fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) #3148

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into main from engraver-auto-version-upgrade/minorpatch/go/1-1781562948

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: High-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| github.com/moby/spdystream | v0.5.0 | v0.5.1 | patch | Transitive | 2 HIGH |
| github.com/containerd/containerd | v1.7.30 | v1.7.32 | patch | Transitive | 1 HIGH |
| github.com/nwaples/rardecode | v1.1.0 | v1.1.3 | patch | Transitive | 3 MEDIUM |
| github.com/ulikunitz/xz | v0.5.14 | v0.5.15 | patch | Transitive | 3 MEDIUM |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.33.0 | v1.44.0 | minor | Transitive | 2 MEDIUM |
| golang.org/x/crypto | v0.51.0 | v0.53.0 | minor | Transitive | 13 UNKNOWN |

Security Details

🚨 Critical & High Severity (3 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/containerd/containerd | GHSA-fqw6-gf59-qr4w | HIGH | containerd user ID handling bypass allows runAsNonRoot evasion | v1.7.30 | 1.7.32 |
| github.com/moby/spdystream | GO-2026-4958 | HIGH | Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream | v0.5.0 | 0.5.1 |
| github.com/moby/spdystream | GHSA-pc3f-x583-g7j2 | HIGH | SpdyStream: DOS on CRI | v0.5.0 | 0.5.1 |

ℹ️ Other Vulnerabilities (21)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/ulikunitz/xz | CVE-2025-58058 | medium | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | - |
| github.com/ulikunitz/xz | GO-2025-3922 | medium | Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz | v0.5.14 | 0.5.15 |
| github.com/nwaples/rardecode | GO-2025-4020 | MODERATE | DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode | v1.1.0 | - |
| github.com/nwaples/rardecode | CVE-2025-11579 | MODERATE | - | v1.1.0 | - |
| github.com/nwaples/rardecode | GHSA-rwvp-r38j-9rgg | MODERATE | rardecode: DoS risk due to unrestricted RAR dictionary sizes | v1.1.0 | - |
| github.com/ulikunitz/xz | GHSA-jc7w-c686-c4v9 | MODERATE | github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives | v0.5.14 | 0.5.15 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GO-2026-4985 | MODERATE | Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp | v1.33.0 | 1.43.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.33.0 | 1.43.0 |
| golang.org/x/crypto | GO-2026-5015 | unknown | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5014 | unknown | Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5017 | unknown | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5006 | unknown | Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5018 | unknown | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5019 | unknown | Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5005 | unknown | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5021 | unknown | Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5013 | unknown | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5033 | unknown | Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5020 | unknown | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5023 | unknown | Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5016 | unknown | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | v0.51.0 | 0.52.0 |

⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/nwaples/rardecode | v1.1.0 | - | v1.1.3 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

datadog-official Bot commented Jun 15, 2026

Pipelines

⚠️ Warnings

🚦 4 Pipeline jobs failed

  • DataDog/datadog-operator | check-golang-version (GitLab)
  • validation | build (GitHub Actions)
  • pull request linter | Check Milestone (GitHub Actions)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: d23ef0c

@gh-worker-campaigns-3e9aa4 (Contributor, Author)

Auto-rebase complete

Branch is up to date with main — rebased onto 72bc0a0.


Auto-Rebase · Add no-auto-rebase to opt out

dd-octo-sts-4aefcb Bot force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 56752cb to 41cdf08 on June 16, 2026 08:37

gh-worker-campaigns-3e9aa4 Bot (Contributor, Author) commented Jun 19, 2026

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019eee53-9504-7e36-acb7-b8231dfbba3a_57, runID: 019eee53-bb70-72f8-ae82-a3062f4c9dcb, initiatedEventID: 57, startedEventID: 58): activity error (type: engraver.Engraver_GetChanges, scheduledEventID: 8, startedEventID: 9, identity: 1@engraver-worker-54fc6f45bb-p5mdp@): unable to clone github repository: git clone failed: exit status 128 (type: wrapError, retryable: true): git clone failed: exit status 128 (type: wrapError, retryable: true): exit status 128 (type: ExitError, retryable: true)


Auto-Rebase · Add no-auto-rebase to opt out

dd-octo-sts-b8cf80 Bot and others added 2 commits June 22, 2026 15:30
Co-authored-by: dd-octo-sts-4aefcb[bot] <266798660+dd-octo-sts-4aefcb[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-4aefcb[bot] <266798660+dd-octo-sts-4aefcb[bot]@users.noreply.github.com>
@gh-worker-campaigns-3e9aa4 (Contributor, Author)

Auto-rebase complete

Branch is up to date with main — rebased onto 5fcb7f8.


Auto-Rebase · Add no-auto-rebase to opt out

dd-octo-sts-b8cf80 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/go/1-1781562948 branch from 41cdf08 to d23ef0c on June 22, 2026 15:30