VULN UPGRADE: minor upgrades — 10 packages (minor: 8 · patch: 2) by campaigner-prod[bot] · Pull Request #449 · DataDog/kafka-kit

campaigner-prod · 2026-02-12T22:45:00Z

Summary: High-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

. (go)

Updates

Package	From	To	Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.54.0	v1.78.0	minor	2 HIGH
google.golang.org/protobuf	v1.30.0	v1.36.11	minor	2 MODERATE
github.com/confluentinc/confluent-kafka-go	v1.4.0	v1.9.2	minor	-
github.com/grpc-ecosystem/grpc-gateway/v2	v2.15.2	v2.27.7	minor	-
github.com/spf13/cobra	v1.5.0	v1.10.2	minor	-
github.com/spf13/viper	v1.10.1	v1.21.0	minor	-
google.golang.org/grpc/cmd/protoc-gen-go-grpc	v1.3.0	v1.6.1	minor	-
gopkg.in/DataDog/dd-trace-go.v1	v1.40.1	v1.74.8	minor	-
github.com/go-zookeeper/zk	v1.0.3	v1.0.4	patch	-
github.com/stretchr/testify	v1.8.2	v1.8.4	patch	-

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GHSA-m425-mq94-257g	HIGH	gRPC-Go HTTP/2 Rapid Reset vulnerability	v1.54.0	1.56.3
google.golang.org/grpc	GO-2023-2153	HIGH	Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc	v1.54.0	1.56.3

ℹ️ Other Vulnerabilities (2)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.30.0	1.33.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.30.0	1.33.0

⚠️ Dependencies that have Reached EOL (5)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/confluentinc/confluent-kafka-go	`v1.4.0`	-	`v1.9.2`	`go.mod`
github.com/go-zookeeper/zk	`v1.0.3`	Jul 22, 2025	`v1.0.4`	`go.mod`
github.com/spf13/cobra	`v1.5.0`	Jun 21, 2025	`v1.10.2`	`go.mod`
github.com/spf13/viper	`v1.10.1`	-	`v1.21.0`	`go.mod`
gopkg.in/DataDog/dd-trace-go.v1	`v1.40.1`	Jul 19, 2025	`v1.74.8`	`go.mod`

📅 Dependencies Nearing EOL (3)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/grpc-ecosystem/grpc-gateway/v2	`v2.15.2`	Feb 24, 2026	`v2.27.7`	`go.mod`
github.com/stretchr/testify	`v1.8.2`	Feb 25, 2026	`v1.8.4`	`go.mod`
google.golang.org/grpc/cmd/protoc-gen-go-grpc	`v1.3.0`	Mar 1, 2026	`v1.6.1`	`go.mod`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

dd-prapprover · 2026-02-12T22:45:14Z

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-02-12T22:45:14Z
⬜ CI tests passed
⬜ Approved
⬜ Merge Started
⬜ Merged

➡️ Current phase: CI tests failed, please fix and re-trigger

Executing automated changes

bcd0b14

campaigner-prod bot added the campaigner-automated-change label Feb 12, 2026

campaigner-prod bot added the adms-dependency-update label Feb 12, 2026

campaigner-prod bot closed this Mar 1, 2026

campaigner-prod bot deleted the engraver-auto-version-upgrade/minorpatch/go/0-1770936261 branch March 1, 2026 15:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VULN UPGRADE: minor upgrades — 10 packages (minor: 8 · patch: 2) #449

VULN UPGRADE: minor upgrades — 10 packages (minor: 8 · patch: 2) #449
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1770936261

campaigner-prod bot commented Feb 12, 2026

Uh oh!

dd-prapprover bot commented Feb 12, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

campaigner-prod bot commented Feb 12, 2026

Updates

Security Details

Review Checklist

Uh oh!

dd-prapprover bot commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🛠️ PRApproval Status

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dd-prapprover bot commented Feb 12, 2026 •

edited

Loading