Bump google.golang.org/grpc to v1.79.3 (CVE-2026-33186 + 3 transitive CVEs) (#559)

* Bump google.golang.org/grpc to v1.79.3 and transitive deps Upgrades google.golang.org/grpc from v1.66.2 to v1.79.3 to remediate CVE-2026-33186 (Critical severity, known exploit per VulnCheck). This also pulls in updated transitive deps that fix additional CVEs: - golang.org/x/net v0.38.0 → v0.48.0 (CVE-2025-22870, CVE-2025-22872) - golang.org/x/oauth2 v0.27.0 → v0.34.0 (CVE-2025-22868) - golang.org/x/sys v0.31.0 → v0.39.0 - golang.org/x/text v0.23.0 → v0.32.0 - cel.dev/expr v0.15.0 → v0.25.1 All existing tests pass. * Also bump github.com/go-jose/go-jose/v4 to v4.1.4 (Medium vuln)
2026-06-27 13:21:11 +03:00 · 2026-05-26 15:01:26 -04:00
parent f30a5a5545
commit 2922de784b
2 changed files with 70 additions and 44 deletions
@@ -7,26 +7,28 @@ toolchain go1.24.1
 require (
 	github.com/golang/protobuf v1.5.4
 	github.com/jhump/protoreflect v1.18.0
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 )

 require (
-	cel.dev/expr v0.15.0 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
+	cel.dev/expr v0.25.1 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
-	github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/jhump/protoreflect/v2 v2.0.0-beta.1 // indirect
 	github.com/petermattis/goid v0.0.0-20260113132338-7c7de50cc741 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/stretchr/testify v1.11.1 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 )