fix(deps): vuln minor upgrades — 15 packages (minor: 6 · patch: 9) [sdk]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• sdk (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Direct	3 CRITICAL
github.com/go-jose/go-jose/v4	v4.0.5	v4.1.4	minor	Transitive	1 HIGH
cloud.google.com/go/cloudsqlconn	v1.4.3	v1.21.0	minor	Direct	-
github.com/evanphx/json-patch/v5	v5.6.0	v5.9.11	minor	Direct	-
github.com/hashicorp/go-version	v1.7.0	v1.9.0	minor	Direct	-
github.com/hashicorp/vault/api	v1.16.0	v1.23.0	minor	Direct	-
github.com/go-ldap/ldap/v3	v3.4.10	v3.4.13	patch	Direct	-
github.com/google/certificate-transparency-go	v1.3.1	v1.3.3	patch	Direct	-
github.com/hashicorp/go-kms-wrapping/v2	v2.0.18	v2.0.21	patch	Direct	-
github.com/hashicorp/go-plugin	v1.6.1	v1.6.3	patch	Direct	-
github.com/hashicorp/go-retryablehttp	v0.7.7	v0.7.8	patch	Direct	-
github.com/hashicorp/go-secure-stdlib/password	v0.1.1	v0.1.5	patch	Direct	-
github.com/hashicorp/go-secure-stdlib/plugincontainer	v0.4.1	v0.4.2	patch	Direct	-
github.com/sasha-s/go-deadlock	v0.3.5	v0.3.9	patch	Direct	-
google.golang.org/protobuf	v1.36.5	v1.36.11	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
github.com/go-jose/go-jose/v4	GHSA-78h2-9frx-2jm8	HIGH	Go JOSE Panics in JWE decryption	v4.0.5	4.1.4

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/evanphx/json-patch/v5	v5.6.0	-	v5.9.11	sdk/go.mod
github.com/hashicorp/go-secure-stdlib/password	v0.1.1	-	v0.1.5	sdk/go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/grpc (v1.70.0 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

(truncated — see source for full notes)

github.com/go-jose/go-jose/v4 (v4.0.5 → v4.1.4) — GitHub Release

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @mcpherrinm in Remove Go 1.23 support go-jose/go-jose#205
• Reject JWS with an unprotected critical b64 header by @mcpherrinm in Reject JWS with an unprotected critical b64 header go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @mcpherrinm in Update go-jose documentation go-jose/go-jose#198
• Remove dependency on testify by @wardviaene in Remove dependency on testify go-jose/go-jose#197
• Improve error message for invalid private keys by @ProjectMutilation in Improve error message for invalid private keys go-jose/go-jose#195
• JWK unsupported error when unmarshalling by @fprojetto in JWK unsupported error when unmarshalling go-jose/go-jose#191
• Add JSONWebKey type to makeJWERecipient by @alvarolivie in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200
• testutils/assert: remove True, Nil, NotNil by @jsha in testutils/assert: remove True, Nil, NotNil go-jose/go-jose#202

New Contributors

• @wardviaene made their first contribution in Remove dependency on testify go-jose/go-jose#197
• @fprojetto made their first contribution in JWK unsupported error when unmarshalling go-jose/go-jose#191
• @alvarolivie made their first contribution in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

• Drop go-cmp dependency by @mcpherrinm in Drop go-cmp dependency go-jose/go-jose#186
• jws: improve performance and allocations for ParseSignedCompact by @drakkan in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• Add missing quote to unknown curve message Missing single tick in error message go-jose/go-jose#170 by @sudhanvaghebbale in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• Fix incorrect validation by @ProjectMutilation in Fix incorrect validation go-jose/go-jose#192
• Restore Go 1.23 compatibility by @anuraaga in Restore Go 1.23 compatibility go-jose/go-jose#193

New Contributors

• @drakkan made their first contribution in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• @sudhanvaghebbale made their first contribution in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• @ProjectMutilation made their first contribution in Fix incorrect validation go-jose/go-jose#192
• @anuraaga made their first contribution in Restore Go 1.23 compatibility go-jose/go-jose#193

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

What's Changed

• Document signatureAlgorithms argument by @tgeoghegan in Document signatureAlgorithms argument go-jose/go-jose#163
• Add custom error for unsupported JWS signature algorithms by @beautifulentropy in Add custom error for unsupported JWS signature algorithms go-jose/go-jose#181
• use stdlib pbkdf2 package on go 1.24 by @kruskall in feat: use stdlib pbkdf2 package on go 1.24 go-jose/go-jose#180
• The minimum supported Go version is now 1.24

New Contributors

• @kruskall made their first contribution in feat: use stdlib pbkdf2 package on go 1.24 go-jose/go-jose#180

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

cloud.google.com/go/cloudsqlconn (v1.4.3 → v1.21.0) — GitHub Release

v1.21.0

1.21.0 (2026-04-16)

Features

• upgrade example go version to match minimum (feat: upgrade example go version to match minimum GoogleCloudPlatform/cloud-sql-go-connector#1087) (c950a6c)
• drop support for EOL pgxv4 driver (chore: deprecate pgv4 GoogleCloudPlatform/cloud-sql-go-connector#1085) (c950a6c)

v1.20.2

1.20.2 (2026-03-17)

Bug Fixes

• update dependencies to latest (fix: update dependencies to latest GoogleCloudPlatform/cloud-sql-go-connector#1075) (cd61b59)

Note

• Deprecate support for pgx v4. The pgx v4 library was declared end life by its maintainer as of July 2025. We will remove support for the Cloud SQL Connector in July 2026

v1.20.1

1.20.1 (2026-02-17)

Bug Fixes

• bump golang.org/x/crypto in /examples/cloudrun/sqlserver (chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /examples/cloudrun/sqlserver GoogleCloudPlatform/cloud-sql-go-connector#1046) (2191390)

v1.20.0

1.20.0 (2026-01-12)

Features

• Use configured DNS name to lookup instance IP address (feat: Use configured DNS name to lookup instance IP address GoogleCloudPlatform/cloud-sql-go-connector#1054) (976120e), closes Use configured DNS name to lookup instance IP address GoogleCloudPlatform/cloud-sql-go-connector#1053

v1.19.1

1.19.1 (2025-12-09)

Bug Fixes

• Update dependency versions. (fix: Update dependency versions to latest. GoogleCloudPlatform/cloud-sql-go-connector#1049) (15d6f5c)

v1.19.0

1.19.0 (2025-10-23)

Features

• Add support for the Metadata Exchange protocol (feat: Add support for the Metadata Exchange protocol GoogleCloudPlatform/cloud-sql-go-connector#1011) (cea84c1)

Bug Fixes

• add important message to readme that show incompatibility with c… (fix: add important message to readme that show incompatibility with c… GoogleCloudPlatform/cloud-sql-go-connector#1028) (6b1d73a)

(truncated — see source for full notes)

github.com/hashicorp/go-version (v1.7.0 → v1.9.0) — GitHub Release

v1.9.0

What's Changed

Enhancements

• Add support for prefix of any character by @brondum in Add support for prefix of any character hashicorp/go-version#79

Internal

• Update CHANGELOG for version 1.8.0 enhancements by @sonamtenzin2 in Update CHANGELOG for version 1.8.0 enhancements hashicorp/go-version#178
• Bump the github-actions-backward-compatible group across 1 directory with 2 updates by @dependabot[bot] in Bump the github-actions-backward-compatible group across 1 directory with 2 updates hashicorp/go-version#179
• Bump the github-actions-breaking group with 4 updates by @dependabot[bot] in Bump the github-actions-breaking group with 4 updates hashicorp/go-version#180
• Bump the github-actions-backward-compatible group with 3 updates by @dependabot[bot] in Bump the github-actions-backward-compatible group with 3 updates hashicorp/go-version#182
• Update GitHub Actions to trigger on pull requests and update go version by @ssagarverma in Update GitHub Actions to trigger on pull requests and update go version hashicorp/go-version#185
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 in the github-actions-breaking group across 1 directory by @dependabot[bot] in Bump actions/upload-artifact from 6.0.0 to 7.0.0 in the github-actions-breaking group across 1 directory hashicorp/go-version#183
• Bump the github-actions-backward-compatible group across 1 directory with 2 updates by @dependabot[bot] in Bump the github-actions-backward-compatible group across 1 directory with 2 updates hashicorp/go-version#186

New Contributors

• @sonamtenzin2 made their first contribution in Update CHANGELOG for version 1.8.0 enhancements hashicorp/go-version#178
• @brondum made their first contribution in Add support for prefix of any character hashicorp/go-version#79
• @ssagarverma made their first contribution in Update GitHub Actions to trigger on pull requests and update go version hashicorp/go-version#185

Full Changelog: hashicorp/go-version@v1.8.0...v1.9.0

v1.8.0

What's Changed

• Add CODEOWNERS file in .github/CODEOWNERS by @mukeshjc in Add CODEOWNERS file in .github/CODEOWNERS hashicorp/go-version#145
• Linting by @KaushikiAnand in Linting hashicorp/go-version#151
• Correct typos in comments by @alexandear in Correct typos in comments hashicorp/go-version#134
• Migrate GitHub Actions updates from TSCCR to Dependabot by @nodyhub in Migrate GitHub Actions updates from TSCCR to Dependabot hashicorp/go-version#155
• Bump the github-actions-backward-compatible group with 2 updates by @dependabot[bot] in Bump the github-actions-backward-compatible group with 2 updates hashicorp/go-version#157
• Update doc reference in README by @alexandear in Update doc reference in README hashicorp/go-version#135
• Bump the github-actions-breaking group with 3 updates by @dependabot[bot] in Bump the github-actions-breaking group with 3 updates hashicorp/go-version#156
• [Compliance] - PR Template Changes Required by @compliance-pr-automation-bot[bot] in [Compliance] - PR Template Changes Required hashicorp/go-version#158
• Add benchmark test for version.String() by @Manikkumar1988 in Add benchmark test for version.String() hashicorp/go-version#159
• Bytes implementation by @Manikkumar1988 in Bytes implementation hashicorp/go-version#161
• Bump actions/cache from 4.2.3 to 4.2.4 in the github-actions-backward-compatible group by @dependabot[bot] in Bump actions/cache from 4.2.3 to 4.2.4 in the github-actions-backward-compatible group hashicorp/go-version#167
• Bump actions/checkout from 4.2.2 to 5.0.0 in the github-actions-breaking group by @dependabot[bot] in Bump actions/checkout from 4.2.2 to 5.0.0 in the github-actions-breaking group hashicorp/go-version#166
• Bump the github-actions-breaking group across 1 directory with 2 updates by @dependabot[bot] in Bump the github-actions-breaking group across 1 directory with 2 updates hashicorp/go-version#171
• [IND-4226] [COMPLIANCE] Update Copyright Headers by @oss-core-libraries-dashboard[bot] in [IND-4226] [COMPLIANCE] Update Copyright Headers hashicorp/go-version#172
• drop init() by @florianl in drop init() hashicorp/go-version#175

New Contributors

• @mukeshjc made their first contribution in Add CODEOWNERS file in .github/CODEOWNERS hashicorp/go-version#145
• @KaushikiAnand made their first contribution in h

(truncated)

github.com/hashicorp/vault/api (v1.16.0 → v1.23.0) — GitHub Release

v1.21.4

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithm

(truncated)

v1.21.3

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

v1.21.2

1.21.2

January 07, 2026

CHANGES:

• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.

(truncated — see source for full notes)

github.com/go-ldap/ldap/v3 (v3.4.10 → v3.4.13) — GitHub Release

v3.4.13

What's Changed

• fix DirSync flags encoding by @johnallers in fix DirSync flags encoding go-ldap/ldap#571
• Remove execute bit from test file by @gibmat in Remove execute bit from test file go-ldap/ldap#572
• chore(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 by @dependabot[bot] in chore(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 go-ldap/ldap#573
• Update search.go: fix typo by @reshke in Update search.go: fix typo go-ldap/ldap#574
• Fix ExtendedResponse parsing by @giggsoff in Fix ExtendedResponse parsing go-ldap/ldap#575
• fix: correct extended request/response handling in Extended by @cpuschma in fix: correct extended request/response handling in Extended go-ldap/ldap#576
• refactor: simplify WhoAmI implementation using Extended API by @cpuschma in refactor: simplify WhoAmI implementation using Extended API go-ldap/ldap#577
• feat: add PostalAddress type by @cpuschma in feat: add PostalAddress type go-ldap/ldap#579
• chore: update dependencies by @cpuschma in chore: update dependencies go-ldap/ldap#581
• Address panic in GetLDAPError, add fuzzer by @TomSellers in Address panic in GetLDAPError, add fuzzer go-ldap/ldap#582

New Contributors

• @johnallers made their first contribution in fix DirSync flags encoding go-ldap/ldap#571
• @gibmat made their first contribution in Remove execute bit from test file go-ldap/ldap#572
• @reshke made their first contribution in Update search.go: fix typo go-ldap/ldap#574
• @giggsoff made their first contribution in Fix ExtendedResponse parsing go-ldap/ldap#575

Full Changelog: go-ldap/ldap@v3.4.12...v3.4.13

v3.4.12

What's New

• feat: add Github Issue templates by @cpuschma in feat: add Github Issue templates go-ldap/ldap#558
• feat: add initial support for custom entry unmarshaler by @cpuschma in feat: add initial support for custom entry unmarshaler go-ldap/ldap#557
• Added all Microsoft LDAP OIDs by @p0dalirius in Added all Microsoft LDAP OIDs go-ldap/ldap#559
• [enhancement] Added missing LDAP control ControlMicrosoftSDFlags to control.go by @p0dalirius in [enhancement] Added missing LDAP control ControlMicrosoftSDFlags to control.go go-ldap/ldap#560
• feat: Add local directory server for tests by @cpuschma in feat: Add local directory server for tests go-ldap/ldap#567
• Add RFC 5929 channel binding support for SSPI client by @Chrizpy in Add RFC 5929 channel binding support for SSPI client go-ldap/ldap#565

What's Changed

• Svace static analyzer fix by @artemseleznev in Svace static analyzer fix go-ldap/ldap#562
• test: improve test coverage by @cpuschma in test: improve test coverage go-ldap/ldap#568

New Contributors

• @artemseleznev made their first contribution in Svace static analyzer fix go-ldap/ldap#562
• @Chrizpy made their first contribution in Add RFC 5929 channel binding support for SSPI client go-ldap/ldap#565

Full Changelog: go-ldap/ldap@v3.4.11...v3.4.12

v3.4.11

What's Changed

• Allow users to specify a custom NTLM negotiator by @rtpt-erikgeiser in Allow users to specify a custom NTLM negotiator go-ldap/ldap#544
• Add go 1.24 build/testing to github workflow by @t2y in Add go 1.24 build/testing to github workflow go-ldap/ldap#548
• Fix ControlServerSideSortingResult handling for OpenLDAP by @EgorKo25 in Fix ControlServerSideSortingResult handling for OpenLDAP go-ldap/ldap#546
• Fix DIGEST-MD5 auth by @andy-igoshin in Fix DIGEST-MD5 auth go-ldap/ldap#545
• [bugfix] Added APOptions []int in client.GSSAPIBindRequest(...) and client.InitSecContext(...), fixes [bug] Could not make a working code example on connecting to LDAP with Kerberos from a linux machine to a Windows Server go-ldap/ldap#536 by @p0dalirius in [bugfix] Added APOptions []int in client.GSSAPIBindRequest(...) and client.InitSecContext(...), fixes #536 go-ldap/ldap#537
• Adding InitSecContextWithOptions to SSPI client by @stratg5 in Adding InitSecContextWithOptions to SSPI client go-ldap/ldap#549
• Update golang.org/x/net dependency by @johnweldon in Update golang.org/x/net dependency go-ldap/ldap#553
• use ldap boolean for dirsync control.criticality by @borislavfra in use ldap boolean for dirsync control.criticality go-ldap/ldap#555
• chore: update DirSync and DirSyncAsync example codes by @cpuschma in chore: update DirSync and DirSyncAsync example codes go-ldap/ldap#556

New Contributors

• @rtpt-erikgeiser made their first contribution in Allow users to specify a custom NTLM negotiator go-ldap/ldap#544
• @EgorKo25 made their first contribution in Fix ControlServerSideSortingResult handling for OpenLDAP go-ldap/ldap#546

(truncated — see source for full notes)

github.com/google/certificate-transparency-go (v1.3.1 → v1.3.3) — GitHub Release

v1.3.3

What's Changed

CTFE

• set explicit http server timeouts by @1seal in set explicit http server timeouts google/certificate-transparency-go#1755
• Regenerate protos by @phbnf in Regenerate protos google/certificate-transparency-go#1743
• Update instructions to generate protos by @phbnf in Update instructions to generate protos google/certificate-transparency-go#1742
• ctfe: Enforce max request and header size limits by @fghanmi in ctfe: Enforce max request and header size limits google/certificate-transparency-go#1720
• [CTFE] Add a /log.v3.json endpoint to help satisfy a requirement of the Chrome CT Log Policy by @robstradling in [CTFE] Add a /log.v3.json endpoint to help satisfy a requirement of the Chrome CT Log Policy google/certificate-transparency-go#1703

Tools

Log list library

• Support tiled logs in the loglist3 logfilter functions by @robstradling in Support tiled logs in the loglist3 logfilter functions google/certificate-transparency-go#1762
• Add FindTiledLog* functions by @robstradling in Add FindTiledLog* functions google/certificate-transparency-go#1763

Submission proxy

• Cap request body size in submission proxy by @1seal in Cap request body size in submission proxy google/certificate-transparency-go#1754
• add some additional log messages around CT log compatibility by @breadyzhang in add some additional log messages around CT log compatibility  google/certificate-transparency-go#1734

Other

• jsonclient: don't depend on error text from other packages in tests by @neild in jsonclient: don't depend on error text from other packages in tests google/certificate-transparency-go#1741
• Parse klog flags in preloader. by @phbnf in Parse klog flags in preloader. google/certificate-transparency-go#1711
• Fix incorrect leaf hash calculation for precertificates in upload command by @Barre in Fix incorrect leaf hash calculation for precertificates in upload command google/certificate-transparency-go#1710

Misc

• Remove internal witness by @roger2hk in Remove internal witness google/certificate-transparency-go#1765
• Update transparency-dev slack invite link by @taknira in Update transparency-dev slack invite link google/certificate-transparency-go#1718

Dependency updates

• Bump golangci-lint version to v2.10.1 by @rog

(truncated)

v1.3.2

v1.3.2

What's changed?

• CTFE - thanks to @robstradling and @rolandshoemaker
  • New feature: Rate Limiting Of Non-Fresh Submissions
  • Optimizations:
    • Better extra data storage saving
    • Better cache max-age for get-entries
  • Fixes: Disalllow mismatching signature algorithm identifiers
• Migrillian: removed support for etcd
• preloader / ct_hammer / jsconlient: a bunch of new features and fixes.
• go: bump to go 1.23 and bump to golangci-lint to 1.61.0

Misc

• [migrillian] remove etcd support in [Migrillian] Remove unused etcd support google/certificate-transparency-go#1699
• Bump golangci-lint from 1.55.1 to 1.61.0 (developers should update to this version).
• Update ctclient tool to support SCT extensions field by @liweitianux in Update ctclient to support SCT extensions google/certificate-transparency-go#1645
• Bump go to 1.23
• [ct_hammer] support HTTPS and Bearer token for Authentication.
• [preloader] support Bearer token Authentication for non temporal logs.
• [preloader] support end indexes
• [CTFE] Short cache max-age when get-entries returns fewer entries than requested by @robstradling in [CTFE] Short cache max-age when get-entries returns fewer entries than requested google/certificate-transparency-go#1707
• [CTFE] Disalllow mismatching signature algorithm identifiers in x509: disallow mismatching signature algorithm identifiers google/certificate-transparency-go#702.
• [jsonclient] surface HTTP Do and Read errors jsonclient: surface HTTP Do and Read errors google/certificate-transparency-go#1695 by @FiloSottile

CTFE Storage Saving: Extra Data Issuance Chain Deduplication

• Suppress unnecessary duplicate key errors in the IssuanceChainStorage PostgreSQL implementation by @robstradling in Suppress unnecessary duplicate key errors in the IssuanceChainStorage PostgreSQL implementation google/certificate-transparency-go#1678
• Only store IssuanceChain if not cached by @robstradling in Only store IssuanceChain if not cached google/certificate-transparency-go#1679

CTFE Rate Limiting Of Non-Fresh Submissions

(truncated — see source for full notes)

github.com/hashicorp/go-kms-wrapping/v2 (v2.0.18 → v2.0.21) — Commit comparison

• f5cd575 Add a "WithoutEnvelope" option to wrappers for raw Encrypt/Decrypt support (Add a "WithoutEnvelope" option to wrappers for raw Encrypt/Decrypt support hashicorp/go-kms-wrapping#319)
• 3aa93fd [COMPLIANCE] Update Copyright and License Headers (Batch 1 of 1) ([IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) hashicorp/go-kms-wrapping#297)
• 7de4b70 Upgrade grpc for various example modules. (Upgrade grpc for various example modules hashicorp/go-kms-wrapping#313)
• 6c3f4f9 chore: update grpc version to 1.79.3 (chore: update grpc version to 1.79.3 hashicorp/go-kms-wrapping#307)
• c729b81 Optimize KMS key reconciliation process (Optimize KMS key reconciliation process hashicorp/go-kms-wrapping#298)
• 74501ce Use AWS KMS key ARN as the key ID (Use AWS KMS key ARN as the key ID hashicorp/go-kms-wrapping#299)
• 3000775 Update all packages with golang.org/x/crypto to v0.45.0 (Update all packages with golang.org/x/crypto to v0.45.0 hashicorp/go-kms-wrapping#296)
• b504823 Update awskms to aws-sdk-go-v2 (Update awskms to aws-sdk-go-v2 hashicorp/go-kms-wrapping#293)
• 7f7ab88 Add IBM Key Protect (IBM Cloud KMS) wrapper (Add IBM Key Protect (IBM Cloud KMS) wrapper hashicorp/go-kms-wrapping#23) (Add IBM Key Protect (IBM Cloud KMS) wrapper (#23) hashicorp/go-kms-wrapping#292)
• a58e4f4 Update codeowners (Update codeowners hashicorp/go-kms-wrapping#290)
• 0ed1bf9 Add pci pr template (Add pci pr template hashicorp/go-kms-wrapping#287)
• dec44ad Update golang.org/x/crypto to v0.39.0 to resolve GO-2025-3487 (Update golang.org/x/crypto to v0.39.0 to resolve GO-2025-3487 hashicorp/go-kms-wrapping#286)
• e54e60a Update golang.org/x/net to v0.38.0 to resolve GO-2025-3503 (Update golang.org/x/net to v0.38.0 to resolve GO-2025-3503 hashicorp/go-kms-wrapping#283)
• 7145b55 Update various Github Action versions using tsccr (Update various Github Action versions using tsccr hashicorp/go-kms-wrapping#284)
• da6aa5d Fix incompatibility between workload identity and managed identity auth (Fix incompatibility between workload identity and managed identity auth hashicorp/go-kms-wrapping#280)

... and 2 more commits

github.com/hashicorp/go-secure-stdlib/password (v0.1.1 → v0.1.5) — Commit comparison

• 07759ea build(deps): bump github.com/docker/docker in /plugincontainer (build(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible in /plugincontainer hashicorp/go-secure-stdlib#108)
• e026921 Get dependabot updated indirects
• 7015604 Bump golang.org/x/crypto in /listenerutil (Bump golang.org/x/crypto from 0.0.0-20200820211705-5c72a883971a to 0.1.0 in /listenerutil hashicorp/go-secure-stdlib#86)
• 52628ee Bump google.golang.org/grpc from 1.57.0 to 1.57.1 in /plugincontainer (Bump google.golang.org/grpc from 1.57.0 to 1.57.1 in /plugincontainer hashicorp/go-secure-stdlib#103)
• 57ad9de Bump google.golang.org/grpc from 1.44.0 to 1.56.3 in /pluginutil (Bump google.golang.org/grpc from 1.44.0 to 1.56.3 in /pluginutil hashicorp/go-secure-stdlib#102)
• c372117 Bump golang.org/x/net from 0.10.0 to 0.17.0 in /pluginutil (Bump golang.org/x/net from 0.10.0 to 0.17.0 in /pluginutil hashicorp/go-secure-stdlib#101)
• 60fa7b3 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /plugincontainer (Bump golang.org/x/net from 0.9.0 to 0.17.0 in /plugincontainer hashicorp/go-secure-stdlib#100)
• 7077d7d Bump configutil deps (Bump configutil deps hashicorp/go-secure-stdlib#106)
• 463da90 Bump listenerutil deps (Bump listenerutil deps hashicorp/go-secure-stdlib#99)
• 4a201ac Bump tlsutil deps (Bump tlsutil deps hashicorp/go-secure-stdlib#98)
• 41d1bc1 Bump pluginutil deps (Bump pluginutil deps hashicorp/go-secure-stdlib#97)
• 180d0c9 Bump parseutil deps (Bump parseutil deps hashicorp/go-secure-stdlib#96)
• c6dc711 Fix double-enter issue on Windows (Fix double-enter issue on Windows hashicorp/go-secure-stdlib#95)
• 707a9aa plugincontainer: Support mlock (plugincontainer: Support mlock hashicorp/go-secure-stdlib#94)
• 22f76f8 feat(awsutil-v2): implement awsutil for aws-sdk-go-v2 (feat(awsutil-v2): implement awsutil for aws-sdk-go-v2 hashicorp/go-secure-stdlib#83)

... and 85 more commits

github.com/hashicorp/go-secure-stdlib/plugincontainer (v0.4.1 → v0.4.2) — Commit comparison

• 594f3ad [VAULT-38910]: plugincontainer: upgrade docker to resolve GO-2025-3829 ([VAULT-38910]: plugincontainer: upgrade docker to resolve GO-2025-3829 hashicorp/go-secure-stdlib#168)
• 3fcf96b Update CODEOWNERS to new shared tech team and fix mod tidy issue (Update CODEOWNERS to new shared tech team and fix go mod tidy issue hashicorp/go-secure-stdlib#167)
• 2c90c07 Add PCI pull request template (Add PCI pull request template hashicorp/go-secure-stdlib#165)
• a5126b0 Update x/crypto in listenerutil (Update x/crypto in listenerutil hashicorp/go-secure-stdlib#164)
• 079d064 Update x/crypto in configutil (Update x/crypto in configutil hashicorp/go-secure-stdlib#163)
• e1df782 Update x/crypto in pluginutil (Update x/crypto in pluginutil hashicorp/go-secure-stdlib#162)
• c6b4043 Update x/crypto in password (Update x/crypto in password hashicorp/go-secure-stdlib#161)
• 8565209 Creates the NormalizeAddr Func to Format IPv6 Addresses (Creates the NormalizeAddr Func to Format IPv6 Addresses hashicorp/go-secure-stdlib#157)
• 20f08ea Replace individual ownership with secure-leads team for scalability (Replace individual ownership with secure-leads team for scalability hashicorp/go-secure-stdlib#158)
• cd55973 Remove CODEOWNERS from non-blessed place (Remove CODEOWNERS from non-blessed place hashicorp/go-secure-stdlib#145)
• 5fe7d98 [VAULT-21456] Add a drop in replacement for the Go regexp package that interns regular expressions ([VAULT-21456] Add a drop in replacement for the Go regexp package that interns regular expressions hashicorp/go-secure-stdlib#156)
• 3f5c9b6 Avoid more instances of the DRBG in GCable RAM by reseeding rather than regenerating (Avoid more instances of the DRBG in GCable RAM by reseeding rather than regenerating. hashicorp/go-secure-stdlib#146)
• b76c43d permitpool: add new module (permitpool: add new module hashicorp/go-secure-stdlib#153)
• 2d0aa30 Add backwards compatible changes to ParsePath for extra behaviors (Add backwards compatible changes to ParsePath for extra behaviors hashicorp/go-secure-stdlib#154)
• 48acf69 Update deps (Update aws sdk deps hashicorp/go-secure-stdlib#143)

... and 11 more commits

github.com/sasha-s/go-deadlock (v0.3.5 → v0.3.9) — GitHub Release

v0.3.9

Reduce allocations from callers (sasha-s/go-deadlock#54), add new unit tests, and fix existing -race unit test failures

v0.3.8

What's Changed

• Reduce allocations per lock request (Reduce allocations per lock request sasha-s/go-deadlock#52) — replaces goroutine-per-lock deadlock detection with time.AfterFunc + sync.Pool, cutting allocations from 4 to 2 per lock/unlock cycle (~40% throughput improvement).

Full Changelog: sasha-s/go-deadlock@v0.3.7...v0.3.8

v0.3.7

Release v0.3.7

Changes

• Fix testing/synctest compatibility, including Go 1.25 support and related build tags
• Fix concurrent lock tracking under contention
• Prevent lock-order tracking from retaining mutex-containing structs on Go 1.24+

What's New

This release improves synctest compatibility, fixes concurrent lock tracking, and resolves a GC-retention issue in lock-order bookkeeping.

v0.3.6

Release v0.3.6

Changes

• Go 1.25 support
• Updated dependencies (github.com/petermattis/goid)
• Improved test coverage (90.5%)

What's New

This release includes compatibility updates for Go 1.25 and dependency updates to ensure continued reliability of deadlock detection.

google.golang.org/protobuf (v1.36.5 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)

(truncated — see source for full notes)

---

Generated by ADMS Sources: 9 GitHub Releases, 3 Commit comparisons, 3 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.