fix(deps): vuln minor: github.com/aws/aws-sdk-go-v2/service/s3, github.com/go-git/go-git/v5 [test/e2e-framework]

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• test/e2e-framework (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
github.com/go-git/go-git/v5	v5.16.5	v5.19.0	minor	Transitive	2 MODERATE, 2 MEDIUM, 3 LOW
github.com/aws/aws-sdk-go-v2/service/s3	v1.97.2	v1.101.0	minor	Direct	1 MODERATE

---

Security Details

ℹ️ Other Vulnerabilities (8)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/go-git/go-git/v5	GO-2026-4910	medium	Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git	v5.16.5	5.17.1
github.com/go-git/go-git/v5	CVE-2026-34165	medium	go-git: Maliciously crafted idx file can cause asymmetric memory consumption	v5.16.5	-
github.com/aws/aws-sdk-go-v2/service/s3	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.97.2	1.97.3
github.com/go-git/go-git/v5	GHSA-jhf3-xxhw-2wpp	MODERATE	go-git: Maliciously crafted idx file can cause asymmetric memory consumption	v5.16.5	5.17.1
github.com/go-git/go-git/v5	GHSA-3xc5-wrhm-f963	MODERATE	go-git: Credential leak via cross-host redirect in smart HTTP transport	v5.16.5	5.18.0
github.com/go-git/go-git/v5	GHSA-gm2x-2g9h-ccm8	LOW	go-git missing validation decoding Index v4 files leads to panic	v5.16.5	5.17.1
github.com/go-git/go-git/v5	CVE-2026-33762	LOW	go-git: Missing validation decoding Index v4 files leads to panic	v5.16.5	-
github.com/go-git/go-git/v5	GO-2026-4909	LOW	Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git	v5.16.5	5.17.1

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

[datadog-datadog-prod-us1]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 7 Pipeline jobs failed

DataDog/datadog-agent | bazel:run-go-mod-tidy     

DataDog/datadog-agent | go_mod_tidy_check     

DataDog/datadog-agent | new-e2e-containers-eks-init     

View all 7 failed jobs.

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 50.88% (+0.11%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0440f52 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor f8e962f1:

Results for datadog-agent_7.81.0~devel.git.747.970be15.pipeline.118322510-1_amd64.deb:

No change detected

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto abc1689.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[gh-worker-campaigns-3e9aa4]

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

• Go Mod Tidy: ❌ exit status 127

Error Details (up to 4000 chars)

gimme: sha256sum failed for '/tmp/gimme/go1.25.5.linux.amd64.tar.gz'
gimme: continuing to next candidate URL
I don't have any idea what to do with '1.25.5'.
  (using download type 'binary')
bash: line 1: go: command not found

• Custom Action: registry.ddbuild.io/engraver-custom-action:update-go-mod-dd-source ✅ (0.45s)

• Custom Action: registry.ddbuild.io/engraver-custom-action:update-go-mod-dd-source ✅ (0.43s)

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto fb06699.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[github-actions]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🎉

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto 06da375.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[github-actions]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 393e04c0a9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Upgrade go-git past vulnerable v5.19.0

This security-remediation bump selects github.com/go-git/go-git/v5 v5.19.0, but GitHub advisory GHSA-w5pp-99ch-qj29 lists <=5.19.0 as affected and 5.19.1 as the patched version (GHSA-w5pp-99ch-qj29). As a result, dependency scanning can still flag this module, and any e2e-framework path that processes untrusted Git repository data via this transitive dependency remains exposed to the documented DoS issue.

Useful? React with 👍 / 👎.

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto 9847ec0.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[github-actions]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🎉

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto f8e962f.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[github-actions]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 970be1540d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Upgrade go-git to the patched 5.19.1 release

This remediation pins github.com/go-git/go-git/v5 to v5.19.0, but current advisories still classify all versions before 5.19.1 as affected by malicious-repository issues, including path validation allowing crafted repos to modify .git directories and malformed object data causing panics/resource exhaustion (see https://advisories.gitlab.com/golang/github.com/go-git/go-git/v5/CVE-2026-45571/ and https://advisories.gitlab.com/golang/github.com/go-git/go-git/v5/GHSA-w5pp-99ch-qj29/). In environments where the e2e framework’s transitive go-git dependency processes untrusted repos, this leaves the module vulnerable and dependency scanning will keep flagging it; please bump to v5.19.1 or newer instead.

Useful? React with 👍 / 👎.

[gh-worker-campaigns-3e9aa4]

Auto-rebase complete

Branch is up to date with main — rebased onto 58d5a5f.

---

_{Auto-Rebase · Add no-auto-rebase to opt out}

[github-actions]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

Reviewed commit: 0440f52b9c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".