54 changes: 27 additions & 27 deletions go.mod
Expand Up @@ -22,20 +22,20 @@ require (
go.etcd.io/etcd/api/v3 v3.5.21
go.etcd.io/etcd/client/v3 v3.5.21
go.etcd.io/etcd/server/v3 v3.5.21
go.opentelemetry.io/contrib/propagators/autoprop v0.63.0
go.opentelemetry.io/contrib/samplers/jaegerremote v0.37.0
go.opentelemetry.io/otel v1.43.0
go.opentelemetry.io/otel/bridge/opentracing v1.36.0
go.opentelemetry.io/otel/exporters/jaeger v1.16.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0
go.opentelemetry.io/otel/sdk v1.43.0
go.opentelemetry.io/otel/trace v1.43.0
go.opentelemetry.io/contrib/propagators/autoprop v0.69.0
go.opentelemetry.io/contrib/samplers/jaegerremote v0.37.1
go.opentelemetry.io/otel v1.44.0
go.opentelemetry.io/otel/bridge/opentracing v1.44.0
go.opentelemetry.io/otel/exporters/jaeger v1.17.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0
go.opentelemetry.io/otel/trace v1.44.0
go.uber.org/atomic v1.11.0
go.uber.org/zap v1.27.0
golang.org/x/sys v0.42.0
google.golang.org/grpc v1.80.0
golang.org/x/sys v0.45.0
google.golang.org/grpc v1.81.1

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify effective grpc version constraints and override in go.mod.
rg -n 'google.golang.org/grpc' go.mod
rg -n '^replace\s+google.golang.org/grpc' go.mod

Repository: kubeservice-stack/common

Length of output: 342


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Inspect surrounding go.mod lines to confirm require/replace semantics.
nl -ba go.mod | sed -n '25,60p'
echo "-----"
nl -ba go.mod | sed -n '155,205p'
echo "-----"
# Check for any other grpc entries.
rg -n 'google\.golang\.org/grpc' go.mod

Repository: kubeservice-stack/common

Length of output: 111


🌐 Web query:

GHSA-p77j-4mvh-x3m3 grpc patched version 1.79.3

💡 Result:

GHSA-p77j-4mvh-x3m3 is a security vulnerability (CVE-2026-33186) affecting the gRPC-Go library [1][2][3]. It involves an authorization bypass caused by improper input validation of the HTTP/2 :path pseudo-header [1][4][5]. Specifically, gRPC-Go servers were previously too lenient, accepting requests where the :path header omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method) [1][2]. If a server used path-based authorization interceptors—such as the official grpc/authz package—the interceptor would evaluate this non-canonical path string [1][5]. Consequently, deny rules relying on canonical paths (starting with /) would fail to match the request, potentially allowing it to bypass security policies if a fallback allow rule was present [1][4][6]. Version 1.79.3 is the patched release that addresses this issue [1][7][8]. This version ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, thereby preventing the malformed path from reaching authorization interceptors or application handlers [1][4][8]. Users of gRPC-Go are strongly advised to upgrade to version 1.79.3 or newer to mitigate this vulnerability [1][7][6].

Citations:


🌐 Web query:

GO-2026-4762 google.golang.org/grpc affected versions patched at

💡 Result:

The vulnerability identified by GO-2026-4762 (also tracked as CVE-2026-33186 and GHSA-p77j-4mvh-x3m3) is an authorization bypass in the google.golang.org/grpc package [1][2][3]. Affected versions include all versions of google.golang.org/grpc prior to 1.79.3 [1][2]. The vulnerability was patched in version 1.79.3 [1][2][3]. The issue arises from improper input validation of the HTTP/2 :path pseudo-header [2][3]. The gRPC-Go server was previously lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method) [2][3]. This allowed requests to bypass path-based authorization interceptors (such as those using the official grpc/authz package) because the interceptors evaluated the non-canonical, raw path string, causing "deny" rules based on canonical paths to fail [2][3]. Version 1.79.3 resolves this by ensuring such requests are rejected with a codes.Unimplemented error [2][3].

Citations:


grpc bump is neutralized by replace pinning a vulnerable version

go.mod requires google.golang.org/grpc v1.81.1, but the replace directive still forces google.golang.org/grpc v1.63.2—which is before the patched release (v1.79.3) for GHSA-p77j-4mvh-x3m3 / GO-2026-4762 (CVE-2026-33186). This means the dependency upgrade doesn’t remediate the vulnerability.

Suggested fix
-replace google.golang.org/grpc => google.golang.org/grpc v1.63.2
+replace google.golang.org/grpc => google.golang.org/grpc v1.81.1

(or remove the replace entirely if it’s no longer required).

🧰 Tools
🪛 OSV Scanner (2.3.8)

[CRITICAL] 38-38: google.golang.org/grpc 1.63.2: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)


[CRITICAL] 38-38: google.golang.org/grpc 1.63.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 38, The go.mod currently lists google.golang.org/grpc v1.81.1
but a replace directive pins google.golang.org/grpc to v1.63.2, neutralizing the
upgrade and leaving GHSA-p77j-4mvh-x3m3 (CVE-2026-33186) unpatched; update the
replace directive for module google.golang.org/grpc to at least v1.79.3 (or
remove the replace entirely if no longer required) so the effective version
matches the fixed release, then run go mod tidy to refresh go.sum and verify the
vulnerability is resolved.
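As an added example of the bypass the comment above describes (this is not code from the PR, from the review bot, or from gRPC-Go itself): a toy path-based authorizer with deny rules on canonical full method names and a fallback allow, evaluated first on the raw :path and then behind a leading-slash gate of the kind the patched release applies before any interceptor runs. The policy, service and method names are constructed; the extra check that both a service and a method sit either side of the separator is this example's own, not part of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of the toy path-based authorizer.
type Decision int

const (
	Allow Decision = iota
	Deny
)

func (d Decision) String() string {
	if d == Allow {
		return "ALLOW"
	}
	return "DENY"
}

// Policy is a constructed stand-in for a path-based authorization policy:
// deny rules keyed on canonical full method names ("/package.Service/Method")
// with a fallback allow when nothing matches. All names here are assumptions.
type Policy struct {
	DenyPrefixes  []string // e.g. "/admin.Admin/" denies every method of that service
	DenyMethods   []string // e.g. "/user.User/DeleteUser"
	FallbackAllow bool
}

// lenientAuthorize evaluates the :path exactly as received. This is the shape
// the advisory describes: a :path without the leading slash never equals or
// prefix-matches a canonical deny rule, so the fallback allow wins.
func lenientAuthorize(p Policy, rawPath string) Decision {
	for _, m := range p.DenyMethods {
		if rawPath == m {
			return Deny
		}
	}
	for _, pre := range p.DenyPrefixes {
		if strings.HasPrefix(rawPath, pre) {
			return Deny
		}
	}
	if p.FallbackAllow {
		return Allow
	}
	return Deny
}

// ErrMalformedPath is returned for any :path that is not "/Service/Method".
var ErrMalformedPath = errors.New("malformed :path, expected /Service/Method")

// validatePath rejects a non-canonical :path before any policy sees it. The
// leading-slash check mirrors the fix described on this page (gRPC-Go rejects
// such requests with codes.Unimplemented); requiring a non-empty service and
// method around the separator is an extra check added in this example.
func validatePath(rawPath string) error {
	if !strings.HasPrefix(rawPath, "/") {
		return ErrMalformedPath
	}
	svc, method, ok := strings.Cut(rawPath[1:], "/")
	if !ok || svc == "" || method == "" {
		return ErrMalformedPath
	}
	return nil
}

// hardenedAuthorize is the same policy evaluation behind the canonical-path gate.
func hardenedAuthorize(p Policy, rawPath string) (Decision, error) {
	if err := validatePath(rawPath); err != nil {
		return Deny, err
	}
	return lenientAuthorize(p, rawPath), nil
}

// demoPolicy denies the whole (constructed) admin service and allows the rest.
func demoPolicy() Policy {
	return Policy{DenyPrefixes: []string{"/admin.Admin/"}, FallbackAllow: true}
}

func main() {
	p := demoPolicy()
	// Constructed request paths: canonical, missing the leading slash, and benign.
	for _, path := range []string{"/admin.Admin/DropAll", "admin.Admin/DropAll", "/user.User/Get"} {
		hard, err := hardenedAuthorize(p, path)
		fmt.Printf("%-22q lenient=%v hardened=%v err=%v\n", path, lenientAuthorize(p, path), hard, err)
	}
}
```

The lenient authorizer allows "admin.Admin/DropAll" because neither the exact-match nor the prefix rule sees a leading slash; the hardened one never consults the policy for that request. The point for this PR is that the gate lives in the gRPC server, so only the effective gRPC module version, not the version written in a require line, decides which behaviour a deployment gets.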

gopkg.in/natefinch/lumberjack.v2 v2.2.1
gopkg.in/yaml.v2 v2.4.0
gorm.io/driver/mysql v1.6.0
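Review bot: the google.golang.org/grpc bump to v1.81.1 in this hunk only takes effect if no `replace` directive elsewhere in go.mod pins the module to another version; the replace block is outside this hunk, so confirm the resolved version with `go list -m google.golang.org/grpc` after `go mod tidy` before treating the bump as a remediation. Separately, go.opentelemetry.io/otel/exporters/jaeger moves only to v1.17.0 while every other go.opentelemetry.io/otel module in this block moves to v1.44.0; that exporter is deprecated upstream and v1.17.0 is its final release, so this mismatch will never close on its own, and the otlptrace exporters already required here (otlptracegrpc, otlptracehttp) are the supported replacement.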
Expand Down Expand Up @@ -86,15 +86,15 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
github.com/jackc/pgx/v5 v5.6.0 // indirect


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check GitHub Security Advisory for pgx vulnerabilities
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/jackc/pgx/v5") {
    nodes {
      advisory {
        summary
        severity
        identifiers { type value }
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

# Check if upgrading gorm.io/driver/postgres brings in a newer pgx
echo "---"
echo "Current gorm postgres driver version check:"
rg -n 'gorm.io/driver/postgres' go.mod

Repository: kubeservice-stack/common

Length of output: 1345


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod relevant lines =="
nl -ba go.mod | sed -n '35,110p' | sed -n '35,80p'
echo "..."
nl -ba go.mod | sed -n '80,110p'
echo "== rg pgx/v5 in go.mod =="
rg -n 'github\.com/jackc/pgx/v5' go.mod || true

Repository: kubeservice-stack/common

Length of output: 157


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod relevant lines (around gorm driver and pgx) =="
nl -ba go.mod | sed -n '30,115p'

echo "== rg pgx/v5 in go.mod =="
rg -n 'github\.com/jackc/pgx/v5' go.mod || true

echo "== rg gorm.io/driver/postgres in go.mod =="
rg -n 'gorm\.io/driver/postgres' go.mod || true

Repository: kubeservice-stack/common

Length of output: 186


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod relevant lines =="
awk 'NR>=30 && NR<=115 {printf "%d\t%s\n", NR, $0}' go.mod

echo "== rg pgx/v5 in go.mod =="
rg -n 'github\.com/jackc/pgx/v5' go.mod || true

echo "== rg gorm.io/driver/postgres in go.mod =="
rg -n 'gorm\.io/driver/postgres' go.mod || true

echo "== rg pgx/v5 in go.sum (first 50 matches) =="
rg -n 'github\.com/jackc/pgx/v5 v' go.sum | head -n 50 || true

Repository: kubeservice-stack/common

Length of output: 4961


🏁 Script executed:

#!/bin/bash
set -euo pipefail
go mod why -m github.com/jackc/pgx/v5

Repository: kubeservice-stack/common

Length of output: 4952


Upgrade github.com/jackc/pgx/v5 (v5.6.0 is affected by critical vulnerabilities).

  • go.mod pins github.com/jackc/pgx/v5 v5.6.0 // indirect (pulled in via gorm.io/driver/postgres v1.6.0).
  • gh advisory data shows:
  • Upgrade gorm.io/driver/postgres so it resolves github.com/jackc/pgx/v5 >= v5.9.2 (or add a direct require github.com/jackc/pgx/v5 v5.9.2 to force the patched version).
🧰 Tools
🪛 OSV Scanner (2.3.8)

[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: CVE-2026-33815 in github.com/jackc/pgx

(GO-2026-4771)


[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: CVE-2026-33816 in github.com/jackc/pgx

(GO-2026-4772)


[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: Memory-safety vulnerability in github.com/jackc/pgx/v5.

(GHSA-9jj7-4m8r-rfcm)


[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: pgx: SQL Injection via placeholder confusion with dollar quoted string literals

(GHSA-j88v-2chj-qfwx)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 95, go.mod currently resolves github.com/jackc/pgx/v5 to
v5.6.0 which is vulnerable; update dependency resolution so pgx is at least
v5.9.2 by either bumping the gorm postgres driver or adding an explicit require
for github.com/jackc/pgx/v5 v5.9.2: locate the module block in go.mod and add or
update a require entry for github.com/jackc/pgx/v5 to v5.9.2 (or upgrade
gorm.io/driver/postgres to a version that itself requires >= v5.9.2), then run
go get / go mod tidy to update the go.sum and vendor files and verify the
resolved version.
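Both review comments turn on the same question: which version of a module will actually build once go.mod is edited, given `replace` directives (the grpc comment) and indirect requires pulled in through another module (the pgx comment). The following added example, not code from the repository or from either review, resolves that from go.mod text and compares the result against a minimum patched version. It goes beyond the two comments in also handling block and single-line require/replace, version-specific replaces and directory replaces. The go.mod excerpt and the module path example.com/constructed are constructed for the example; the patched versions it checks against are the ones the comments above cite.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt, not the repository's file: a
// require bump that a replace directive pins back, plus an indirect module that
// only a direct require or a bump of its importer can move.
const sampleGoMod = `module example.com/constructed

go 1.24

require (
	google.golang.org/grpc v1.81.1
	gorm.io/driver/postgres v1.6.0
)

require (
	github.com/jackc/pgx/v5 v5.6.0 // indirect
)

replace google.golang.org/grpc => google.golang.org/grpc v1.63.2
`

// EffectiveVersion returns the version the build will actually use for module:
// the replace target when one applies, otherwise the require entry. A replace
// pointing at a local directory carries no version and is reported as such; a
// version-specific replace ("mod v1 => ...") applies only when its left-hand
// version equals the require entry.
func EffectiveVersion(goMod, module string) (version string, replaced, found bool) {
	var required, replacement, replacementFor string
	section := ""
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) == 2 && f[1] == "(" { // "require (" / "replace (" opens a block
			section = f[0]
			continue
		}
		if line == ")" {
			section = ""
			continue
		}
		directive := section
		if directive == "" && (f[0] == "require" || f[0] == "replace") { // single-line form
			directive, f = f[0], f[1:]
		}
		switch directive {
		case "require":
			if len(f) == 2 && f[0] == module {
				required = f[1]
			}
		case "replace": // mod => target ver | mod ver => target ver | mod => ./dir
			if f[0] != module {
				continue
			}
			arrow := 1
			if len(f) > 1 && f[1] != "=>" {
				replacementFor, arrow = f[1], 2
			}
			if arrow >= len(f) || f[arrow] != "=>" {
				continue
			}
			if rhs := f[arrow+1:]; len(rhs) == 2 {
				replacement = rhs[1]
			} else {
				replacement = "(directory)"
			}
		}
	}
	if replacement != "" && (replacementFor == "" || replacementFor == required) {
		return replacement, true, true
	}
	return required, false, required != ""
}

// parseSemver reads vMAJOR.MINOR.PATCH; pre-release and pseudo-version suffixes
// are ignored, so "v1.2.3-rc1" compares equal to "v1.2.3" (a simplification).
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	var out [3]int
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// AtLeast reports whether have >= want; unparseable versions never satisfy it.
func AtLeast(have, want string) bool {
	h, ok1 := parseSemver(have)
	w, ok2 := parseSemver(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// Remediated reports whether the effective version of module is at least fixed.
func Remediated(goMod, module, fixed string) (effective string, ok bool) {
	v, _, found := EffectiveVersion(goMod, module)
	if !found {
		return "", false
	}
	return v, AtLeast(v, fixed)
}

func main() {
	checks := []struct{ module, fixed string }{ // fixed versions as cited in the review comments
		{"google.golang.org/grpc", "v1.79.3"},
		{"github.com/jackc/pgx/v5", "v5.9.2"},
	}
	for _, c := range checks {
		v, replaced, _ := EffectiveVersion(sampleGoMod, c.module)
		_, ok := Remediated(sampleGoMod, c.module, c.fixed)
		fmt.Printf("%-26s effective=%-8s replaced=%-5v at-least-%s=%v\n", c.module, v, replaced, c.fixed, ok)
	}
}
```

On the constructed file the grpc check fails because the replace target, not the require line, is the effective version, and the pgx check fails because the indirect entry is simply old; editing the require line alone would change only the first case. In a real pipeline, `go list -m -json all` or golang.org/x/mod/modfile gives the same answer without a hand-written parser; this stdlib version is for illustration.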

github.com/jackc/puddle/v2 v2.2.2 // indirect
github.com/jaegertracing/jaeger-idl v0.6.0 // indirect
github.com/jaegertracing/jaeger-idl v0.9.0 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/jonboulle/clockwork v0.2.2 // indirect
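Review bot: github.com/jackc/pgx/v5 stays at v5.6.0 as unchanged context here while grpc-gateway/v2 moves to v2.29.0 and jaeger-idl to v0.9.0, so the OSV findings attached to this line in the review are not addressed by this hunk; because pgx is marked `// indirect`, the only ways to move it are a direct `go get github.com/jackc/pgx/v5@<patched>` (which adds a require entry) or a bump of gorm.io/driver/postgres, which pulls it in. github.com/jackc/puddle/v2, pgx's pool dependency, is likewise left at v2.2.2 and will normally move with pgx, so run `go mod tidy` afterwards and commit the updated go.sum together with go.mod.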
Expand Down Expand Up @@ -139,26 +139,26 @@ require (
go.etcd.io/etcd/raft/v3 v3.5.21 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
go.opentelemetry.io/contrib/propagators/aws v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/ot v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.43.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
go.opentelemetry.io/contrib/propagators/aws v1.44.0 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.44.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.44.0 // indirect
go.opentelemetry.io/contrib/propagators/ot v1.44.0 // indirect
go.opentelemetry.io/otel/metric v1.44.0 // indirect
go.opentelemetry.io/proto/otlp v1.10.0 // indirect
go.uber.org/mock v0.5.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
golang.org/x/arch v0.20.0 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/mod v0.33.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/crypto v0.51.0 // indirect
golang.org/x/mod v0.35.0 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/text v0.35.0 // indirect
golang.org/x/text v0.37.0 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/tools v0.42.0 // indirect
golang.org/x/tools v0.44.0 // indirect
google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gorm.io/driver/clickhouse v0.7.0 // indirect
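Review bot: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc stays at v0.54.0 while the contrib propagators and go.opentelemetry.io/otel/metric move to v1.44.0; the contrib instrumentation modules are released in lockstep with the otel SDK (a v0.x line beside the v1.x SDK), so an otelgrpc from an older release cycle next to otel v1.44.0 deserves a `go mod graph | grep otelgrpc` check before merging. Also note that google.golang.org/genproto keeps its 2024 pseudo-version while googleapis/api and googleapis/rpc move to 20260526163538-3dc84a4a5aaa; that is only consistent if nothing still imports the legacy genproto root, which `go mod why -m google.golang.org/genproto` will confirm.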