fix(deps): vuln minor upgrades — 10 packages (minor: 8 · patch: 2) by gh-worker-campaigns-3e9aa4[bot] · Pull Request #457 · DataDog/kafka-kit

gh-worker-campaigns-3e9aa4 · 2026-04-23T11:03:33Z

Summary: Critical-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

. (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.54.0	v1.80.0	minor	Direct	3 CRITICAL, 2 HIGH
github.com/golang/glog	v1.1.1	v1.2.5	minor	Transitive	2 MODERATE
google.golang.org/protobuf	v1.30.0	v1.36.11	minor	Direct	2 MODERATE
github.com/confluentinc/confluent-kafka-go	v1.4.0	v1.9.2	minor	Direct	-
github.com/grpc-ecosystem/grpc-gateway/v2	v2.15.2	v2.29.0	minor	Direct	-
github.com/spf13/cobra	v1.5.0	v1.10.2	minor	Direct	-
google.golang.org/grpc/cmd/protoc-gen-go-grpc	v1.3.0	v1.6.1	minor	Direct	-
gopkg.in/DataDog/dd-trace-go.v1	v1.40.1	v1.74.8	minor	Direct	-
github.com/go-zookeeper/zk	v1.0.3	v1.0.4	patch	Direct	-
github.com/stretchr/testify	v1.8.2	v1.8.4	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.54.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.54.0	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.54.0	1.79.3
google.golang.org/grpc	GO-2023-2153	HIGH	Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc	v1.54.0	1.56.3
google.golang.org/grpc	GHSA-m425-mq94-257g	HIGH	gRPC-Go HTTP/2 Rapid Reset vulnerability	v1.54.0	1.56.3

ℹ️ Other Vulnerabilities (4)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/golang/glog	GO-2025-3372	MODERATE	Vulnerability when creating log files in github.com/golang/glog	v1.1.1	1.2.4
github.com/golang/glog	GHSA-6wxm-mpqj-6jpf	MODERATE	Insecure Temporary File usage in github.com/golang/glog	v1.1.1	1.2.4
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.30.0	1.33.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.30.0	1.33.0

⚠️ Dependencies that have Reached EOL (10)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/confluentinc/confluent-kafka-go	`v1.4.0`	-	`v1.9.2`	`go.mod`
github.com/go-zookeeper/zk	`v1.0.3`	Jul 22, 2025	`v1.0.4`	`go.mod`
github.com/golang/glog	`v1.1.1`	Mar 22, 2026	`v1.2.5`	`go.mod`
github.com/grpc-ecosystem/grpc-gateway/v2	`v2.15.2`	Feb 24, 2026	`v2.29.0`	`go.mod`
github.com/spf13/cobra	`v1.5.0`	Jun 21, 2025	`v1.10.2`	`go.mod`
github.com/stretchr/testify	`v1.8.2`	Feb 25, 2026	`v1.8.4`	`go.mod`
google.golang.org/grpc	`v1.54.0`	Mar 21, 2026	`v1.80.0`	`go.mod`
google.golang.org/grpc/cmd/protoc-gen-go-grpc	`v1.3.0`	Mar 1, 2026	`v1.6.1`	`go.mod`
google.golang.org/protobuf	`v1.30.0`	Mar 16, 2026	`v1.36.11`	`go.mod`
gopkg.in/DataDog/dd-trace-go.v1	`v1.40.1`	Jul 19, 2025	`v1.74.8`	`go.mod`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI
Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Executing automated changes

ca2f3d2

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-critical-severity adms-fixes-eol adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-dependency-update labels Apr 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): vuln minor upgrades — 10 packages (minor: 8 · patch: 2) #457

fix(deps): vuln minor upgrades — 10 packages (minor: 8 · patch: 2) #457
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1776942160

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Updates

Security Details

Review Checklist

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants