[release-v0.39] chore(deps): update grpc to v1.79.3 #2690
theakshaypant merged 1 commit into tektoncd:release-v0.39.6 from
Conversation
Upgrade google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors. Signed-off-by: Akshay Pant <akpant@redhat.com>
Code Review
This pull request updates several Go dependencies in go.mod and go.sum, primarily focusing on golang.org/x packages, Google Cloud libraries, and gRPC. Feedback was provided regarding the update of github.com/go-jose/go-jose/v4, which is currently rendered ineffective by a replace directive pinning it to an older version.
| github.com/fxamacker/cbor/v2 v2.9.0 // indirect | ||
| github.com/go-jose/go-jose/v3 v3.0.4 // indirect | ||
| github.com/go-jose/go-jose/v4 v4.1.2 // indirect | ||
| github.com/go-jose/go-jose/v4 v4.1.3 // indirect |
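Review bot: the go-jose/v4 v4.1.3 bump on the last line of this hunk only changes the require directive; with the replace directive the review comment on this PR reports (pinning the module to v4.0.5), the build will keep resolving the older version. Update or drop that replace in the same change, confirm the resolved version with `go list -m github.com/go-jose/go-jose/v4`, and run `go mod tidy` so go.sum matches what is actually built.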
The update of github.com/go-jose/go-jose/v4 to v4.1.3 is currently ineffective because it is being overridden by a replace directive at line 162, which pins the version to v4.0.5. Since this pull request is intended to update dependencies (likely for security or stability), you should update or remove the replace directive to allow the build to use the newer version. This ensures the dependency version is correct and that any security scanner alerts are properly addressed.
References
- Security scanner alerts may persist as false positives even after a dependency has been updated. When a bot flags a security issue that is believed to be resolved, confirm the dependency version is correct and investigate if the alert is a false positive before making further code changes.
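The review comment above describes a require line whose version bump is silently undone by a replace directive. The Go program below is an added example, not code from this PR or from the tektoncd project: it parses go.mod text (single-line and parenthesised `require`/`replace` forms), reports every required module that a replace redirects, and flags the ones where the replacement pins an older version. The go.mod it scans is constructed for the example and mirrors the situation in the comment; it assumes plain `vMAJOR.MINOR.PATCH` versions for the comparison.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Override records a required module whose version is changed by a replace directive.
type Override struct {
	Module    string
	Required  string // version in the require directive
	Effective string // version the build actually uses ("" when replaced by a local path)
	Downgrade bool   // true when the replace pins an older version than required
}

// SampleGoMod is a constructed go.mod modelled on the review comment: the
// go-jose/v4 require line is bumped, but a replace directive still pins v4.0.5.
const SampleGoMod = `module example.com/constructed

go 1.22

require (
	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
	google.golang.org/grpc v1.79.3
	example.com/localfork v0.1.0
)

replace github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.0.5

replace example.com/localfork => ../localfork
`

// parseVersion turns "v4.1.3" into [4 1 3]; pre-release/build suffixes are ignored
// (assumption: plain semantic versions, which is what go.mod normally carries).
func parseVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		if n, err := strconv.Atoi(p); err == nil {
			out[i] = n
		}
	}
	return out
}

// olderThan reports whether version a sorts strictly before version b.
func olderThan(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func indexOf(f []string, s string) int {
	for i, x := range f {
		if x == s {
			return i
		}
	}
	return -1
}

// FindOverrides scans go.mod text and returns, in require order, every required
// module that a replace directive redirects.
func FindOverrides(gomod string) []Override {
	required := map[string]string{} // module -> required version
	replaced := map[string]string{} // module -> replacement version ("" for a path)
	var order []string
	block := "" // "require" or "replace" while inside a ( ... ) block
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		kind := block
		if block == "" {
			if len(f) == 2 && f[1] == "(" { // start of a require ( / replace ( block
				block = f[0]
				continue
			}
			kind, f = f[0], f[1:] // single-line directive: keyword then operands
		} else if f[0] == ")" {
			block = ""
			continue
		}
		switch kind {
		case "require":
			if len(f) == 2 {
				if _, seen := required[f[0]]; !seen {
					order = append(order, f[0])
				}
				required[f[0]] = f[1]
			}
		case "replace":
			// forms: "old => new vX", "old vA => new vX", "old => ../localpath"
			if i := indexOf(f, "=>"); i >= 1 {
				ver := ""
				if len(f) > i+2 {
					ver = f[i+2]
				}
				replaced[f[0]] = ver
			}
		}
	}
	var out []Override
	for _, m := range order {
		eff, ok := replaced[m]
		if !ok {
			continue
		}
		out = append(out, Override{Module: m, Required: required[m], Effective: eff,
			Downgrade: eff != "" && olderThan(eff, required[m])})
	}
	return out
}

func main() {
	for _, o := range FindOverrides(SampleGoMod) {
		status, eff := "replaced", o.Effective
		if o.Downgrade {
			status = "DOWNGRADED by replace"
		}
		if eff == "" {
			eff = "(local path)"
		}
		fmt.Printf("%-32s require %-8s effective %-12s %s\n", o.Module, o.Required, eff, status)
	}
}
```

Run against the constructed go.mod, the report flags github.com/go-jose/go-jose/v4 as downgraded (required v4.1.3, effective v4.0.5) and lists the local-path replace without a downgrade flag; a dependency-bump PR can run the same check in CI so that a stale replace does not leave a vulnerable version in the build while the scanner alert looks resolved.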
Merging this as the deps updates are the same as the ones already done for 0.37 and 0.42
The
* noctx: 9
* staticcheck: 2
ff5b628 into tektoncd:release-v0.39.6
📝 Description of the Change
Upgrade google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors.
🔗 Linked GitHub Issue
N/A
🧪 Testing Strategy
🤖 AI Assistance
AI assistance can be used for various tasks, such as code generation, documentation, or testing. Please indicate whether you have used AI assistance for this PR and provide details if applicable.
Important
Slop will simply be rejected. If you are using AI assistance, you need to make sure you understand the generated code and that it meets the project's standards; you need at least to know how to run the code and deploy it (if needed). See startpaac to make it easy to deploy and test your code changes.
If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message. For example:
Co-authored-by: Claude noreply@anthropic.com
✅ Submitter Checklist
(fix:, feat:) matches the "Type of Change" I selected above.
`make test` and `make lint` locally to check for and fix any issues. For an efficient workflow, I have considered installing pre-commit and running `pre-commit install` to automate these checks.