fix(deps): vuln minor upgrades — 4 packages (minor: 4) [tests]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 4 packages upgraded (MINOR changes included)

Manifests changed:

• tests (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
golang.org/x/oauth2	v0.10.0	v0.36.0	minor	Transitive	2 HIGH
golang.org/x/net	v0.36.0	v0.56.0	minor	Direct	4 MEDIUM, 8 UNKNOWN
google.golang.org/protobuf	v1.31.0	v1.36.11	minor	Transitive	2 MEDIUM
golang.org/x/sys	v0.30.0	v0.46.0	minor	Transitive	1 UNKNOWN

---

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/oauth2	GHSA-6v2p-p543-phr9	HIGH	golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability	v0.10.0	0.27.0
golang.org/x/oauth2	GO-2025-3488	HIGH	Unexpected memory consumption during token parsing in golang.org/x/oauth2	v0.10.0	0.27.0

ℹ️ Other Vulnerabilities (15)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.36.0	0.45.0
golang.org/x/net	GHSA-vvgc-356p-c3xw	MODERATE	golang.org/x/net vulnerable to Cross-site Scripting	v0.36.0	0.38.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.36.0	-
golang.org/x/net	GO-2025-3595	MODERATE	Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net	v0.36.0	0.38.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.31.0	1.33.0
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.31.0	1.33.0
golang.org/x/net	GO-2026-4918	unknown	Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net	v0.36.0	0.53.0
golang.org/x/net	GO-2026-5029	unknown	Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html	v0.36.0	0.55.0
golang.org/x/net	GO-2026-5025	unknown	Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html	v0.36.0	0.55.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.36.0	0.45.0
golang.org/x/net	GO-2026-5030	unknown	Invoking duplicate attributes can cause XSS in golang.org/x/net/html	v0.36.0	0.55.0
golang.org/x/net	GO-2026-5028	unknown	Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html	v0.36.0	0.55.0
golang.org/x/net	GO-2026-5027	unknown	Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html	v0.36.0	0.55.0
golang.org/x/net	GO-2026-5026	unknown	Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna	v0.36.0	0.55.0
golang.org/x/sys	GO-2026-5024	unknown	Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows	v0.30.0	0.44.0

📅 Dependencies Nearing EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
golang.org/x/oauth2	v0.10.0	Jul 5, 2026	v0.36.0	tests/go.mod
google.golang.org/protobuf	v1.31.0	Jun 26, 2026	v1.36.11	tests/go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System