fix(deps): vuln minor upgrades — 10 packages (minor: 9 · patch: 1)

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
golang.org/x/crypto	v0.25.0	v0.53.0	minor	Transitive	3 CRITICAL, 2 HIGH, 6 MEDIUM, 14 UNKNOWN
google.golang.org/grpc	v1.65.0	v1.81.1	minor	Transitive	3 CRITICAL
github.com/sirupsen/logrus	v1.4.1	v1.9.4	minor	Direct	3 HIGH
github.com/golang-jwt/jwt/v5	v5.2.1	v5.2.3	patch	Transitive	3 HIGH
golang.org/x/net	v0.27.0	v0.56.0	minor	Transitive	2 HIGH, 6 MEDIUM, 8 UNKNOWN
golang.org/x/oauth2	v0.21.0	v0.36.0	minor	Transitive	2 HIGH
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.3	v1.7.13	minor	Transitive	1 MEDIUM
github.com/aws/aws-sdk-go-v2/service/lambda	v1.56.1	v1.92.3	minor	Transitive	1 MEDIUM
github.com/aws/aws-sdk-go-v2/service/s3	v1.58.0	v1.103.3	minor	Transitive	1 MEDIUM
golang.org/x/sys	v0.22.0	v0.46.0	minor	Transitive	1 UNKNOWN

---

Security Details

🚨 Critical & High Severity (18 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GHSA-v778-237x-gjrc	CRITICAL	Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto	v0.25.0	0.31.0
golang.org/x/crypto	CVE-2024-45337	critical	-	v0.25.0	-
golang.org/x/crypto	GO-2024-3321	critical	Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto	v0.25.0	0.31.0
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.65.0	1.79.3
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.65.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.65.0	-
github.com/golang-jwt/jwt/v5	GO-2025-3553	HIGH	Excessive memory allocation during header parsing in github.com/golang-jwt/jwt	v5.2.1	5.2.2
github.com/golang-jwt/jwt/v5	CVE-2025-30204	HIGH	jwt-go allows excessive memory allocation during header parsing	v5.2.1	-
github.com/golang-jwt/jwt/v5	GHSA-mh63-6h87-95cp	HIGH	jwt-go allows excessive memory allocation during header parsing	v5.2.1	5.2.2
github.com/sirupsen/logrus	GO-2025-4188	HIGH	Logrus is vulnerable to DoS when using Entry.writerScanner in github.com/sirupsen/logrus	v1.4.1	1.8.3
github.com/sirupsen/logrus	CVE-2025-65637	HIGH	-	v1.4.1	-
github.com/sirupsen/logrus	GHSA-4f99-4q7p-p3gh	HIGH	Logrus is vulnerable to DoS when using Entry.Writer()	v1.4.1	1.8.3
golang.org/x/crypto	GHSA-hcg3-q754-cr77	HIGH	golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange	v0.25.0	0.35.0
golang.org/x/crypto	GO-2025-3487	HIGH	Potential denial of service in golang.org/x/crypto	v0.25.0	0.35.0
golang.org/x/net	GO-2024-3333	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.27.0	0.33.0
golang.org/x/net	GHSA-w32m-9786-jp63	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.27.0	-
golang.org/x/oauth2	GHSA-6v2p-p543-phr9	HIGH	golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability	v0.21.0	0.27.0
golang.org/x/oauth2	GO-2025-3488	HIGH	Unexpected memory consumption during token parsing in golang.org/x/oauth2	v0.21.0	0.27.0

ℹ️ Other Vulnerabilities (38)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	CVE-2025-58181	medium	-	v0.25.0	-
golang.org/x/crypto	CVE-2025-47914	medium	-	v0.25.0	-
golang.org/x/crypto	GO-2025-4135	medium	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent	v0.25.0	0.45.0
golang.org/x/crypto	GO-2025-4134	medium	Unbounded memory consumption in golang.org/x/crypto/ssh	v0.25.0	0.45.0
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.6.3	1.7.8
github.com/aws/aws-sdk-go-v2/service/lambda	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.56.1	1.88.5
github.com/aws/aws-sdk-go-v2/service/s3	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.58.0	1.97.3
golang.org/x/crypto	GHSA-f6x5-jh6r-wrfv	MODERATE	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	v0.25.0	0.45.0
golang.org/x/crypto	GHSA-j5w8-q4qc-rx2x	MODERATE	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	v0.25.0	0.45.0
golang.org/x/net	GHSA-qxp5-gwg8-xv66	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.27.0	0.36.0
golang.org/x/net	GHSA-vvgc-356p-c3xw	MODERATE	golang.org/x/net vulnerable to Cross-site Scripting	v0.27.0	0.38.0
golang.org/x/net	GO-2025-3595	MODERATE	Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net	v0.27.0	0.38.0
golang.org/x/net	GO-2025-3503	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.27.0	0.36.0
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.27.0	0.45.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.27.0	-
golang.org/x/crypto	GO-2026-5013	unknown	Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5033	unknown	Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5020	unknown	Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5017	unknown	Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5015	unknown	Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5014	unknown	Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5018	unknown	Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5023	unknown	Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5006	unknown	Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5016	unknown	Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5005	unknown	Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent	v0.25.0	0.52.0
golang.org/x/crypto	GO-2026-5021	unknown	Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts	v0.25.0	0.52.0
golang.org/x/crypto	GO-2025-4116	unknown	Potential denial of service in golang.org/x/crypto/ssh/agent	v0.25.0	0.43.0
golang.org/x/crypto	GO-2026-5019	unknown	Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh	v0.25.0	0.52.0
golang.org/x/net	GO-2026-5026	unknown	Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna	v0.27.0	0.55.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.27.0	0.45.0
golang.org/x/net	GO-2026-5029	unknown	Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html	v0.27.0	0.55.0
golang.org/x/net	GO-2026-5028	unknown	Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html	v0.27.0	0.55.0
golang.org/x/net	GO-2026-5027	unknown	Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html	v0.27.0	0.55.0
golang.org/x/net	GO-2026-4918	unknown	Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net	v0.27.0	0.53.0
golang.org/x/net	GO-2026-5025	unknown	Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html	v0.27.0	0.55.0
golang.org/x/net	GO-2026-5030	unknown	Invoking duplicate attributes can cause XSS in golang.org/x/net/html	v0.27.0	0.55.0
golang.org/x/sys	GO-2026-5024	unknown	Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows	v0.22.0	0.44.0

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

[datadog-official]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Test | Run Go static analysis     

go static analysis | Run Go static analysis     

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ccd9a30 | Docs | Datadog PR Page | Give us feedback!}