Skip to content

fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) #477

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1776942024
Draft

fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) #477
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1776942024

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.79.0 v1.79.3 patch Direct 3 CRITICAL
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c v3.0.1 patch Transitive 3 HIGH
github.com/DataDog/zstd v1.4.8 v1.5.7 minor Direct -
github.com/stretchr/testify v1.6.1 v1.11.1 minor Direct -
github.com/klauspost/compress v1.18.0 v1.18.5 patch Direct -
google.golang.org/protobuf v1.36.10 v1.36.11 patch Direct -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (6 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.79.0 1.79.3
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.79.0 -
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.79.0 1.79.3
gopkg.in/yaml.v3 GO-2022-0603 high Panic in gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c 3.0.0-20220521103104-8f96da9f5d5e
gopkg.in/yaml.v3 CVE-2022-28948 high - v3.0.0-20200313102051-9f266ea9e77c -
gopkg.in/yaml.v3 GHSA-hp87-p4gw-j4gq HIGH gopkg.in/yaml.v3 Denial of Service v3.0.0-20200313102051-9f266ea9e77c 3.0.1
⚠️ Dependencies that have Reached EOL (3)
Dependency Unsafe Version EOL Date New Version Path
github.com/DataDog/zstd v1.4.8 - v1.5.7 go.mod
github.com/stretchr/testify v1.6.1 - v1.11.1 go.mod
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c - v3.0.1 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants