fix(deps): vuln minor upgrades — 15 packages (minor: 2 · patch: 13)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
github.com/moby/spdystream	v0.5.0	v0.5.1	patch	Transitive	1 HIGH
github.com/nwaples/rardecode	v1.1.0	v1.1.3	patch	Transitive	3 MODERATE
github.com/ulikunitz/xz	v0.5.14	v0.5.15	patch	Transitive	1 MODERATE, 2 MEDIUM
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.33.0	v1.43.0	minor	Transitive	1 MODERATE
helm.sh/helm/v3	v3.18.5	v3.20.2	minor	Direct	1 MODERATE
github.com/aws/aws-sdk-go-v2	v1.41.1	v1.41.6	patch	Direct	-
github.com/aws/aws-sdk-go-v2/config	v1.32.7	v1.32.16	patch	Direct	-
github.com/aws/aws-sdk-go-v2/service/iam	v1.53.2	v1.53.8	patch	Direct	-
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.6	v1.41.10	patch	Direct	-
github.com/aws/smithy-go	v1.24.0	v1.24.3	patch	Direct	-
github.com/hashicorp/go-retryablehttp	v0.7.7	v0.7.8	patch	Direct	-
github.com/mattn/go-runewidth	v0.0.17	v0.0.23	patch	Direct	-
k8s.io/api	v0.35.3	v0.35.4	patch	Direct	-
k8s.io/apiextensions-apiserver	v0.35.1	v0.35.4	patch	Direct	-
k8s.io/apimachinery	v0.35.3	v0.35.4	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (1 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/moby/spdystream	GHSA-pc3f-x583-g7j2	HIGH	SpdyStream: DOS on CRI	v0.5.0	0.5.1

ℹ️ Other Vulnerabilities (8)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/ulikunitz/xz	GO-2025-3922	medium	Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz	v0.5.14	0.5.15
github.com/ulikunitz/xz	CVE-2025-58058	medium	github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives	v0.5.14	-
github.com/nwaples/rardecode	GHSA-rwvp-r38j-9rgg	MODERATE	rardecode: DoS risk due to unrestricted RAR dictionary sizes	v1.1.0	-
github.com/nwaples/rardecode	CVE-2025-11579	MODERATE	-	v1.1.0	-
github.com/nwaples/rardecode	GO-2025-4020	MODERATE	DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode	v1.1.0	-
github.com/ulikunitz/xz	GHSA-jc7w-c686-c4v9	MODERATE	github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives	v0.5.14	0.5.15
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	GHSA-w8rr-5gcm-pp58	MODERATE	opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies	v1.33.0	1.43.0
helm.sh/helm/v3	GHSA-hr2v-4r36-88hr	MODERATE	Helm Chart extraction output directory collapse via Chart.yaml name dot-segment	v3.18.5	3.20.2

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/nwaples/rardecode	v1.1.0	-	v1.1.3	go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto 654839d.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[gh-worker-campaigns-3e9aa4]

Auto-rebase failed

Could not update your branch. This may be due to a concurrent update; the next push to main will retry automatically.

Error details

activity error (type: auto_rebase.AutoRebase_ForcePush, scheduledEventID: 78, startedEventID: 79, identity: 1@auto-rebase-worker-777ddbc6d6-qtgcq@): commit-headless push to engraver-auto-version-upgrade/minorpatch/go/0-1776958158: commit-headless push failed: Pushing to DataDog/datadog-operator (branch: engraver-auto-version-upgrade/minorpatch/go/0-1776958158)
Commits: d315bec21e4ed3c7265cf4272140c71a091a8475, fb4bcaef9efbdcb83a81c2b45f8969fb47b20e8f
Remote head commit: 4c40cf4
Creating working branch engraver-auto-version-upgrade/minorpatch/go/0-1776958158--headless-tmp-onhlqfzv
Commit d315bec2: Executing automated changes
Author: dd-octo-sts-98cdbc[bot] <256648516+dd-octo-sts-98cdbc[bot]@users.noreply.github.com>
Body: Co-authored-by: dd-octo-sts-98cdbc[bot] <256648516+dd-octo-sts-98cdbc[bot]@users.noreply.github.com>
Changed files: 5

• MODIFY: test/e2e/go.sum
• MODIFY: api/go.sum
• MODIFY: go.mod
• MODIFY: go.sum
• MODIFY: test/e2e/go.mod
  Strategy: GraphQL
  Cleaning up working branch engraver-auto-version-upgrade/minorpatch/go/0-1776958158--headless-tmp-onhlqfzv
  commit-headless: error: push change 0: create commit: GraphQL createCommitOnBranch: graphql errors: Something went wrong while executing your query on 2026-05-04T15:37:06Z. Please include DE38:152E0:1909A51:63C9C8A:69F8BD20 when reporting this issue.: exit status 1 (type: wrapError, retryable: true): commit-headless push failed: Pushing to DataDog/datadog-operator (branch: engraver-auto-version-upgrade/minorpatch/go/0-1776958158)
  Commits: d315bec21e4ed3c7265cf4272140c71a091a8475, fb4bcaef9efbdcb83a81c2b45f8969fb47b20e8f
  Remote head commit: 4c40cf4
  Creating working branch engraver-auto-version-upgrade/minorpatch/go/0-1776958158--headless-tmp-onhlqfzv
  Commit d315bec2: Executing automated changes
  Author: dd-octo-sts-98cdbc[bot] <256648516+dd-octo-sts-98cdbc[bot]@users.noreply.github.com>
  Body: Co-authored-by: dd-octo-sts-98cdbc[bot] <256648516+dd-octo-sts-98cdbc[bot]@users.noreply.github.com>
  Changed files: 5
• MODIFY: test/e2e/go.sum
• MODIFY: api/go.sum
• MODIFY: go.mod
• MODIFY: go.sum
• MODIFY: test/e2e/go.mod
  Strategy: GraphQL
  Cleaning up working branch engraver-auto-version-upgrade/minorpatch/go/0-1776958158--headless-tmp-onhlqfzv
  commit-headless: error: push change 0: create commit: GraphQL createCommitOnBranch: graphql errors: Something went wrong while executing your query on 2026-05-04T15:37:06Z. Please include DE38:152E0:1909A51:63C9C8A:69F8BD20 when reporting this issue.: exit status 1 (type: wrapError, retryable: true): exit status 1 (type: ExitError, retryable: true)

---

_{Auto-Rebase · Add no-auto-rebase to opt out}