build(deps): bump the go_modules group across 3 directories with 2 updates#2103

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/dot-claude/skills/datadog-operations/datadog-skill-go/go_modules-07fbb1220c

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 3, 2026

Bumps the go_modules group with 1 update in the /.claude/skills/datadog-operations/datadog-skill-go directory: github.com/go-git/go-git/v5.
Bumps the go_modules group with 1 update in the /dd-skill-test/datadog-skill-go directory: github.com/go-git/go-git/v5.
Bumps the go_modules group with 1 update in the /infrastructure/packer/provisioner/vfkit directory: github.com/go-jose/go-jose/v3.

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits
  • 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
  • 6b38a32 Merge pull request #1935 from pjbgf/index-v5
  • cd757fc plumbing: format/idxfile, Fix version and fanout checks
  • 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
  • dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
  • e9b65df plumbing: format/index, Improve v4 entry name validation
  • adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
  • 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
  • bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
  • 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
  • Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

…dates

Bumps the go_modules group with 1 update in the /.claude/skills/datadog-operations/datadog-skill-go directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git).
Bumps the go_modules group with 1 update in the /dd-skill-test/datadog-skill-go directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git).
Bumps the go_modules group with 1 update in the /infrastructure/packer/provisioner/vfkit directory: [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose).


Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

Updates `github.com/go-jose/go-jose/v3` from 3.0.4 to 3.0.5
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-version: 3.0.5
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 3, 2026
@dependabot dependabot Bot requested a review from ryanmaclean as a code owner April 3, 2026 03:41

github-actions Bot commented Apr 3, 2026

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 0

CI Status: Running automated checks...


github-actions Bot commented Apr 3, 2026

Dependency Audit Results

# npm audit report

@hono/node-server  <1.19.10
Severity: high
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/@hono/node-server
  @prisma/dev  <=0.22.0
  Depends on vulnerable versions of @hono/node-server
  Depends on vulnerable versions of @mrleebo/prisma-ast
  node_modules/@prisma/dev
    prisma  6.13.0-dev.1 - 6.19.2 || 6.20.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
    Depends on vulnerable versions of @prisma/config
    Depends on vulnerable versions of @prisma/dev
    node_modules/prisma

basic-ftp  <5.2.0
Severity: critical
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method - https://github.com/advisories/GHSA-5rq4-664w-9x2c
fix available via `npm audit fix`
node_modules/basic-ftp

brace-expansion  <=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint-plugin-jsx-a11y/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion
node_modules/test-exclude/node_modules/brace-expansion

dompurify  <=3.3.1
Severity: moderate
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization  - https://github.com/advisories/GHSA-h8r8-wccr-v5f2
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

effect  <3.20.0
Severity: high
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC - https://github.com/advisories/GHSA-38f7-945m-qr2g
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/effect
  @prisma/config  6.13.0-dev.1 - 6.19.2 || 6.20.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
  Depends on vulnerable versions of effect
  node_modules/@prisma/config

express-rate-limit  8.2.0 - 8.2.1
Severity: high
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network - https://github.com/advisories/GHSA-46wh-pxpv-q5gq
fix available via `npm audit fix`
node_modules/express-rate-limit

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.8
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

hono  <=4.12.6
Severity: high
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo - https://github.com/advisories/GHSA-xh87-mx6m-69f3
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() - https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() - https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Hono vulnerable to arbitrary file access via serveStatic vulnerability  - https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) - https://github.com/advisories/GHSA-v8w9-8mx6-g223
fix available via `npm audit fix`
node_modules/hono

lodash  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/lodash
  @chevrotain/cst-dts-gen  10.0.0 - 10.5.0
  Depends on vulnerable versions of @chevrotain/gast
  Depends on vulnerable versions of lodash
  node_modules/@chevrotain/cst-dts-gen
  @chevrotain/gast  <=10.5.0
  Depends on vulnerable versions of lodash
  node_modules/@chevrotain/gast
  chevrotain  10.0.0 - 10.5.0
  Depends on vulnerable versions of @chevrotain/cst-dts-gen
  Depends on vulnerable versions of @chevrotain/gast
  Depends on vulnerable versions of lodash
  node_modules/chevrotain
    @mrleebo/prisma-ast  0.4.2 - 0.13.1
    Depends on vulnerable versions of chevrotain
    node_modules/@mrleebo/prisma-ast

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

next  16.0.0-beta.0 - 16.1.6
Severity: moderate
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
Next.js: Unbounded postponed resume buffering can lead to DoS - https://github.com/advisories/GHSA-h27x-g6w4-24gq
Next.js: null origin can bypass Server Actions CSRF checks - https://github.com/advisories/GHSA-mq59-m269-xvcx
Next.js: null origin can bypass dev HMR websocket CSRF checks - https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fix available via `npm audit fix --force`
Will install next@16.2.2, which is outside the stated dependency range
node_modules/next

path-to-regexp  8.0.0 - 8.3.0
Severity: high
path-to-regexp vulnerable to Denial of Service via sequential optional groups - https://github.com/advisories/GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards - https://github.com/advisories/GHSA-27v5-c462-wpq7
fix available via `npm audit fix`
node_modules/router/node_modules/path-to-regexp

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/jest-util/node_modules/picomatch
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install terser-webpack-plugin@5.4.0, which is outside the stated dependency range
node_modules/serialize-javascript
  terser-webpack-plugin  <=5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@5.11.0, which is outside the stated dependency range
node_modules/simple-git
  @datadog/datadog-ci-base  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-base
    @datadog/datadog-ci  3.21.1 - 5.9.0
    Depends on vulnerable versions of @datadog/datadog-ci-base
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-coverage
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-deployment
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-dora
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sarif
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sbom
    node_modules/@datadog/datadog-ci
  @datadog/datadog-ci-plugin-coverage  5.3.0 - 5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-coverage
  @datadog/datadog-ci-plugin-deployment  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-deployment
  @datadog/datadog-ci-plugin-dora  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-dora
  @datadog/datadog-ci-plugin-sarif  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sarif
  @datadog/datadog-ci-plugin-sbom  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sbom

socket.io-parser  4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix`
node_modules/undici

yaml  1.0.0 - 1.10.2 || 2.0.0 - 2.8.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/cosmiconfig/node_modules/yaml
node_modules/yaml

36 vulnerabilities (1 low, 5 moderate, 21 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force


github-actions Bot commented Apr 3, 2026

Build Status ✅ Build successful

✅ Build completed successfully!


github-actions Bot commented Apr 3, 2026

Quick Checks Results

Check Status
ESLint
TypeScript

✅ All quick checks passed!


github-actions Bot commented Apr 3, 2026

🔒 Security Audit Results

Secret Scanning: No secrets detected
⚠️ Environment Config: Missing variables
NPM Audit: Critical/High vulnerabilities
Secret Patterns: None detected


📊 View full results: Security Audit Summary
⏱️ Duration: < 2 minutes


github-actions Bot commented Apr 3, 2026

Test Results ✅ Passed

Test Suites: 57 failed, 5 skipped, 488 passed, 545 of 550 total
Tests: 380 failed, 104 skipped, 30 todo, 10665 passed, 11179 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.


github-actions Bot commented Apr 3, 2026

PR Status Summary

Check Status
Quick Checks ✅ Passed
Tests ✅ Passed
Build ✅ Passed

All checks passed! This PR is ready to merge. 🎉
