
VULN UPGRADE: minor upgrades — 26 packages (minor: 11 · patch: 15) [internal/orchestrion]#4416

Closed

campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/orchestrion/1-1770928788

Conversation

@campaigner-prod

Summary: Critical-severity security update — 26 packages upgraded (MINOR changes included)

Manifests changed:

  • internal/orchestrion (go)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| github.com/gofiber/fiber/v2 | v2.52.9 | v2.52.11 | patch | 2 CRITICAL |
| github.com/aws/aws-sdk-go | v1.55.5 | v1.55.8 | patch | 2 MODERATE, 2 LOW |
| github.com/go-chi/chi/v5 | v5.2.2 | v5.2.5 | patch | 2 MODERATE |
| cloud.google.com/go/pubsub/v2 | v2.0.0 | v2.4.0 | minor | - |
| github.com/DataDog/orchestrion | v1.6.1 | v1.7.0 | minor | - |
| github.com/Shopify/sarama | v1.38.1 | v1.46.3 | minor | - |
| github.com/aws/aws-sdk-go-v2/service/dynamodb | v1.31.1 | v1.55.0 | minor | - |
| github.com/confluentinc/confluent-kafka-go/v2 | v2.4.0 | v2.13.0 | minor | - |
| github.com/gin-gonic/gin | v1.10.1 | v1.11.0 | minor | - |
| github.com/graph-gophers/graphql-go | v1.5.0 | v1.8.0 | minor | - |
| github.com/valyala/fasthttp | v1.58.0 | v1.69.0 | minor | - |
| go.mongodb.org/mongo-driver/v2 | v2.2.2 | v2.5.0 | minor | - |
| gorm.io/driver/sqlite | v1.5.7 | v1.6.0 | minor | - |
| gorm.io/gorm | v1.25.12 | v1.31.1 | minor | - |
| github.com/99designs/gqlgen | v0.17.83 | v0.17.86 | patch | - |
| github.com/elastic/go-elasticsearch/v6 | v6.8.5 | v6.8.10 | patch | - |
| github.com/elastic/go-elasticsearch/v7 | v7.17.1 | v7.17.10 | patch | - |
| github.com/gomodule/redigo | v1.9.2 | v1.9.3 | patch | - |
| github.com/graphql-go/handler | v0.2.3 | v0.2.4 | patch | - |
| github.com/labstack/echo/v4 | v4.13.3 | v4.13.4 | patch | - |
| github.com/mattn/go-sqlite3 | v1.14.22 | v1.14.34 | patch | - |
| github.com/redis/rueidis | v1.0.56 | v1.0.71 | patch | - |
| github.com/segmentio/kafka-go | v0.4.42 | v0.4.50 | patch | - |
| github.com/tinylib/msgp | v1.6.1 | v1.6.3 | patch | - |
| github.com/valkey-io/valkey-go | v1.0.56 | v1.0.71 | patch | - |
| go.mongodb.org/mongo-driver | v1.17.1 | v1.17.8 | patch | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (2 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/gofiber/fiber/v2 | GHSA-68rr-p4fp-j59v | CRITICAL | Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID(): predictable / zero-UUID on crypto/rand failure | v2.52.9 | 2.52.11 |
| github.com/gofiber/fiber/v2 | CVE-2025-66630 | CRITICAL | Fiber insecurely falls back in utils.UUIDv4() / utils.UUID(): predictable / zero-UUID on crypto/rand failure | v2.52.9 | - |
ℹ️ Other Vulnerabilities (6)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go | GO-2022-0646 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.5 | - |
| github.com/aws/aws-sdk-go | GHSA-f5pg-7wfw-84q9 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang | v1.55.5 | 1.34.0 |
| github.com/go-chi/chi/v5 | GO-2026-4316 | MODERATE | Open redirect vulnerability in the RedirectSlashes middleware in github.com/go-chi/chi | v5.2.2 | 5.2.4 |
| github.com/go-chi/chi/v5 | GHSA-mqqf-5wvp-8fh8 | MODERATE | chi has an open redirect vulnerability in the RedirectSlashes middleware | v5.2.2 | - |
| github.com/aws/aws-sdk-go | GO-2022-0635 | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.5 | - |
| github.com/aws/aws-sdk-go | GHSA-7f33-f4f5-xwgw | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang | v1.55.5 | 1.34.0 |
⚠️ Dependencies that have Reached EOL (4)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| github.com/Shopify/sarama | v1.38.1 | Jan 22, 2026 | v1.46.3 | internal/orchestrion/_integration/go.mod |
| github.com/elastic/go-elasticsearch/v6 | v6.8.5 | - | v6.8.10 | internal/orchestrion/_integration/go.mod |
| github.com/elastic/go-elasticsearch/v7 | v7.17.1 | - | v7.17.10 | internal/orchestrion/_integration/go.mod |
| github.com/graph-gophers/graphql-go | v1.5.0 | Dec 19, 2025 | v1.8.0 | internal/orchestrion/_integration/go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

@codecov

codecov bot commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.50%. Comparing base (ab547c3) to head (ee317dc).

Additional details and impacted files

see 3 files with indirect coverage changes


@pr-commenter

pr-commenter bot commented Feb 12, 2026

Benchmarks

Benchmark execution time: 2026-02-12 21:01:25

Comparing candidate commit ee317dc in PR branch engraver-auto-version-upgrade/minorpatch/go/orchestrion/1-1770928788 with baseline commit ab547c3 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 155 metrics, 9 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@darccio darccio closed this Feb 13, 2026