fix(deps): vuln unstable upgrades — 45 packages (unstable: 4 · minor: 37 · patch: 4) #54

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/unstable/go/6-1781534086

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 49 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| google.golang.org/grpc | v1.78.0 | v1.81.1 | minor | Transitive | 3 CRITICAL |
| github.com/moby/buildkit | v0.27.1 | v0.30.0 | unstable | Direct | 6 HIGH |
| go.opentelemetry.io/otel/sdk | v1.39.0 | v1.44.0 | minor | Transitive | 4 HIGH |
| go.opentelemetry.io/otel | v1.39.0 | v1.44.0 | minor | Transitive | 1 HIGH |
| github.com/in-toto/in-toto-golang | v0.10.0 | v0.11.0 | unstable | Direct | 1 MEDIUM |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.95.1 | v1.103.3 | minor | Direct | 1 MEDIUM |
| github.com/google/go-containerregistry | v0.20.7 | v0.21.6 | unstable | Direct | - |
| github.com/secure-systems-lab/go-securesystemslib | v0.10.0 | v0.11.0 | unstable | Direct | - |
| github.com/Azure/azure-sdk-for-go/sdk/azcore | v1.21.0 | v1.22.0 | minor | Direct | - |
| github.com/Azure/azure-sdk-for-go/sdk/internal | v1.11.2 | v1.12.0 | minor | Transitive | - |
| github.com/AzureAD/microsoft-authentication-library-for-go | v1.6.0 | v1.7.2 | minor | Transitive | - |
| github.com/ProtonMail/go-crypto | v1.3.0 | v1.4.1 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2 | v1.41.1 | v1.42.0 | minor | Direct | - |
| github.com/aws/aws-sdk-go-v2/service/signin | v1.0.5 | v1.2.0 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sso | v1.30.9 | v1.31.3 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/ssooidc | v1.35.13 | v1.36.6 | minor | Transitive | - |
| github.com/aws/aws-sdk-go-v2/service/sts | v1.41.6 | v1.43.3 | minor | Transitive | - |
| github.com/aws/smithy-go | v1.24.0 | v1.27.2 | minor | Direct | - |
| github.com/containerd/containerd/api | v1.10.0 | v1.11.1 | minor | Transitive | - |
| github.com/containerd/plugin | v1.0.0 | v1.1.0 | minor | Transitive | - |
| github.com/containerd/typeurl/v2 | v2.2.3 | v2.3.0 | minor | Transitive | - |
| github.com/felixge/httpsnoop | v1.0.4 | v1.1.0 | minor | Transitive | - |
| github.com/fsnotify/fsnotify | v1.9.0 | v1.10.1 | minor | Transitive | - |
| github.com/grpc-ecosystem/grpc-gateway/v2 | v2.27.3 | v2.29.0 | minor | Transitive | - |
| github.com/in-toto/attestation | v1.1.2 | v1.2.0 | minor | Transitive | - |
| github.com/morikuni/aec | v1.0.0 | v1.1.0 | minor | Transitive | - |
| github.com/opencontainers/selinux | v1.13.1 | v1.15.1 | minor | Transitive | - |
| github.com/pelletier/go-toml/v2 | v2.2.4 | v2.3.1 | minor | Transitive | - |
| github.com/sigstore/rekor-tiles/v2 | v2.0.1 | v2.3.0 | minor | Transitive | - |
| github.com/sigstore/sigstore-go | v1.1.4 | v1.2.1 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc | v1.38.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace | v1.39.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc | v1.39.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/metric | v1.39.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/sdk/metric | v1.39.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/trace | v1.39.0 | v1.44.0 | minor | Transitive | - |
| go.opentelemetry.io/proto/otlp | v1.9.0 | v1.10.0 | minor | Transitive | - |
| golang.org/x/crypto | v0.48.0 | v0.53.0 | minor | Direct | 13 UNKNOWN |
| golang.org/x/mod | v0.33.0 | v0.37.0 | minor | Direct | - |
| golang.org/x/net | v0.50.0 | v0.56.0 | minor | Direct | 8 UNKNOWN |
| golang.org/x/sync | v0.19.0 | v0.21.0 | minor | Direct | - |
| golang.org/x/sys | v0.41.0 | v0.46.0 | minor | Transitive | 1 UNKNOWN |
| golang.org/x/term | v0.40.0 | v0.44.0 | minor | Direct | - |
| golang.org/x/text | v0.34.0 | v0.38.0 | minor | Direct | - |
| golang.org/x/time | v0.14.0 | v0.15.0 | minor | Transitive | - |
| github.com/Azure/azure-sdk-for-go/sdk/azcore | v1.21.0 | v1.21.1 | patch | Direct | - |
| github.com/aws/aws-sdk-go-v2 | v1.41.1 | v1.41.12 | patch | Direct | - |
| github.com/aws/aws-sdk-go-v2/service/sso | v1.30.9 | v1.30.19 | patch | Transitive | - |
| github.com/grpc-ecosystem/grpc-gateway/v2 | v2.27.3 | v2.27.8 | patch | Transitive | - |

Security Details

🚨 Critical & High Severity (14 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| google.golang.org/grpc | GO-2026-4762 | CRITICAL | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.78.0 | 1.79.3 |
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.78.0 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.78.0 | - |
| github.com/moby/buildkit | GO-2026-4859 | HIGH | BuildKit Git URL subdir component can cause access to restricted files in github.com/moby/buildkit | v0.27.1 | 0.28.1 |
| github.com/moby/buildkit | CVE-2026-33748 | HIGH | BuildKit Git URL subdir component can cause access to restricted files | v0.27.1 | - |
| github.com/moby/buildkit | GHSA-4vrq-3vrq-g6gg | HIGH | BuildKit Git URL subdir component can cause access to restricted files | v0.27.1 | 0.28.1 |
| github.com/moby/buildkit | GHSA-4c29-8rgm-jvjj | HIGH | BuildKit's Malicious frontend can cause file escape outside of storage root | v0.27.1 | 0.28.1 |
| github.com/moby/buildkit | CVE-2026-33747 | HIGH | BuildKit vulnerable to malicious frontend causing file escape outside of storage root | v0.27.1 | - |
| github.com/moby/buildkit | GO-2026-4858 | HIGH | BuildKit's Malicious frontend can cause file escape outside of storage root in github.com/moby/buildkit | v0.27.1 | 0.28.1 |
| go.opentelemetry.io/otel | GHSA-mh2q-q3fh-2475 | HIGH | OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote DoS amplification) | v1.39.0 | 1.41.0 |
| go.opentelemetry.io/otel/sdk | GO-2026-4394 | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk | v1.39.0 | 1.40.0 |
| go.opentelemetry.io/otel/sdk | CVE-2026-24051 | HIGH | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | v1.39.0 | - |
| go.opentelemetry.io/otel/sdk | GHSA-hfvc-g4fc-pqhx | HIGH | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking | v1.39.0 | 1.43.0 |
| go.opentelemetry.io/otel/sdk | GHSA-9h8m-3fm2-qjrq | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking | v1.39.0 | 1.40.0 |
ℹ️ Other Vulnerabilities (24)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.95.1 | 1.97.3 |
| github.com/in-toto/in-toto-golang | GHSA-pmwq-pjrm-6p5r | MODERATE | in-toto-golang and in-toto-python have inconsistent negation behavior | v0.10.0 | 0.11.0 |
| golang.org/x/crypto | GO-2026-5006 | unknown | Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5020 | unknown | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5013 | unknown | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5023 | unknown | Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5005 | unknown | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5018 | unknown | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5014 | unknown | Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5016 | unknown | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5019 | unknown | Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5021 | unknown | Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5015 | unknown | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5017 | unknown | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | v0.48.0 | 0.52.0 |
| golang.org/x/crypto | GO-2026-5033 | unknown | Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent | v0.48.0 | 0.52.0 |
| golang.org/x/net | GO-2026-5025 | unknown | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html | v0.50.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5029 | unknown | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html | v0.50.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5027 | unknown | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html | v0.50.0 | 0.55.0 |
| golang.org/x/net | GO-2026-4918 | unknown | Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net | v0.50.0 | 0.53.0 |
| golang.org/x/net | GO-2026-5026 | unknown | Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna | v0.50.0 | 0.55.0 |
| golang.org/x/net | GO-2026-4559 | unknown | Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net | v0.50.0 | 0.51.0 |
| golang.org/x/net | GO-2026-5030 | unknown | Invoking duplicate attributes can cause XSS in golang.org/x/net/html | v0.50.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5028 | unknown | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | v0.50.0 | 0.55.0 |
| golang.org/x/sys | GO-2026-5024 | unknown | Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows | v0.41.0 | 0.44.0 |
⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/morikuni/aec | v1.0.0 | - | v1.1.0 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
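The review step the checklist above leaves implicit is confirming that each proposed target actually reaches the "Fixed In" version of every advisory, and that the Updates table is internally consistent (azcore, aws-sdk-go-v2, sso and grpc-gateway are each listed twice with a minor and a patch target, but go.mod can pin only one). The Go program below is an added example written for this page, not code from the PR, the Datadog bot or any of the upgraded projects. It takes rows transcribed from the two tables above (a subset) and reports every advisory the chosen targets do not demonstrably close, plus any module with conflicting targets. It carries its own minimal semver comparator instead of importing golang.org/x/mod/semver so that it runs on the standard library alone; the tag format it accepts (vMAJOR.MINOR.PATCH with optional pre-release/build suffix) is an assumption that matches the versions in these tables.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Upgrade and Advisory mirror rows of the PR's "Updates" and "Security
// Details" tables; Advisory.FixedIn is "" where the report prints "-".
type Upgrade struct{ Module, From, To string }
type Advisory struct{ Module, ID, FixedIn string }
type Finding struct{ Module, ID, Reason string } // one item to resolve by hand

// parseSemver turns "v1.2.3" or "v1.2.3-rc1" into an ordering key: major, minor,
// patch, then 1 for a release and 0 for a pre-release (so rc tags never cover a fix).
func parseSemver(v string) (key [4]int, err error) {
	v = strings.TrimPrefix(v, "v")
	key[3] = 1
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		if v[i] == '-' {
			key[3] = 0 // build metadata ("+...") does not affect precedence
		}
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return key, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		if key[i], err = strconv.Atoi(p); err != nil || key[i] < 0 {
			return key, fmt.Errorf("malformed version %q", v)
		}
	}
	return key, nil
}

// compareVersions returns -1, 0 or +1 like strings.Compare.
func compareVersions(a, b string) (int, error) {
	ak, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	bk, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := range ak {
		if ak[i] < bk[i] {
			return -1, nil
		} else if ak[i] > bk[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// CheckCoverage reports advisories the proposed targets do not demonstrably close
// and modules listed with two different targets (go.mod pins exactly one).
func CheckCoverage(ups []Upgrade, advs []Advisory) []Finding {
	var out []Finding
	targets := map[string][]string{}
	for _, u := range ups {
		if prev, seen := targets[u.Module]; seen && prev[0] != u.To {
			out = append(out, Finding{u.Module, "", "conflicting targets " + prev[0] + " and " + u.To})
		}
		targets[u.Module] = append(targets[u.Module], u.To)
	}
	for _, a := range advs {
		tos, upgraded := targets[a.Module]
		switch {
		case !upgraded:
			out = append(out, Finding{a.Module, a.ID, "module not upgraded by this PR"})
		case a.FixedIn == "":
			out = append(out, Finding{a.Module, a.ID, "no fixed version stated; confirm against an alias that has one"})
		default:
			for _, to := range tos {
				if c, err := compareVersions(to, a.FixedIn); err != nil || c < 0 {
					out = append(out, Finding{a.Module, a.ID, "target " + to + " does not reach fixed version " + a.FixedIn})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module+out[i].ID < out[j].Module+out[j].ID })
	return out
}

// Rows transcribed from the tables above (subset; azcore really appears twice).
var sampleUpgrades = []Upgrade{
	{"google.golang.org/grpc", "v1.78.0", "v1.81.1"},
	{"github.com/moby/buildkit", "v0.27.1", "v0.30.0"},
	{"github.com/Azure/azure-sdk-for-go/sdk/azcore", "v1.21.0", "v1.22.0"},
	{"github.com/Azure/azure-sdk-for-go/sdk/azcore", "v1.21.0", "v1.21.1"},
}
var sampleAdvisories = []Advisory{
	{"google.golang.org/grpc", "GO-2026-4762", "1.79.3"},
	{"google.golang.org/grpc", "CVE-2026-33186", ""},
	{"github.com/moby/buildkit", "GO-2026-4859", "0.28.1"},
}
```

Run `CheckCoverage(sampleUpgrades, sampleAdvisories)` and it returns two findings for the sample rows: the azcore conflict (v1.22.0 vs v1.21.1) and CVE-2026-33186, whose row carries no fixed version and must be confirmed against its GO-2026-4762 / GHSA-p77j-4mvh-x3m3 aliases, which do state 1.79.3. The gRPC and BuildKit targets clear their stated fixes. A pre-release target is deliberately ranked below the release it precedes, so an rc tag would be reported rather than silently counted as covering a fix.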

@datadog-prod-us1-4


Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

Test | Test (macos-latest)   View in Datadog   GitHub Actions

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: c427d5b | Docs | Datadog PR Page | Give us feedback!
