Shreyas Sriram 2922de784b Bump google.golang.org/grpc to v1.79.3 (CVE-2026-33186 + 3 transitive CVEs) (#559) ...

* Bump google.golang.org/grpc to v1.79.3 and transitive deps

Upgrades google.golang.org/grpc from v1.66.2 to v1.79.3 to remediate
CVE-2026-33186 (Critical severity, known exploit per VulnCheck).

This also pulls in updated transitive deps that fix additional CVEs:
- golang.org/x/net v0.38.0 → v0.48.0 (CVE-2025-22870, CVE-2025-22872)
- golang.org/x/oauth2 v0.27.0 → v0.34.0 (CVE-2025-22868)
- golang.org/x/sys v0.31.0 → v0.39.0
- golang.org/x/text v0.23.0 → v0.32.0
- cel.dev/expr v0.15.0 → v0.25.1

All existing tests pass.

* Also bump github.com/go-jose/go-jose/v4 to v4.1.4 (Medium vuln)

2026-05-26 15:01:26 -04:00

1.3 KiB

Raw Blame History

View Raw