Skip to content

fix(deps): vuln unstable upgrades — 5 packages (unstable: 1 · minor: 4) #46

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/unstable/go/0-1776936381
Closed

fix(deps): vuln unstable upgrades — 5 packages (unstable: 1 · minor: 4) #46
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/unstable/go/0-1776936381

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

Summary: Security update — 5 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/protobuf v1.28.1 v1.36.11 minor Transitive 2 MODERATE
k8s.io/apimachinery v0.26.2 v0.35.4 unstable Direct -
github.com/go-logr/logr v1.2.3 v1.4.3 minor Transitive -
k8s.io/klog/v2 v2.80.1 v2.140.0 minor Transitive -
sigs.k8s.io/yaml v1.3.0 v1.6.0 minor Transitive -

Packages marked with "-" are updated due to dependency constraints.


Security Details

ℹ️ Other Vulnerabilities (2)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/protobuf GHSA-8r3f-844c-mc37 MODERATE Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON v1.28.1 1.33.0
google.golang.org/protobuf GO-2024-2611 MODERATE Infinite loop in JSON unmarshaling in google.golang.org/protobuf v1.28.1 1.33.0
⚠️ Dependencies that have Reached EOL (5)
Dependency Unsafe Version EOL Date New Version Path
github.com/go-logr/logr v1.2.3 - v1.4.3 go.mod
google.golang.org/protobuf v1.28.1 Jul 28, 2025 v1.36.11 go.mod
k8s.io/apimachinery v0.26.2 Feb 15, 2026 v0.35.4 go.mod
k8s.io/klog/v2 v2.80.1 Sep 9, 2025 v2.140.0 go.mod
sigs.k8s.io/yaml v1.3.0 - v1.6.0 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod
Copy link
Copy Markdown

Release Notes

google.golang.org/protobuf (v1.28.1 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

v1.36.5

Full Changelog: protocolbuffers/protobuf-go@v1.36.4...v1.36.5

Bug fixes:
CL/644437: protogen: fix name mangling for fields with identical GoCamelCase

Maintenance:
CL/641655: all: remove weak field support

v1.36.4

Full Changelog: protocolbuffers/protobuf-go@v1.36.3...v1.36.4

Bug fixes:
CL/642975: reflect/protodesc: fix panic when working with dynamicpb

Maintenance:
CL/643276: internal_gengo: avoid allocations in rawDescGZIP() accessors
CL/642857: internal_gengo: switch back from string literal to hex byte slice
CL/642055: internal_gengo: use unsafe.StringData() to avoid a descriptor copy
CL/638135: internal_gengo: store raw descriptor in .rodata section

v1.36.3

Full Changelog: protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
CL/642575: reflect/protodesc: fix panic when working with dynamicpb
CL/641036: cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
CL/641876: proto: add example for GetExtension, SetExtension
CL/642015: runtime/protolazy: replace internal doc link with external link

Maintenance:
CL/641635: all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
CL/641019: internal/impl: remove unused exporter parameter
CL/641018: internal/impl: switch to reflect.Value.IsZero
CL/641035: internal/impl: clean up unneeded Go<1.12 MapRange() alternative
CL/641017: types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

(and 14 more releases — view all)

k8s.io/apimachinery (v0.26.2 → v0.35.4) — Commit comparison

... and 85 more commits

k8s.io/klog/v2 (v2.80.1 → v2.140.0) — GitHub Release

v2.140.0

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.130.1...v2.140.0

v2.130.1

What's Changed

Full Changelog: kubernetes/klog@v2.130.0...v2.130.1

v2.130.0

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.120.1...v2.130.0

v2.120.1

What's Changed

Full Changelog: kubernetes/klog@v2.120.0...v2.120.1

v2.120.0

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.110.1...v2.120.0

v2.110.1

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.100.1...v2.110.1

v2.100.1

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.90.1...v2.100.1

v2.90.1

What's Changed

Full Changelog: kubernetes/klog@v2.90.0...v2.90.1

v2.90.0

What's Changed

Full Changelog: kubernetes/klog@v2.80.1...v2.90.0

There are some API differences from previous version

k8s.io/klog/v2/klogr contains incompatible changes:
 - klogger.Enabled: removed
 - klogger.Error: removed
 - klogger.Info: removed

k8s.io/klog/v2/test contains incompatible changes:
 - InitKlog: changed from func() to func(testing.TB) *flag.FlagSet

Generated by ADMS Sources: 2 GitHub Releases, 1 Commit comparison, 2 not available.

@pohly
Copy link
Copy Markdown

pohly commented Apr 23, 2026

#46 (comment) pings all upstream contributors. Please stop that by quoting the PR authors or disabling this bot!

@moezein0
Copy link
Copy Markdown

@pohly this was a bug in the changelog. We have turned it off now

@seberm-6
Copy link
Copy Markdown

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.

@campaigner-prod campaigner-prod Bot closed this Apr 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants