
fix(deps): vuln major upgrades — 23 packages (major: 1 · minor: 22) #424

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 3 commits into main from engraver-auto-version-upgrade/major/go/1-1778178506

Conversation

@gh-worker-campaigns-3e9aa4
Contributor

Summary: High-severity security update — 23 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| go.opentelemetry.io/otel/sdk | v1.39.0 | v1.43.0 | minor | Transitive | 4 HIGH |
| github.com/docker/compose/v2 | v2.40.2 | v5.1.3 | major | Direct | 3 HIGH |
| go.opentelemetry.io/otel | v1.39.0 | v1.43.0 | minor | Transitive | 1 HIGH |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | v1.35.0 | v1.43.0 | minor | Transitive | 1 MODERATE |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.35.0 | v1.43.0 | minor | Transitive | 1 MODERATE |
| github.com/compose-spec/compose-go/v2 | v2.9.0 | v2.10.2 | minor | Direct | - |
| github.com/containerd/containerd/api | v1.9.0 | v1.11.0 | minor | Transitive | - |
| github.com/containerd/containerd/v2 | v2.1.5 | v2.3.0 | minor | Transitive | - |
| github.com/go-viper/mapstructure/v2 | v2.4.0 | v2.5.0 | minor | Transitive | - |
| github.com/golang-jwt/jwt/v5 | v5.2.3 | v5.3.1 | minor | Transitive | - |
| github.com/grpc-ecosystem/grpc-gateway/v2 | v2.27.1 | v2.29.0 | minor | Transitive | - |
| github.com/hashicorp/go-version | v1.7.0 | v1.9.0 | minor | Transitive | - |
| github.com/morikuni/aec | v1.0.0 | v1.1.0 | minor | Transitive | - |
| github.com/pelletier/go-toml/v2 | v2.2.4 | v2.3.1 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc | v1.37.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace | v1.37.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc | v1.37.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/metric | v1.39.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/sdk/metric | v1.39.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/otel/trace | v1.39.0 | v1.43.0 | minor | Transitive | - |
| go.opentelemetry.io/proto/otlp | v1.7.1 | v1.10.0 | minor | Transitive | - |
| google.golang.org/grpc | v1.79.3 | v1.81.0 | minor | Direct | - |
| tags.cncf.io/container-device-interface | v1.0.1 | v1.1.0 | minor | Transitive | - |

Packages marked with "-" are updated due to dependency constraints.


Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (8 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| github.com/docker/compose/v2 | GO-2026-4610 | high | Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli | v2.40.2 | - |
| github.com/docker/compose/v2 | CVE-2025-15558 | high | - | v2.40.2 | - |
| github.com/docker/compose/v2 | GHSA-p436-gjf2-799p | HIGH | Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows | v2.40.2 | - |
| go.opentelemetry.io/otel | GHSA-mh2q-q3fh-2475 | HIGH | OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) | v1.39.0 | 1.41.0 |
| go.opentelemetry.io/otel/sdk | GO-2026-4394 | high | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk | v1.39.0 | 1.40.0 |
| go.opentelemetry.io/otel/sdk | CVE-2026-24051 | high | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | v1.39.0 | - |
| go.opentelemetry.io/otel/sdk | GHSA-9h8m-3fm2-qjrq | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking | v1.39.0 | 1.40.0 |
| go.opentelemetry.io/otel/sdk | GHSA-hfvc-g4fc-pqhx | HIGH | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking | v1.39.0 | 1.43.0 |

ℹ️ Other Vulnerabilities (2)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.35.0 | 1.43.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | GHSA-w8rr-5gcm-pp58 | MODERATE | opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies | v1.35.0 | 1.43.0 |

⚠️ Dependencies that have Reached EOL (1)

| Dependency | Unsafe Version | EOL Date | New Version | Path |
| --- | --- | --- | --- | --- |
| github.com/morikuni/aec | v1.0.0 | - | v1.1.0 | go.mod |

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
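The checklist above asks the reviewer to confirm the changes, but the thing worth checking mechanically is that every module with a "Fixed In" value in the security table actually lands at or above that version. The following Go program is an added example, not code from this PR or from the bot: it reads a go.mod, collects the require directives (single-line and block form, "// indirect" included) and compares each listed module against a floor map. The fixedIn map is built from the table, taking the highest floor where one module has several advisories (go.opentelemetry.io/otel/sdk: 1.43.0) and omitting modules whose Fixed In column is "-"; the two go.mod excerpts are constructed for the demo. Version comparison strips pre-release and build suffixes, which is a simplification rather than full semver.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// fixedIn: module -> minimum version, derived from the PR's "Fixed In" column.
// Highest floor per module; modules with "-" in that column are left out.
var fixedIn = map[string]string{
	"go.opentelemetry.io/otel":                                          "v1.41.0",
	"go.opentelemetry.io/otel/sdk":                                      "v1.43.0",
	"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp": "v1.43.0",
	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp":   "v1.43.0",
}

// Constructed go.mod excerpts standing in for the tree before and after the bump.
const beforeGoMod = `module example.com/svc

go 1.24

require (
	github.com/docker/compose/v2 v2.40.2
	go.opentelemetry.io/otel v1.39.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
)
`

const afterGoMod = `module example.com/svc

go 1.24

require google.golang.org/grpc v1.81.0

require (
	go.opentelemetry.io/otel v1.43.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
)
`

// parseRequires returns module -> version for every require directive,
// handling both "require m v" and "require ( ... )" and dropping comments.
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case line == ")" && inBlock:
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// numericParts turns "v1.43.0-rc1+meta" into [1 43 0]; suffixes are ignored.
func numericParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s) // non-numeric component counts as 0
	}
	return out
}

// compareVersions returns -1, 0 or 1 ordering a before/equal/after b.
func compareVersions(a, b string) int {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// checkFloors reports every module that is absent or below its floor;
// an empty result means the go.mod satisfies all floors.
func checkFloors(gomod string, floors map[string]string) []string {
	have := parseRequires(gomod)
	paths := make([]string, 0, len(floors))
	for p := range floors {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	var problems []string
	for _, p := range paths {
		got, ok := have[p]
		if !ok {
			problems = append(problems, p+": not listed in go.mod; confirm with `go list -m all`")
		} else if compareVersions(got, floors[p]) < 0 {
			problems = append(problems, fmt.Sprintf("%s: have %s, need >= %s", p, got, floors[p]))
		}
	}
	return problems
}

func main() {
	for _, s := range []struct{ name, mod string }{{"before", beforeGoMod}, {"after", afterGoMod}} {
		problems := checkFloors(s.mod, fixedIn)
		fmt.Printf("%s: %d module(s) below floor\n", s.name, len(problems))
		for _, p := range problems {
			fmt.Println("  ", p)
		}
	}
}
```

To use it against the PR branch, replace the constructed excerpts with the real go.mod contents; since Go 1.17 go.mod lists transitive modules too, so the Transitive rows in the table are covered. This checks the declared floor only; the "-" rows (all three docker/compose advisories and CVE-2026-24051) give the reviewer no floor to assert, and govulncheck against the built binary is the check that settles whether the vulnerable code is still reachable.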
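The three PATH-hijacking advisories against go.opentelemetry.io/otel/sdk listed above, including the BSD kenv entry, share one shape: a helper command invoked by bare name, so whatever PATH search the loader performs decides which file runs. The following Go program is an added illustration of that pattern and of its hardening; it is not code from OpenTelemetry, from this PR or from the bot. The kenv arguments, the trusted absolute paths and the planted script are assumptions made for the demo. It writes a fake kenv into a temporary directory, prepends that directory to PATH, and shows that a bare-name exec runs the plant while a resolver limited to pre-approved absolute paths never does (on Linux, where kenv is absent, it reports not-found instead of executing anything).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Result records what each resolution strategy did, so callers and tests can
// check behaviour without relying on printed output.
type Result struct {
	PlantedPath    string // fake "kenv" written by the "attacker"
	ResolvedPath   string // what exec.LookPath("kenv") chose with the attacker dir on PATH
	VulnOutput     string // stdout from running "kenv" by bare name
	HardenedOutput string // stdout from the hardened resolver; empty if nothing trusted existed
	HardenedErr    error  // non-nil when no trusted absolute path exists (the Linux case)
}

// trustedKenv is the allowlist the hardened code may execute. These are the
// usual BSD locations and are an assumption for this demo.
var trustedKenv = []string{"/sbin/kenv", "/bin/kenv"}

// plantFakeKenv writes an executable script named kenv into dir, standing in
// for an attacker who controls a directory that ends up on PATH.
func plantFakeKenv(dir string) (string, error) {
	p := filepath.Join(dir, "kenv")
	script := "#!/bin/sh\necho HIJACKED\n" // constructed payload; a real one would stay quiet
	if err := os.WriteFile(p, []byte(script), 0o755); err != nil {
		return "", err
	}
	return p, nil
}

// runBare is the vulnerable pattern: a bare command name, so os/exec walks
// PATH and executes whichever "kenv" it meets first.
func runBare(args ...string) (string, error) {
	out, err := exec.Command("kenv", args...).Output()
	return strings.TrimSpace(string(out)), err
}

// runTrusted is the hardened pattern: only absolute, pre-approved paths are
// tried and PATH is never consulted, so a planted binary cannot be chosen.
func runTrusted(candidates []string, args ...string) (string, error) {
	for _, c := range candidates {
		if !filepath.IsAbs(c) {
			return "", fmt.Errorf("refusing non-absolute command path %q", c)
		}
		if _, err := os.Stat(c); err != nil {
			continue // not installed here; try the next trusted location
		}
		out, err := exec.Command(c, args...).Output()
		return strings.TrimSpace(string(out)), err
	}
	return "", errors.New("kenv not present at any trusted absolute path")
}

// Demo plants the fake binary, prepends its directory to PATH (restored on
// return), and runs both the vulnerable and the hardened resolution.
func Demo() (Result, error) {
	var r Result
	dir, err := os.MkdirTemp("", "path-hijack-demo-")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)

	if r.PlantedPath, err = plantFakeKenv(dir); err != nil {
		return r, err
	}

	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", dir+string(os.PathListSeparator)+oldPath)

	// exec.Command does exactly this lookup for a bare name.
	if r.ResolvedPath, err = exec.LookPath("kenv"); err != nil {
		return r, err
	}
	if r.VulnOutput, err = runBare("-q", "smbios.system.uuid"); err != nil {
		return r, err
	}
	r.HardenedOutput, r.HardenedErr = runTrusted(trustedKenv, "-q", "smbios.system.uuid")
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("planted:  %s\nresolved: %s\nbare run: %q\ntrusted:  %q (err: %v)\n",
		r.PlantedPath, r.ResolvedPath, r.VulnOutput, r.HardenedOutput, r.HardenedErr)
}
```

It needs a POSIX /bin/sh and a temp directory from which scripts may execute. The same review question applies to any dependency that shells out: every exec.Command whose first argument has no directory component is resolved through the caller's PATH, which in containers and CI runners is often partly writable by lower-privileged code.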

@gh-worker-campaigns-3e9aa4
Contributor Author

gh-worker-campaigns-3e9aa4 Bot commented May 7, 2026

Auto-rebase complete

Branch is up to date with main — rebased onto 3df6840.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-0c48d7 dd-octo-sts-0c48d7 Bot force-pushed the engraver-auto-version-upgrade/major/go/1-1778178506 branch from 763f890 to 066601e on May 7, 2026 20:34
dd-octo-sts-6354d5 Bot and others added 3 commits May 12, 2026 09:39
Co-authored-by: dd-octo-sts-0c48d7[bot] <256648829+dd-octo-sts-0c48d7[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-0c48d7[bot] <256648829+dd-octo-sts-0c48d7[bot]@users.noreply.github.com>
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@dd-octo-sts-6354d5 dd-octo-sts-6354d5 Bot force-pushed the engraver-auto-version-upgrade/major/go/1-1778178506 branch from 066601e to 046170d on May 12, 2026 09:39