
Bump google.golang.org/grpc from 1.69.2 to 1.79.3#1135

Merged
calebbrown merged 1 commit into main from dependabot/go_modules/google.golang.org/grpc-1.79.3 on May 15, 2026

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Bumps google.golang.org/grpc from 1.69.2 to 1.79.3.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

Release 1.79.0

API Changes

  • mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

  • balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

  • experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
  • pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
    • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
  • xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
  • balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)

Bug Fixes

  • credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
  • health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)

Performance Improvements

  • credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
  • mem: Optimize pooling and creation of buffer objects. (#8784)
  • transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

Commits
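The 1.79.3 security entry above describes a class of bug worth seeing in miniature: an interceptor that matches the raw :path against path-based "deny" rules is bypassed by a request whose path lacks its leading slash, because the non-canonical string never equals the rule. The following Go snippet is an added illustration written for this page, not code from grpc-go or from the ossf/package-analysis repository. The deny rule, the method name and the two authorize functions are constructed for the example; the hardened variant applies the fix the release note describes (reject any non-canonical path before rules are consulted) using only the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath stands in for the Unimplemented error the release note
// says is now returned for any request whose :path is not canonical.
var ErrNonCanonicalPath = errors.New("non-canonical :path rejected (Unimplemented)")

// denyRules is a constructed example of path-based "deny" rules, keyed by the
// canonical full method name "/<service>/<method>".
var denyRules = map[string]bool{
	"/admin.AdminService/DeleteEverything": true,
}

// naiveAuthorize is the weak form: it looks the raw :path up in the deny rules
// without checking that the path is canonical. "admin.AdminService/DeleteEverything"
// (no leading slash) does not match the rule and is therefore allowed.
func naiveAuthorize(path string) (allowed bool, err error) {
	if denyRules[path] {
		return false, nil
	}
	return true, nil
}

// canonicalPath reports whether a gRPC :path has the only shape the router
// should accept: a leading slash, then exactly two non-empty components.
func canonicalPath(path string) bool {
	if !strings.HasPrefix(path, "/") {
		return false
	}
	parts := strings.Split(path[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// hardenedAuthorize rejects any non-canonical path up front, so the deny rules
// only ever see paths in the form they were written for.
func hardenedAuthorize(path string) (allowed bool, err error) {
	if !canonicalPath(path) {
		return false, ErrNonCanonicalPath
	}
	if denyRules[path] {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed sample of incoming :path values, including the malformed one.
	for _, p := range []string{
		"/admin.AdminService/DeleteEverything",
		"admin.AdminService/DeleteEverything",
		"/pkg.PublicService/Ping",
	} {
		na, _ := naiveAuthorize(p)
		ha, herr := hardenedAuthorize(p)
		fmt.Printf("%-40q naive allowed=%v hardened allowed=%v err=%v\n", p, na, ha, herr)
	}
}
```

Running it shows the naive check allowing the slash-less path while the hardened check returns the Unimplemented-style error, which is exactly the observable difference between the two sides of the fix.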

@dependabot dependabot Bot added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update Go code) May 14, 2026
@kusari-inspector

kusari-inspector Bot commented May 14, 2026

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

Both analyses independently recommend blocking this PR. While the grpc upgrade from v1.69.2 to v1.79.3 correctly resolves CVE-2026-33186 (authorization bypass), it introduces or retains four unresolved HIGH-severity transitive dependency vulnerabilities that must be pinned in go.mod before merging: (1) CVE-2026-34986 in github.com/go-jose/go-jose/v4 v4.1.3 - unauthenticated remote DoS via panic on JWE decryption with empty encrypted_key; fixed at v4.1.4. (2) CVE-2026-29181 in go.opentelemetry.io/otel v1.39.0 - remote DoS via baggage header amplification; fixed at v1.43.0. (3) CVE-2026-24051 and CVE-2026-39883 in go.opentelemetry.io/otel/sdk v1.39.0 - PATH hijacking enabling arbitrary code execution on BSD/Solaris; fixed at v1.43.0. (4) CVE-2026-33814 in golang.org/x/net v0.48.0 - remote DoS via HTTP/2 infinite loop triggered by SETTINGS_MAX_FRAME_SIZE of 0; fixed at v0.54.0. All four are remotely exploitable with no authentication required (availability or integrity impact), making this a net negative security posture change if merged as-is. The static code scan returned zero findings, confirming no direct code issues, but does not negate the dependency risks. Required actions before merge: add explicit require directives in go.mod to pin github.com/go-jose/go-jose/v4 to v4.1.4, go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to v1.43.0, and golang.org/x/net to v0.54.0, then run go mod tidy and re-validate.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Pin go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to v1.43.0 or later to resolve CVE-2026-29181 (remote DoS via baggage header amplification) and CVE-2026-24051 / CVE-2026-39883 (PATH hijacking enabling arbitrary code execution on BSD/Solaris).

  • Potential Code Fix:
require go.opentelemetry.io/otel v1.43.0
require go.opentelemetry.io/otel/sdk v1.43.0

Pin github.com/go-jose/go-jose/v4 to v4.1.4 or later to resolve CVE-2026-34986 (unauthenticated remote DoS via panic on JWE decryption with empty encrypted_key).

  • Potential Code Fix:
require github.com/go-jose/go-jose/v4 v4.1.4

Pin golang.org/x/net to v0.54.0 or later to resolve CVE-2026-33814 (remote DoS via HTTP/2 infinite loop triggered by SETTINGS_MAX_FRAME_SIZE of 0).

  • Potential Code Fix:
require golang.org/x/net v0.54.0

Required Dependency Mitigations

  • CVE-2026-34986 (GHSA-78h2-9frx-2jm8) - HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/A:H): Newly introduced transitive dependency github.com/go-jose/go-jose/v4 at v4.1.3 is vulnerable to a remote unauthenticated panic/DoS. Decrypting a JWE object with key wrapping algorithms (any alg ending in KW, except GCMKW variants) and an empty encrypted_key field will cause the server to panic, enabling denial of service. Fixed version: v4.1.4. Dependency path: github.com/ossf/package-analysis -> google.golang.org/grpc -> github.com/spiffe/go-spiffe/v2 -> github.com/go-jose/go-jose/v4. Action: Add an explicit require directive in go.mod to pin the fixed version: require github.com/go-jose/go-jose/v4 v4.1.4 then run: go mod tidy

Commit: a7964c4, performed at: 2026-05-15T00:04:44Z


@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch from e3109b4 to faa6047 May 14, 2026 23:44
@kusari-inspector

Kusari PR Analysis rerun based on - faa6047 performed at: 2026-05-14T23:46:27Z - link to updated analysis

@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch from faa6047 to beb6a68 May 14, 2026 23:55
@kusari-inspector

Kusari PR Analysis rerun based on - beb6a68 performed at: 2026-05-14T23:59:52Z - link to updated analysis

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.69.2 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.69.2...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch from beb6a68 to a7964c4 May 15, 2026 00:04
@kusari-inspector

Kusari PR Analysis rerun based on - a7964c4 performed at: 2026-05-15T00:05:21Z - link to updated analysis

@calebbrown calebbrown merged commit b7bb0a7 into main May 15, 2026
8 of 12 checks passed
@calebbrown calebbrown deleted the dependabot/go_modules/google.golang.org/grpc-1.79.3 branch May 15, 2026 00:10