Skip to content

fix: upgrade extras/dagger deps to resolve 4 security advisories#3277

Merged
migmartri merged 1 commit into
chainloop-dev:mainfrom
migmartri:fix/extras-dagger-combined-dep-upgrades
Jul 9, 2026
Merged

fix: upgrade extras/dagger deps to resolve 4 security advisories#3277
migmartri merged 1 commit into
chainloop-dev:mainfrom
migmartri:fix/extras-dagger-combined-dep-upgrades

Conversation

@migmartri

@migmartri migmartri commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

Combined upgrade of the extras/dagger module dependencies to resolve all four open security advisories in a single change. The individual bot PRs (#3273, #3274, #3275, #3276) conflict with each other because they all modify the same go.mod lines, so they cannot be merged independently.

Advisories Resolved

Advisory Severity Package Fixed Version
GHSA-p77j-4mvh-x3m3 CRITICAL google.golang.org/grpc v1.80.0 (≥ v1.79.3)
GHSA-mh2q-q3fh-2475 HIGH go.opentelemetry.io/otel v1.43.0 (≥ v1.41.0)
GHSA-hfvc-g4fc-pqhx HIGH go.opentelemetry.io/otel/sdk v1.43.0
GO-2026-5026 HIGH golang.org/x/net v0.55.0

Why a combined PR?

The four bot PRs each touch the same extras/dagger/go.mod lines (OTel, x/net, grpc). Merging any one of them causes merge conflicts on the others. This PR takes the highest version of each dependency across all four PRs and applies them together.

Supersedes

Closes #3273, #3274, #3275, #3276.

Assisted-by: Claude Code

@migmartri migmartri requested a review from a team July 9, 2026 14:04
Combined upgrade of the extras/dagger module dependencies to resolve
all four open security advisories in a single change, since the
individual bot PRs (chainloop-dev#3273, chainloop-dev#3274, chainloop-dev#3275, chainloop-dev#3276) conflict with each
other by modifying the same go.mod lines.

Advisories resolved:
- GHSA-p77j-4mvh-x3m3 (CRITICAL): gRPC-Go authorization bypass via
  missing leading slash in :path. Fixed by grpc v1.80.0 (>= v1.79.3).
- GHSA-mh2q-q3fh-2475 (HIGH): OpenTelemetry-Go baggage header DoS.
  Fixed by OTel v1.43.0 (>= v1.41.0).
- GHSA-hfvc-g4fc-pqhx (HIGH): OpenTelemetry-Go BSD kenv PATH hijack.
  Fixed by OTel SDK v1.43.0.
- GO-2026-5026 (HIGH): golang.org/x/net idna Punycode bypass.
  Fixed by x/net v0.55.0.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez <migmartri@gmail.com>
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri force-pushed the fix/extras-dagger-combined-dep-upgrades branch from 22a8ad4 to 27512a4 Compare July 9, 2026 14:04
@migmartri

Copy link
Copy Markdown
Member Author

@matiasinsaurralde could I get a review here? I want to remove the noise

@matiasinsaurralde matiasinsaurralde left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@migmartri migmartri merged commit 4c56f6d into chainloop-dev:main Jul 9, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants