fix(deps): vuln minor upgrades — 5 packages (minor: 2 · patch: 3) by gh-worker-campaigns-3e9aa4[bot] · Pull Request #469 · DataDog/agent-payload

gh-worker-campaigns-3e9aa4 · 2026-04-06T14:43:29Z

Summary: Critical-severity security update — 5 packages upgraded (MINOR changes included)

Manifests changed:

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.79.0	v1.79.3	patch	3 CRITICAL
github.com/DataDog/zstd	v1.4.8	v1.5.7	minor	-
github.com/stretchr/testify	v1.6.1	v1.11.1	minor	-
github.com/klauspost/compress	v1.18.0	v1.18.5	patch	-
google.golang.org/protobuf	v1.36.10	v1.36.11	patch	-

Packages marked with "-" are updated due to dependency constraints.

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.79.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.79.0	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.79.0	1.79.3

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/DataDog/zstd	`v1.4.8`	-	`v1.5.7`	`go.mod`
github.com/stretchr/testify	`v1.6.1`	-	`v1.11.1`	`go.mod`

Standard review:

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

Executing automated changes

75cc328

gh-worker-campaigns-3e9aa4 bot added the campaigner-automated-change label Apr 6, 2026