VULN UPGRADE: major upgrades — 7 packages (unstable: 3 · minor: 3 · patch: 1) [src/checkoutservice]

[campaigner-prod]

Summary: High-severity security update — 7 packages upgraded (MAJOR changes included)

Manifests changed:

• src/checkoutservice (go)

Updates

Package	From	To	Type	Vulnerabilities Fixed
golang.org/x/net	v0.4.0	v0.49.0	major	8 HIGH, 13 MODERATE, 1 UNKNOWN
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.37.0	v0.65.0	major	3 HIGH
google.golang.org/grpc	v1.51.0	v1.78.0	minor	2 HIGH
cloud.google.com/go/profiler	v0.3.1	v0.4.3	major	-
go.opentelemetry.io/otel	v1.11.2	v1.40.0	minor	-
go.opentelemetry.io/otel/sdk	v1.11.2	v1.40.0	minor	-
github.com/google/uuid	v1.3.0	v1.3.1	patch	-

Packages marked with "-" are updated due to dependency constraints.

---

⚠️ Constraint Violations Detected

The following version constraints in your dependency declarations will be violated by this update. This may cause build failures or require manual constraint updates:

Package	Current Constraint	Updated To
github.com/google/uuid	v1.6.0	v1.3.1

Action Required: Update your dependency constraints before merging this PR to avoid build failures.

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (13 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	GO-2023-2331	high	Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.37.0	0.46.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	CVE-2023-47108	high	DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics	v0.37.0	-
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	GHSA-8pgv-569h-w5rw	HIGH	otelgrpc DoS vulnerability due to unbound cardinality metrics	v0.37.0	0.46.0
golang.org/x/net	CVE-2023-39325	HIGH	-	v0.4.0	-
golang.org/x/net	GO-2023-1571	HIGH	Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net	v0.4.0	0.7.0
golang.org/x/net	CVE-2022-41723	HIGH	-	v0.4.0	-
golang.org/x/net	GO-2023-2102	HIGH	HTTP/2 rapid reset can cause excessive work in net/http	v0.4.0	0.17.0
golang.org/x/net	GO-2024-3333	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.4.0	0.33.0
golang.org/x/net	GHSA-4374-p667-p6c8	HIGH	HTTP/2 rapid reset can cause excessive work in net/http	v0.4.0	0.17.0
golang.org/x/net	GHSA-w32m-9786-jp63	HIGH	Non-linear parsing of case-insensitive content in golang.org/x/net/html	v0.4.0	-
golang.org/x/net	GHSA-vvpx-j8f3-3w6h	HIGH	golang.org/x/net vulnerable to Uncontrolled Resource Consumption	v0.4.0	0.7.0
google.golang.org/grpc	GHSA-m425-mq94-257g	HIGH	gRPC-Go HTTP/2 Rapid Reset vulnerability	v1.51.0	1.56.3
google.golang.org/grpc	GO-2023-2153	HIGH	Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc	v1.51.0	1.56.3

ℹ️ Other Vulnerabilities (14)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/net	CVE-2023-44487	MODERATE	-	v0.4.0	-
golang.org/x/net	GO-2024-2687	MODERATE	HTTP/2 CONTINUATION flood in net/http	v0.4.0	0.23.0
golang.org/x/net	GO-2023-1988	MODERATE	Improper rendering of text nodes in golang.org/x/net/html	v0.4.0	0.13.0
golang.org/x/net	GHSA-2wrh-6pvc-2jm9	MODERATE	Improper rendering of text nodes in golang.org/x/net/html	v0.4.0	0.13.0
golang.org/x/net	GHSA-qppj-fm5r-hxr3	MODERATE	HTTP/2 Stream Cancellation Attack	v0.4.0	0.17.0
golang.org/x/net	GO-2026-4440	MODERATE	Quadratic parsing complexity in golang.org/x/net/html	v0.4.0	0.45.0
golang.org/x/net	GHSA-w4gw-w5jq-g9jh	MODERATE	golang.org/x/net/html has a Quadratic Parsing Complexity issue	v0.4.0	-
golang.org/x/net	CVE-2023-3978	MODERATE	-	v0.4.0	-
golang.org/x/net	GHSA-4v7x-pqxf-cx7m	MODERATE	net/http, x/net/http2: close connections when receiving too many headers	v0.4.0	0.23.0
golang.org/x/net	GHSA-vvgc-356p-c3xw	MODERATE	golang.org/x/net vulnerable to Cross-site Scripting	v0.4.0	0.38.0
golang.org/x/net	GO-2025-3503	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.4.0	0.36.0
golang.org/x/net	GHSA-qxp5-gwg8-xv66	MODERATE	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net	v0.4.0	0.36.0
golang.org/x/net	GO-2025-3595	MODERATE	Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net	v0.4.0	0.38.0
golang.org/x/net	GO-2026-4441	unknown	Infinite parsing loop in golang.org/x/net	v0.4.0	0.45.0

⚠️ Dependencies that have Reached EOL (7)

Dependency	Unsafe Version	EOL Date	New Version	Path
cloud.google.com/go/profiler	v0.3.1	Dec 2, 2025	v0.4.3	src/checkoutservice/go.mod
github.com/google/uuid	v1.3.0	-	v1.3.1	src/checkoutservice/go.mod
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.37.0	Dec 5, 2025	v0.65.0	src/checkoutservice/go.mod
go.opentelemetry.io/otel	v1.11.2	Dec 5, 2025	v1.40.0	src/checkoutservice/go.mod
go.opentelemetry.io/otel/sdk	v1.11.2	Dec 5, 2025	v1.40.0	src/checkoutservice/go.mod
golang.org/x/net	v0.4.0	Dec 7, 2025	v0.49.0	src/checkoutservice/go.mod
google.golang.org/grpc	v1.51.0	Nov 18, 2025	v1.78.0	src/checkoutservice/go.mod

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Update dependency constraints in your manifest files
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System