DataDog / datadog-agent

[BUG] go-grpc-compression has a zstd decompression bombing vulnerability #26658

Open ZsoltPath opened 3 months ago

ZsoltPath commented 3 months ago

AWS Inspector recently alerts about the following vulnerability: go-grpc-compression has a zstd decompression bombing vulnerability https://github.com/advisories/GHSA-87m9-rv8p-rgmg

Agent Environment

v7.54.0

Describe what happened:

Describe what you expected:

Steps to reproduce the issue:

Additional environment details (Operating System, Cloud provider, etc): AWS Lambda extension

AndreiMazu commented 3 months ago

To follow up on this occurring issue.

It would seem that the vulnerable module has been updated to the fix version provided in https://github.com/advisories/GHSA-87m9-rv8p-rgmg as can be seen in https://github.com/DataDog/datadog-agent/blob/main/go.mod#L478 in https://github.com/DataDog/datadog-agent/commit/054a65c46b290fa3bb9f4ff09fed5cf6d0029123.

This was done as part of this PR: https://github.com/DataDog/datadog-agent/pull/26609, and then was added as a backport to 7.55.x in https://github.com/DataDog/datadog-agent/pull/26615.

However the 7.55 milestone https://github.com/DataDog/datadog-agent/milestone/192 that now includes the backport mentioned above hasn’t yet been released.

Would it be possible to provide any info on a potential timeline of this fix being released and a new datadog-lambda-extension with the fix being published?

sgnn7 commented 3 months ago

Hi @AndreiMazu (et al.), we don't provide our release dates in advance, as the process itself takes a variable amount of time after the code freeze (e.g. for testing, QA of changes, etc.). With that said, we are in the later stages of the process for the next Agent release.