
fix(deps): vuln unstable upgrades — 62 packages (unstable: 1 · minor: 61) [test/e2e] #426

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/unstable/go/e2e/0-1776941218

Conversation

@gh-worker-campaigns-3e9aa4
Contributor

Summary: Critical-severity security update — 62 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • test/e2e (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.72.2 | v1.80.0 | minor | Transitive | 3 CRITICAL |
| github.com/go-git/go-git/v5 | v5.13.2 | v5.18.0 | minor | Transitive | 3 MODERATE, 4 MEDIUM, 3 LOW |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | v1.6.11 | v1.7.9 | minor | Transitive | 1 MODERATE |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.83.0 | v1.99.1 | minor | Transitive | 1 MODERATE |
| github.com/DataDog/datadog-agent/test/new-e2e | v0.69.0-devel.0.20250623144139-35f8f2ceef31 | v0.78.0 | unstable | Direct | - |
| github.com/BurntSushi/toml | v1.4.1-0.20240526193622-a339e1f7089c | v1.6.0 | minor | Transitive | - |
| github.com/DataDog/datadog-api-client-go/v2 | v2.38.0 | v2.58.0 | minor | Transitive | - |
| github.com/ProtonMail/go-crypto | v1.1.6 | v1.4.1 | minor | Transitive | - |
| github.com/alessio/shellescape | v1.4.2 | v1.6.0 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2 | v1.36.5 | v1.41.6 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/config | v1.29.17 | v1.32.16 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/credentials | v1.17.70 | v1.19.15 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/feature/ec2/imds | v1.16.32 | v1.18.22 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/internal/configsources | v1.3.36 | v1.4.22 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 | v2.6.36 | v2.7.22 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/internal/v4a | v1.3.36 | v1.4.23 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ecr | v1.45.1 | v1.57.1 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ecs | v1.58.1 | v1.78.1 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding | v1.12.4 | v1.13.8 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/internal/checksum | v1.7.4 | v1.9.14 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/internal/presigned-url | v1.12.17 | v1.13.22 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/internal/s3shared | v1.18.17 | v1.19.22 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ssm | v1.56.12 | v1.68.5 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sso | v1.25.5 | v1.30.16 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ssooidc | v1.30.3 | v1.35.20 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sts | v1.34.0 | v1.42.0 | minor | Transitive | - |
| github.com/aws/smithy-go | v1.22.4 | v1.25.0 | minor | Transitive | - |
| github.com/charmbracelet/bubbletea | v1.2.4 | v1.3.10 | minor | Transitive | - |
| github.com/charmbracelet/lipgloss | v1.0.0 | v1.1.0 | minor | Transitive | - |
| github.com/emicklei/go-restful/v3 | v3.12.1 | v3.13.0 | minor | Transitive | - |
| github.com/fxamacker/cbor/v2 | v2.7.0 | v2.9.1 | minor | Transitive | - |
| github.com/go-git/go-billy/v5 | v5.6.2 | v5.8.0 | minor | Transitive | - |
| github.com/hashicorp/go-version | v1.6.0 | v1.9.0 | minor | Direct | - |
| github.com/hashicorp/hcl/v2 | v2.23.0 | v2.24.0 | minor | Transitive | - |
| github.com/kevinburke/ssh_config | v1.2.0 | v1.6.0 | minor | Transitive | - |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | v1.4.0 | minor | Transitive | - |
| github.com/philhofer/fwd | v1.1.3-0.20240916144458-20a13a1f6b7c | v1.2.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-aws/sdk/v6 | v6.66.2 | v6.83.3 | minor | Transitive | - |
| github.com/pulumi/pulumi-awsx/sdk/v2 | v2.19.0 | v2.22.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-azure-native-sdk/v2 | v2.81.0 | v2.92.2 | minor | Transitive | - |
| github.com/pulumi/pulumi-command/sdk | v1.0.1 | v1.2.1 | minor | Transitive | - |
| github.com/pulumi/pulumi-docker/sdk/v4 | v4.5.8 | v4.11.2 | minor | Transitive | - |
| github.com/pulumi/pulumi-eks/sdk/v3 | v3.7.0 | v3.9.1 | minor | Transitive | - |
| github.com/pulumi/pulumi-kubernetes/sdk/v4 | v4.19.0 | v4.29.0 | minor | Transitive | - |
| github.com/pulumi/pulumi-random/sdk/v4 | v4.16.8 | v4.19.2 | minor | Transitive | - |
| github.com/pulumi/pulumi/sdk/v3 | v3.145.0 | v3.231.0 | minor | Transitive | - |
| github.com/rogpeppe/go-internal | v1.13.1 | v1.14.1 | minor | Transitive | - |
| github.com/samber/lo | v1.49.1 | v1.53.0 | minor | Transitive | - |
| github.com/sergi/go-diff | v1.3.2-0.20230802210424-5b0b94c5c0d3 | v1.4.0 | minor | Transitive | - |
| github.com/spf13/cast | v1.9.2 | v1.10.0 | minor | Transitive | - |
| github.com/spf13/cobra | v1.9.1 | v1.10.2 | minor | Transitive | - |
| github.com/stretchr/testify | v1.10.0 | v1.11.1 | minor | Direct | - |
| github.com/tinylib/msgp | v1.3.0 | v1.6.4 | minor | Transitive | - |
| github.com/zclconf/go-cty | v1.15.1 | v1.18.1 | minor | Transitive | - |
| go.opentelemetry.io/auto/sdk | v1.1.0 | v1.2.1 | minor | Transitive | - |
| go.opentelemetry.io/otel | v1.36.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace | v1.36.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/metric | v1.36.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/trace | v1.36.0 | v1.43.0 | minor | Transitive | - |
| gopkg.in/evanphx/json-patch.v4 | v4.12.0 | v4.13.0 | minor | Transitive | - |
| k8s.io/klog/v2 | v2.130.1 | v2.140.0 | minor | Transitive | - |
| sigs.k8s.io/yaml | v1.4.0 | v1.6.0 | minor | Transitive | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (3 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | - |
| google.golang.org/grpc | GO-2026-4762 | CRITICAL | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.72.2 | 1.79.3 |

ℹ️ Other Vulnerabilities (12)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4473 | medium | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | medium | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | - |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | medium | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | - |
| github.com/go-git/go-git/v5 | GO-2026-4910 | medium | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.6.11 | 1.7.8 |
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.83.0 | 1.97.3 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.13.2 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | low | go-git: Missing validation decoding Index v4 files leads to panic | v5.13.2 | - |
| github.com/go-git/go-git/v5 | GO-2026-4909 | low | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.13.2 | 5.17.1 |

⚠️ Dependencies that have Reached EOL (4)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/hashicorp/go-version | v1.6.0 | Jun 28, 2025 | v1.9.0 | test/e2e/go.mod |
| github.com/kevinburke/ssh_config | v1.2.0 | - | v1.6.0 | test/e2e/go.mod |
| github.com/lucasb-eyer/go-colorful | v1.2.0 | - | v1.4.0 | test/e2e/go.mod |
| gopkg.in/evanphx/json-patch.v4 | v4.12.0 | - | v4.13.0 | test/e2e/go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System
