Skip to content

VULN UPGRADE: major upgrades — 8 packages (unstable: 6 · minor: 2) [v2]#760

Open
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/major/go/v2/0-1770981576
Open

VULN UPGRADE: major upgrades — 8 packages (unstable: 6 · minor: 2) [v2]#760
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/major/go/v2/0-1770981576

Conversation

@campaigner-prod
Copy link

@campaigner-prod campaigner-prod bot commented Feb 13, 2026

Summary: Security update — 8 packages upgraded (MAJOR changes included)

Manifests changed:

  • v2 (go)

Updates

Package From To Type Vulnerabilities Fixed
golang.org/x/crypto v0.41.0 v0.47.0 major 6 MODERATE, 1 UNKNOWN
github.com/hashicorp/hc-install v0.6.4 v0.9.2 major -
github.com/hashicorp/terraform-exec v0.21.0 v0.24.0 major -
golang.org/x/oauth2 v0.27.0 v0.35.0 major -
golang.org/x/sync v0.16.0 v0.19.0 major -
google.golang.org/api v0.218.0 v0.265.0 major -
github.com/fatih/color v1.16.0 v1.18.0 minor -
github.com/hashicorp/go-version v1.6.0 v1.8.0 minor -

Packages marked with "-" are updated due to dependency constraints.

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

ℹ️ Other Vulnerabilities (7)
Package CVE Severity Summary Unsafe Version Fixed In
golang.org/x/crypto GHSA-f6x5-jh6r-wrfv MODERATE golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read v0.41.0 0.45.0
golang.org/x/crypto CVE-2025-47914 MODERATE - v0.41.0 -
golang.org/x/crypto GO-2025-4135 MODERATE Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent v0.41.0 0.45.0
golang.org/x/crypto GHSA-j5w8-q4qc-rx2x MODERATE golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption v0.41.0 0.45.0
golang.org/x/crypto CVE-2025-58181 MODERATE - v0.41.0 -
golang.org/x/crypto GO-2025-4134 MODERATE Unbounded memory consumption in golang.org/x/crypto/ssh v0.41.0 0.45.0
golang.org/x/crypto GO-2025-4116 unknown Potential denial of service in golang.org/x/crypto/ssh/agent v0.41.0 0.43.0
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
github.com/hashicorp/go-version v1.6.0 Jun 28, 2025 v1.8.0 v2/go.mod

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot requested a review from a team as a code owner February 13, 2026 11:20
@campaigner-prod campaigner-prod bot requested a review from a team as a code owner February 13, 2026 11:20
@dd-prapprover
Copy link

dd-prapprover bot commented Feb 13, 2026
edited
Loading

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-02-13T11:20:31Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed, please fix and re-trigger

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-go adms-major-update adms-medium-severity adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants