Skip to content

fix(deps): vuln minor: github.com/go-viper/mapstructure/v2, go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk #251

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1778222090
Draft

fix(deps): vuln minor: github.com/go-viper/mapstructure/v2, go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk #251
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1778222090

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown
Contributor

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented May 8, 2026

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
go.opentelemetry.io/otel/sdk v1.39.0 v1.43.0 minor Transitive 4 HIGH
go.opentelemetry.io/otel v1.39.0 v1.43.0 minor Direct 1 HIGH
github.com/go-viper/mapstructure/v2 v2.3.0 v2.5.0 minor Transitive 1 MODERATE, 2 MEDIUM

Security Details

🚨 Critical & High Severity (5 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
go.opentelemetry.io/otel GHSA-mh2q-q3fh-2475 HIGH OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) v1.39.0 1.41.0
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 HIGH OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/go-viper/mapstructure/v2 GO-2025-3900 medium Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure v2.3.0 2.4.0
github.com/go-viper/mapstructure/v2 CVE-2025-11065 medium - v2.3.0 -
github.com/go-viper/mapstructure/v2 GHSA-2464-8j7c-4cjm MODERATE go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data v2.3.0 2.4.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@dd-octo-sts-2c363b @gh-worker-campaigns-3e9aa4
Executing automated changes
a906e5b 
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown
Contributor Author

gh-worker-campaigns-3e9aa4 Bot commented May 8, 2026

Auto-rebase complete

Branch is up to date with main — rebased onto b0d6ebc.

Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-2c363b dd-octo-sts-2c363b Bot force-pushed the engraver-auto-version-upgrade/minorpatch/go/0-1778222090 branch from 72306fc to a906e5b Compare May 8, 2026 12:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants