Bump google.golang.org/grpc from 1.69.4 to 1.79.3 in /function/loader

[dependabot]

Bumps google.golang.org/grpc from 1.69.4 to 1.79.3.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

Commits

• dda86db Change version to 1.79.3 (#8983)
• 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
• 97ca352 Changing version to 1.79.3-dev (#8954)
• 8902ab6 Change the version to release 1.79.2 (#8947)
• a928670 Cherry-pick #8874 to v1.79.x (#8904)
• 06df363 Change version to 1.79.2-dev (#8903)
• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• Additional commits viewable in compare view

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

Both independent analyses unanimously recommend blocking this PR. While the grpc upgrade from v1.69.4 to v1.79.3 is beneficial in resolving CVE-2026-33186 (authorization bypass), it introduces or exposes two unresolved HIGH-severity, unauthenticated remote DoS vulnerabilities in transitive dependencies: (1) CVE-2026-29181 in go.opentelemetry.io/otel v1.39.0 - multi-value baggage header amplification enabling CPU and memory exhaustion by any unauthenticated remote attacker (CVSS AV:N/AC:L/PR:N/UI:N/A:H); and (2) CVE-2026-33814 in golang.org/x/net v0.48.0 - HTTP/2 infinite loop DoS when SETTINGS_MAX_FRAME_SIZE is 0 (CVSS AV:N/AC:L/PR:N/UI:N/A:H). Both vulnerabilities are network-exploitable with no authentication required, posing direct availability risk to production services. No code-level issues were identified, but the dependency vulnerabilities are blocking. Required actions before re-review: (1) In function/loader/go.mod, explicitly pin go.opentelemetry.io/otel to v1.43.0 or later and also update related sub-modules (otel/metric, otel/trace) for version consistency. (2) In function/loader/go.mod, explicitly pin golang.org/x/net to v0.54.0 or later. (3) Run go mod tidy in the function/loader directory. (4) Re-run govulncheck to confirm both CVEs are resolved before re-submitting.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Pin go.opentelemetry.io/otel to v1.43.0 or later to resolve CVE-2026-29181. Run: go get go.opentelemetry.io/otel@v1.43.0 and go mod tidy in the function/loader directory, then add or update the explicit require directive.

• Potential Code Fix:

require go.opentelemetry.io/otel v1.43.0

Pin golang.org/x/net to v0.54.0 or later to resolve CVE-2026-33814. Run: go get golang.org/x/net@v0.54.0 and go mod tidy in the function/loader directory, then add or update the explicit require directive.

• Potential Code Fix:

require golang.org/x/net v0.54.0

Required Dependency Mitigations

• ACTIVE HIGH VULNERABILITY: go.opentelemetry.io/otel v1.39.0 - CVE-2026-29181 (GHSA-mh2q-q3fh-2475)

Summary: Multi-value baggage header extraction parses each header field-value independently and aggregates members, allowing an unauthenticated remote attacker to amplify CPU and memory allocations by sending many baggage header lines, causing high per-request latency and resource exhaustion (remote DoS). CVSS: AV:N/AC:L/PR:N/UI:N/A:H.

Dependency path: github.com/ossf/package-analysis/loader → cloud.google.com/go/bigquery → cloud.google.com/go → go.opentelemetry.io/otel

This is a transitive dependency. Fix by explicitly pinning go.opentelemetry.io/otel to v1.43.0 in function/loader/go.mod.

Run in the function/loader directory:
go get go.opentelemetry.io/otel@v1.43.0
go mod tidy

Then add or update the explicit require directive in function/loader/go.mod:
require go.opentelemetry.io/otel v1.43.0

Also verify that the related sub-modules (go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace) are correspondingly updated to v1.43.0 to maintain version consistency.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: f31116c, performed at: 2026-05-15T02:01:52Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

Kusari PR Analysis rerun based on - 0d57863 performed at: 2026-05-14T23:45:38Z - link to updated analysis

[calebbrown]

@dependabot rebase

[kusari-inspector]

Kusari PR Analysis rerun based on - 7e2051f performed at: 2026-05-15T00:09:10Z - link to updated analysis

[calebbrown]

@dependabot rebase

[kusari-inspector]

Kusari PR Analysis rerun based on - f31116c performed at: 2026-05-15T00:23:15Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - f31116c performed at: 2026-05-15T00:38:44Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - f31116c performed at: 2026-05-15T01:02:32Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - f31116c performed at: 2026-05-15T01:17:00Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - f31116c performed at: 2026-05-15T02:02:28Z - link to updated analysis