Skip to content

fix: upgrade nats, grpc, and mcp#4619

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
mainfrom
hannahkm/fix-vulns-again
Mar 30, 2026
Merged

fix: upgrade nats, grpc, and mcp#4619
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
mainfrom
hannahkm/fix-vulns-again

Conversation

@hannahkm

@hannahkm hannahkm commented Mar 30, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Address security vulns, upgrading:

  • google.golang.org/grpc to v1.79.3
  • github.com/nats-io/nats-server/v2 to v2.12.6
  • github.com/modelcontextprotocol/go-sdk to v1.4.1

Motivation

Critical and high level security vulnerabilities. Examples:

https://github.com/DataDog/dd-trace-go/security/dependabot/437
https://github.com/DataDog/dd-trace-go/security/dependabot/449
https://github.com/DataDog/dd-trace-go/security/dependabot/439

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • New code is free of linting errors. You can check this by running make lint locally.
  • New code doesn't break existing tests. You can check this by running make test locally.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • All generated files are up to date. You can check this by running make generate locally.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to date by running make fix-modules locally.

Unsure? Have a question? Request a review!

@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Mar 30, 2026
@hannahkm
hannahkm marked this pull request as ready for review March 30, 2026 18:27
@codecov

codecov Bot commented Mar 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.74%. Comparing base (ad8e174) to head (918b4f2).

Additional details and impacted files

see 435 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Mar 30, 2026

Copy link
Copy Markdown

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.09% (+3.93%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 918b4f2 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@nsrip-dd nsrip-dd left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skimmed the APIs for the updated deps and didn't spot any breaking changes, so this seems fine in that regard. Just for posterity, could you link the the vulnerabilities this PR is addressing? Jira tickets, dependabot, etc

@pr-commenter

pr-commenter Bot commented Mar 30, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-03-30 19:11:30

Comparing candidate commit 918b4f2 in PR branch hannahkm/fix-vulns-again with baseline commit ad8e174 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 217 metrics, 7 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot merged commit 8c75eb5 into main Mar 30, 2026
241 checks passed
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot deleted the hannahkm/fix-vulns-again branch March 30, 2026 19:27
hannahkm added a commit that referenced this pull request Mar 30, 2026
<!--
* New contributors are highly encouraged to read our
  [CONTRIBUTING](/CONTRIBUTING.md) documentation.
* Commit and PR titles should be prefixed with the general area of the pull request's change.

-->

Address security vulns, upgrading:

* google.golang.org/grpc to v1.79.3
* github.com/nats-io/nats-server/v2 to v2.12.6
* github.com/modelcontextprotocol/go-sdk to v1.4.1

<!--
* A brief description of the change being made with this pull request.
* If the description here cannot be expressed in a succinct form, consider
  opening multiple pull requests instead of a single one.
-->

Critical and high level security vulnerabilities. Examples:

https://github.com/DataDog/dd-trace-go/security/dependabot/437
https://github.com/DataDog/dd-trace-go/security/dependabot/449
https://github.com/DataDog/dd-trace-go/security/dependabot/439

<!--
* What inspired you to submit this pull request?
* Link any related GitHub issues or PRs here.
* If this resolves a GitHub issue, include "Fixes #XXXX" to link the issue and auto-close it on merge.
-->

<!--
* Authors can use this list as a reference to ensure that there are no problems
  during the review but the signing off is to be done by the reviewer(s).
-->

- [ ] Changed code has unit tests for its functionality at or near 100% coverage.
- [ ] [System-Tests](https://github.com/DataDog/system-tests/) covering this feature have been added and enabled with the va.b.c-dev version tag.
- [ ] There is a benchmark for any new code, or changes to existing code.
- [ ] If this interacts with the agent in a new way, a system test has been added.
- [ ] New code is free of linting errors. You can check this by running `make lint` locally.
- [ ] New code doesn't break existing tests. You can check this by running `make test` locally.
- [ ] Add an appropriate team label so this PR gets put in the right place for the release notes.
- [ ] All generated files are up to date. You can check this by running `make generate` locally.
- [ ] Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to date by running `make fix-modules` locally.

Unsure? Have a question? Request a review!

Co-authored-by: hannahs.kim <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

apm:ecosystem contrib/* related feature requests or bugs mergequeue-status: done

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants