Skip to content

fix(deps): vuln minor upgrades — 10 packages (minor: 9 · patch: 1) #248

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1776959836
Closed

fix(deps): vuln minor upgrades — 10 packages (minor: 9 · patch: 1) #248
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1776959836

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown
Contributor

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: High-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk v1.39.0 v1.43.0 minor Transitive 4 HIGH
github.com/go-viper/mapstructure/v2 v2.3.0 v2.5.0 minor Transitive 1 MODERATE, 2 MEDIUM
github.com/DataDog/datadog-go/v5 v5.6.0 v5.8.3 minor Direct -
github.com/aws/aws-lambda-go v1.46.0 v1.54.0 minor Direct -
github.com/aws/aws-sdk-go-v2 v1.26.1 v1.41.6 minor Direct -
github.com/aws/aws-sdk-go-v2/config v1.27.11 v1.32.16 minor Direct -
github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 v1.50.5 minor Direct -
github.com/cenkalti/backoff/v4 v4.2.1 v4.3.0 minor Direct -
go.opentelemetry.io/otel v1.39.0 v1.43.0 minor Direct -
gopkg.in/DataDog/dd-trace-go.v1 v1.74.6 v1.74.8 patch Direct -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 -
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/go-viper/mapstructure/v2 GO-2025-3900 medium Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure v2.3.0 2.4.0
github.com/go-viper/mapstructure/v2 CVE-2025-11065 medium - v2.3.0 -
github.com/go-viper/mapstructure/v2 GHSA-2464-8j7c-4cjm MODERATE go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data v2.3.0 2.4.0
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
github.com/cenkalti/backoff/v4 v4.2.1 Apr 17, 2026 v4.3.0 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot deleted the engraver-auto-version-upgrade/minorpatch/go/1-1776959836 branch May 8, 2026 06:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants