chore(deps): bump google.golang.org/grpc from 1.77.0 to 1.79.3 #86
Dependency Review: google.golang.org/grpc 1.77.0 → 1.79.3
Assessment: Safe to merge.
What changed
Usage in this repo
CI status
All substantive checks pass: Build, Test, Lint, Integration Tests, Security Scan, Go Security Scanner, Dependency Vulnerability Check. The only failures are
No action needed beyond merging. This is a pure patch/minor security fix in a transitive dependency.
4b5eaff to 565ef95
ajitpratap0 left a comment
Safe indirect bump — grpc is pulled in transitively only. Includes 1.79.3 path-based authz bypass security fix. The Dependency Review failure was a false-positive on the longstanding golang.org/x/net patent license grant; this has now been fixed in main (allowlist updated in pr-checks.yml). ✅ Approve and merge.
ajitpratap0 left a comment
Safe indirect bump — grpc is purely transitive, no direct usage. Includes 1.79.3 path-based authz bypass security fix. The Dependency Review failure was a false-positive on the golang.org/x/net Google patent license grant (longstanding, not a new restriction); the allowlist in pr-checks.yml has been updated on main to prevent recurrence.
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.77.0 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.77.0...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
565ef95 to 9e18f59
PR Review: Dependabot bump google.golang.org/grpc 1.77.0 to 1.79.3

Summary: Routine Dependabot dependency update confined to go.mod and go.sum. Spans three minor versions and includes a security fix.

SECURITY (Important): grpc v1.79.3 patches an authorization bypass where malformed :path headers missing the leading slash could bypass path-based deny rules in grpc/authz interceptors. Any non-canonical path is now immediately rejected with Unimplemented. CryptoFunk uses gRPC as an indirect dependency via OpenTelemetry and Envoy control plane libraries, not directly for inbound servers. Merging is strongly recommended to pick up the security fix.

Indirect dependencies bumped:

Code quality: Only go.mod and go.sum modified. Hashes updated correctly. All bumped packages are indirect with no call-site changes needed. No direct gRPC server usage in CryptoFunk so the new path-rejection behavior in v1.79.3 has no impact on existing functionality.

Note: The x/net bump underlies HTTP/2 - worth running task test-unit post-merge to confirm the MCP Streamable HTTP transport is unaffected.

Recommendation: Approve and merge. Security fix makes this a priority. Run task validate in CI before merging.
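The behaviour the review above describes (canonicalise the :path pseudo-header before any path-based authorization rule sees it, and answer non-canonical paths with Unimplemented) as an added Go example. This is not grpc-go's code and not code from this repository: the `Outcome` constants stand in for gRPC status codes so the block runs with only the standard library, `canonicalPath`, `denied`, `Authorize` and the `denyRules` list are constructed for illustration, and the exact set of shapes grpc-go rejects is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Outcome stands in for the gRPC status codes named in the review; defined
// locally (assumption) so the example runs with only the standard library.
type Outcome string

const (
	OK               Outcome = "OK"
	Unimplemented    Outcome = "Unimplemented"
	PermissionDenied Outcome = "PermissionDenied"
)

var errNonCanonicalPath = errors.New("non-canonical :path")

// canonicalPath accepts only the "/{service}/{method}" shape: a leading
// slash, exactly two non-empty segments, no trailing slash. Everything else
// is rejected before any authorization logic runs. (Illustrative rule, not
// grpc-go's exact implementation.)
func canonicalPath(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", errNonCanonicalPath
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", errNonCanonicalPath
	}
	return parts[0], parts[1], nil
}

// denyRules is a constructed path-based deny list standing in for the kind
// of rule an authz interceptor evaluates. Entries are canonical
// "/service/method" or "/service/*" (assumption, for illustration).
var denyRules = []string{"/admin.Ops/*", "/billing.Ledger/Export"}

// denied matches the reassembled canonical path against the deny list. The
// rules are written for canonical paths only, which is why a raw,
// non-canonical string must never reach this matcher.
func denied(service, method string) bool {
	full := "/" + service + "/" + method
	for _, r := range denyRules {
		if strings.HasSuffix(r, "/*") {
			if strings.HasPrefix(full, strings.TrimSuffix(r, "*")) {
				return true
			}
		} else if r == full {
			return true
		}
	}
	return false
}

// Authorize is the defender-side ordering: canonicalise first, then apply
// deny rules. A path that fails canonicalisation gets Unimplemented, which
// is the behaviour the review attributes to v1.79.3.
func Authorize(path string) Outcome {
	service, method, err := canonicalPath(path)
	if err != nil {
		return Unimplemented
	}
	if denied(service, method) {
		return PermissionDenied
	}
	return OK
}

func main() {
	for _, p := range []string{
		"/admin.Ops/Restart",  // canonical, matched by a deny rule
		"admin.Ops/Restart",   // missing leading slash: rejected before authz
		"/admin.Ops/Restart/", // trailing slash: rejected before authz
		"/public.Echo/Ping",   // canonical, allowed
	} {
		fmt.Printf("%-22s -> %s\n", p, Authorize(p))
	}
}
```

The point of the ordering is that a deny rule written as `/admin.Ops/*` cannot be expected to match a raw string like `admin.Ops/Restart`; rejecting the malformed path up front means the rule set never has to anticipate non-canonical input.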
Dependency Bump Review: google.golang.org/grpc v1.77.0 to v1.79.3

This is a Dependabot security + maintenance bump. Recommend merging.

Security Fix (v1.79.3)
Authorization bypass patched: Malformed
This project uses gRPC as an indirect dependency pulled in via cloud/observability libraries. While the orchestrator and agents use HTTP/MCP rather than gRPC directly, this fix eliminates the vulnerability in any gRPC-speaking component in the dependency chain.

Other Transitive Updates
All transitive updates are consistent with the gRPC version bump (xDS, Envoy control plane, and cel-go are gRPC ecosystem libraries).

Code Quality
Only go.mod and go.sum are modified — no application code changes. No breaking API changes in this upgrade path that would affect this project's indirect usage.

Verdict: Approve and merge. The security fix in v1.79.3 is important and the diff is clean. No risk to application behavior.
Dependency Bump Review: grpc 1.77.0 to 1.79.3

Recommendation: Approve and merge - this bump contains a security fix.

Security Fix (1.79.3): Authorization bypass where malformed :path headers (missing leading slash) could bypass path-based restricted deny rules in interceptors like grpc/authz. Requests with non-canonical paths are now rejected with Unimplemented. While CryptoFunk grpc usage is indirect (via cloud SDKs and OTel transitive deps), picking up this fix is the right call.

Changes: google.golang.org/grpc 1.77.0 to 1.79.3, golang.org/x/net 0.47.0 to 0.48.0, golang.org/x/oauth2 0.32.0 to 0.34.0, envoyproxy/go-control-plane/envoy 1.35.0 to 1.36.0, plus several other indirect deps.

Intermediate releases: 1.79.0 adds UnimplementedMetricsRecorder requirement in experimental/stats (no impact on CryptoFunk); 1.79.2 prevents redundant error logging in health/ORCA producers; 1.79.1 removes -dev User-Agent suffix.

Verdict: Safe additive change. No API breakage expected. go.sum hashes are consistent with the bumps. Good to merge.

Reviewed by Claude Code
Dependency Bump Review: google.golang.org/grpc 1.77.0 to 1.79.3

Summary
Routine Dependabot update. Changes are limited to

Security — Merge Recommended
The headline change is a security fix in gRPC 1.79.3:

Even though

All Version Bumps

Assessment

Recommendation: Approve and merge promptly. The gRPC security fix (authorization bypass) alone justifies not delaying this.
Bumps google.golang.org/grpc from 1.77.0 to 1.79.3.
Release notes
Sourced from google.golang.org/grpc's releases.
... (truncated)
Commits
- dda86db Change version to 1.79.3 (#8983)
- 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
- 97ca352 Changing version to 1.79.3-dev (#8954)
- 8902ab6 Change the version to release 1.79.2 (#8947)
- a928670 Cherry-pick #8874 to v1.79.x (#8904)
- 06df363 Change version to 1.79.2-dev (#8903)
- 782f2de Change version to 1.79.1 (#8902)
- 850eccb Change version to 1.79.1-dev (#8851)
- 765ff05 Change version to 1.79.0 (#8850)
- 68804be Cherry pick #8864 to v1.79.x (#8896)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.