fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium)

[osmontero]

Dependabot Remediation

Patches 5 open Dependabot alerts that affect the release/v11.2.9 branch.

Fixes

#	Package	Change	CVEs	Severity
1	google.golang.org/grpc	1.78.0 → 1.79.3	GHSA-p77j-4mvh-x3m3	🔴 Critical
2	github.com/jackc/pgx/v5	5.8.0 → 5.9.2	GHSA-9jj7-4m8r-rfcm (critical) + GHSA-j88v-2chj-qfwx (low)	🔴 Critical + 🟢 Low
3	go.opentelemetry.io/otel	1.39.0 → 1.41.0	GHSA-mh2q-q3fh-2475	🟠 High
4	com.itextpdf:itext7-core	7.1.7 → 7.2.0	GHSA-hhh6, GHSA-8c9h, GHSA-c32g	🟡 Medium × 3
5	org.postgresql:postgresql	42.7.2 → 42.7.11	GHSA-98qh	🟠 High

Files Changed

• plugins/compliance-orchestrator/go.mod + go.sum
• agent-manager/go.mod + go.sum
• installer/go.mod + go.sum
• backend/pom.xml
• user-auditor/pom.xml

All go mod tidy passes cleanly.

Not Fixed (Out of Scope)

• NPM transitive deps (6 alerts) — dompurify, follow-redirects, postcss, uuid, webpack-dev-server are transitive from Angular 7 build toolchain. Require major framework upgrade.
• github.com/docker/docker (6 alerts) — no upstream patch available yet.
• mutate/ pip deps (4 alerts) — directory removed; stale alerts on default branch only.

[utmstackprapprover]

Changes requested — see approver comments above.

[AlexSanchez-bit]

itext7-core is not used at all in this project, dependency is removable, the real pdf dependency is: flying-saucer-pdf v9.1.22
org.postgresql -> 42.7.11 didnt introduce breaking changes update is viable

[github-actions]

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output

🔍 Discovered 25 Go projects

�[0;31m❌ Could not inspect the following projects (run 'go mod tidy' there):�[0m

## ./installer
go: downloading go1.25.1 (linux/amd64)
go: updates to go.mod needed; to update it:
	go mod tidy

[github-actions]

🛑 AI review — Engineer review required

This PR touches critical paths or introduces changes the model cannot judge with sufficient confidence. @Kbayero @osmontero please review.

🛑 architecture (gemini-3-flash-lite) — Tier 3 — engineer review required

Summary: Dependency updates across multiple services, including gRPC and core networking libraries, which may impact agent-manager communication.

• high installer/go.mod:80 — Major dependency updates (gRPC, OpenTelemetry, crypto) in the installer. Changes to gRPC/networking libraries in the installer or agent-manager require verification of backward compatibility with existing agents in the field.
• medium agent-manager/go.mod:32 — Update of pgx driver. While likely safe, database driver updates should be verified against existing schema interactions and connection pooling configurations.
• low user-auditor/pom.xml:46 — PostgreSQL driver update. Ensure compatibility with the existing Java/Spring backend connection pool settings.

✅ bugs (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Dependency updates across multiple modules; no functional bugs or string anomalies detected.

No findings.

🛑 security (gemini-3-flash-lite) — Tier 3 — engineer review required

Summary: Dependency updates for Go and Java modules; requires verification of security-critical library changes.

• medium agent-manager/go.mod:32 — Update of pgx/v5 to 5.9.2. Dependency updates in database drivers can introduce breaking changes in connection handling or query parameterization; verify no regressions in SQL injection protections.
• medium backend/pom.xml:272 — Update of itext7-core to 7.2.0. PDF generation libraries are frequent targets for XXE and injection vulnerabilities; verify that the new version does not alter security configurations for document parsing.
• medium installer/go.mod:80 — Update of gRPC and OpenTelemetry dependencies. Changes to gRPC/Protobuf libraries can impact authentication interceptors and transport security; verify that gRPC handlers remain secure.
• medium user-auditor/pom.xml:46 — Update of PostgreSQL JDBC driver to 42.7.11. Changes to JDBC drivers can affect how parameters are handled in prepared statements; verify no impact on existing SQL injection mitigations.

[utmstackprapprover]

Changes requested — see approver comments above.