fix(security): remediate 4 HIGH/CRITICAL CVEs in Go dependencies#77

Open
Ompragash wants to merge 1 commit into
mainfrom
vigil/cve-remediation-4-cves-3
Conversation

@Ompragash

Member

Security Remediation — CVE Patch

CVEs Fixed

| CVE ID | Severity | Package | From | To |
|---|---|---|---|---|
| CVE-2026-33186 | CRITICAL | google.golang.org/grpc | v1.59.0 | v1.79.3 |
| CVE-2024-45337 | CRITICAL | golang.org/x/crypto | v0.14.0 | v0.46.0 |
| CVE-2025-22868 | HIGH | golang.org/x/oauth2 | v0.13.0 | v0.34.0 |
| CVE-2025-22869 | HIGH | golang.org/x/crypto | v0.14.0 | v0.46.0 |

Additional Dependency Updates (transitive)

  • google.golang.org/protobuf: v1.31.0 → v1.36.10
  • cloud.google.com/go/compute/metadata: v0.3.0 → v0.9.0
  • google.golang.org/appengine: removed (no longer needed after go mod tidy)

Test Results

  • go test ./... : PASSED (return code 0, no test files with failures)

Scan Tools Used

  • Trivy, OSV, govulncheck

Notes

  • No Dockerfile present; only Go dependency fixes applied.
  • govulncheck confirmed no actually-called vulnerable code, but dependencies were patched proactively per policy.
  • Scanned: 2026-04-09T00:09:49Z

Do not auto-merge. This PR requires manual review.

…25-22869, upgrade google.golang.org/grpc to v1.79.3, golang.org/x/crypto to v0.46.0, golang.org/x/oauth2 to v0.34.0, google.golang.org/protobuf to v1.36.10, cloud.google.com/go/compute/metadata to v0.9.0