
fix(deps): vuln minor upgrades — 7 packages (minor: 4 · patch: 3) [test/e2e] #3147

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/e2e/0-1781562948

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: High-severity security update — 7 packages upgraded (MINOR changes included)

Manifests changed:

  • test/e2e (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| github.com/moby/spdystream | v0.5.0 | v0.5.1 | patch | Transitive | 2 HIGH |
| github.com/go-git/go-git/v5 | v5.16.5 | v5.19.1 | minor | Transitive | 1 HIGH, 6 MEDIUM, 4 LOW |
| github.com/go-git/go-billy/v5 | v5.6.2 | v5.9.0 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| github.com/containerd/containerd | v1.7.30 | v1.7.32 | patch | Transitive | 1 HIGH |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.93.1 | v1.103.3 | minor | Transitive | 1 MEDIUM |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | v1.7.4 | v1.7.13 | patch | Transitive | 1 MEDIUM |
| golang.org/x/crypto | v0.51.0 | v0.53.0 | minor | Transitive | 13 UNKNOWN |

Security Details

🚨 Critical & High Severity (5 fixed)

| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/containerd/containerd | GHSA-fqw6-gf59-qr4w | HIGH | containerd user ID handling bypass allows runAsNonRoot evasion | v1.7.30 | 1.7.32 |
| github.com/go-git/go-billy/v5 | GHSA-qw64-3x98-g7q2 | HIGH | go-billy has path traversal vulnerabilities | v5.6.2 | 5.9.0 |
| github.com/go-git/go-git/v5 | GHSA-389r-gv7p-r3rp | HIGH | go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git | v5.16.5 | 5.19.0 |
| github.com/moby/spdystream | GHSA-pc3f-x583-g7j2 | HIGH | SpdyStream: DOS on CRI | v0.5.0 | 0.5.1 |
| github.com/moby/spdystream | GO-2026-4958 | HIGH | Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream | v0.5.0 | 0.5.1 |

ℹ️ Other Vulnerabilities (26)

| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4910 | MEDIUM | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.16.5 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | MEDIUM | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.5 | - |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.7.4 | 1.7.8 |
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.93.1 | 1.97.3 |
| github.com/go-git/go-billy/v5 | GHSA-m3xc-h892-ggx6 | MODERATE | go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion | v5.6.2 | 5.9.0 |
| github.com/go-git/go-git/v5 | GHSA-w5pp-99ch-qj29 | MODERATE | go-git: Malformed Git object data may cause panics or resource exhaustion | v5.16.5 | 5.19.1 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.16.5 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-crhj-59gh-8x96 | MODERATE | go-git: Crafted repositories may modify main and submodule .git directories | v5.16.5 | 5.19.1 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.16.5 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-m7cr-m3pv-hgrp | LOW | go-git: Improper single-quote escaping in go-git SSH transport | v5.16.5 | 5.19.1 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | LOW | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.16.5 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | LOW | go-git: Missing validation decoding Index v4 files leads to panic | v5.16.5 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.16.5 | 5.17.1 |
| golang.org/x/crypto | GO-2026-5016 | UNKNOWN | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5013 | UNKNOWN | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5021 | UNKNOWN | Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5005 | UNKNOWN | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5019 | UNKNOWN | Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5018 | UNKNOWN | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5014 | UNKNOWN | Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5017 | UNKNOWN | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5006 | UNKNOWN | Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5015 | UNKNOWN | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5033 | UNKNOWN | Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5020 | UNKNOWN | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5023 | UNKNOWN | Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
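
The checklist in the PR body says to review the changes, but for an advisory-driven bump of transitive modules the concrete thing to verify is that each target version in the Updates table clears every advisory listed for that package in Security Details, not only the first one: the go-git rows alone cite fixes in 5.17.1, 5.18.0, 5.19.0 and 5.19.1, so the required floor is the highest of those, and two CVE rows list no fixed version at all and cannot be closed out from this table. The Go program below is an added example written for this review; it is not part of the PR, the repository, or the DataDog Engraver tooling that opened it. `Advisory`, `Finding`, `CheckUpgrades`, `PRTargets` and `PRAdvisories` are names introduced here; the version data is transcribed from the tables above, with the advisory list abridged to the rows that matter for the floor computation. Version parsing is deliberately standard-library only and ignores pre-release ordering.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory is one "Security Details" row; FixedIn is "" where the table shows "-".
type Advisory struct{ Module, ID, FixedIn string }

// Finding is the verdict for one upgraded module.
type Finding struct {
	Target, Floor string   // PR "To" version; highest FixedIn among the module's advisories
	Unverifiable  []string // advisory IDs that record no fixed version
	OK            bool     // Target >= Floor; false when no floor could be derived
}

// parseVersion turns "v5.19.1" or "5.19.1" into [5 19 1]. Pre-release/build suffixes
// are dropped; ordering those needs golang.org/x/mod/semver, avoided here on purpose.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	if n, err := fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2]); err != nil || n != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	return out, nil
}

// less reports whether a < b, comparing major, then minor, then patch.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// CheckUpgrades maps each module in targets (module -> "To" version) to a Finding.
// The floor is the max FixedIn over the module's advisories, so a target that only
// clears the oldest advisory's fix is still flagged; rows with no fix are listed as
// unverifiable instead of being silently counted as fixed.
func CheckUpgrades(targets map[string]string, advisories []Advisory) (map[string]Finding, error) {
	out := make(map[string]Finding, len(targets))
	for mod, target := range targets {
		tv, err := parseVersion(target)
		if err != nil {
			return nil, err
		}
		f := Finding{Target: target}
		var floor [3]int
		for _, a := range advisories {
			if a.Module != mod {
				continue
			}
			if a.FixedIn == "" {
				f.Unverifiable = append(f.Unverifiable, a.ID)
				continue
			}
			fv, err := parseVersion(a.FixedIn)
			if err != nil {
				return nil, err
			}
			if f.Floor == "" || less(floor, fv) {
				floor, f.Floor = fv, a.FixedIn
			}
		}
		f.OK = f.Floor != "" && !less(tv, floor)
		out[mod] = f
	}
	return out, nil
}

// Transcribed from this PR's tables; advisories abridged to the rows that set each
// floor plus the two rows whose "Fixed In" column is "-".
var PRTargets = map[string]string{
	"github.com/go-git/go-git/v5": "v5.19.1",
	"github.com/moby/spdystream":  "v0.5.1",
	"golang.org/x/crypto":         "v0.53.0",
}
var PRAdvisories = []Advisory{
	{"github.com/go-git/go-git/v5", "GO-2026-4910", "5.17.1"},
	{"github.com/go-git/go-git/v5", "CVE-2026-34165", ""},
	{"github.com/go-git/go-git/v5", "GHSA-3xc5-wrhm-f963", "5.18.0"},
	{"github.com/go-git/go-git/v5", "GHSA-389r-gv7p-r3rp", "5.19.0"},
	{"github.com/go-git/go-git/v5", "GHSA-w5pp-99ch-qj29", "5.19.1"},
	{"github.com/go-git/go-git/v5", "CVE-2026-33762", ""},
	{"github.com/moby/spdystream", "GHSA-pc3f-x583-g7j2", "0.5.1"},
	{"golang.org/x/crypto", "GO-2026-5016", "0.52.0"},
}

func main() {
	findings, err := CheckUpgrades(PRTargets, PRAdvisories)
	if err != nil {
		panic(err)
	}
	for mod, f := range findings {
		fmt.Printf("%s: target=%s floor=%s ok=%v unverifiable=%v\n", mod, f.Target, f.Floor, f.OK, f.Unverifiable)
	}
}
```

Run it with `go run`. To confirm what the e2e module really resolves after the bump, run `go list -m all` inside test/e2e and compare the printed versions against the floors; `govulncheck ./...` in the same directory will additionally report whether the test code reaches the vulnerable symbols, which informs how urgent the merge is but does not lower the floors.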

@datadog-prod-us1-3

datadog-prod-us1-3 Bot commented Jun 15, 2026



⚠️ Warnings

🚦 2 Pipeline jobs failed

pull request linter | Check Milestone (GitHub Actions)

pull request linter | build (GitHub Actions)

ℹ️ Info

🎯 Code Coverage
Patch Coverage: 100.00%
Overall Coverage: 44.27% (+0.00%)


This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 20092dd

@codecov-commenter

codecov-commenter commented Jun 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.79%. Comparing base (68e2ee9) to head (ea89383).

Additional details and impacted files


@@           Coverage Diff           @@
##             main    #3147   +/-   ##
=======================================
  Coverage   43.79%   43.79%           
=======================================
  Files         375      375           
  Lines       30575    30575           
=======================================
  Hits        13390    13390           
  Misses      16276    16276           
  Partials      909      909           
| Flag | Coverage Δ |
|---|---|
| unittests | 43.79% <ø> (ø) |

Flags with carried forward coverage won't be shown.



Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 68e2ee9...ea89383.


@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jun 19, 2026

Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019eee53-94f3-7b77-bb74-da49dcac4376_57, runID: 019eee53-b5e8-78b6-8849-3dca88d6129d, initiatedEventID: 57, startedEventID: 58): activity error (type: engraver.Engraver_GetChanges, scheduledEventID: 8, startedEventID: 9, identity: 1@engraver-worker-54fc6f45bb-hrxk8@): unable to clone github repository: git clone failed: exit status 128 (type: wrapError, retryable: true): git clone failed: exit status 128 (type: wrapError, retryable: true): exit status 128 (type: ExitError, retryable: true)


Auto-Rebase · Add no-auto-rebase to opt out

Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@gh-worker-campaigns-3e9aa4

Contributor Author

Auto-rebase complete

Branch is up to date with main — rebased onto 5fcb7f8.


Auto-Rebase · Add no-auto-rebase to opt out

dd-octo-sts Bot force-pushed the engraver-auto-version-upgrade/minorpatch/go/e2e/0-1781562948 branch from ea89383 to 20092dd on June 22, 2026 15:30