fix(deps): vuln unstable upgrades — 5 packages (unstable: 1 · minor: 4)

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 5 packages upgraded (UNSTABLE changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/protobuf	v1.28.1	v1.36.11	minor	Transitive	2 MODERATE
k8s.io/apimachinery	v0.26.2	v0.35.4	unstable	Direct	-
github.com/go-logr/logr	v1.2.3	v1.4.3	minor	Transitive	-
k8s.io/klog/v2	v2.80.1	v2.140.0	minor	Transitive	-
sigs.k8s.io/yaml	v1.3.0	v1.6.0	minor	Transitive	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

ℹ️ Other Vulnerabilities (2)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.28.1	1.33.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.28.1	1.33.0

⚠️ Dependencies that have Reached EOL (5)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/go-logr/logr	v1.2.3	-	v1.4.3	go.mod
google.golang.org/protobuf	v1.28.1	Jul 28, 2025	v1.36.11	go.mod
k8s.io/apimachinery	v0.26.2	Feb 15, 2026	v0.35.4	go.mod
k8s.io/klog/v2	v2.80.1	Sep 9, 2025	v2.140.0	go.mod
sigs.k8s.io/yaml	v1.3.0	-	v1.6.0	go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/protobuf (v1.28.1 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

v1.36.5

Full Changelog: protocolbuffers/protobuf-go@v1.36.4...v1.36.5

Bug fixes:
CL/644437: protogen: fix name mangling for fields with identical GoCamelCase

Maintenance:
CL/641655: all: remove weak field support

v1.36.4

Full Changelog: protocolbuffers/protobuf-go@v1.36.3...v1.36.4

Bug fixes:
CL/642975: reflect/protodesc: fix panic when working with dynamicpb

Maintenance:
CL/643276: internal_gengo: avoid allocations in rawDescGZIP() accessors
CL/642857: internal_gengo: switch back from string literal to hex byte slice
CL/642055: internal_gengo: use unsafe.StringData() to avoid a descriptor copy
CL/638135: internal_gengo: store raw descriptor in .rodata section

v1.36.3

Full Changelog: protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
CL/642575: reflect/protodesc: fix panic when working with dynamicpb
CL/641036: cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
CL/641876: proto: add example for GetExtension, SetExtension
CL/642015: runtime/protolazy: replace internal doc link with external link

Maintenance:
CL/641635: all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
CL/641019: internal/impl: remove unused exporter parameter
CL/641018: internal/impl: switch to reflect.Value.IsZero
CL/641035: internal/impl: clean up unneeded Go<1.12 MapRange() alternative
CL/641017: types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

(and 14 more releases — view all)

k8s.io/apimachinery (v0.26.2 → v0.35.4) — Commit comparison

• 8ac57a9 Merge pull request https://github.com/kubernetes/apimachinery/issues/115065 from apelisse/apimachinery-managed-fields
• 027c209 Detect and clean up unneeded after_roundtrip fixtures
• 279f5e8 Update kube-openapi to 15aac26d736a
• 0993673 Add a Clear() function to generic sets
• 9bf9334 wait: Group ExponentialBackoff* functions together in file
• 72a7bb1 replaced spew.Sprintf with a util pretty print function
• 75694b8 managedfields: Move most of fieldmanager package to managefields
• f357b1f Merge pull request https://github.com/kubernetes/apimachinery/issues/116166 from pohly/test-go-vet
• 5b1cff8 Merge pull request https://github.com/kubernetes/apimachinery/issues/116162 from apelisse/update-openapi
• 4e8035c Update kube-openapi to afdc3dddf62d31f5e3868d699379c571a6007920
• 76eb944 Merge pull request https://github.com/kubernetes/apimachinery/issues/115402 from p0lyn0mial/upstream-sendinitialevents-take-2
• 590a261 Merge pull request https://github.com/kubernetes/apimachinery/issues/115277 from pohly/klog-update
• 776e66c Merge pull request https://github.com/kubernetes/apimachinery/issues/116176 from aojea/testpingspdy
• b1ad786 start to count time since the connection was actually established
• 0fe4390 staging: fix "go vet" issues

... and 85 more commits

k8s.io/klog/v2 (v2.80.1 → v2.140.0) — GitHub Release

v2.140.0

What's Changed

• Add dependabot by @lucacome in Add dependabot kubernetes/klog#410
• Use strconv.AppendQuote instead of strconv.Quote for message formatting by @astef in Use strconv.AppendQuote instead of strconv.Quote for message formatting kubernetes/klog#413
• de-duplication of key/value pairs by @pohly in de-duplication of key/value pairs kubernetes/klog#415
• Fix: Ensure constant format strings in fmt and printf calls by @mikelolasagasti in Fix: Ensure constant format strings in fmt and printf calls kubernetes/klog#417
• Remove old note on Go version requirements by @guettli in Remove old note on Go version requirements kubernetes/klog#425
• test with 1.24 and 1.25 by @pohly in test with 1.24 and 1.25 kubernetes/klog#428
• ktesting: fix vmodule support by @pohly in ktesting: fix vmodule support kubernetes/klog#431
• ktesting: support multi-line result from AnyToStringHook by @pohly in ktesting: support multi-line result from AnyToStringHook kubernetes/klog#433
• textlogger: optionally turn off header by @pohly in textlogger: optionally turn off header kubernetes/klog#430
• feat: fix stderrthreshold not honored when logtostderr is set (stderrthreshold not honored when logtostderr is set kubernetes/klog#212) + two new flags by @pierluigilenoci in feat: fix stderrthreshold not honored when logtostderr is set (#212) + two new flags kubernetes/klog#432

New Contributors

• @lucacome made their first contribution in Add dependabot kubernetes/klog#410
• @astef made their first contribution in Use strconv.AppendQuote instead of strconv.Quote for message formatting kubernetes/klog#413
• @mikelolasagasti made their first contribution in Fix: Ensure constant format strings in fmt and printf calls kubernetes/klog#417
• @guettli made their first contribution in Remove old note on Go version requirements kubernetes/klog#425
• @pierluigilenoci made their first contribution in feat: fix stderrthreshold not honored when logtostderr is set (#212) + two new flags kubernetes/klog#432

Full Changelog: kubernetes/klog@v2.130.1...v2.140.0

v2.130.1

What's Changed

• data race: avoid unprotected access to sb.file by @pohly in data race: avoid unprotected access to sb.file kubernetes/klog#408

Full Changelog: kubernetes/klog@v2.130.0...v2.130.1

v2.130.0

What's Changed

• chore(*): fix spelling of Intel Corporation by @jsoref in chore(*): fix spelling of Intel Corporation kubernetes/klog#399
• build: fix some linter warnings by @pohly in build: fix some linter warnings kubernetes/klog#402
• examples: fix linter warning by @pohly in examples: fix linter warning kubernetes/klog#406
• Do not acquire lock for file.Sync() fsync call by @1978629634 in Do not acquire lock for file.Sync() fsync call kubernetes/klog#404
• ktesting: tone down warning about leaked test goroutine by @pohly in ktesting: tone down warning about leaked test goroutine kubernetes/klog#401

New Contributors

• @jsoref made their first contribution in chore(*): fix spelling of Intel Corporation kubernetes/klog#399
• @1978629634 made their first contribution in Do not acquire lock for file.Sync() fsync call kubernetes/klog#404

Full Changelog: kubernetes/klog@v2.120.1...v2.130.0

v2.120.1

What's Changed

• textlogger: allow caller to override stack unwinding by @pohly in textlogger: allow caller to override stack unwinding kubernetes/klog#397

Full Changelog: kubernetes/klog@v2.120.0...v2.120.1

v2.120.0

What's Changed

• OWNERS: remove serathius, add mengjiao-liu, promote pohly by @pohly in OWNERS: remove serathius, add mengjiao-liu, promote pohly kubernetes/klog#394
• docs: clarify relationship between different features by @pohly in docs: clarify relationship between different features kubernetes/klog#395
• Add SafePtr wrapper by @kaisoz in Add SafePtr wrapper kubernetes/klog#393
• logr v1.4.1 + SetSlogLogger by @pohly in logr v1.4.1 + SetSlogLogger kubernetes/klog#396

New Contributors

• @kaisoz made their first contribution in Add SafePtr wrapper kubernetes/klog#393

Full Changelog: kubernetes/klog@v2.110.1...v2.120.0

v2.110.1

What's Changed

• fix: SetLogger via klog.SetLogger will output an unexpected newline by @aimuz in fix: SetLogger via klog.SetLogger will output an unexpected newline kubernetes/klog#378
• resolve comments warning by @lowang-bh in resolve comments warning kubernetes/klog#379
• stderrthreshold: fix flag comment by @pohly in stderrthreshold: fix flag comment kubernetes/klog#376
• enable "go vet" checks for parameters by @pohly in enable "go vet" checks for parameters kubernetes/klog#390
• promote experimental code to stable by @pohly in promote experimental code to stable kubernetes/klog#392
• golangci-lint action by @pohly in golangci-lint action kubernetes/klog#380
• output: handle WithName like zapr does by @pohly in output: handle WithName like zapr does kubernetes/klog#391
• slog support + logr 1.3.0 update by @pohly in slog support + logr 1.3.0 update kubernetes/klog#384

New Contributors

• @aimuz made their first contribution in fix: SetLogger via klog.SetLogger will output an unexpected newline kubernetes/klog#378
• @lowang-bh made their first contribution in resolve comments warning kubernetes/klog#379

Full Changelog: kubernetes/klog@v2.100.1...v2.110.1

v2.100.1

What's Changed

• expose logBridge via NewStandardLog() by @mikedanese in expose logBridge via NewStandardLog() kubernetes/klog#369
• add Format wrapper by @pohly in add Format wrapper kubernetes/klog#374
• JSON as fallback encoding by @pohly in JSON as fallback encoding kubernetes/klog#375

New Contributors

• @mikedanese made their first contribution in expose logBridge via NewStandardLog() kubernetes/klog#369

Full Changelog: kubernetes/klog@v2.90.1...v2.100.1

v2.90.1

What's Changed

• buffer: restore dropping of too large buffers by @pohly in buffer: restore dropping of too large buffers kubernetes/klog#366
• ktesting improvements by @pohly in ktesting improvements kubernetes/klog#365
• ktesting + textlogger config api by @pohly in ktesting + textlogger config api kubernetes/klog#368
• textlogger write through by @pohly in textlogger write through kubernetes/klog#363

Full Changelog: kubernetes/klog@v2.90.0...v2.90.1

v2.90.0

What's Changed

• klog: benchmark the overhead when logging is off by @pohly in klog: benchmark the overhead when logging is off kubernetes/klog#355
• improve textlogger by @pohly in improve textlogger kubernetes/klog#362

Full Changelog: kubernetes/klog@v2.80.1...v2.90.0

There are some API differences from previous version

k8s.io/klog/v2/klogr contains incompatible changes:
 - klogger.Enabled: removed
 - klogger.Error: removed
 - klogger.Info: removed

k8s.io/klog/v2/test contains incompatible changes:
 - InitKlog: changed from func() to func(testing.TB) *flag.FlagSet

---

Generated by ADMS Sources: 2 GitHub Releases, 1 Commit comparison, 2 not available.

[pohly]

#46 (comment) pings all upstream contributors. Please stop that by quoting the PR authors or disabling this bot!

[moezein0]

@pohly this was a bug in the changelog. We have turned it off now

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.