Skip to content

fix(deps): vuln minor upgrades — 10 packages (minor: 8 · patch: 2) [src/accountingservice]#77

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/go/accountingservice/2-1776936102
Closed

fix(deps): vuln minor upgrades — 10 packages (minor: 8 · patch: 2) [src/accountingservice]#77
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/go/accountingservice/2-1776936102

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

  • src/accountingservice (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.59.0 v1.80.0 minor Direct 3 CRITICAL
go.opentelemetry.io/otel/sdk v1.20.0 v1.43.0 minor Direct 1 HIGH
google.golang.org/protobuf v1.31.0 v1.36.11 minor Direct 2 MODERATE
github.com/IBM/sarama v1.42.1 v1.47.0 minor Direct -
go.opentelemetry.io/otel v1.20.0 v1.43.0 minor Direct -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0 v1.43.0 minor Direct -
go.opentelemetry.io/otel/trace v1.20.0 v1.43.0 minor Direct -
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 v1.6.1 minor Direct -
github.com/golang/protobuf v1.5.3 v1.5.4 patch Direct -
github.com/sirupsen/logrus v1.9.3 v1.9.4 patch Direct -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GO-2026-4762 critical Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.59.0 1.79.3
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.59.0 1.79.3
google.golang.org/grpc CVE-2026-33186 critical gRPC-Go has an authorization bypass via missing leading slash in :path v1.59.0 -
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.20.0 1.43.0
ℹ️ Other Vulnerabilities (2)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/protobuf GHSA-8r3f-844c-mc37 MODERATE Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON v1.31.0 1.33.0
google.golang.org/protobuf GO-2024-2611 MODERATE Infinite loop in JSON unmarshaling in google.golang.org/protobuf v1.31.0 1.33.0
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
github.com/golang/protobuf v1.5.3 Mar 8, 2026 v1.5.4 src/accountingservice/go.mod
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 Mar 1, 2026 v1.6.1 src/accountingservice/go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod
Copy link
Copy Markdown

campaigner-prod Bot commented Apr 23, 2026

Release Notes

google.golang.org/grpc (v1.59.0 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

Bug Fixes

New Features

Performance Improvements

(truncated)

v1.79.3

Security

v1.79.2

Bug Fixes

v1.79.1

Bug Fixes

v1.79.0

API Changes

Behavior Changes

New Features

Bug Fixes

(truncated)

v1.78.0

Behavior Changes

(truncated — see source for full notes)

go.opentelemetry.io/otel/sdk (v1.20.0 → v1.43.0) — GitHub Release

v1.43.0

Added

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

Changed

Fixed

Removed

What's Changed

(truncated)

v1.41.0

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

Fixed

What's Changed

(truncated — see source for full notes)

google.golang.org/protobuf (v1.31.0 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

v1.36.5

Full Changelog: protocolbuffers/protobuf-go@v1.36.4...v1.36.5

Bug fixes:
CL/644437: protogen: fix name mangling for fields with identical GoCamelCase

Maintenance:
CL/641655: all: remove weak field support

v1.36.4

Full Changelog: protocolbuffers/protobuf-go@v1.36.3...v1.36.4

Bug fixes:
CL/642975: reflect/protodesc: fix panic when working with dynamicpb

Maintenance:

(truncated — see source for full notes)

github.com/IBM/sarama (v1.42.1 → v1.47.0) — GitHub Release

v1.47.0

What's Changed

🎉 New Features / Improvements

🐛 Fixes

🔧 Maintenance

📦 Dependency updates

(truncated)

v1.46.3

What's Changed

🐛 Fixes

📦 Dependency updates

🔧 Maintenance

Full Changelog: IBM/sarama@v1.46.2...v1.46.3

v1.46.2

What's Changed

A big focus on improving our support for newer protocol versions in this release, particularly supporting a wider range of flexible versions

🎉 New Features / Improvements

🐛 Fixes

(truncated)

v1.46.1

[!NOTE]
The go.mod directive has been bumped to 1.24.0 as the minimum version of Go required for the module. This was necessary to continue to receive updates from some of the third party dependencies that Sarama makes use of.

What's Changed

🎉 New Features / Improvements

(truncated — see source for full notes)

go.opentelemetry.io/otel (v1.20.0 → v1.43.0) — GitHub Release

v1.43.0

Added

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

Changed

Fixed

Removed

What's Changed

(truncated)

v1.41.0

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

Fixed

What's Changed

(truncated — see source for full notes)

go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (v1.20.0 → v1.43.0) — GitHub Release

v1.43.0

Added

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

Changed

Fixed

Removed

What's Changed

(truncated)

v1.41.0

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

Fixed

What's Changed

(truncated — see source for full notes)

go.opentelemetry.io/otel/trace (v1.20.0 → v1.43.0) — GitHub Release

v1.43.0

Added

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

Changed

Fixed

Removed

What's Changed

(truncated)

v1.41.0

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

Fixed

What's Changed

(truncated — see source for full notes)

github.com/sirupsen/logrus (v1.9.3 → v1.9.4) — GitHub Release

Notable changes

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

Generated by ADMS Sources: 8 GitHub Releases, 2 not available.

@seberm-6
Copy link
Copy Markdown

seberm-6 commented Apr 23, 2026

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.

@seberm-6 seberm-6 closed this Apr 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@seberm-6