Skip to content

Fix CVE-2026-33186: upgrade gRPC-Go to v1.80.0#1

Open
n8behavior wants to merge 1 commit into
masterfrom
fix/critical-security-alerts
Open

Fix CVE-2026-33186: upgrade gRPC-Go to v1.80.0#1
n8behavior wants to merge 1 commit into
masterfrom
fix/critical-security-alerts

Conversation

@n8behavior

Copy link
Copy Markdown

Summary

Resolves 1 critical Dependabot security alert by modernizing Go dependencies and regenerating protobuf code.

Critical alert resolved

  • #32CVE-2026-33186: gRPC-Go authorization bypass via missing leading slash in :path header. Upgraded google.golang.org/grpc from v1.15.0v1.80.0.

Changes

  • Updated go.mod to Go 1.24 with modern grpc (v1.80.0) and protobuf (v1.36.11) deps
  • Added go_package option to janus.proto (required by modern protoc-gen-go)
  • Regenerated golang/janus.pb.go and new golang/janus_grpc.pb.go with protoc-gen-go v1.36.11 and protoc-gen-go-grpc v1.6.1
  • Regenerated golang/mock/janus_mock.pb.go with go.uber.org/mock v0.6.0 (replacing deprecated github.com/golang/mock)
  • Dropped deprecated golang.org/x/net/context import (stdlib context since Go 1.7)

Test plan

  • go build ./... passes
  • go vet ./... passes
  • Verify Dependabot alert #32 auto-closes after merge

Resolves critical Dependabot alert #32:
- CVE-2026-33186: gRPC-Go authorization bypass via missing leading slash
  in :path header. Upgraded google.golang.org/grpc v1.15.0 -> v1.80.0.

Changes:
- Updated go.mod to Go 1.24, modern grpc/protobuf deps
- Added go_package option to janus.proto (required by modern protoc-gen-go)
- Regenerated golang/janus.pb.go and golang/janus_grpc.pb.go with
  protoc-gen-go v1.36.11 and protoc-gen-go-grpc v1.6.1
- Regenerated golang/mock/janus_mock.pb.go with go.uber.org/mock v0.6.0
  (replacing deprecated github.com/golang/mock)
- Verified with `go build ./...` and `go vet ./...`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant