fix(deps): vuln unstable upgrades — 45 packages (unstable: 3 · minor: 42) [test] #2596

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into main from engraver-auto-version-upgrade/unstable/go/test/0-1776960887

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 45 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • test (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.75.1 | v1.80.0 | minor | Transitive | 3 CRITICAL |
| github.com/go-git/go-git/v5 | v5.13.2 | v5.18.0 | minor | Transitive | 3 MODERATE, 4 MEDIUM, 3 LOW |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.88.1 | v1.99.1 | minor | Transitive | 1 MODERATE |
| github.com/DataDog/datadog-agent/pkg/util/testutil | v0.72.2 | v0.78.0 | unstable | Direct | - |
| github.com/DataDog/datadog-agent/test/fakeintake | v0.72.2 | v0.78.0 | unstable | Direct | - |
| github.com/DataDog/datadog-agent/test/new-e2e | v0.72.2 | v0.78.0 | unstable | Direct | - |
| github.com/BurntSushi/toml | v1.4.1-0.20240526193622-a339e1f7089c | v1.6.0 | minor | Transitive | - |
| github.com/DataDog/datadog-api-client-go/v2 | v2.46.0 | v2.58.0 | minor | Transitive | - |
| github.com/ProtonMail/go-crypto | v1.1.6 | v1.4.1 | minor | Transitive | - |
| github.com/alessio/shellescape | v1.4.2 | v1.6.0 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2 | v1.39.0 | v1.41.6 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/config | v1.31.9 | v1.32.16 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/credentials | v1.18.13 | v1.19.15 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ecr | v1.45.1 | v1.57.1 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ecs | v1.64.0 | v1.78.1 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/internal/checksum | v1.8.7 | v1.9.14 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ssm | v1.64.4 | v1.68.5 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sso | v1.29.3 | v1.30.16 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ssooidc | v1.34.5 | v1.35.20 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sts | v1.38.4 | v1.42.0 | minor | Transitive | - |
| github.com/aws/smithy-go | v1.23.0 | v1.25.0 | minor | Transitive | - |
| github.com/charmbracelet/bubbletea | v1.2.4 | v1.3.10 | minor | Transitive | - |
| github.com/emicklei/go-restful/v3 | v3.12.1 | v3.13.0 | minor | Transitive | - |
| github.com/fxamacker/cbor/v2 | v2.7.0 | v2.9.1 | minor | Transitive | - |
| github.com/go-errors/errors | v1.4.2 | v1.5.1 | minor | Transitive | - |
| github.com/go-git/go-billy/v5 | v5.6.2 | v5.8.0 | minor | Transitive | - |
| github.com/hashicorp/hcl/v2 | v2.23.0 | v2.24.0 | minor | Transitive | - |
| github.com/kevinburke/ssh_config | v1.2.0 | v1.6.0 | minor | Transitive | - |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | v1.4.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-aws/sdk/v6 | v6.66.2 | v6.83.3 | minor | Transitive | - |
| github.com/pulumi/pulumi-awsx/sdk/v2 | v2.19.0 | v2.22.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-azure-native-sdk/v2 | v2.81.0 | v2.92.2 | minor | Transitive | - |
| github.com/pulumi/pulumi-command/sdk | v1.0.1 | v1.2.1 | minor | Transitive | - |
| github.com/pulumi/pulumi-docker/sdk/v4 | v4.9.0 | v4.11.2 | minor | Transitive | - |
| github.com/pulumi/pulumi-eks/sdk/v3 | v3.7.0 | v3.9.1 | minor | Transitive | - |
| github.com/pulumi/pulumi-kubernetes/sdk/v4 | v4.23.0 | v4.29.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-random/sdk/v4 | v4.18.4 | v4.19.2 | minor | Transitive | - |
| github.com/samber/lo | v1.51.0 | v1.53.0 | minor | Transitive | - |
| github.com/tinylib/msgp | v1.4.0 | v1.6.4 | minor | Transitive | - |
| github.com/zclconf/go-cty | v1.15.1 | v1.18.1 | minor | Transitive | - |
| go.opentelemetry.io/otel | v1.38.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/metric | v1.38.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/trace | v1.38.0 | v1.43.0 | minor | Transitive | - |
| gopkg.in/evanphx/json-patch.v4 | v4.12.0 | v4.13.0 | minor | Transitive | - |
| k8s.io/klog/v2 | v2.130.1 | v2.140.0 | minor | Transitive | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (3 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GO-2026-4762 | CRITICAL | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.75.1 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.75.1 | - |
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.75.1 | 1.79.3 |

ℹ️ Other Vulnerabilities (11)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4473 | medium | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | GO-2026-4910 | medium | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | medium | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | - |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | medium | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | - |
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.88.1 | 1.97.3 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.13.2 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | LOW | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | LOW | go-git: Missing validation decoding Index v4 files leads to panic | v5.13.2 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.13.2 | 5.17.1 |

⚠️ Dependencies that have Reached EOL (4)

| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/go-errors/errors | v1.4.2 | - | v1.5.1 | test/go.mod |
| github.com/kevinburke/ssh_config | v1.2.0 | - | v1.6.0 | test/go.mod |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | - | v1.4.0 | test/go.mod |
| gopkg.in/evanphx/json-patch.v4 | v4.12.0 | - | v4.13.0 | test/go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 369ccc95ad

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread test/go.mod
module github.com/DataDog/helm-charts/test

go 1.24.9
go 1.25.8
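Review bot: the go directive bump from 1.24.9 to 1.25.8 in test/go.mod should be kept on a released toolchain that the CI workflows already provision; as the review comment below records, running `go test -C test ./datadog` attempts to auto-fetch go1.25.8 and fails with 403 Forbidden, and .github/workflows/go-test-datadog.yaml:33 still installs Go 1.24, so this single line makes the test module unbuildable in CI. If one of the 45 upgraded packages genuinely requires a newer go directive, pin the workflows to the same released version in this PR rather than shipping a directive the toolchain proxy cannot serve.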

P1: Use a released Go version in test module

Bumping test/go.mod to go 1.25.8 makes the test module unbuildable right now: running go test -C test ./datadog attempts to auto-fetch go1.25.8 and fails (golang.org/toolchain ... 403 Forbidden), which means CI jobs that run this module cannot execute. This also conflicts with the current workflows that still provision Go 1.24 (for example .github/workflows/go-test-datadog.yaml:33), so this commit introduces a hard failure path until the module targets an actually available toolchain (or workflows are updated to a released matching version).


@dd-octo-sts-c33ac5 dd-octo-sts-c33ac5 Bot force-pushed the engraver-auto-version-upgrade/unstable/go/test/0-1776960887 branch from 369ccc9 to ac8476a Compare June 4, 2026 15:48
@gh-worker-campaigns-3e9aa4 (Author) Bot commented Jun 4, 2026

Auto-rebase complete

Branch is up to date with main — rebased onto 41b352b.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-c33ac5 dd-octo-sts-c33ac5 Bot requested a review from a team as a code owner June 4, 2026 15:48
@dd-octo-sts-c33ac5 dd-octo-sts-c33ac5 Bot requested review from raymondeah and removed request for a team June 4, 2026 15:48
dd-octo-sts-aad58d Bot and others added 2 commits June 5, 2026 07:07
Co-authored-by: dd-octo-sts-c33ac5[bot] <256648544+dd-octo-sts-c33ac5[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-c33ac5[bot] <256648544+dd-octo-sts-c33ac5[bot]@users.noreply.github.com>
@dd-octo-sts-aad58d dd-octo-sts-aad58d Bot force-pushed the engraver-auto-version-upgrade/unstable/go/test/0-1776960887 branch from ac8476a to 6804e90 Compare June 5, 2026 07:07