[Backport 7.75.x][VULN-15676] Upgrade github.com/envoyproxy/gateway (#45496) by wdhif · Pull Request #45809 · DataDog/datadog-agent

wdhif · 2026-02-02T13:18:02Z

Backport 2e582b2 from #45649.

What does this PR do?

Ran go get github.com/envoyproxy/gateway@v1.5.7

Motivation

https://datadoghq.atlassian.net/browse/VULN-15676

Describe how you validated your changes

Additional Notes

Ran `go get github.com/envoyproxy/gateway@v1.5.7` https://datadoghq.atlassian.net/browse/VULN-15676 Co-authored-by: JSGette <joseph.gette@datadoghq.com> Co-authored-by: eliott.bouhana <eliott.bouhana@datadoghq.com> (cherry picked from commit 2e582b2)

agent-platform-auto-pr · 2026-02-02T13:35:32Z

Go Package Import Differences

Baseline: c6b79bd
Comparison: 17d7e63

binary	os	arch	change
heroku-agent	linux	amd64	+1, -0 +github.com/docker/cli/cli/config/memorystore
cluster-agent	linux	amd64	+1, -0 +sigs.k8s.io/gateway-api/apis/v1alpha3
cluster-agent	linux	arm64	+1, -0 +sigs.k8s.io/gateway-api/apis/v1alpha3
installer	linux	amd64	+1, -0 +github.com/docker/cli/cli/config/memorystore
installer	linux	arm64	+1, -0 +github.com/docker/cli/cli/config/memorystore
installer	windows	amd64	+1, -0 +github.com/docker/cli/cli/config/memorystore

agent-platform-auto-pr · 2026-02-02T13:53:42Z

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 8754f93
📊 Static Quality Gates Dashboard

Successful checks

Info

	Quality gate	Delta	On disk size (MiB)	Delta	On wire size (MiB)
✅	agent_deb_amd64	DataNotFound	$${708.22}$$ < $${708.6}$$	DataNotFound	$${173.9}$$ < $${174.5}$$
✅	agent_deb_amd64_fips	DataNotFound	$${703.5}$$ < $${703.97}$$	DataNotFound	$${172.71}$$ < $${173.77}$$
✅	agent_heroku_amd64	DataNotFound	$${328.69}$$ < $${329.53}$$	DataNotFound	$${87.44}$$ < $${88.43}$$
✅	agent_msi	DataNotFound	$${571.03}$$ < $${982.08}$$	DataNotFound	$${142.79}$$ < $${143.02}$$
✅	agent_rpm_amd64	DataNotFound	$${708.21}$$ < $${708.85}$$	DataNotFound	$${176.45}$$ < $${177.66}$$
✅	agent_rpm_amd64_fips	DataNotFound	$${703.49}$$ < $${703.96}$$	DataNotFound	$${175.93}$$ < $${176.63}$$
✅	agent_rpm_arm64	DataNotFound	$${689.73}$$ < $${693.49}$$	DataNotFound	$${159.93}$$ < $${161.21}$$
✅	agent_rpm_arm64_fips	DataNotFound	$${685.88}$$ < $${688.44}$$	DataNotFound	$${159.4}$$ < $${160.46}$$
✅	agent_suse_amd64	DataNotFound	$${708.21}$$ < $${708.85}$$	DataNotFound	$${176.45}$$ < $${177.66}$$
✅	agent_suse_amd64_fips	DataNotFound	$${703.49}$$ < $${703.96}$$	DataNotFound	$${175.93}$$ < $${176.63}$$
✅	agent_suse_arm64	DataNotFound	$${689.73}$$ < $${693.49}$$	DataNotFound	$${159.93}$$ < $${161.21}$$
✅	agent_suse_arm64_fips	DataNotFound	$${685.88}$$ < $${688.44}$$	DataNotFound	$${159.4}$$ < $${160.46}$$
✅	docker_agent_amd64	DataNotFound	$${769.99}$$ < $${770.69}$$	DataNotFound	$${261.8}$$ < $${262.46}$$
✅	docker_agent_arm64	DataNotFound	$${776.09}$$ < $${780.17}$$	DataNotFound	$${250.85}$$ < $${252.63}$$
✅	docker_agent_jmx_amd64	DataNotFound	$${960.87}$$ < $${961.57}$$	DataNotFound	$${330.43}$$ < $${331.09}$$
✅	docker_agent_jmx_arm64	DataNotFound	$${955.69}$$ < $${959.77}$$	DataNotFound	$${315.47}$$ < $${317.26}$$
✅	docker_cluster_agent_amd64	DataNotFound	$${180.79}$$ < $${181.2}$$	DataNotFound	$${63.87}$$ < $${64.51}$$
✅	docker_cluster_agent_arm64	DataNotFound	$${196.61}$$ < $${198.49}$$	DataNotFound	$${60.13}$$ < $${61.17}$$
✅	docker_cws_instrumentation_amd64	DataNotFound	$${7.13}$$ < $${7.18}$$	DataNotFound	$${2.99}$$ < $${3.33}$$
✅	docker_cws_instrumentation_arm64	DataNotFound	$${6.69}$$ < $${6.92}$$	DataNotFound	$${2.73}$$ < $${3.09}$$
✅	docker_dogstatsd_amd64	DataNotFound	$${38.81}$$ < $${39.38}$$	DataNotFound	$${15.02}$$ < $${15.82}$$
✅	docker_dogstatsd_arm64	DataNotFound	$${37.13}$$ < $${37.94}$$	DataNotFound	$${14.34}$$ < $${14.83}$$
✅	dogstatsd_deb_amd64	DataNotFound	$${30.02}$$ < $${30.61}$$	DataNotFound	$${7.94}$$ < $${8.79}$$
✅	dogstatsd_deb_arm64	DataNotFound	$${28.18}$$ < $${29.11}$$	DataNotFound	$${6.82}$$ < $${7.71}$$
✅	dogstatsd_rpm_amd64	DataNotFound	$${30.02}$$ < $${30.61}$$	DataNotFound	$${7.95}$$ < $${8.8}$$
✅	dogstatsd_suse_amd64	DataNotFound	$${30.02}$$ < $${30.61}$$	DataNotFound	$${7.95}$$ < $${8.8}$$
✅	iot_agent_deb_amd64	DataNotFound	$${42.97}$$ < $${43.29}$$	DataNotFound	$${11.25}$$ < $${12.04}$$
✅	iot_agent_deb_arm64	DataNotFound	$${40.1}$$ < $${40.92}$$	DataNotFound	$${9.62}$$ < $${10.45}$$
✅	iot_agent_deb_armhf	DataNotFound	$${40.68}$$ < $${41.03}$$	DataNotFound	$${9.81}$$ < $${10.62}$$
✅	iot_agent_rpm_amd64	DataNotFound	$${42.97}$$ < $${43.29}$$	DataNotFound	$${11.27}$$ < $${12.06}$$
✅	iot_agent_suse_amd64	DataNotFound	$${42.97}$$ < $${43.29}$$	DataNotFound	$${11.27}$$ < $${12.06}$$

cit-pr-commenter-54b7da · 2026-02-02T14:11:19Z

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 2b28b04a-7290-48c2-a3b4-6fe4b4084b9d

Baseline: c6b79bd
Comparison: 17d7e63
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-1.04	[-3.96, +1.87]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	otlp_ingest_logs	memory utilization	+0.83	[+0.73, +0.93]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.49	[+0.28, +0.70]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.38	[+0.17, +0.58]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.30	[+0.25, +0.35]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.23	[-0.00, +0.46]	1	Logs
➖	quality_gate_idle	memory utilization	+0.22	[+0.18, +0.27]	1	Logs bounds checks dashboard
➖	docker_containers_memory	memory utilization	+0.18	[+0.11, +0.26]	1	Logs
➖	ddot_metrics	memory utilization	+0.13	[-0.08, +0.34]	1	Logs
➖	file_tree	memory utilization	+0.07	[+0.01, +0.12]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.02	[-0.35, +0.39]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.00	[-0.12, +0.13]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.07, +0.08]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.14, +0.12]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.01	[-0.05, +0.04]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.01	[-0.40, +0.39]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.01	[-0.39, +0.37]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.06	[-0.10, -0.03]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	-0.14	[-1.59, +1.31]	1	Logs bounds checks dashboard
➖	ddot_logs	memory utilization	-0.24	[-0.31, -0.17]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.47	[-0.62, -0.32]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.62	[-0.68, -0.55]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.63	[-0.78, -0.47]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-1.04	[-3.96, +1.87]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	lost_bytes	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

✅ = significantly better comparison variant performance
❌ = significantly worse comparison variant performance
➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.

Signed-off-by: Wassim DHIF <wassim.dhif@datadoghq.com>

Copilot

Pull request overview

This PR backports an upgrade of github.com/envoyproxy/gateway from v1.3.3 to v1.5.7 to address security vulnerability VULN-15676. The upgrade also brings in several transitive dependency updates, including gateway-api, Docker CLI, MySQL driver, PostgreSQL driver, and various container registry and OpenAPI libraries.

Changes:

Upgrades envoyproxy/gateway from v1.3.3 to v1.5.7 (2 minor versions)
Updates multiple transitive dependencies to newer versions
Adjusts Docker cluster agent size limits to accommodate slight increases from dependency updates

Reviewed changes

Copilot reviewed 9 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
go.mod	Updates envoyproxy/gateway and related direct dependencies (hcsshim, go-sql-driver/mysql, go-containerregistry, jackc/pgx/v5, gateway-api, honnef.co/go/tools)
go.sum	Updates checksums for all dependency changes including transitive dependencies
test/new-e2e/go.mod	Updates docker/cli and go-containerregistry dependencies for e2e tests
test/new-e2e/go.sum	Updates checksums for test framework dependencies
test/e2e-framework/go.mod	Updates docker/cli dependency for e2e framework
test/e2e-framework/go.sum	Updates checksums for e2e framework dependencies
pkg/fleet/installer/go.mod	Updates go-containerregistry dependency for fleet installer
pkg/fleet/installer/go.sum	Updates checksums for fleet installer dependencies
comp/otelcol/*/go.mod	Updates OpenAPI and envoyproxy dependencies for OTel collector components
comp/otelcol/*/go.sum	Updates checksums for OTel collector component dependencies
test/static/static_quality_gates.yml	Increases size limits for Docker cluster agent to accommodate dependency updates (~120 KiB increase)
LICENSE-3rdparty.csv	Adds new dependency licenses and updates copyright information for updated dependencies

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

test/static/static_quality_gates.yml

go.mod

FlorentClarret · 2026-02-06T07:41:54Z

/merge

gh-worker-devflow-routing-ef8351 · 2026-02-06T07:41:59Z

View all feedbacks in Devflow UI.

2026-02-06 07:41:58 UTC ℹ️ Start processing command /merge

2026-02-06 07:42:03 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in 7.75.x is approximately 42m (p90).

2026-02-06 08:50:51 UTC ℹ️ MergeQueue: This merge request was merged

github-actions bot added the long review PR is complex, plan time to review it label Feb 2, 2026

wdhif added changelog/no-changelog No changelog entry needed qa/done QA done before merge and regressions are covered by tests labels Feb 2, 2026

chore: generate licences

17d7e63

Signed-off-by: Wassim DHIF <wassim.dhif@datadoghq.com>

wdhif requested a review from eliottness February 2, 2026 14:26

eliottness approved these changes Feb 2, 2026

View reviewed changes

wdhif marked this pull request as ready for review February 2, 2026 14:31

wdhif requested review from a team and cmourot as code owners February 2, 2026 14:31

Copilot AI review requested due to automatic review settings February 2, 2026 14:31

wdhif requested review from a team and dd-ddamien as code owners February 2, 2026 14:31

Copilot started reviewing on behalf of wdhif February 2, 2026 14:31 View session

Copilot AI reviewed Feb 2, 2026

View reviewed changes

test/static/static_quality_gates.yml Show resolved Hide resolved

go.mod Show resolved Hide resolved

aiuto requested changes Feb 2, 2026

View reviewed changes

go.mod Show resolved Hide resolved

aiuto approved these changes Feb 5, 2026

View reviewed changes

FlorentClarret approved these changes Feb 6, 2026

View reviewed changes

gh-worker-dd-mergequeue-cf854d bot merged commit 212a623 into 7.75.x Feb 6, 2026
609 of 610 checks passed

gh-worker-dd-mergequeue-cf854d bot deleted the backport-45496-to-7.75.x branch February 6, 2026 08:50

github-actions bot added this to the 7.75.2 milestone Feb 6, 2026

FlorentClarret mentioned this pull request Feb 16, 2026

Update the changelog for 7.75.4 #46478

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Backport 7.75.x][VULN-15676] Upgrade github.com/envoyproxy/gateway (#45496)#45809

[Backport 7.75.x][VULN-15676] Upgrade github.com/envoyproxy/gateway (#45496)#45809
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into7.75.xfrom
backport-45496-to-7.75.x

wdhif commented Feb 2, 2026 •

edited by gabedos

Loading

Uh oh!

agent-platform-auto-pr bot commented Feb 2, 2026 •

edited

Loading

Uh oh!

agent-platform-auto-pr bot commented Feb 2, 2026 •

edited

Loading

Info

Uh oh!

cit-pr-commenter-54b7da bot commented Feb 2, 2026 •

edited

Loading

Experiments ignored for regressions

Fine details of change detection per experiment

Bounds Checks: ✅ Passed

Explanation

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

FlorentClarret commented Feb 6, 2026

Uh oh!

gh-worker-devflow-routing-ef8351 bot commented Feb 6, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

wdhif commented Feb 2, 2026 • edited by gabedos Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does this PR do?

Motivation

Describe how you validated your changes

Additional Notes

Uh oh!

agent-platform-auto-pr bot commented Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Go Package Import Differences

Uh oh!

agent-platform-auto-pr bot commented Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Static quality checks

Info

Uh oh!

cit-pr-commenter-54b7da bot commented Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Regression Detector

Regression Detector Results

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Fine details of change detection per experiment

Bounds Checks: ✅ Passed

Explanation

CI Pass/Fail Decision

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

FlorentClarret commented Feb 6, 2026

Uh oh!

gh-worker-devflow-routing-ef8351 bot commented Feb 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

wdhif commented Feb 2, 2026 •

edited by gabedos

Loading

agent-platform-auto-pr bot commented Feb 2, 2026 •

edited

Loading

agent-platform-auto-pr bot commented Feb 2, 2026 •

edited

Loading

cit-pr-commenter-54b7da bot commented Feb 2, 2026 •

edited

Loading

gh-worker-devflow-routing-ef8351 bot commented Feb 6, 2026 •

edited

Loading