
fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) #3148

Merged: levan-m merged 5 commits into main from engraver-auto-version-upgrade/minorpatch/go/1-1781562948 on Jun 26, 2026

Conversation

@gh-worker-campaigns-3e9aa4 (Contributor)

Summary: High-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| github.com/moby/spdystream | v0.5.0 | v0.5.1 | patch | Transitive | 2 HIGH |
| github.com/containerd/containerd | v1.7.30 | v1.7.32 | patch | Transitive | 1 HIGH |
| github.com/nwaples/rardecode | v1.1.0 | v1.1.3 | patch | Transitive | 3 MEDIUM |
| github.com/ulikunitz/xz | v0.5.14 | v0.5.15 | patch | Transitive | 3 MEDIUM |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.33.0 | v1.44.0 | minor | Transitive | 2 MEDIUM |
| golang.org/x/crypto | v0.51.0 | v0.53.0 | minor | Transitive | 13 UNKNOWN |

Security Details

🚨 Critical & High Severity (3 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/containerd/containerd | GHSA-fqw6-gf59-qr4w | HIGH | containerd user ID handling bypass allows runAsNonRoot evasion | v1.7.30 | 1.7.32 |
| github.com/moby/spdystream | GO-2026-4958 | HIGH | Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream | v0.5.0 | 0.5.1 |
| github.com/moby/spdystream | GHSA-pc3f-x583-g7j2 | HIGH | SpdyStream: DOS on CRI | v0.5.0 | 0.5.1 |
ℹ️ Other Vulnerabilities (21)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/ulikunitz/xz | CVE-2025-58058 | medium | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | - |
| github.com/ulikunitz/xz | GO-2025-3922 | medium | Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz | v0.5.14 | 0.5.15 |
| github.com/nwaples/rardecode | GO-2025-4020 | MODERATE | DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode | v1.1.0 | - |
| github.com/nwaples/rardecode | CVE-2025-11579 | MODERATE | - | v1.1.0 | - |
| github.com/nwaples/rardecode | GHSA-rwvp-r38j-9rgg | MODERATE | rardecode: DoS risk due to unrestricted RAR dictionary sizes | v1.1.0 | - |
| github.com/ulikunitz/xz | GHSA-jc7w-c686-c4v9 | MODERATE | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | 0.5.15 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GO-2026-4985 | MODERATE | Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp | v1.33.0 | 1.43.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.33.0 | 1.43.0 |
| golang.org/x/crypto | GO-2026-5015 | unknown | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5014 | unknown | Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5017 | unknown | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5006 | unknown | Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5018 | unknown | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5019 | unknown | Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5005 | unknown | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5021 | unknown | Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5013 | unknown | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5033 | unknown | Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5020 | unknown | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5023 | unknown | Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5016 | unknown | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/nwaples/rardecode | v1.1.0 | - | v1.1.3 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official (Bot) commented Jun 15, 2026


⚠️ Warnings

🚦 3 Pipeline jobs failed

  • DataDog/datadog-operator | e2e: [1.30]
  • DataDog/datadog-operator | e2e: [1.24]
  • DataDog/datadog-operator | e2e: [1.19]

ℹ️ Info

🎯 Code Coverage
Patch Coverage: 100.00%
Overall Coverage: 44.94% (+0.00%)

🔗 Commit SHA: 45a3864

@gh-worker-campaigns-3e9aa4 (Contributor, Author)

Auto-rebase complete

Branch is up to date with main — rebased onto 72bc0a0.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-4aefcb (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 56752cb to 41cdf08 on June 16, 2026 08:37
@gh-worker-campaigns-3e9aa4 (Bot, Contributor, Author) commented Jun 19, 2026

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019eee53-9504-7e36-acb7-b8231dfbba3a_57, runID: 019eee53-bb70-72f8-ae82-a3062f4c9dcb, initiatedEventID: 57, startedEventID: 58): activity error (type: engraver.Engraver_GetChanges, scheduledEventID: 8, startedEventID: 9, identity: 1@engraver-worker-54fc6f45bb-p5mdp@): unable to clone github repository: git clone failed: exit status 128 (type: wrapError, retryable: true): git clone failed: exit status 128 (type: wrapError, retryable: true): exit status 128 (type: ExitError, retryable: true)



@gh-worker-campaigns-3e9aa4 (Bot, Contributor, Author) commented Jun 22, 2026

Auto-rebase complete

Branch is up to date with main — rebased onto 04ff744.



@dd-octo-sts-b8cf80 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 41cdf08 to d23ef0c on June 22, 2026 15:30
@dd-octo-sts-dcc400 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from d23ef0c to 3f4fb19 on June 23, 2026 17:16
@dd-octo-sts-4caf68 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 3f4fb19 to af43f8a on June 23, 2026 17:22
@dd-octo-sts-019303 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch 2 times, most recently from f3240ee to 7f31609 on June 24, 2026 13:38
@levan-m added the labels "dependencies" (Pull requests that update a dependency file) and "qa/skip-qa" on Jun 24, 2026
@levan-m force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 189b11b to f26050c on June 24, 2026 21:06
@dd-octo-sts-0c48d7 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from f26050c to d92bef6 on June 25, 2026 09:02
@dd-octo-sts-4191dd (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from d92bef6 to c283570 on June 25, 2026 09:46
@dd-octo-sts-26fcfa (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from c283570 to 1137790 on June 25, 2026 11:11
@dd-octo-sts-0c48d7 (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 1137790 to efcf30f on June 25, 2026 12:21
@dd-octo-sts-aad58d (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from efcf30f to a51853c on June 25, 2026 12:24
@dd-octo-sts-26fcfa (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from a51853c to 9474b53 on June 25, 2026 15:14
@levan-m marked this pull request as ready for review on June 25, 2026 18:15
@levan-m requested a review from a team on June 25, 2026 18:15
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
The upgrade from github.com/moby/spdystream v0.5.0 to v0.5.1 introduced
a new sub-package github.com/moby/spdystream/spdy with a BSD-3-Clause
license. Add the missing entry to keep LICENSE-3rdparty.csv up to date.

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
Run 'go work sync' to keep api/go.mod consistent with the transitive
dependency updates from the main module (golang.org/x/* version bumps
pulled in by the moby/spdystream and opentelemetry upgrades).

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
'go mod tidy' adds .mod file hash entries that 'go work sync' omits.
Required to satisfy the check-golang-version CI validation.

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
@dd-octo-sts-26fcfa (Bot) force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 9474b53 to 45a3864 on June 26, 2026 13:57
@levan-m merged commit db2335b into main on Jun 26, 2026
40 of 43 checks passed
@levan-m deleted the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch on June 26, 2026 15:08