fix(deps): vuln major upgrades — 7 packages (major: 2 · unstable: 3 · minor: 2)

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 7 packages upgraded (MAJOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.72.2	v1.80.0	minor	Direct	3 CRITICAL
golang.org/x/crypto	v0.38.0	v0.50.0	unstable	Direct	2 MODERATE, 4 MEDIUM, 1 UNKNOWN
golang.org/x/net	v0.40.0	v0.53.0	unstable	Direct	2 MODERATE, 1 UNKNOWN
github.com/google/go-metrics-stackdriver	v0.2.0	v0.6.0	unstable	Direct	-
github.com/hashicorp/go-immutable-radix	v1.3.1	v2.1.0	major	Direct	-
github.com/hashicorp/golang-lru	v1.0.2	v2.0.7	major	Direct	-
github.com/googleapis/gax-go/v2	v2.14.2	v2.22.0	minor	Transitive	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.72.2	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.72.2	1.79.3
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.72.2	1.79.3

ℹ️ Other Vulnerabilities (10)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	CVE-2025-47914	medium	-	v0.38.0	-
golang.org/x/crypto	GO-2025-4135	medium	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent	v0.38.0	0.45.0
golang.org/x/crypto	GO-2025-4134	medium	Unbounded memory consumption in golang.org/x/crypto/ssh	v0.38.0	0.45.0
golang.org/x/crypto	CVE-2025-58181	medium	-	v0.38.0	-
golang.org/x/crypto	GHSA-f6x5-jh6r-wrfv	MODERATE	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	v0.38.0	0.45.0
golang.org/x/crypto	GHSA-j5w8-q4qc-rx2x	MODERATE	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	v0.38.0	0.45.0
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.40.0	0.45.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.40.0	-
golang.org/x/crypto	GO-2025-4116	unknown	Potential denial of service in golang.org/x/crypto/ssh/agent	v0.38.0	0.43.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.40.0	0.45.0

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/google/go-metrics-stackdriver	v0.2.0	-	v0.6.0	go.mod
github.com/hashicorp/go-immutable-radix	v1.3.1	-	v2.1.0	go.mod

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/grpc (v1.72.2 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (*: Implementation of weighted random shuffling (A113) grpc/grpc-go#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81) grpc/grpc-go#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (balancer/randomsubsetting: Implementation of the random_subsetting LB policy grpc/grpc-go#8650)
  • Special Thanks: @marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (credentials/tls: Strip port before validating authority override grpc/grpc-go#8726)
  • Special Thanks: @Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (priority: prevent init timer restarting when a child transitions from CONNECTING to CONNECTING grpc/grpc-go#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (grpc: initialize decompressor for health check streams grpc/grpc-go#8765)
  • Special Thanks: @sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (transport: http2 server must validates header list size when early aborting stream grpc/grpc-go#8769)
  • Special Thanks: @joybestourous
• server: Propagate status detail headers, if availab

(truncated)

v1.78.0

Behavior Changes

• client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. (dns: drop test depending on invalid URL "dns://::1/foo.bar.com" grpc/grpc-go#8716)
  • Special Thanks: @neild
• transport/client : Return status code Unknown on malformed grpc-status. (transport/client: Return status code Unknown on malformed grpc-status grpc/grpc-go#8735)
• • xds/resolver:
  • Drop previous route resources and report an error when no matching virtual host is found.
  • Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. (internal/xds: change xds_resolver to use dependency manager grpc/grpc-go#8711)

New Features

• stats/otel: Add backend service label to weighted round robin metrics as part of A89. (stats/otel: Add grpc.lb.backend_service label to wrr metrics (A89) grpc/grpc-go#8737)
• stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. (stats/otel: Add subchannel metrics (A94) grpc/grpc-go#8738)
• client: Wait for all pending goroutines to complete when closing a graceful switch balancer. (gracefulswitch: Wait for all goroutines on close grpc/grpc-go#8746)
  • Special Thanks: @twz123
• client: Add experimental.AcceptCompressors so callers can restrict the grpc-accept-encoding header advertised for a call. (client: allow overriding grpc-accept-encoding header grpc/grpc-go#8718)
  • Special Thanks: @iblancasa

Bug Fixes

• xds: Fix a bug in StringMatcher where regexes would match incorrectly when ignore_case is set to true. (xds: make it possible to create a StringMatcher from arguments outside of test code grpc/grpc-go#8723)
• client:
  • Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE).
  • Change connectivity state to TRANSIENT_FAILURE if name resolver creation fails (as part of exiting IDLE).
  • Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT_FAILURE.
  • Fix a bug that resulted in OnFinish call option not being invoked for RPCs where stream creation failed. (client: Change connectivity state to CONNECTING when creating the name resolver grpc/grpc-go#8710)
• xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. (xdsclient: stop batching writes on the ADS stream grpc/grpc-go#8627)

Performance Improvements

• mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. (mem: Allocate at 4KiB boundaries in the fallback buffer pool. grpc/grpc-go#8705)
  • Special Thanks: @cjc25

(truncated — see source for full notes)

github.com/googleapis/gax-go/v2 (v2.14.2 → v2.22.0) — GitHub Release

v2.22.0

v2.22.0 (2026-04-14)

v2.21.0

v2.21.0 (2026-04-01)

Features

• update IsFeatureEnabled to not require EXPERIMENTAL (feat(v2): update IsFeatureEnabled to not require EXPERIMENTAL googleapis/gax-go#497) (a2a329e3)

• hook transport telemetry into gax.Invoke and record (feat(v2): hook transport telemetry into gax.Invoke and record googleapis/gax-go#496) (d5310019)

v2.20.0

v2.20.0 (2026-03-25)

Features

• hook metric recording into gax.Invoke (feat(v2): hook metric recording into gax.Invoke googleapis/gax-go#494) (1f3e9aef)

• add TelemetryErrorInfo and ExtractTelemetryErrorInfo (feat(v2): implement basic metric recording function googleapis/gax-go#487) (defdded3)

v2.19.0

v2.19.0 (2026-03-17)

Features

• update WithLogger to WithLoggerContext. (feat(v2): add WithLoggerContext and LoggerFromContext googleapis/gax-go#478) (1cb70baf)

• pass logger to downstream via context (feat(v2): pass logger to downstream via context googleapis/gax-go#474) (434fa676)

• add WithClientMetrics CallOption (feat(v2): add WithClientMetrics CallOption googleapis/gax-go#479) (76f0284e)

• add TransportTelemetryData for dynamic transport attributes (feat(v2): add TransportTelemetryData for dynamic transport attributes googleapis/gax-go#481) (8a7caf00)

• add ClientMetrics initialization core (feat(v2): add ClientMetrics initialization core googleapis/gax-go#473) (f53618c2)

Bug Fixes

• lazy initialization and getters for ClientMetrics (fix(v2): lazy initialization and getters for ClientMetrics googleapis/gax-go#485) (fb6c5f4d)

v2.18.0

v2.18.0 (2026-03-09)

Features

• move gax-go to use 1.25 as the lower bound of support (feat: move gax-go to use 1.25 as the lower bound of support googleapis/gax-go#469) (01594ca5)

• add callctx telemetry helpers (feat(v2): add callctx telemetry helpers googleapis/gax-go#472) (fa319ffc)

v2.17.0

2.17.0 (2026-02-03)

Features

• update Invoke to add retry count to context (feat(v2): update Invoke to add retry count to context googleapis/gax-go#462) (ea7096d5)

v2.16.0

2.16.0 (2025-12-17)

Features

• add IsFeatureEnabled (feat(v2): add IsFeatureEnabled googleapis/gax-go#454) (2700b8ab)

v2.15.0

2.15.0 (2025-07-09)

Features

• apierror: improve gRPC status code mapping for HTTP errors (feat(apierror): improve gRPC status code mapping for HTTP errors googleapis/gax-go#431) (c207f2a)

---

Generated by ADMS Sources: 2 GitHub Releases, 5 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.