
security: bump vulnerable dependencies#47

Merged
SyniRon merged 1 commit into develop from fix/security-vuln-updates on Apr 1, 2026

Conversation

@SyniRon SyniRon commented Apr 1, 2026

Summary

  • Bumps 8 vulnerable packages addressing 11 of 13 open Dependabot alerts
  • Fixes two latent Printf-directive bugs in milpacs/profiles.go and datastores/mysql.go surfaced by Go 1.24's stricter vet checks
  • Also adds docker-compose.yaml to .gitignore

Alerts Addressed

| Severity | Package | Before | After | Alert |
|---|---|---|---|---|
| 🔴 Critical | google.golang.org/grpc | v1.72.0 | v1.79.3 | AuthZ bypass via missing leading slash in :path |
| 🟠 High | github.com/containerd/containerd | v1.7.25 | v1.7.29 | Local privesc via wide CRI directory permissions |
| 🟠 High | github.com/docker/cli | v28.1.1 | v29.2.0 | Local privesc via uncontrolled search path (Windows) |
| 🟡 Medium | github.com/containerd/containerd | v1.7.25 | v1.7.29 | Host memory exhaustion via goroutine leak |
| 🟡 Medium | github.com/containerd/containerd | v1.7.25 | v1.7.29 | Integer overflow in User ID handling |
| 🟡 Medium | github.com/quic-go/quic-go | v0.51.0 | v0.57.0 | HTTP/3 QPACK header expansion DoS |
| 🟡 Medium | golang.org/x/crypto | v0.38.0 | v0.46.0 | ssh/agent panic on malformed message |
| 🟡 Medium | golang.org/x/crypto | v0.38.0 | v0.46.0 | ssh unbounded memory consumption |
| 🟡 Medium | github.com/go-chi/chi/v5 | v5.2.1 | v5.2.2 | Host header injection / open redirect |
| 🔵 Low | github.com/redis/go-redis/v9 | v9.7.0 | v9.7.3 | Out-of-order responses on CLIENT SETINFO timeout |
| 🔵 Low | filippo.io/edwards25519 | v1.1.0 | v1.1.1 | Invalid MultiScalarMult results |

Remaining Open Alerts

Test plan

  • go build ./... passes clean
  • Tests passed locally
  • Verify Dependabot alerts close after merge

🤖 Generated with Claude Code
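A local pre-merge check for the "Verify Dependabot alerts close after merge" item in the test plan, as an added Go example that is not part of this PR or repository: it compares the versions reported by `go list -m all` against the patched versions in the alert table above and reports any tracked module still below its fix. The module paths and fixed versions are taken from the table; the function names and the `sampleGoList` input are constructed for this example.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Minimum patched versions, taken from the PR's "Alerts Addressed" table.
var fixedVersions = map[string]string{
	"google.golang.org/grpc":           "v1.79.3",
	"github.com/containerd/containerd": "v1.7.29",
	"github.com/docker/cli":            "v29.2.0",
	"github.com/quic-go/quic-go":       "v0.57.0",
	"golang.org/x/crypto":              "v0.46.0",
	"github.com/go-chi/chi/v5":         "v5.2.2",
	"github.com/redis/go-redis/v9":     "v9.7.3",
	"filippo.io/edwards25519":          "v1.1.1",
}

// parseVersion turns "v1.7.29" into [1 7 29]. Anything after a '-' (pre-release
// or pseudo-version suffix) is dropped, so such versions compare as their base.
func parseVersion(v string) (out [3]int, ok bool) {
	base, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	n, err := fmt.Sscanf(base, "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3
}

// StillVulnerable takes `go list -m all` output ("path version" per line) and
// returns path -> version for each tracked module still below its patched
// version. Unparseable versions are reported too, so the check fails closed.
func StillVulnerable(goListOutput string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(goListOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || fixedVersions[f[0]] == "" {
			continue // blank line, main module, or a module we do not track
		}
		have, ok1 := parseVersion(f[1])
		need, ok2 := parseVersion(fixedVersions[f[0]])
		if !ok1 || !ok2 || slices.Compare(have[:], need[:]) < 0 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// Constructed sample of `go list -m all` output (not real project output):
// grpc still on the PR's "Before" version, x/crypto already patched.
const sampleGoList = "example.com/app\ngoogle.golang.org/grpc v1.72.0\ngolang.org/x/crypto v0.46.0\n"
```

Pipe real output in with `go list -m all | go run check.go` once the map is fed from stdin; as written, `StillVulnerable(sampleGoList)` flags only grpc.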

Addresses 11 of 13 open Dependabot alerts:
- google.golang.org/grpc v1.72.0 -> v1.79.3 (CRITICAL: authz bypass)
- github.com/containerd/containerd v1.7.25 -> v1.7.29 (HIGH/MEDIUM: privesc, mem exhaustion, int overflow)
- github.com/docker/cli v28.1.1 -> v29.2.0 (HIGH: local privesc on Windows)
- github.com/quic-go/quic-go v0.51.0 -> v0.57.0 (MEDIUM: DoS)
- golang.org/x/crypto v0.38.0 -> v0.46.0 (MEDIUM: ssh panic, mem consumption)
- github.com/go-chi/chi/v5 v5.2.1 -> v5.2.2 (MEDIUM: open redirect)
- github.com/redis/go-redis/v9 v9.7.0 -> v9.7.3 (LOW: out-of-order responses)
- filippo.io/edwards25519 v1.1.0 -> v1.1.1 (LOW: invalid MultiScalarMult results)

Also fixes two latent Printf-directive bugs surfaced by Go 1.24 vet.

Remaining: docker/docker HIGH/MEDIUM alerts require v29.3.1 which is
not yet available in the Go module proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@SyniRon SyniRon merged commit bee1dba into develop Apr 1, 2026
2 checks passed
@SyniRon SyniRon deleted the fix/security-vuln-updates branch April 1, 2026 21:53
