Summary
Steampipe has 4 open Dependabot alerts for vulnerable dependencies that need to be resolved:
| Alert | Severity | Package | CVE | Fix |
| --- | --- | --- | --- | --- |
| #222 | Critical | google.golang.org/grpc < 1.79.3 | CVE-2026-33186 | Bump to v1.79.3 |
| #220 | High | go.opentelemetry.io/otel/sdk < 1.40.0 | CVE-2026-24051 | Bump to v1.40.0 |
| #221 | High | github.com/jackc/pgproto3/v2 <= 2.3.3 | DoS | Remove pgconn v1 dep |
| #223 | High | github.com/jackc/pgproto3/v2 <= 2.3.3 | CVE-2026-4427 | Remove pgconn v1 dep |
Fix
- Bump grpc to v1.79.3 and protobuf to v1.36.11
- Bump otel/sdk to v1.40.0 (resolved transitively via pipe-fittings update)
- Swap the github.com/jackc/pgconn v1 import in pkg/error_helpers/postgres.go to github.com/jackc/pgx/v5/pgconn — the only direct usage of pgconn v1 in this repo
- go mod tidy to drop pgconn v1 and pgproto3/v2 from the module graph entirely

All vulnerable packages were transitive dependencies except the single pgconn import in error_helpers.
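To confirm after `go mod tidy` that none of the alerted versions survive in the module graph, here is an added example (not part of this PR or the Steampipe code base) that applies the table's version constraints to `go list -m all` output; the module lines in `SampleGoList` are constructed, not the repo's real graph.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert mirrors one table row: a module is vulnerable while its version is
// below MaxVuln, or equal to it when Inclusive is set (the "<=" rows).
type Alert struct{ Module, MaxVuln string; Inclusive bool }

// Alerts are the distinct rows above (#221 and #223 name the same module).
var Alerts = []Alert{
	{"google.golang.org/grpc", "v1.79.3", false},
	{"go.opentelemetry.io/otel/sdk", "v1.40.0", false},
	{"github.com/jackc/pgproto3/v2", "v2.3.3", true},
}

// SampleGoList is constructed `go list -m all` output, not the repo's real graph.
const SampleGoList = "github.com/example/app\n" +
	"google.golang.org/grpc v1.78.0\n" +
	"go.opentelemetry.io/otel/sdk v1.40.0\n" +
	"github.com/jackc/pgproto3/v2 v2.3.3\n"

// verKey folds "vMAJOR.MINOR.PATCH" into one comparable int (parts assumed < 1000).
// A -pre/+meta suffix is ignored, so v1.79.3-rc1 compares equal to v1.79.3.
func verKey(s string) (int, bool) {
	var a, b, c int
	if n, _ := fmt.Sscanf(s, "v%d.%d.%d", &a, &b, &c); n != 3 {
		return 0, false
	}
	return a*1e6 + b*1e3 + c, true
}

// FindVulnerable returns "module version" for each go-list line that still
// matches an Alert; lines without a version (the main module) are skipped.
func FindVulnerable(goList string, alerts []Alert) []string {
	var hits []string
	for _, line := range strings.Split(goList, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		for _, a := range alerts {
			have, ok := verKey(f[1])
			if lim, ok2 := verKey(a.MaxVuln); a.Module == f[0] && ok && ok2 &&
				(have < lim || have == lim && a.Inclusive) {
				hits = append(hits, f[0]+" "+f[1])
			}
		}
	}
	return hits
}
```

Feed it the real output of `go list -m all` and an empty result means every row of the table is cleared; the pgproto3/v2 row only clears once the module is gone entirely, since no fixed release is listed.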