go.mod: bump google.golang.org/grpc from 1.77.0 to 1.79.3 #28

Merged
github-actions[bot] merged 1 commit into main from dependabot/go_modules/google.golang.org/grpc-1.79.3
Apr 7, 2026

dependabot Bot commented on behalf of github Mar 19, 2026

Bumps google.golang.org/grpc from 1.77.0 to 1.79.3.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

Release 1.79.0

API Changes

  • mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

  • balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

  • experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
  • pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
    • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
  • xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
  • balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)

Bug Fixes

  • credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
  • health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)

Performance Improvements

  • credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
  • mem: Optimize pooling and creation of buffer objects. (#8784)
  • transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

dependabot Bot added the dependencies (Dependabot version/security updates) label Mar 19, 2026

coderabbitai Bot commented Mar 19, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4f00483b-7db6-4bc1-8070-db12e6824ec0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@danielorbach
Collaborator

@dependabot rebase


dependabot Bot commented on behalf of github Apr 6, 2026

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

danielorbach added a commit that referenced this pull request Apr 7, 2026
`claude-code-action@v1` added a `restoreConfigFromBase()` security step
(around v1.0.79, 2026-03-18) that runs `git fetch` before the Claude
prompt executes. The ClauDependabot workflow intentionally skipped
`actions/checkout` to avoid giving the agent write access, but the new
step crashes with `fatal: not a git repository` when no working
directory exists. Both open Dependabot PRs (#28, #35) are stuck because
of this.

Adding a checkout with `persist-credentials: false` satisfies the git
requirement without granting push capability; the review steps already
authenticate through `gh` which manages its own token. The `GH_REPO` env
override and the comments documenting harmless git errors are no longer
needed and are removed. `Read`, `Glob`, and `Grep` are added to the tool
allowlists so Claude can inspect the checked-out source during reviews
rather than relying solely on `gh pr diff`.

---------

Co-authored-by: Daniel Orbach <ddorbach@gmail.com>

@danielorbach
Collaborator

@dependabot rebase

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.77.0 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.77.0...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch from 599cd06 to 9c84c18 April 7, 2026 01:12

claude Bot left a comment

Reviewed by claude-sonnet-4-6.

This is a routine dependency bump of google.golang.org/grpc from 1.77.0 → 1.79.3, with corresponding minor updates to genproto/googleapis/api, genproto/googleapis/rpc, and golang.org/x/oauth2. Only go.mod and go.sum are changed — no application code is affected.

Notably, 1.79.3 includes a security fix for an authorization bypass where malformed :path headers could bypass path-based deny rules in interceptors (grpc/grpc-go#8981). This makes the update especially worthwhile. Changes are backwards-compatible.
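
A simplified model of the 1.79.3 security note quoted in this thread, added here as an illustration and not taken from grpc-go or from this repository: a deny rule matched on the raw `:path` misses a value without the leading slash if dispatch still resolves it, and rejecting non-canonical paths first closes that gap. The method names, the slash tolerance in `route`, and every function name are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	errDenied        = errors.New("PermissionDenied")
	errUnimplemented = errors.New("Unimplemented")
	denied           = map[string]bool{"/admin.Admin/DeleteUser": true} // constructed deny rule
)

// denyInterceptor models a path-based deny rule: an exact match on the raw :path.
func denyInterceptor(path string) error {
	if denied[path] {
		return errDenied
	}
	return nil
}

// route models a dispatcher that tolerates a missing leading slash (assumption of this sketch).
func route(path string) (string, error) {
	svc, m, ok := strings.Cut(strings.TrimPrefix(path, "/"), "/")
	if !ok || svc == "" || m == "" {
		return "", errUnimplemented
	}
	return svc + "/" + m, nil
}

// handle runs guard, interceptor, dispatch; strict rejects a :path lacking the leading slash.
func handle(path string, strict bool) (string, error) {
	if strict && !strings.HasPrefix(path, "/") {
		return "", errUnimplemented
	}
	if err := denyInterceptor(path); err != nil {
		return "", err
	}
	return route(path)
}

func main() {
	for _, p := range []string{"/admin.Admin/DeleteUser", "admin.Admin/DeleteUser"} {
		_, lenient := handle(p, false)
		_, strict := handle(p, true)
		fmt.Printf("%q lenient=%v strict=%v\n", p, lenient, strict)
	}
}
```

The same table of paths works as a regression test for any custom interceptor that keys authorization decisions on the full method string.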

github-actions Bot enabled auto-merge (squash) April 7, 2026 01:13
github-actions Bot merged commit 5ce7b43 into main Apr 7, 2026
8 checks passed
dependabot Bot deleted the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch April 7, 2026 01:15