Skip to content

fix(deps): vuln minor: golang.org/x/net, golang.org/x/sys, google.golang.org/grpc [src/productcatalogservice]#47

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/productcatalogservice/6-1781532572
Open

fix(deps): vuln minor: golang.org/x/net, golang.org/x/sys, google.golang.org/grpc [src/productcatalogservice]#47
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/productcatalogservice/6-1781532572

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Summary: Critical-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

  • src/productcatalogservice (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.57.1 v1.81.1 minor Direct 3 CRITICAL
golang.org/x/net v0.23.0 v0.56.0 minor Direct 2 HIGH, 6 MEDIUM, 8 UNKNOWN
golang.org/x/sys v0.20.0 v0.46.0 minor Transitive 1 UNKNOWN

Security Details

🚨 Critical & High Severity (5 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.57.1 1.79.3
google.golang.org/grpc CVE-2026-33186 critical gRPC-Go has an authorization bypass via missing leading slash in :path v1.57.1 -
google.golang.org/grpc GO-2026-4762 critical Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.57.1 1.79.3
golang.org/x/net GO-2024-3333 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.23.0 0.33.0
golang.org/x/net GHSA-w32m-9786-jp63 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.23.0 -
ℹ️ Other Vulnerabilities (15)
Package CVE Severity Summary Unsafe Version Fixed In
golang.org/x/net GO-2025-3503 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.23.0 0.36.0
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.23.0 0.45.0
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.23.0 -
golang.org/x/net GHSA-vvgc-356p-c3xw MODERATE golang.org/x/net vulnerable to Cross-site Scripting v0.23.0 0.38.0
golang.org/x/net GO-2025-3595 MODERATE Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net v0.23.0 0.38.0
golang.org/x/net GHSA-qxp5-gwg8-xv66 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.23.0 0.36.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.23.0 0.55.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.23.0 0.55.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.23.0 0.55.0
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.23.0 0.53.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.23.0 0.55.0
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.23.0 0.45.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.23.0 0.55.0
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.23.0 0.55.0
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.20.0 0.44.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review June 16, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-go adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-vulns campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants