fix(deps): vuln major upgrades — 8 packages (major: 1 · minor: 7) [integration/testdata/fixtures/repo/gomod] by gh-worker-campaigns-3e9aa4[bot] · Pull Request #52 · DataDog/trivy

gh-worker-campaigns-3e9aa4 · 2026-06-15T14:35:04Z

Summary: Critical-severity security update — 8 packages upgraded (MAJOR changes included)

Manifests changed:

integration/testdata/fixtures/repo/gomod (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.38.0	v1.81.1	minor	Transitive	3 CRITICAL, 2 HIGH
github.com/open-policy-agent/opa	v0.35.0	v1.17.1	major	Direct	9 HIGH, 6 MEDIUM
golang.org/x/text	v0.3.6	v0.38.0	minor	Transitive	6 HIGH
google.golang.org/protobuf	v1.27.1	v1.36.11	minor	Transitive	2 MEDIUM
golang.org/x/crypto	v0.0.0-20201002170205-7f63de1d35b0	v0.53.0	minor	Transitive	-
golang.org/x/net	v0.0.0-20211111083644-e5c967477495	v0.56.0	minor	Direct	-
golang.org/x/sys	v0.0.0-20211205182925-97ca703d548d	v0.46.0	minor	Direct	-
golang.org/x/time	v0.0.0-20210723032227-1f47c861a9ac	v0.15.0	minor	Transitive	-

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

Review the changelog/release notes for breaking changes
Test thoroughly in a staging environment
Update any code that depends on changed APIs
Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (20 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.38.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.38.0	-
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.38.0	1.79.3
github.com/open-policy-agent/opa	CVE-2025-46569	high	OPA server Data API HTTP path injection of Rego	v0.35.0	-
github.com/open-policy-agent/opa	GO-2025-3660	high	OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa	v0.35.0	1.4.0
github.com/open-policy-agent/opa	GO-2022-0587	high	Out of bounds memory access in github.com/open-policy-agent/opa	v0.35.0	0.40.0
github.com/open-policy-agent/opa	GHSA-6m8w-jc87-6cr7	HIGH	OPA server Data API HTTP path injection of Rego	v0.35.0	1.4.0
github.com/open-policy-agent/opa	GHSA-2m4x-4q9j-w97g	HIGH	Denial of service in Open Policy Agent	v0.35.0	0.42.0
github.com/open-policy-agent/opa	CVE-2022-33082	HIGH	-	v0.35.0	-
github.com/open-policy-agent/opa	GO-2022-0574	HIGH	Denial of service in github.com/open-policy-agent/opa	v0.35.0	0.42.0
github.com/open-policy-agent/opa	CVE-2022-28946	high	-	v0.35.0	-
github.com/open-policy-agent/opa	GHSA-x7f3-62pm-9p38	HIGH	Out of bounds memory access in github.com/open-policy-agent/opa	v0.35.0	0.40.0
golang.org/x/text	CVE-2022-32149	HIGH	-	v0.3.6	-
golang.org/x/text	GHSA-ppp9-7jff-5vj2	HIGH	golang.org/x/text/language Out-of-bounds Read vulnerability	v0.3.6	0.3.7
golang.org/x/text	GHSA-69ch-w2m2-3vjp	HIGH	golang.org/x/text/language Denial of service via crafted Accept-Language header	v0.3.6	0.3.8
golang.org/x/text	GO-2022-1059	HIGH	Denial of service via crafted Accept-Language header in golang.org/x/text/language	v0.3.6	0.3.8
golang.org/x/text	GO-2021-0113	high	Out-of-bounds read in golang.org/x/text/language	v0.3.6	0.3.7
golang.org/x/text	CVE-2021-38561	high	-	v0.3.6	-
google.golang.org/grpc	GHSA-m425-mq94-257g	HIGH	gRPC-Go HTTP/2 Rapid Reset vulnerability	v1.38.0	1.56.3
google.golang.org/grpc	GO-2023-2153	HIGH	Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc	v1.38.0	1.56.3

ℹ️ Other Vulnerabilities (8)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/open-policy-agent/opa	GO-2022-0316	medium	Incorrect calculation in github.com/open-policy-agent/opa	v0.35.0	0.37.2
github.com/open-policy-agent/opa	CVE-2022-23628	medium	Array literal misordering in github.com/open-policy-agent/opa	v0.35.0	-
github.com/open-policy-agent/opa	GO-2024-3141	MODERATE	OPA for Windows has an SMB force-authentication vulnerability in github.com/open-policy-agent/opa	v0.35.0	0.68.0
github.com/open-policy-agent/opa	GHSA-c77r-fh37-x2px	MODERATE	OPA for Windows has an SMB force-authentication vulnerability	v0.35.0	0.68.0
github.com/open-policy-agent/opa	GHSA-hcw3-j74m-qc58	MODERATE	Incorrect Calculation in github.com/open-policy-agent/opa	v0.35.0	0.37.2
github.com/open-policy-agent/opa	CVE-2024-8260	MODERATE	-	v0.35.0	-
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.27.1	1.33.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.27.1	1.33.0

⚠️ Dependencies that have Reached EOL (8)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/open-policy-agent/opa	`v0.35.0`	-	`v1.17.1`	`integration/testdata/fixtures/repo/gomod/go.mod`
golang.org/x/crypto	`v0.0.0-20201002170205-7f63de1d35b0`	-	`v0.53.0`	`integration/testdata/fixtures/repo/gomod/go.mod`
golang.org/x/net	`v0.0.0-20211111083644-e5c967477495`	-	`v0.56.0`	`integration/testdata/fixtures/repo/gomod/go.mod`
golang.org/x/sys	`v0.0.0-20211205182925-97ca703d548d`	-	`v0.46.0`	`integration/testdata/fixtures/repo/gomod/go.mod`
golang.org/x/text	`v0.3.6`	-	`v0.38.0`	`integration/testdata/fixtures/repo/gomod/go.mod`
golang.org/x/time	`v0.0.0-20210723032227-1f47c861a9ac`	-	`v0.15.0`	`integration/testdata/fixtures/repo/gomod/go.mod`
google.golang.org/grpc	`v1.38.0`	-	`v1.81.1`	`integration/testdata/fixtures/repo/gomod/go.mod`
google.golang.org/protobuf	`v1.27.1`	-	`v1.36.11`	`integration/testdata/fixtures/repo/gomod/go.mod`

Review Checklist

Extra review is recommended for this update:

Review changes for compatibility with your code
Check release notes for breaking changes
Run integration tests to verify service behavior
Test in staging environment before production
Monitor key metrics after deployment
Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

…tion/testdata/fixtures/repo/gomod]

datadog-datadog-prod-us1 · 2026-06-15T14:48:57Z

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Test | Integration Test

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.

🔗 Commit SHA: 3ecce10 | Docs | Datadog PR Page | Give us feedback!}

ADMS: vuln major upgrades — 8 packages (major: 1 · minor: 7) [integra…

3ecce10

…tion/testdata/fixtures/repo/gomod]

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-dependency-update labels Jun 15, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): vuln major upgrades — 8 packages (major: 1 · minor: 7) [integration/testdata/fixtures/repo/gomod]#52

fix(deps): vuln major upgrades — 8 packages (major: 1 · minor: 7) [integration/testdata/fixtures/repo/gomod]#52
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/go/gomod/4-1781534087

gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Uh oh!

datadog-datadog-prod-us1 Bot commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Updates

Security Details

Review Checklist

Uh oh!

datadog-datadog-prod-us1 Bot commented Jun 15, 2026

⚠️ Warnings

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants