fix CVE-2026-33186 #985

Merged
altafan merged 1 commit into arkade-os:master from louisinger:fix-grpc-proto
Mar 19, 2026
@louisinger
Collaborator

@louisinger louisinger commented Mar 19, 2026

@altafan please review

Summary by CodeRabbit

  • Chores
    • Updated module dependencies to latest stable versions for improved compatibility and security.

@louisinger louisinger requested a review from altafan March 19, 2026 09:35
@coderabbitai
Contributor

coderabbitai bot commented Mar 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 74482b6c-ed8a-4b8e-bae1-a388e0c8e3d4

📥 Commits

Reviewing files that changed from the base of the PR and between 137daae and acd1fbf.

⛔ Files ignored due to path filters (9)
  • api-spec/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • pkg/ark-cli/go.sum is excluded by !**/*.sum
  • pkg/ark-lib/go.sum is excluded by !**/*.sum
  • pkg/arkd-wallet/go.sum is excluded by !**/*.sum
  • pkg/client-lib/go.sum is excluded by !**/*.sum
  • pkg/errors/go.sum is excluded by !**/*.sum
  • pkg/kvdb/go.sum is excluded by !**/*.sum
  • pkg/macaroons/go.sum is excluded by !**/*.sum
📒 Files selected for processing (9)
  • api-spec/go.mod
  • go.mod
  • pkg/ark-cli/go.mod
  • pkg/ark-lib/go.mod
  • pkg/arkd-wallet/go.mod
  • pkg/client-lib/go.mod
  • pkg/errors/go.mod
  • pkg/kvdb/go.mod
  • pkg/macaroons/go.mod

Walkthrough

Go module dependencies updated across the project. google.golang.org/grpc bumped from v1.79.1 to v1.79.3 across multiple go.mod files (and from v1.75.0 to v1.79.3 in api-spec). api-spec also updates google.golang.org/protobuf and indirect dependencies.

Changes

Cohort / File(s) and Summary:

  • api-spec Module (api-spec/go.mod): Updated google.golang.org/grpc from v1.75.0 to v1.79.3, google.golang.org/protobuf from v1.36.7 to v1.36.10, and indirect dependencies (golang.org/x/net, golang.org/x/sys, golang.org/x/text, google.golang.org/genproto submodules).
  • Core & Package Modules (go.mod, pkg/ark-cli/go.mod, pkg/ark-lib/go.mod, pkg/arkd-wallet/go.mod, pkg/client-lib/go.mod, pkg/errors/go.mod, pkg/macaroons/go.mod): Updated google.golang.org/grpc from v1.79.1 to v1.79.3 across all modules.
  • kvdb Module (pkg/kvdb/go.mod): Updated indirect google.golang.org/grpc dependency from v1.78.0 to v1.79.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • update otel sdk to v1.40.0 #947: Updates overlapping Go module dependencies (google.golang.org/grpc and google.golang.org/protobuf) across the same go.mod files.

Suggested reviewers

  • altafan

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix CVE-2026-33186' accurately references the security vulnerability being addressed. The PR updates google.golang.org/grpc across multiple go.mod files from v1.79.1 to v1.79.3 and other gRPC-related dependencies, which directly addresses a CVE fix.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@arkanaai
Contributor

arkanaai bot commented Mar 19, 2026

🔍 Arkana Review — arkade-os/arkd#985

Summary: Bumps google.golang.org/grpc from v1.75.0→v1.79.3 (api-spec) and v1.79.1→v1.79.3 / v1.78.0→v1.79.3 (other modules) to fix CVE-2026-33186. Also bumps transitive deps: protobuf v1.36.7→v1.36.10, opentelemetry, golang.org/x/{net,sys,text}, and genproto.

Assessment: ✅ Clean dependency-only change across all 8 go.mod/go.sum pairs. No code changes. Consistent pinning to grpc v1.79.3 everywhere — good, no version skew.

Notes:

  • The api-spec module was further behind (grpc v1.75.0) — this catches it up to the rest of the monorepo.
  • pkg/kvdb was on v1.78.0, also now aligned.
  • CVE fix via patch version bump is the right approach.

No issues found.

@altafan altafan merged commit 0a7ee57 into arkade-os:master Mar 19, 2026
7 checks passed
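
A multi-module repository like this one can keep an old grpc requirement in a single go.mod after a bump (api-spec and pkg/kvdb were behind the rest before this PR). The following is an added example, not code from this PR or from arkd: a standard-library-only check that flags every go.mod whose google.golang.org/grpc requirement is older than the version pinned here. The function names and sample go.mod excerpts are constructed; the threshold v1.79.3 is the version this PR pins, and replace directives are not evaluated.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseVer reads "v1.79.3" into three ints. Anything else (pre-release,
// pseudo-version) is reported as not ok so the caller flags it for review.
func parseVer(v string) (ver [3]int, ok bool) {
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &ver[0], &ver[1], &ver[2])
	return ver, err == nil && n == 3 && v == fmt.Sprintf("v%d.%d.%d", ver[0], ver[1], ver[2])
}

// grpcVersion returns the grpc version named on a require line, or "" if none.
func grpcVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "google.golang.org/grpc" && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// belowPinned lists "path version" for modules older than min or unparsable.
func belowPinned(mods map[string]string, min string) (bad []string) {
	want, _ := parseVer(min)
	for path, body := range mods {
		v := grpcVersion(body)
		got, ok := parseVer(v)
		older := got[0] < want[0] || got[0] == want[0] && (got[1] < want[1] || got[1] == want[1] && got[2] < want[2])
		if v != "" && (!ok || older) {
			bad = append(bad, path+" "+v)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed go.mod excerpts; versions are the ones named in this PR.
	mods := map[string]string{
		"api-spec/go.mod": "require google.golang.org/grpc v1.75.0\n",
		"pkg/kvdb/go.mod": "require (\n\tgoogle.golang.org/grpc v1.78.0 // indirect\n)\n",
		"go.mod":          "require (\n\tgoogle.golang.org/grpc v1.79.3\n)\n",
	}
	fmt.Println(belowPinned(mods, "v1.79.3"))
}
```

In CI the map would be filled from the repository's go.mod files; a non-empty result means some module still needs the bump.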