
fix(deps): upgrade grpc-go to v1.79.3 (critical CVE) #2173

Merged: onlyjackfrost merged 3 commits into main from fix/dependabot-236-grpc-authz-bypass on Mar 26, 2026

Conversation

onlyjackfrost (Contributor) commented Mar 26, 2026

Summary

  • Upgrades google.golang.org/grpc from v1.74.2 to v1.79.3 in wren-launcher/go.mod
  • Fixes Dependabot alert #236: gRPC-Go authorization bypass via missing leading slash in :path header (critical severity)

Test plan

  • Verify wren-launcher builds successfully
  • Run existing tests to ensure no regressions from transitive dependency upgrades

Summary by CodeRabbit

  • Chores
    • Updated underlying Go dependencies for observability, networking, and security to newer stable releases to improve reliability and compatibility.
  • Style
    • Minor formatting adjustment to a public constant (cosmetic only; no behavioral change).

coderabbitai bot (Contributor) commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between cef6dec and 0534c8e.

⛔ Files ignored due to path filters (1)
  • wren-launcher/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • wren-launcher/go.mod
  • wren-launcher/utils/docker.go

Walkthrough

Updated indirect Go module versions in wren-launcher/go.mod (OpenTelemetry, gRPC/protobuf, golang.org/x/*, backoff, grpc-gateway). Minor whitespace formatting change to WREN_PRODUCT_VERSION in wren-launcher/utils/docker.go. No exported APIs or functional behavior changed.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Go Module Dependency Updates: wren-launcher/go.mod | Bumped multiple indirect dependencies: OpenTelemetry packages, github.com/cenkalti/backoff → v5, github.com/grpc-ecosystem/grpc-gateway bumped, google.golang.org/grpc/protobuf/genproto updated, and several golang.org/x/* modules advanced. No source/API changes. |
| Formatting tweak: wren-launcher/utils/docker.go | Whitespace/alignment adjustment of exported constant WREN_PRODUCT_VERSION (value unchanged). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • wwwy3y3

Poem

🐰 I hopped through modules, tidy and bright,
Bumped OTEL, gRPC, and deps through the night.
A nibble of whitespace, a version well spun—
The launcher stands ready, the upgrades all done! ✨

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: upgrading grpc-go to address a critical CVE vulnerability. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1


Inline comments:
In `@wren-launcher/go.mod`:
- Around line 146-150: The go.mod lists mismatched OpenTelemetry module
versions: the exporters otlpmetricgrpc, otlpmetrichttp, otlptrace, and
otlptracegrpc
(go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc,
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc) are pinned at
v1.35.0 while core SDK modules (go.opentelemetry.io/otel/sdk/metric and core
otel) are v1.39.0; update those exporter module versions to v1.39.0 (and any
other otlp exporter entries around lines ~200) so all OpenTelemetry modules use
the coordinated v1.39.0 series to resolve the go mod version conflict.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between d93835b and 77b30ee.

⛔ Files ignored due to path filters (1)
  • wren-launcher/go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • wren-launcher/go.mod
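The two findings in this thread (grpc-go below the release that closes the Dependabot alert, and OTLP exporter modules drifting away from the otel core version) are both things a repeatable go.mod audit can catch before review. The following is an added example, not code from the wren-launcher project or from CodeRabbit: the go.mod excerpt is constructed to mirror the versions named on this page, the grpc floor v1.79.3 is taken from the PR title (the advisory's own first fixed release is not stated here, so the floor is an assumption), and the function and constant names are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod excerpt (not the project's real file): grpc-go still at the
// pre-PR v1.74.2, and the OTLP exporters at v1.35.0 beside otel core v1.39.0,
// the version skew the review comment flagged.
const sampleGoMod = `module example.com/wren-launcher
require (
	go.opentelemetry.io/otel v1.39.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
	go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
	google.golang.org/grpc v1.74.2
)
`

const (
	grpcModule         = "google.golang.org/grpc"
	grpcMinimum        = "v1.79.3" // assumed floor: the release this PR adopts
	otelCore           = "go.opentelemetry.io/otel"
	otelExporterPrefix = "go.opentelemetry.io/otel/exporters/"
)

type Finding struct{ Module, Have, Want, Reason string }

// parseRequires maps module path -> version from single-line and block requires.
func parseRequires(gomod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // strip "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			deps[f[1]] = f[2]
		case inBlock && len(f) == 2:
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// semver parses vMAJOR.MINOR.PATCH; pre-release and build suffixes are ignored.
func semver(v string) (n [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	_, err := fmt.Sscanf(v, "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil
}

// versionLess reports a < b; an unparsable version is never reported as older.
func versionLess(a, b string) bool {
	va, okA := semver(a)
	vb, okB := semver(b)
	for i := 0; okA && okB && i < 3; i++ {
		if va[i] != vb[i] {
			return va[i] < vb[i]
		}
	}
	return false
}

// auditGoMod runs the two checks this thread turned on: grpc-go below the
// adopted floor, and OTLP exporters not on the same release as otel core.
func auditGoMod(gomod string) map[string]Finding {
	deps := parseRequires(gomod)
	out := map[string]Finding{}
	if v, ok := deps[grpcModule]; ok && versionLess(v, grpcMinimum) {
		out[grpcModule] = Finding{grpcModule, v, grpcMinimum, "below the grpc-go release adopted for the :path authorization-bypass advisory"}
	}
	if core, ok := deps[otelCore]; ok {
		for m, v := range deps {
			if strings.HasPrefix(m, otelExporterPrefix) && v != core {
				out[m] = Finding{m, v, core, "OTLP exporter not on the coordinated otel release"}
			}
		}
	}
	return out
}

func main() {
	for _, f := range auditGoMod(sampleGoMod) {
		fmt.Printf("%s %s -> %s: %s\n", f.Module, f.Have, f.Want, f.Reason)
	}
}
```

Run against the constructed excerpt it reports three findings (grpc-go plus the two exporters); after the same substitutions this PR made (grpc to v1.79.3, exporters to v1.39.0) it reports none. The parser deliberately does not touch go.sum or network state, so it can run in CI on a pull request before any build happens.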

fredalai (Contributor) left a comment

LGTM

Fixes critical security vulnerability (Dependabot alert #236):
gRPC-Go authorization bypass via missing leading slash in :path header.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
onlyjackfrost force-pushed the fix/dependabot-236-grpc-authz-bypass branch from 77b30ee to 5008e6b on March 26, 2026 06:09
onlyjackfrost and others added 2 commits March 26, 2026 14:20
Addresses CodeRabbit review: OTLP exporters were at v1.35.0 while
otel core was bumped to v1.39.0. OpenTelemetry Go expects coordinated
versioning across all modules.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
onlyjackfrost (Contributor, Author) commented

@CodeRabbit review again

coderabbitai bot (Contributor) commented Mar 26, 2026

@onlyjackfrost Sure, I'll review the PR again right away!

✅ Actions performed

Full review triggered.

@onlyjackfrost onlyjackfrost merged commit d80cb94 into main Mar 26, 2026
12 of 13 checks passed
@onlyjackfrost onlyjackfrost deleted the fix/dependabot-236-grpc-authz-bypass branch March 26, 2026 06:41