Affected versions: v1.9.10 (latest)
Snyk ID: SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172
Affected packages: google.golang.org/grpc (v1.78.0 in argo-events binary, v1.72.2 in bundled argo-workflows CLI binary)
Fix available: google.golang.org/grpc v1.79.3
Severity: Critical
Description
Snyk is flagging an Incorrect Authorization vulnerability in google.golang.org/grpc in quay.io/argoproj/argo-events:v1.9.10. The fix requires upgrading to grpc v1.79.3.
Request
Could you update google.golang.org/grpc to v1.79.3 in a future argo-events release?
Notes
The grpc v1.79.3 fix addresses a server-side path-based authorization bypass in grpc/authz interceptors. While argo-events uses grpc exclusively as a client (no grpc.NewServer calls in the codebase), upgrading the dependency would clear the Snyk finding and keep dependencies current.
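The client-only claim in the Notes can be checked against source with a small AST scan. This is an added example, not code from the issue or from argo-events; `scanSource` is a hypothetical helper and both sample files are constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Constructed sample inputs: a client-only file and a file that starts a server.
const clientSrc = "package a\nimport \"google.golang.org/grpc\"\nfunc f() { grpc.NewClient(\"x\") }\n"
const serverSrc = "package b\nimport g \"google.golang.org/grpc\"\nimport _ \"google.golang.org/grpc/authz\"\nfunc f() {\n\t_ = g.NewServer()\n}\n"

// scanSource reports grpc.NewServer call lines (aliases honored, dot-imports not) and any grpc/authz import.
func scanSource(name, src string) (lines []int, authz bool, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, 0)
	if err != nil {
		return nil, false, err
	}
	local := "" // identifier this file uses for the grpc package
	for _, imp := range f.Imports {
		switch path, _ := strconv.Unquote(imp.Path.Value); path {
		case "google.golang.org/grpc":
			local = "grpc"
			if imp.Name != nil {
				local = imp.Name.Name
			}
		case "google.golang.org/grpc/authz":
			authz = true
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "NewServer" {
				if id, ok := sel.X.(*ast.Ident); ok && local != "" && id.Name == local {
					lines = append(lines, fset.Position(call.Pos()).Line)
				}
			}
		}
		return true
	})
	return lines, authz, nil
}

func main() {
	fmt.Println(scanSource("client.go", clientSrc))
	fmt.Println(scanSource("server.go", serverSrc))
}
```

An empty result over a module's own files says nothing about its dependencies, which would need the same scan run over vendored or module-cache sources.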