
fix(deps): vuln minor upgrades — 8 packages (minor: 5 · patch: 3) [test/e2e]#429

Merged
dd-prapprover[bot] merged 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/e2e/0-1778182085
May 7, 2026

Conversation

@gh-worker-campaigns-3e9aa4
Contributor

Summary: Critical-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

  • test/e2e (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.72.2 | v1.81.0 | minor | Transitive | 3 CRITICAL |
| go.opentelemetry.io/otel | v1.36.0 | v1.43.0 | minor | Transitive | 1 HIGH |
| github.com/moby/spdystream | v0.5.0 | v0.5.1 | patch | Transitive | 1 HIGH |
| github.com/go-git/go-git/v5 | v5.13.2 | v5.18.0 | minor | Transitive | 3 MODERATE, 4 MEDIUM, 3 LOW |
| github.com/aws/aws-sdk-go | v1.55.7 | v1.55.8 | patch | Transitive | 2 MODERATE, 2 LOW |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | v1.6.11 | v1.7.10 | minor | Transitive | 1 MODERATE |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.83.0 | v1.100.1 | minor | Transitive | 1 MODERATE |
| github.com/cloudflare/circl | v1.6.1 | v1.6.3 | patch | Transitive | 3 LOW |

Security Details

🚨 Critical & High Severity (5 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | critical | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | - |
| google.golang.org/grpc | GO-2026-4762 | critical | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.72.2 | 1.79.3 |
| github.com/moby/spdystream | GHSA-pc3f-x583-g7j2 | HIGH | SpdyStream: DOS on CRI | v0.5.0 | 0.5.1 |
| go.opentelemetry.io/otel | GHSA-mh2q-q3fh-2475 | HIGH | OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) | v1.36.0 | 1.41.0 |

ℹ️ Other Vulnerabilities (19)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/go-git/go-git/v5 | GO-2026-4910 | medium | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | GO-2026-4473 | medium | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | medium | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | - |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | medium | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | - |
| github.com/aws/aws-sdk-go | GHSA-f5pg-7wfw-84q9 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang | v1.55.7 | 1.34.0 |
| github.com/aws/aws-sdk-go | GO-2022-0646 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.7 | - |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.6.11 | 1.7.8 |
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.83.0 | 1.97.3 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.13.2 | 5.16.5 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.13.2 | 5.18.0 |
| github.com/aws/aws-sdk-go | GO-2022-0635 | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.7 | - |
| github.com/aws/aws-sdk-go | GHSA-7f33-f4f5-xwgw | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang | v1.55.7 | 1.34.0 |
| github.com/cloudflare/circl | GHSA-q9hv-hpm4-hj6x | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult | v1.6.1 | 1.6.3 |
| github.com/cloudflare/circl | CVE-2026-1229 | LOW | - | v1.6.1 | - |
| github.com/cloudflare/circl | GO-2026-4550 | LOW | CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl | v1.6.1 | 1.6.3 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | LOW | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.13.2 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | LOW | go-git: Missing validation decoding Index v4 files leads to panic | v5.13.2 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.13.2 | 5.17.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
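
The review checklist above says "review the changes"; for a vulnerability-remediation PR the check a security reviewer actually wants is that every target version reaches the "Fixed In" floor of every advisory row for that module, and that nothing in the table is internally inconsistent. The Go program below is an added example for this page, not code from the PR or from DataDog's dependency-management tooling. Its `upgrades` table is transcribed from the Updates and Security Details tables above; the status names (`ok`, `below-floor`, `no-fixed-version-listed`, `from-already-meets-floor`) and the function names are this example's own. It compares versions numerically, so `v1.100.1` ranks above `v1.97.3` where a string comparison would put it below, and it flags rows whose advisories list no fixed version or whose pre-upgrade version already satisfied every listed fix.

```go
package main

import (
	"fmt"
	"strings"
)

// Upgrade is one row of the PR's Updates table joined with the "Fixed In" value
// of every advisory row listed for that module under Security Details.
type Upgrade struct {
	Module  string
	From    string
	To      string
	FixedIn []string // "-" where the advisory row lists no fixed version
}

// upgrades is transcribed from the PR body above (page data, not constructed).
var upgrades = []Upgrade{
	{"google.golang.org/grpc", "v1.72.2", "v1.81.0", []string{"1.79.3", "-", "1.79.3"}},
	{"go.opentelemetry.io/otel", "v1.36.0", "v1.43.0", []string{"1.41.0"}},
	{"github.com/moby/spdystream", "v0.5.0", "v0.5.1", []string{"0.5.1"}},
	{"github.com/go-git/go-git/v5", "v5.13.2", "v5.18.0", []string{"5.17.1", "5.16.5", "-", "-", "5.17.1", "5.16.5", "5.18.0", "5.17.1", "-", "5.17.1"}},
	{"github.com/aws/aws-sdk-go", "v1.55.7", "v1.55.8", []string{"1.34.0", "-", "-", "1.34.0"}},
	{"github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream", "v1.6.11", "v1.7.10", []string{"1.7.8"}},
	{"github.com/aws/aws-sdk-go-v2/service/s3", "v1.83.0", "v1.100.1", []string{"1.97.3"}},
	{"github.com/cloudflare/circl", "v1.6.1", "v1.6.3", []string{"1.6.3", "-", "1.6.3"}},
}

// parseVersion reads "v1.79.3" or "1.79.3" into numeric components; pre-release
// suffixes are rejected, and none appear in this PR.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	n, err := fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d", &v[0], &v[1], &v[2])
	if err != nil || n != 3 {
		return v, fmt.Errorf("unexpected version %q", s)
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 comparing a to b component by component,
// so v1.100.1 ranks above v1.97.3 where a plain string compare would not.
func compareVersions(a, b string) (int, error) {
	va, errA := parseVersion(a)
	vb, errB := parseVersion(b)
	if errA != nil || errB != nil {
		return 0, fmt.Errorf("cannot compare %q and %q", a, b)
	}
	for i := range va {
		if va[i] != vb[i] {
			if va[i] < vb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// checkUpgrade classifies one row. "below-floor": the target is older than a
// listed fix. "no-fixed-version-listed": every advisory row shows "-".
// "from-already-meets-floor": the pre-upgrade version already satisfied every
// listed fix, so the advisory match itself deserves a second look. Otherwise "ok".
func checkUpgrade(u Upgrade) (string, error) {
	listed, fromBelow := 0, false
	for _, fix := range u.FixedIn {
		if fix == "-" {
			continue
		}
		listed++
		toCmp, errTo := compareVersions(u.To, fix)
		fromCmp, errFrom := compareVersions(u.From, fix)
		if errTo != nil || errFrom != nil {
			return "", fmt.Errorf("%s: unparsable version against fix %q", u.Module, fix)
		}
		if toCmp < 0 {
			return "below-floor", nil
		}
		fromBelow = fromBelow || fromCmp < 0
	}
	if listed == 0 {
		return "no-fixed-version-listed", nil
	}
	if !fromBelow {
		return "from-already-meets-floor", nil
	}
	return "ok", nil
}

func main() {
	for _, u := range upgrades {
		s, err := checkUpgrade(u)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-55s %s -> %s  %s\n", u.Module, u.From, u.To, s)
	}
}
```

Run as written, every row reports `ok` except github.com/aws/aws-sdk-go, which reports `from-already-meets-floor`: the table flags v1.55.7 as unsafe for the S3 Crypto SDK advisories while listing 1.34.0 as the fixed version, so that row is worth confirming against the advisory before counting it as closed by this PR. The rows whose "Fixed In" is `-` do not change a module's verdict on their own, but the duplicated identifiers (the same gRPC issue appears under GHSA, CVE and GO IDs) are what make the "5 fixed" headline read higher than the number of distinct bugs.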

@dd-prapprover

dd-prapprover Bot commented May 7, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-05-07T21:33:20Z
  • ✅ CI tests passed - 2026-05-07T21:33:26Z
  • ✅ Approved (commit: 8c75762) - 2026-05-07T21:33:28Z
  • ✅ Merge Started
  • ✅ Merged - 2026-05-07T21:33:37Z

➡️ Current phase: PR merged successfully! ✅


@dd-prapprover dd-prapprover Bot left a comment


This PR has been automatically approved by the DD PR Approver bot.

@dd-prapprover dd-prapprover Bot merged commit 08ccdc8 into main May 7, 2026
356 of 357 checks passed
@dd-prapprover dd-prapprover Bot deleted the engraver-auto-version-upgrade/minorpatch/go/e2e/0-1778182085 branch May 7, 2026 21:33