
Fix go.mod security alerts (Snyk) #496

Draft
inFocus7 wants to merge 7 commits into agentregistry-dev:main from inFocus7:infocus7/fix-security-alerts

Conversation

inFocus7 (Collaborator) commented May 14, 2026

TODO: There is a PR up to remove the scorecard work, so the bump to scorecard + changes may not matter as much.
TODO: Test locally

Description

Motivation: Clearing up security alerts - focused on our go dependencies.

What Changed:

| Dependency | Previous | New | Notes |
|---|---|---|---|
| Go | 1.25.7 | 1.25.10 | Closes 8 stdlib CVEs. No breaking changes (patch). |
| Scorecard | v4 4.13.1 | v5 5.5.0 | Closes 12+ transitive CVEs (jwt, go-jose, retryablehttp, go-git, grpc). Breaking: API rename + import path moved; adapted in `pkg/importer/scanners/scorecard/scorecard.go`. |
| PGX | 5.7.6 | 5.9.2 | Closes 4 CVEs (SQL injection, pgproto3 validation). No breaking changes. |
| MCP Go SDK | 1.4.0 | 1.4.1 | Closes CSRF + segmentio/encoding/json CVE. No breaking changes. |
| OpenTelemetry | 1.38.0 | 1.43.0 | Closes 4 CVEs (propagation, baggage, sdk/resource). API-compatible. ⚠️ Behavior change: exporters/prometheus now defaults to underscore-escaping metric names (as of v1.39). Prometheus dashboards querying dotted names need updating. |
| golang.org/x/net (indirect) | 0.50.0 | 0.54.0 | Closes 2 http2 CVEs ahead of upstream. No breaking changes (no direct imports). |

Change Type

/kind bump

Changelog

Bumps various go mod dependencies to resolve CVEs.
**Behavior change:** Prometheus now defaults to underscore-escaping metric names (v1.39 default flip). Prometheus dashboards querying dotted names (e.g. `agent_registry.http.requests`, `agent_registry.http.request.duration`) need updating to use `_`.

Local Snyk Scans

```sh
brew tap snyk/tap
brew install snyk
snyk test
```

Before 🐛

✗ Low severity vulnerability found in std/html/template
  Description: Cross-site Scripting (XSS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDHTMLTEMPLATE-15928853
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.9, 1.26.2

✗ Low severity vulnerability found in github.com/jackc/pgx/v5/internal/sanitize
  Description: SQL Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5INTERNALSANITIZE-16134558
  Introduced through: github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6
  Fixed in: 5.9.2

✗ Low severity vulnerability found in github.com/jackc/pgx/v5
  Description: SQL Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5-16134557
  Introduced through: github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6
  Fixed in: 5.9.2

✗ Low severity vulnerability found in github.com/golang-jwt/jwt/v4
  Description: Insufficient Documentation of Error Handling Techniques
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOLANGJWTJWTV4-8341242
  Introduced through: github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 4.5.1

✗ Medium severity vulnerability found in std/os
  Description: Directory Traversal
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDOS-15440726
  Introduced through: std/os@1.25.7, github.com/caarlos0/env/v11@11.3.1, github.com/charmbracelet/bubbletea@1.3.10, github.com/compose-spec/compose-go/v2/types@2.9.1, github.com/danielgtaylor/huma/v2@2.34.1, github.com/fsnotify/fsnotify@1.9.0, github.com/google/go-containerregistry/pkg/authn@0.20.6, github.com/joho/godotenv@1.5.1, k8s.io/apimachinery/pkg/runtime@0.35.0, k8s.io/client-go/rest@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/spf13/cobra@1.10.2, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/rs/cors@1.11.1, k8s.io/client-go/tools/clientcmd@0.35.0, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, github.com/charmbracelet/bubbles/textarea@0.21.0, github.com/charmbracelet/bubbles/textinput@0.21.0, github.com/charmbracelet/bubbles/spinner@0.21.0, github.com/charmbracelet/bubbles/viewport@0.21.0, github.com/charmbracelet/lipgloss@1.1.0, github.com/ossf/scorecard/v4/log@4.13.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, k8s.io/apimachinery/pkg/util/runtime@0.35.0, trpc.group/trpc-go/trpc-a2a-go/protocol@0.2.5, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel@1.38.0, github.com/prometheus/client_golang/prometheus/promhttp@1.23.2, github.com/muesli/reflow/wordwrap@0.3.0, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, k8s.io/client-go/kubernetes/scheme@0.35.0, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5
  Fixed in: 1.25.8, 1.26.1

✗ Medium severity vulnerability found in std/net/url
  Description: Server-side Request Forgery (SSRF)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNETURL-15440727
  Introduced through: std/net/url@1.25.7, github.com/caarlos0/env/v11@11.3.1, github.com/danielgtaylor/huma/v2@2.34.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/google/go-containerregistry/pkg/name@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, k8s.io/apimachinery/pkg/runtime@0.35.0, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, k8s.io/client-go/rest@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, k8s.io/client-go/tools/clientcmd@0.35.0, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, github.com/charmbracelet/bubbles/textarea@0.21.0, github.com/charmbracelet/bubbletea@1.3.10, github.com/charmbracelet/bubbles/viewport@0.21.0, github.com/compose-spec/compose-go/v2/types@2.9.1, github.com/google/go-containerregistry/pkg/authn@0.20.6, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, k8s.io/api/core/v1@0.35.0, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, github.com/ossf/scorecard/v4/checker@4.13.1, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, github.com/charmbracelet/lipgloss@1.1.0, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/charmbracelet/bubbles/spinner@0.21.0, github.com/charmbracelet/bubbles/textinput@0.21.0, k8s.io/client-go/kubernetes/scheme@0.35.0, go.opentelemetry.io/otel@1.38.0
  Fixed in: 1.25.8, 1.26.1

✗ Medium severity vulnerability found in std/net/mail
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNETMAIL-16535168
  Introduced through: github.com/danielgtaylor/huma/v2@2.34.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ Medium severity vulnerability found in std/net/http/httputil
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNETHTTPHTTPUTIL-16535163
  Introduced through: github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ Medium severity vulnerability found in std/html/template
  Description: Cross-site Scripting (XSS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDHTMLTEMPLATE-15440731
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.8, 1.26.1

✗ Medium severity vulnerability found in std/html/template
  Description: Improper Encoding or Escaping of Output
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDHTMLTEMPLATE-16535164
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ Medium severity vulnerability found in std/html/template
  Description: Cross-site Scripting (XSS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDHTMLTEMPLATE-16535165
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ Medium severity vulnerability found in std/crypto/x509
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDCRYPTOX509-15928852
  Introduced through: github.com/golang-jwt/jwt/v5@5.3.0, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, k8s.io/client-go/rest@0.35.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, k8s.io/client-go/tools/clientcmd@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.9, 1.26.2

✗ Medium severity vulnerability found in std/archive/tar
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDARCHIVETAR-15928858
  Introduced through: github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.9, 1.26.2

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Uncaught Exception
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-15363313
  Introduced through: k8s.io/client-go/rest@0.35.0, k8s.io/client-go/tools/clientcmd@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, github.com/ossf/scorecard/v4/clients@4.13.1, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, github.com/ossf/scorecard/v4/checker@4.13.1, k8s.io/client-go/kubernetes/scheme@0.35.0, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 0.51.0

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
  Description: Insertion of Sensitive Information into Log File
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
  Introduced through: github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 0.7.7

✗ Medium severity vulnerability found in github.com/go-git/go-git/v5/storage/filesystem
  Description: Improper Validation of Integrity Check Value
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5STORAGEFILESYSTEM-15253024
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.16.5

✗ Medium severity vulnerability found in github.com/go-git/go-git/v5/plumbing/transport
  Description: Arbitrary Argument Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGTRANSPORT-8602418
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.13.0

✗ Medium severity vulnerability found in github.com/go-git/go-git/v5/plumbing/format/index
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855220
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.17.1

✗ Medium severity vulnerability found in github.com/go-git/go-git/v5/plumbing/format/index
  Description: Improper Validation of Array Index
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855246
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.17.1

✗ Medium severity vulnerability found in github.com/go-git/go-git/v5/plumbing
  Description: Uncontrolled Resource Consumption ('Resource Exhaustion')
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBING-6140319
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.11.0

✗ High severity vulnerability found in std/net/mail
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNETMAIL-16535166
  Introduced through: github.com/danielgtaylor/huma/v2@2.34.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ High severity vulnerability found in std/net/http
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNETHTTP-16535158
  Introduced through: std/net/http@1.25.7, github.com/danielgtaylor/huma/v2@2.34.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, k8s.io/apimachinery/pkg/util/runtime@0.35.0, k8s.io/client-go/rest@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/prometheus/client_golang/prometheus/promhttp@1.23.2, github.com/rs/cors@1.11.1, k8s.io/client-go/tools/clientcmd@0.35.0, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, k8s.io/apimachinery/pkg/runtime@0.35.0, github.com/ossf/scorecard/v4/checker@4.13.1, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, k8s.io/client-go/kubernetes/scheme@0.35.0, go.opentelemetry.io/otel@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, github.com/ossf/scorecard/v4/checks@4.13.1, go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.10, 1.26.3

✗ High severity vulnerability found in std/net
  Description: Double Free
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNET-16535159
  Introduced through: std/net@1.25.7, github.com/danielgtaylor/huma/v2@2.34.1, github.com/google/go-containerregistry/pkg/name@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, github.com/jackc/pgx/v5/pgtype@5.7.6, k8s.io/client-go/rest@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, github.com/prometheus/client_golang/prometheus/promhttp@1.23.2, github.com/compose-spec/compose-go/v2/types@2.9.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/google/go-containerregistry/pkg/authn@0.20.6, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, trpc.group/trpc-go/trpc-a2a-go/protocol@0.2.5, go.opentelemetry.io/otel/sdk/resource@1.38.0, github.com/spf13/cobra@1.10.2, k8s.io/client-go/tools/clientcmd@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, k8s.io/client-go/kubernetes/scheme@0.35.0
  Fixed in: 1.25.10, 1.26.3

✗ High severity vulnerability found in std/net
  Description: Uncaught Exception
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDNET-16535161
  Introduced through: std/net@1.25.7, github.com/danielgtaylor/huma/v2@2.34.1, github.com/google/go-containerregistry/pkg/name@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote/transport@0.20.6, github.com/google/go-containerregistry/pkg/v1/remote@0.20.6, github.com/jackc/pgx/v5/pgtype@5.7.6, k8s.io/client-go/rest@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, github.com/prometheus/client_golang/prometheus/promhttp@1.23.2, github.com/compose-spec/compose-go/v2/types@2.9.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, github.com/google/go-containerregistry/pkg/authn@0.20.6, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, trpc.group/trpc-go/trpc-a2a-go/protocol@0.2.5, go.opentelemetry.io/otel/sdk/resource@1.38.0, github.com/spf13/cobra@1.10.2, k8s.io/client-go/tools/clientcmd@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, k8s.io/client-go/kubernetes/scheme@0.35.0
  Fixed in: 1.25.10, 1.26.3

✗ High severity vulnerability found in std/crypto/x509
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDCRYPTOX509-15928851
  Introduced through: github.com/golang-jwt/jwt/v5@5.3.0, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, k8s.io/client-go/rest@0.35.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, trpc.group/trpc-go/trpc-a2a-go/client@0.2.5, k8s.io/client-go/tools/clientcmd@0.35.0, github.com/modelcontextprotocol/go-sdk/mcp@1.4.0, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.9, 1.26.2

✗ High severity vulnerability found in std/crypto/tls
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-STDCRYPTOTLS-15928849
  Introduced through: github.com/danielgtaylor/huma/v2@2.34.1, github.com/danielgtaylor/huma/v2/adapters/humago@2.34.1, k8s.io/client-go/rest@0.35.0, github.com/prometheus/client_golang/prometheus/promhttp@1.23.2, github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6, k8s.io/client-go/tools/clientcmd@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, github.com/ossf/scorecard/v4/clients@4.13.1, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, k8s.io/client-go/kubernetes/scheme@0.35.0, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.25.9, 1.26.2

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-16535157
  Introduced through: k8s.io/client-go/rest@0.35.0, k8s.io/client-go/tools/clientcmd@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.35.0, sigs.k8s.io/controller-runtime/pkg/client/config@0.23.0, github.com/ossf/scorecard/v4/clients@4.13.1, k8s.io/api/core/v1@0.35.0, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.35.0, sigs.k8s.io/controller-runtime/pkg/client@0.23.0, github.com/kagent-dev/kagent/go/api/v1alpha2@#232ca4ff4a82, github.com/kagent-dev/kmcp/api/v1alpha1@0.2.7, github.com/ossf/scorecard/v4/checker@4.13.1, k8s.io/client-go/kubernetes/scheme@0.35.0, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 0.53.0

✗ High severity vulnerability found in go.opentelemetry.io/otel/sdk/resource
  Description: Untrusted Search Path
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758
  Introduced through: go.opentelemetry.io/otel/sdk/resource@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.40.0

✗ High severity vulnerability found in go.opentelemetry.io/otel/sdk/resource
  Description: Untrusted Search Path
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15954212
  Introduced through: go.opentelemetry.io/otel/sdk/resource@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.43.0

✗ High severity vulnerability found in go.opentelemetry.io/otel/propagation
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELPROPAGATION-15928420
  Introduced through: go.opentelemetry.io/otel@1.38.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.41.0

✗ High severity vulnerability found in go.opentelemetry.io/otel/internal/global
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELINTERNALGLOBAL-15928418
  Introduced through: go.opentelemetry.io/otel/sdk/metric@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel@1.38.0, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.41.0

✗ High severity vulnerability found in go.opentelemetry.io/otel/baggage
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELBAGGAGE-15928416
  Introduced through: go.opentelemetry.io/otel@1.38.0, go.opentelemetry.io/otel/sdk/resource@1.38.0, go.opentelemetry.io/otel/exporters/prometheus@0.60.0, go.opentelemetry.io/otel/sdk/metric@1.38.0, github.com/ossf/scorecard/v4/clients@4.13.1, go.opentelemetry.io/contrib/instrumentation/runtime@0.63.0, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 1.41.0

✗ High severity vulnerability found in github.com/segmentio/encoding/json
  Description: Interpretation Conflict
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSEGMENTIOENCODINGJSON-15701709
  Introduced through: github.com/modelcontextprotocol/go-sdk/mcp@1.4.0
  Fixed in: 0.5.4

✗ High severity vulnerability found in github.com/modelcontextprotocol/go-sdk/mcp
  Description: Cross-site Request Forgery (CSRF)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMODELCONTEXTPROTOCOLGOSDKMCP-15701711
  Introduced through: github.com/modelcontextprotocol/go-sdk/mcp@1.4.0
  Fixed in: 1.4.1

✗ High severity vulnerability found in github.com/jackc/pgx/v5/pgproto3
  Description: Incorrect Comparison
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5PGPROTO3-15923570
  Introduced through: github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6
  Fixed in: 5.9.0

✗ High severity vulnerability found in github.com/jackc/pgx/v5/pgproto3
  Description: Improper Validation of Array Index
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5PGPROTO3-15923580
  Introduced through: github.com/jackc/pgx/v5@5.7.6, github.com/jackc/pgx/v5/pgxpool@5.7.6
  Fixed in: 5.9.0

✗ High severity vulnerability found in github.com/golang-jwt/jwt/v4
  Description: Asymmetric Resource Consumption (Amplification)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOLANGJWTJWTV4-9510921
  Introduced through: github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 4.5.2

✗ High severity vulnerability found in github.com/go-jose/go-jose/v4/cipher
  Description: Uncaught Exception
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4CIPHER-15875224
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 4.1.4

✗ High severity vulnerability found in github.com/go-jose/go-jose/v4
  Description: Uncaught Exception
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-15875221
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 4.1.4

✗ High severity vulnerability found in github.com/go-git/go-git/v5/plumbing/transport/http
  Description: Insufficiently Protected Credentials
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGTRANSPORTHTTP-16109639
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.18.0

✗ High severity vulnerability found in github.com/go-git/go-git/v5/plumbing/object
  Description: Incorrect Behavior Order: Validate Before Canonicalize
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGOBJECT-16638689
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.19.0

✗ High severity vulnerability found in github.com/go-git/go-git/v5/plumbing
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBING-8602520
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.13.0

✗ Critical severity vulnerability found in google.golang.org/grpc
  Description: Incorrect Authorization
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1
  Fixed in: 1.79.3

✗ Critical severity vulnerability found in github.com/go-git/go-git/v5
  Description: Path Traversal
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754
  Introduced through: github.com/ossf/scorecard/v4/clients@4.13.1, github.com/ossf/scorecard/v4/checker@4.13.1, github.com/ossf/scorecard/v4/pkg@4.13.1, github.com/ossf/scorecard/v4/checks@4.13.1
  Fixed in: 5.11.0

Organization:      ***
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/agentregistry-dev/agentregistry
Open source:       no
Project path:      ***
Licenses:          enabled

Tested 1322 dependencies for known issues, found 44 issues, 4430 vulnerable paths.

Tip: Detected multiple supported manifests (4), use --all-projects to scan all of them at once.

After 🍾

Organization:      ***
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/agentregistry-dev/agentregistry
Open source:       no
Project path:      ***
Licenses:          enabled

✔ Tested 1945 dependencies for known issues, no vulnerable paths found.

Tip: Detected multiple supported manifests (4), use --all-projects to scan all of them at once.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

inFocus7 added 3 commits May 14, 2026 12:38
inFocus7 added 4 commits May 15, 2026 10:52
…d for cves)
