Skip to content

fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium)#2103

Open
osmontero wants to merge 1 commit into
release/v11.2.9from
fix/dependabot-remediation
Open

fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium)#2103
osmontero wants to merge 1 commit into
release/v11.2.9from
fix/dependabot-remediation

Conversation

@osmontero
Copy link
Copy Markdown
Member

@osmontero osmontero commented May 25, 2026

Dependabot Remediation

Patches 5 open Dependabot alerts that affect the release/v11.2.9 branch.

Fixes

# Package Change CVEs Severity
1 google.golang.org/grpc 1.78.0 → 1.79.3 GHSA-p77j-4mvh-x3m3 🔴 Critical
2 github.com/jackc/pgx/v5 5.8.0 → 5.9.2 GHSA-9jj7-4m8r-rfcm (critical) + GHSA-j88v-2chj-qfwx (low) 🔴 Critical + 🟢 Low
3 go.opentelemetry.io/otel 1.39.0 → 1.41.0 GHSA-mh2q-q3fh-2475 🟠 High
4 com.itextpdf:itext7-core 7.1.7 → 7.2.0 GHSA-hhh6, GHSA-8c9h, GHSA-c32g 🟡 Medium × 3
5 org.postgresql:postgresql 42.7.2 → 42.7.11 GHSA-98qh 🟠 High

Files Changed

  • plugins/compliance-orchestrator/go.mod + go.sum
  • agent-manager/go.mod + go.sum
  • installer/go.mod + go.sum
  • backend/pom.xml
  • user-auditor/pom.xml

All go mod tidy passes cleanly.

Not Fixed (Out of Scope)

  • NPM transitive deps (6 alerts) — dompurify, follow-redirects, postcss, uuid, webpack-dev-server are transitive from Angular 7 build toolchain. Require major framework upgrade.
  • github.com/docker/docker (6 alerts) — no upstream patch available yet.
  • mutate/ pip deps (4 alerts) — directory removed; stale alerts on default branch only.

@osmontero
fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 …
3701c7f 
…medium)

- google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical)
- github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low)
- go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high)
- com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3)
- org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high)
@osmontero osmontero requested a review from a team May 25, 2026 21:16
utmstackprapprover[bot]
utmstackprapprover Bot suggested changes May 25, 2026
View reviewed changes
Copy link
Copy Markdown

@utmstackprapprover utmstackprapprover Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — see approver comments above.

@utmstack utmstack deleted a comment from github-actions Bot May 26, 2026
@utmstack utmstack deleted a comment from github-actions Bot May 26, 2026
@AlexSanchez-bit
Copy link
Copy Markdown
Contributor

AlexSanchez-bit commented May 29, 2026

itext7-core is not used at all in this project, dependency is removable, the real pdf dependency is: flying-saucer-pdf v9.1.22
org.postgresql -> 42.7.11 didnt introduce breaking changes update is viable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlexSanchez-bit AlexSanchez-bit Awaiting requested review from AlexSanchez-bit

@Kbayero Kbayero Awaiting requested review from Kbayero

1 more reviewer

@utmstackprapprover utmstackprapprover[bot] utmstackprapprover[bot] requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@osmontero @AlexSanchez-bit