Skip to content

fix(deps): vuln minor upgrades — 5 packages (minor: 3 · patch: 2) [tests/integration_tests]#249

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/integration_tests/0-1776959836
Open

fix(deps): vuln minor upgrades — 5 packages (minor: 3 · patch: 2) [tests/integration_tests]#249
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/integration_tests/0-1776959836

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown
Contributor

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: High-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

  • tests/integration_tests (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk v1.39.0 v1.43.0 minor Transitive 4 HIGH
go.opentelemetry.io/otel/sdk v1.39.0 v1.43.0 minor Transitive 4 HIGH
github.com/go-viper/mapstructure/v2 v2.3.0 v2.5.0 minor Transitive 1 MODERATE, 2 MEDIUM
github.com/DataDog/datadog-lambda-go v1.31.0 v1.32.0 minor Direct -
github.com/DataDog/datadog-lambda-go v1.31.0 v1.32.0 minor Direct -
github.com/DataDog/datadog-lambda-go v1.31.0 v1.32.0 minor Direct -
github.com/DataDog/dd-trace-go/contrib/net/http/v2 v2.7.1 v2.7.3 patch Direct -
github.com/DataDog/dd-trace-go/v2 v2.7.1 v2.7.3 patch Direct -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (8 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 -
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 -
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/go-viper/mapstructure/v2 GO-2025-3900 medium Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure v2.3.0 2.4.0
github.com/go-viper/mapstructure/v2 CVE-2025-11065 medium - v2.3.0 -
github.com/go-viper/mapstructure/v2 GHSA-2464-8j7c-4cjm MODERATE go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data v2.3.0 2.4.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review April 24, 2026 14:43
@campaigner-prod campaigner-prod Bot requested a review from a team as a code owner April 24, 2026 14:43
@dd-prapprover
Copy link
Copy Markdown

dd-prapprover Bot commented Apr 24, 2026
edited
Loading

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-04-24T14:44:35Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants