fix(deps): vuln minor: google.golang.org/grpc, google.golang.org/protobuf [grpc_check/tests]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• grpc_check/tests (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.48.0	v1.80.0	minor	Direct	3 CRITICAL, 2 HIGH
google.golang.org/protobuf	v1.27.1	v1.36.11	minor	Transitive	2 MODERATE

---

Security Details

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.48.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.48.0	-
google.golang.org/grpc	GO-2026-4762	CRITICAL	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.48.0	1.79.3
google.golang.org/grpc	GHSA-m425-mq94-257g	HIGH	gRPC-Go HTTP/2 Rapid Reset vulnerability	v1.48.0	1.56.3
google.golang.org/grpc	GO-2023-2153	HIGH	Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc	v1.48.0	1.56.3

ℹ️ Other Vulnerabilities (2)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/protobuf	GO-2024-2611	MODERATE	Infinite loop in JSON unmarshaling in google.golang.org/protobuf	v1.27.1	1.33.0
google.golang.org/protobuf	GHSA-8r3f-844c-mc37	MODERATE	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON	v1.27.1	1.33.0

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
google.golang.org/grpc	v1.48.0	Jul 12, 2025	v1.80.0	grpc_check/tests/docker/go.mod
google.golang.org/protobuf	v1.27.1	-	v1.36.11	grpc_check/tests/docker/go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/grpc (v1.48.0 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (*: Implementation of weighted random shuffling (A113) grpc/grpc-go#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81) grpc/grpc-go#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (balancer/randomsubsetting: Implementation of the random_subsetting LB policy grpc/grpc-go#8650)
  • Special Thanks: @marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (credentials/tls: Strip port before validating authority override grpc/grpc-go#8726)
  • Special Thanks: @Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (priority: prevent init timer restarting when a child transitions from CONNECTING to CONNECTING grpc/grpc-go#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (grpc: initialize decompressor for health check streams grpc/grpc-go#8765)
  • Special Thanks: @sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (transport: http2 server must validates header list size when early aborting stream grpc/grpc-go#8769)
  • Special Thanks: @joybestourous
• server: Propagate status detail headers, if availab

(truncated)

v1.78.0

Behavior Changes

• client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. (dns: drop test depending on invalid URL "dns://::1/foo.bar.com" grpc/grpc-go#8716)
  • Special Thanks: @neild
• transport/client : Return status code Unknown on malformed grpc-status. (transport/client: Return status code Unknown on malformed grpc-status grpc/grpc-go#8735)
• • xds/resolver:
  • Drop previous route resources and report an error when no matching virtual host is found.
  • Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. (internal/xds: change xds_resolver to use dependency manager grpc/grpc-go#8711)

New Features

• stats/otel: Add backend service label to weighted round robin metrics as part of A89. (stats/otel: Add grpc.lb.backend_service label to wrr metrics (A89) grpc/grpc-go#8737)
• stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. (stats/otel: Add subchannel metrics (A94) grpc/grpc-go#8738)
• client: Wait for all pending goroutines to complete when closing a graceful switch balancer. (gracefulswitch: Wait for all goroutines on close grpc/grpc-go#8746)
  • Special Thanks: @twz123
• client: Add experimental.AcceptCompressors so callers can restrict the grpc-accept-encoding header advertised for a call. (client: allow overriding grpc-accept-encoding header grpc/grpc-go#8718)
  • Special Thanks: @iblancasa

Bug Fixes

• xds: Fix a bug in StringMatcher where regexes would match incorrectly when ignore_case is set to true. (xds: make it possible to create a StringMatcher from arguments outside of test code grpc/grpc-go#8723)
• client:
  • Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE).
  • Change connectivity state to TRANSIENT_FAILURE if name resolver creation fails (as part of exiting IDLE).
  • Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT_FAILURE.
  • Fix a bug that resulted in OnFinish call option not being invoked for RPCs where stream creation failed. (client: Change connectivity state to CONNECTING when creating the name resolver grpc/grpc-go#8710)
• xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. (xdsclient: stop batching writes on the ADS stream grpc/grpc-go#8627)

Performance Improvements

• mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. (mem: Allocate at 4KiB boundaries in the fallback buffer pool. grpc/grpc-go#8705)
  • Special Thanks: @cjc25

(truncated — see source for full notes)

google.golang.org/protobuf (v1.27.1 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

v1.36.5

Full Changelog: protocolbuffers/protobuf-go@v1.36.4...v1.36.5

Bug fixes:
CL/644437: protogen: fix name mangling for fields with identical GoCamelCase

Maintenance:
CL/641655: all: remove weak field support

v1.36.4

Full Changelog: protocolbuffers/protobuf-go@v1.36.3...v1.36.4

Bug fixes:
CL/642975: reflect/protodesc: fix panic when working with dynamicpb

Maintenance:
CL/643276: internal_gengo: avoid allocations in rawDescGZIP() accessors
CL/642857: internal_gengo: switch back from string literal to hex byte slice
CL/642055: internal_gengo: use unsafe.StringData() to avoid a descriptor copy
CL/638135: internal_gengo: store raw descriptor in .rodata section

v1.36.3

Full Changelog: protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
CL/642575: reflect/protodesc: fix panic when working with dynamicpb
CL/641036: cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
CL/641876: proto: add example for GetExtension, SetExtension
CL/642015: runtime/protolazy: replace internal doc link with external link

Maintenance:
CL/641635: all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
CL/641019: internal/impl: remove unused exporter parameter
CL/641018: internal/impl: switch to reflect.Value.IsZero
CL/641035: internal/impl: clean up unneeded Go<1.12 MapRange() alternative
CL/641017: types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

(and 16 more releases — view all)

---

Generated by ADMS Sources: 2 GitHub Releases.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.