fix(deps): vuln minor: golang.org/x/crypto, golang.org/x/sys

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
golang.org/x/crypto	v0.11.0	v0.53.0	minor	Direct	3 CRITICAL, 2 HIGH, 9 MEDIUM, 14 UNKNOWN
golang.org/x/sys	v0.10.0	v0.46.0	minor	Transitive	1 UNKNOWN

---

Security Details

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GO-2024-3321	critical	Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto	v0.11.0	0.31.0
golang.org/x/crypto	CVE-2024-45337	critical	-	v0.11.0	-
golang.org/x/crypto	GHSA-v778-237x-gjrc	CRITICAL	Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto	v0.11.0	0.31.0
golang.org/x/crypto	GO-2025-3487	HIGH	Potential denial of service in golang.org/x/crypto	v0.11.0	0.35.0
golang.org/x/crypto	GHSA-hcg3-q754-cr77	HIGH	golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange	v0.11.0	0.35.0

ℹ️ Other Vulnerabilities (24)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GO-2025-4135	medium	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent	v0.11.0	0.45.0
golang.org/x/crypto	CVE-2025-58181	medium	-	v0.11.0	-
golang.org/x/crypto	GO-2025-4134	medium	Unbounded memory consumption in golang.org/x/crypto/ssh	v0.11.0	0.45.0
golang.org/x/crypto	CVE-2025-47914	medium	-	v0.11.0	-
golang.org/x/crypto	GHSA-j5w8-q4qc-rx2x	MODERATE	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	v0.11.0	0.45.0
golang.org/x/crypto	GHSA-f6x5-jh6r-wrfv	MODERATE	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	v0.11.0	0.45.0
golang.org/x/crypto	GHSA-45x7-px36-x8w8	MODERATE	Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin	v0.11.0	0.17.0
golang.org/x/crypto	CVE-2023-48795	MODERATE	-	v0.11.0	-
golang.org/x/crypto	GO-2023-2402	MODERATE	Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto	v0.11.0	0.17.0
golang.org/x/crypto	GO-2025-4116	unknown	Potential denial of service in golang.org/x/crypto/ssh/agent	v0.11.0	0.43.0
golang.org/x/crypto	GO-2026-5017	unknown	Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5019	unknown	Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5016	unknown	Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5013	unknown	Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5015	unknown	Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5021	unknown	Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5033	unknown	Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5005	unknown	Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5014	unknown	Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5006	unknown	Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5020	unknown	Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5018	unknown	Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/crypto	GO-2026-5023	unknown	Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh	v0.11.0	0.52.0
golang.org/x/sys	GO-2026-5024	unknown	Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows	v0.10.0	0.44.0

📅 Dependencies Nearing EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
golang.org/x/crypto	v0.11.0	Jul 5, 2026	v0.53.0	go.mod
golang.org/x/sys	v0.10.0	Jul 4, 2026	v0.46.0	go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

[datadog-prod-us1-5]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 7 Pipeline jobs failed

CI | tests / run (macos-latest, 1.25)     

CI | tests / run (macos-latest, 1.26)     

CI | tests / run (ubuntu-latest, 1.25)     

View all 7 failed jobs.

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: da18342 | Docs | Datadog PR Page | Give us feedback!}