Skip to content

fix(deps): vuln google.golang.org/protobuf (minor → v1.36.11) #30

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1776936178
Open

fix(deps): vuln google.golang.org/protobuf (minor → v1.36.11) #30
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1776936178

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/protobuf v1.27.1 v1.36.11 minor Transitive 2 MODERATE

Security Details

ℹ️ Other Vulnerabilities (2)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/protobuf GO-2024-2611 MODERATE Infinite loop in JSON unmarshaling in google.golang.org/protobuf v1.27.1 1.33.0
google.golang.org/protobuf GHSA-8r3f-844c-mc37 MODERATE Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON v1.27.1 1.33.0
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
google.golang.org/protobuf v1.27.1 - v1.36.11 go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod
Copy link
Copy Markdown

campaigner-prod Bot commented Apr 23, 2026

Release Notes

google.golang.org/protobuf (v1.27.1 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

v1.36.5

Full Changelog: protocolbuffers/protobuf-go@v1.36.4...v1.36.5

Bug fixes:
CL/644437: protogen: fix name mangling for fields with identical GoCamelCase

Maintenance:
CL/641655: all: remove weak field support

v1.36.4

Full Changelog: protocolbuffers/protobuf-go@v1.36.3...v1.36.4

Bug fixes:
CL/642975: reflect/protodesc: fix panic when working with dynamicpb

Maintenance:
CL/643276: internal_gengo: avoid allocations in rawDescGZIP() accessors
CL/642857: internal_gengo: switch back from string literal to hex byte slice
CL/642055: internal_gengo: use unsafe.StringData() to avoid a descriptor copy
CL/638135: internal_gengo: store raw descriptor in .rodata section

v1.36.3

Full Changelog: protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
CL/642575: reflect/protodesc: fix panic when working with dynamicpb
CL/641036: cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
CL/641876: proto: add example for GetExtension, SetExtension
CL/642015: runtime/protolazy: replace internal doc link with external link

Maintenance:
CL/641635: all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
CL/641019: internal/impl: remove unused exporter parameter
CL/641018: internal/impl: switch to reflect.Value.IsZero
CL/641035: internal/impl: clean up unneeded Go<1.12 MapRange() alternative
CL/641017: types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

(and 16 more releases — view all)

Generated by ADMS Sources: 1 GitHub Release.

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review April 23, 2026 12:18
@dd-prapprover
Copy link
Copy Markdown

dd-prapprover Bot commented Apr 23, 2026
edited
Loading

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-04-23T12:19:09Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: waiting for CI tests to complete...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-go adms-medium-severity adms-minor-update adms-mode-all-updates campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants