containerd GO-2026-5622 HIGH Arbitrary host CRI log file read via symlink following in CRI checkpoint restore in github.com/containerd/containerd v1.7.30 - View
github.com/containerd/containerd GO-2026-5064 HIGH containerd CRI checkpoint restore CDI annotation smuggling in github.com/containerd/containerd v1.7.30 - View
github.com/containerd/containerd GHSA-33vj-92qq-66hc HIGH containerd CRI checkpoint restore CDI annotation smuggling v1.7.30 - View
github.com/containerd/containerd GHSA-xhf5-7wjv-pqxp HIGH containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull v1.7.30 1.7.33 View
github.com/containerd/containerd GHSA-fqw6-gf59-qr4w HIGH containerd user ID handling bypass allows runAsNonRoot evasion v1.7.30 1.7.32 View
golang.org/x/crypto GO-2026-5013 HIGH Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GO-2026-5018 HIGH Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-w879-237q-wc7r HIGH golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS v0.50.0 - View
golang.org/x/crypto GHSA-q4h4-gmj2-qvw2 HIGH golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic v0.50.0 - View
ℹ️ Other Vulnerabilities (20)
Package CVE Severity Summary Unsafe Version Fixed In Case
github.com/containerd/containerd GO-2026-5338 MODERATE containerd: CRI checkpoint import allows local image tag poisoning in github.com/containerd/containerd v1.7.30 - View
github.com/containerd/containerd GO-2026-5475 MODERATE containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd v1.7.30 1.7.33 View
github.com/containerd/containerd GHSA-cvxm-645q-p574 MODERATE containerd: CRI checkpoint import allows local image tag poisoning v1.7.30 - View
github.com/containerd/containerd GHSA-jpcc-p29g-p8mq MODERATE containerd image-triggered runtime DoS via unbounded group parsing v1.7.30 1.7.33 View
golang.org/x/crypto GO-2026-5016 MODERATE Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-78mq-xcr3-xm33 MODERATE golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow v0.50.0 - View
golang.org/x/crypto GO-2026-5033 MODERATE Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-9m57-25v3-79x9 MODERATE golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic v0.50.0 - View
golang.org/x/crypto GHSA-45gg-vh54-h5m9 MODERATE golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions v0.50.0 - View
golang.org/x/crypto GO-2026-5014 MODERATE Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GO-2026-5015 MODERATE Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.50.0 0.52.0 View
golang.org/x/crypto GHSA-qpw4-5x99-6vjp MODERATE golang.org/x/crypto/ssh: Invoking memory leak when rejecting channels can lead to DoS v0.50.0 - View
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.53.0 0.55.0 View
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.53.0 0.55.0 View
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.43.0 0.44.0 -
📅 Dependencies Nearing EOL (1)
Dependency Unsafe Version EOL Date New Version Path
github.com/opencontainers/runtime-spec v1.1.0 Jul 22, 2026 v1.3.0 go.mod

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 7, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 7 Pipeline jobs failed

CI | docker-build (injector)   View in Datadog   GitHub Actions

CI | docker-build (manager)   View in Datadog   GitHub Actions

CI | lint-and-format   View in Datadog   GitHub Actions

View all 7 failed jobs.

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: e12f848 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants