fix(deps): vuln unstable upgrades — 12 packages (unstable: 1 · minor: 10 · patch: 1) [src/checkoutservice]#51

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/unstable/go/checkoutservice/2-1781532572

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 13 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • src/checkoutservice (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| google.golang.org/grpc | v1.51.0 | v1.81.1 | minor | Direct | 3 CRITICAL, 2 HIGH |
| golang.org/x/net | v0.4.0 | v0.56.0 | minor | Direct | 9 HIGH, 13 MEDIUM, 8 UNKNOWN |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.37.0 | v0.69.0 | unstable | Direct | 3 HIGH |
| google.golang.org/protobuf | v1.28.1 | v1.36.11 | minor | Transitive | 2 MEDIUM |
| github.com/cespare/xxhash/v2 | v2.2.0 | v2.3.0 | minor | Transitive | - |
| github.com/go-logr/logr | v1.2.3 | v1.4.3 | minor | Transitive | - |
| github.com/google/uuid | v1.3.0 | v1.6.0 | minor | Direct | - |
| go.opentelemetry.io/otel | v1.11.2 | v1.44.0 | minor | Direct | - |
| go.opentelemetry.io/otel/sdk | v1.11.2 | v1.44.0 | minor | Direct | - |
| go.opentelemetry.io/otel/trace | v1.11.2 | v1.44.0 | minor | Transitive | - |
| golang.org/x/sys | v0.3.0 | v0.46.0 | minor | Transitive | 1 UNKNOWN |
| golang.org/x/text | v0.5.0 | v0.38.0 | minor | Transitive | - |
| github.com/google/uuid | v1.3.0 | v1.3.1 | patch | Direct | - |

Security Details

🚨 Critical & High Severity (17 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| google.golang.org/grpc | CVE-2026-33186 | critical | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.51.0 | - |
| google.golang.org/grpc | GO-2026-4762 | critical | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.51.0 | 1.79.3 |
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.51.0 | 1.79.3 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | GO-2023-2331 | high | Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.37.0 | 0.46.0 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | GHSA-8pgv-569h-w5rw | HIGH | otelgrpc DoS vulnerability due to unbound cardinality metrics | v0.37.0 | 0.46.0 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | CVE-2023-47108 | high | DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics | v0.37.0 | - |
| golang.org/x/net | CVE-2022-41723 | high | - | v0.4.0 | - |
| golang.org/x/net | CVE-2023-44487 | high | This package is related to CVE CVE-2023-44487 which was detected by cisa.gov as actively being exploited in the wild | v0.4.0 | - |
| golang.org/x/net | GO-2023-2102 | high | HTTP/2 rapid reset can cause excessive work in net/http | v0.4.0 | 0.17.0 |
| golang.org/x/net | CVE-2023-39325 | high | - | v0.4.0 | - |
| golang.org/x/net | GHSA-4374-p667-p6c8 | HIGH | HTTP/2 rapid reset can cause excessive work in net/http | v0.4.0 | 0.17.0 |
| golang.org/x/net | GHSA-vvpx-j8f3-3w6h | HIGH | golang.org/x/net vulnerable to Uncontrolled Resource Consumption | v0.4.0 | 0.7.0 |
| golang.org/x/net | GO-2023-1571 | high | Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net | v0.4.0 | 0.7.0 |
| golang.org/x/net | GHSA-w32m-9786-jp63 | HIGH | Non-linear parsing of case-insensitive content in golang.org/x/net/html | v0.4.0 | - |
| golang.org/x/net | GO-2024-3333 | HIGH | Non-linear parsing of case-insensitive content in golang.org/x/net/html | v0.4.0 | 0.33.0 |
| google.golang.org/grpc | GO-2023-2153 | HIGH | Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc | v1.51.0 | 1.56.3 |
| google.golang.org/grpc | GHSA-m425-mq94-257g | HIGH | gRPC-Go HTTP/2 Rapid Reset vulnerability | v1.51.0 | 1.56.3 |
ℹ️ Other Vulnerabilities (24)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| golang.org/x/net | CVE-2023-3978 | MODERATE | - | v0.4.0 | - |
| golang.org/x/net | GO-2026-4440 | MODERATE | Quadratic parsing complexity in golang.org/x/net/html | v0.4.0 | 0.45.0 |
| golang.org/x/net | GO-2023-1988 | MODERATE | Improper rendering of text nodes in golang.org/x/net/html | v0.4.0 | 0.13.0 |
| golang.org/x/net | GO-2024-2687 | MODERATE | HTTP/2 CONTINUATION flood in net/http | v0.4.0 | 0.23.0 |
| golang.org/x/net | CVE-2023-44487 | MODERATE | - | v0.4.0 | - |
| golang.org/x/net | GHSA-qppj-fm5r-hxr3 | MODERATE | HTTP/2 Stream Cancellation Attack | v0.4.0 | 0.17.0 |
| golang.org/x/net | GHSA-w4gw-w5jq-g9jh | MODERATE | golang.org/x/net/html has a Quadratic Parsing Complexity issue | v0.4.0 | - |
| golang.org/x/net | GHSA-4v7x-pqxf-cx7m | MODERATE | net/http, x/net/http2: close connections when receiving too many headers | v0.4.0 | 0.23.0 |
| golang.org/x/net | GHSA-qxp5-gwg8-xv66 | MODERATE | HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net | v0.4.0 | 0.36.0 |
| golang.org/x/net | GO-2025-3503 | MODERATE | HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net | v0.4.0 | 0.36.0 |
| golang.org/x/net | GO-2025-3595 | MODERATE | Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net | v0.4.0 | 0.38.0 |
| golang.org/x/net | GHSA-vvgc-356p-c3xw | MODERATE | golang.org/x/net vulnerable to Cross-site Scripting | v0.4.0 | 0.38.0 |
| golang.org/x/net | GHSA-2wrh-6pvc-2jm9 | MODERATE | Improper rendering of text nodes in golang.org/x/net/html | v0.4.0 | 0.13.0 |
| google.golang.org/protobuf | GO-2024-2611 | MODERATE | Infinite loop in JSON unmarshaling in google.golang.org/protobuf | v1.28.1 | 1.33.0 |
| google.golang.org/protobuf | GHSA-8r3f-844c-mc37 | MODERATE | Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON | v1.28.1 | 1.33.0 |
| golang.org/x/net | GO-2026-5030 | unknown | Invoking duplicate attributes can cause XSS in golang.org/x/net/html | v0.4.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5029 | unknown | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html | v0.4.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5025 | unknown | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html | v0.4.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5028 | unknown | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | v0.4.0 | 0.55.0 |
| golang.org/x/net | GO-2026-4441 | unknown | Infinite parsing loop in golang.org/x/net | v0.4.0 | 0.45.0 |
| golang.org/x/net | GO-2026-4918 | unknown | Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net | v0.4.0 | 0.53.0 |
| golang.org/x/net | GO-2026-5027 | unknown | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html | v0.4.0 | 0.55.0 |
| golang.org/x/net | GO-2026-5026 | unknown | Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna | v0.4.0 | 0.55.0 |
| golang.org/x/sys | GO-2026-5024 | unknown | Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows | v0.3.0 | 0.44.0 |
⚠️ Dependencies that have Reached EOL (13)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
| --- | --- | --- | --- | --- |
| github.com/cespare/xxhash/v2 | v2.2.0 | Dec 4, 2025 | v2.3.0 | src/checkoutservice/go.mod |
| github.com/go-logr/logr | v1.2.3 | - | v1.4.3 | src/checkoutservice/go.mod |
| github.com/google/uuid | v1.3.0 | - | v1.3.1 | src/checkoutservice/go.mod |
| github.com/google/uuid | v1.3.0 | - | v1.6.0 | src/checkoutservice/go.mod |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.37.0 | Dec 5, 2025 | v0.69.0 | src/checkoutservice/go.mod |
| go.opentelemetry.io/otel | v1.11.2 | Dec 5, 2025 | v1.44.0 | src/checkoutservice/go.mod |
| go.opentelemetry.io/otel/sdk | v1.11.2 | Dec 5, 2025 | v1.44.0 | src/checkoutservice/go.mod |
| go.opentelemetry.io/otel/trace | v1.11.2 | Dec 5, 2025 | v1.44.0 | src/checkoutservice/go.mod |
| golang.org/x/net | v0.4.0 | Dec 7, 2025 | v0.56.0 | src/checkoutservice/go.mod |
| golang.org/x/sys | v0.3.0 | Dec 4, 2025 | v0.46.0 | src/checkoutservice/go.mod |
| golang.org/x/text | v0.5.0 | Dec 4, 2025 | v0.38.0 | src/checkoutservice/go.mod |
| google.golang.org/grpc | v1.51.0 | Nov 18, 2025 | v1.81.1 | src/checkoutservice/go.mod |
| google.golang.org/protobuf | v1.28.1 | Jul 28, 2025 | v1.36.11 | src/checkoutservice/go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
