fix(deps): vuln minor: golang.org/x/net, golang.org/x/oauth2, google.golang.org/protobuf by gh-worker-campaigns-3e9aa4[bot] · Pull Request #4256 · DataDog/datadog-api-client-go

gh-worker-campaigns-3e9aa4 · 2026-06-16T06:57:55Z

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

. (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
golang.org/x/net	v0.17.0	v0.56.0	minor	Transitive	2 HIGH, 8 MEDIUM, 8 UNKNOWN
golang.org/x/oauth2	v0.10.0	v0.36.0	minor	Direct	2 HIGH
google.golang.org/protobuf	v1.31.0	v1.36.11	minor	Transitive	2 MEDIUM

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/net	GO-2024-3333	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.17.0	0.33.0
golang.org/x/net	GHSA-w32m-9786-jp63	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.17.0	-
golang.org/x/oauth2	GO-2025-3488	HIGH	Unexpected memory consumption during token parsing in golang.org/x/oauth2	v0.10.0	0.27.0
golang.org/x/oauth2	GHSA-6v2p-p543-phr9	HIGH	golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability	v0.10.0	0.27.0

ℹ️ Other Vulnerabilities (18)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/net	GO-2025-3595	MODERATE	Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net	v0.17.0	0.38.0
golang.org/x/net	GO-2025-3503	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.17.0	0.36.0
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.17.0	0.45.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.17.0	-
golang.org/x/net	GHSA-4v7x-pqxf-cx7m	MODERATE	net/http, x/net/http2: close connections when receiving too many headers	v0.17.0	0.23.0
golang.org/x/net	GO-2024-2687	MODERATE	HTTP/2 CONTINUATION flood in net/http	v0.17.0	0.23.0
golang.org/x/net	GHSA-vvgc-356p-c3xw	MODERATE	golang.org/x/net vulnerable to Cross-site Scripting	v0.17.0	0.38.0
golang.org/x/net	GHSA-qxp5-gwg8-xv66	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.17.0	0.36.0
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.31.0	1.33.0
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.31.0	1.33.0
golang.org/x/net	GO-2026-5029	unknown	Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html	v0.17.0	0.55.0
golang.org/x/net	GO-2026-5028	unknown	Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html	v0.17.0	0.55.0
golang.org/x/net	GO-2026-5030	unknown	Invoking duplicate attributes can cause XSS in golang.org/x/net/html	v0.17.0	0.55.0
golang.org/x/net	GO-2026-5025	unknown	Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html	v0.17.0	0.55.0
golang.org/x/net	GO-2026-5027	unknown	Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html	v0.17.0	0.55.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.17.0	0.45.0
golang.org/x/net	GO-2026-5026	unknown	Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna	v0.17.0	0.55.0
golang.org/x/net	GO-2026-4918	unknown	Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net	v0.17.0	0.53.0

📅 Dependencies Nearing EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
golang.org/x/oauth2	`v0.10.0`	Jul 5, 2026	`v0.36.0`	`go.mod`
google.golang.org/protobuf	`v1.31.0`	Jun 26, 2026	`v1.36.11`	`go.mod`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI
Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

…g.org/protobuf

LuuOW

Technical audit: code patterns and implementation verified for alignment with modern software engineering standards.

ADMS: vuln minor: golang.org/x/net, golang.org/x/oauth2, google.golan…

20aec72

…g.org/protobuf

gh-worker-campaigns-3e9aa4 Bot added the campaigner-automated-change label Jun 16, 2026

LuuOW reviewed Jun 17, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): vuln minor: golang.org/x/net, golang.org/x/oauth2, google.golang.org/protobuf #4256

fix(deps): vuln minor: golang.org/x/net, golang.org/x/oauth2, google.golang.org/protobuf #4256
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/0-1781593063

gh-worker-campaigns-3e9aa4 Bot commented Jun 16, 2026

Uh oh!

LuuOW left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Jun 16, 2026

Updates

Security Details

Review Checklist

Uh oh!

LuuOW left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant