Addresses all CRITICAL and HIGH vulnerabilities plus MEDIUM where feasible:

## go.mod

- github.com/jackc/pgx/v5: v5.8.0 → v5.9.2 (CRITICAL: memory-safety vuln #108)
- github.com/moby/spdystream: v0.5.0 → v0.5.1 (HIGH: DOS on CRI #107)
- github.com/docker/docker: v28.5.1 → v28.5.2 (HIGH: AuthZ plugin bypass #92)
- github.com/moby/moby: v26.1.0 → v28.5.2 (HIGH: AuthZ plugin bypass #90)
- github.com/go-git/go-git/v5: v5.17.1 → v5.18.0 (MEDIUM: credential leak #109)

## dagger/go.mod

- go.opentelemetry.io/otel/sdk: v1.42.0 → v1.43.0 (HIGH: BSD kenv PATH hijacking #103)
- go.opentelemetry.io/otel/exporters: v0.14.0/v1.38.0 → v0.19.0/v1.43.0 (MEDIUM: unbounded HTTP #101, #102)
- Updated replace directives for log exporters from v0.14.0 → v0.19.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit cde4aa7. Configure here.
| go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= | ||
| go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 h1:OMqPldHt79PqWKOMYIAQs3CxAi7RLgPxwfFSwr4ZxtM= | ||
| go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0/go.mod h1:1biG4qiqTxKiUCtoWDPpL3fB3KxVwCiGw81j3nKMuHE= | ||
| go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0/go.mod h1:gMk9F0xDgyN9M/3Ed5Y1wKcx/9mlU91NXY2SNq7RQuU= |
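Review bot: the last row adds only the `/go.mod` hash for `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0`, while the v0.14.0 rows directly above keep both the `h1:` content hash and the `/go.mod` hash. For a dependency that is actually compiled, a go.sum entry without the content hash makes `go build` fail under the default `-mod=readonly` with a "missing go.sum entry" error. Run `go mod tidy` inside `dagger/` and commit the resulting go.sum; that adds the missing `h1:` line and also drops the now-unused v0.14.0 rows.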
Incomplete go.sum missing h1 hashes for updated modules
Medium Severity
dagger/go.sum is missing h1: content hashes for the new v0.19.0 versions of otlploggrpc, otlploghttp, otel/log, otel/sdk/log, and for golang.org/x/sync v0.20.0 — only /go.mod hashes were added. Meanwhile, the now-stale v0.14.0 entries still have both hash types. This pattern indicates go mod tidy was not run after updating dagger/go.mod, which can cause build failures in -mod=readonly mode (the default).
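The review comment above describes a go.sum that carries `/go.mod` hashes for new module versions but no matching `h1:` content hashes. The script below is an added example, not part of this PR or of any Go tooling: it scans a go.sum and lists every module version that has a `/go.mod` line but no content-hash line, so the mismatch can be caught before `go build -mod=readonly` fails in CI. The sample go.sum it constructs mirrors the shape of the hunk under review; its hash values are placeholders, not real checksums. The authoritative fix remains `go mod tidy`; this check only flags candidates, since a module that is needed for version selection but never compiled legitimately has only a `/go.mod` hash.

```shell
#!/bin/sh
# Added example (not from the PR): report module versions in a go.sum that
# have a "/go.mod" hash but no "h1:" content hash. For a module that is
# actually built, such an entry makes `go build` fail in -mod=readonly mode
# with "missing go.sum entry". Authoritative fix: `go mod tidy`.

# Print "module version" for every entry that lacks a content-hash line.
# $1: path to a go.sum file
find_missing_content_hashes() {
    awk '
        NF >= 3 {
            ver = $2
            sub(/\/go\.mod$/, "", ver)      # strip the /go.mod suffix
            key = $1 " " ver                # "module version"
            if ($2 ~ /\/go\.mod$/) gomod[key] = 1
            else content[key] = 1
        }
        END {
            for (k in gomod) if (!(k in content)) print k
        }
    ' "$1" | LC_ALL=C sort
}

# Write a constructed sample go.sum to the path in $1. It resembles the hunk
# under review: the v0.14.0 exporter has both hashes, the v0.19.0 exporter and
# golang.org/x/sync have only the /go.mod hash. Hash values are placeholders.
make_sample_gosum() {
    cat > "$1" <<'EOF'
go.opentelemetry.io/otel v1.43.0 h1:PLACEHOLDERAAAA=
go.opentelemetry.io/otel v1.43.0/go.mod h1:PLACEHOLDERBBBB=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 h1:PLACEHOLDERCCCC=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0/go.mod h1:PLACEHOLDERDDDD=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0/go.mod h1:PLACEHOLDEREEEE=
golang.org/x/sync v0.20.0/go.mod h1:PLACEHOLDERFFFF=
EOF
}

# Demo on the constructed sample; point find_missing_content_hashes at a real
# dagger/go.sum to run the same check on a checkout.
demo=$(mktemp)
make_sample_gosum "$demo"
echo "entries lacking an h1: content hash:"
find_missing_content_hashes "$demo"
rm -f "$demo"
```

In a pre-merge job, a non-empty result for a module that the build actually imports is the signal to run `go mod tidy` and commit go.sum again; entries for modules that are only pulled in for minimum-version selection can be left alone.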


Summary
Resolves open Dependabot security alerts:

Go (go.mod):
- github.com/jackc/pgx/v5 — CRITICAL memory-safety vulnerability
- github.com/moby/spdystream v0.5.0 → v0.5.1 — HIGH DOS on CRI
- github.com/docker/docker v28.5.1 → v28.5.2 — HIGH AuthZ plugin bypass (oversized request body)
- github.com/moby/moby v26.1.0 → v28.5.2 — HIGH AuthZ plugin bypass

Go (dagger/go.mod):
- go.opentelemetry.io/otel/sdk v1.42.0 → v1.43.0 — HIGH BSD kenv PATH hijacking

Go (go.mod MEDIUM):
- github.com/go-git/go-git/v5 v5.17.1 → v5.18.0 — credential leak via cross-host redirect

Test plan
🤖 Generated with Claude Code