fix: pin deployment-operator grpc dependency#3597
Conversation
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Security scanners have found the following vulnerability in our cluster:... |
| 🔗 Run history | View run history |
Greptile SummaryThis PR pins
Confidence Score: 4/5Safe to merge; the resolved grpc version is unchanged and the module already had grpc v1.80.0 locked in go.sum. The only change is removing No files require special attention beyond the cosmetic placement note on
|
| Filename | Overview |
|---|---|
| go/deployment-operator/go.mod | Promotes google.golang.org/grpc v1.80.0 from indirect to direct dependency by removing the // indirect annotation; version is unchanged and grpc is genuinely imported directly in the module, so the annotation removal is correct, but the entry was not moved to the direct-dependencies block. |
Reviews (1): Last reviewed commit: "fix: pin deployment-operator grpc depend..." | Re-trigger Greptile
| google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect | ||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect | ||
| google.golang.org/grpc v1.80.0 // indirect | ||
| google.golang.org/grpc v1.80.0 |
There was a problem hiding this comment.
Entry lives in the indirect
require block
The // indirect annotation was removed, but the entry was not moved into the direct-dependencies require block at the top of the file. Running go mod tidy will notice that google.golang.org/grpc is directly imported (e.g. in pkg/scm/grpc_client.go) and relocate it to the first require block — but until then the file is inconsistent. While this does not affect the resolved version, it could confuse developers scanning the module manifest and is not the idiomatic Go Modules format. Consider running go mod tidy and committing the reorganized output alongside this change.
921df2b to
1a657fa
Compare
Summary
google.golang.org/grpcexplicitly ingo/deployment-operator/go.modv1.80.0, which is above the scanner-recommended fixed version1.79.3Rationale
The vulnerable image reported grpc
v1.72.2, but the current repository lock data for deployment-operator already resolves grpcv1.80.0. Making grpc a direct requirement in the deployment-operator module prevents the image build from drifting to an older vulnerable transitive selection and documents the intended fixed version clearly in the module manifest.Verification
go/deployment-operator/go.modandgo.sumfor resolved grpc versiongo/deployment-operator/go.sumcontainsgoogle.golang.org/grpc v1.80.0go build ./cmd/agent/...usinggolang:1.26.3-alpine3.22; first-time dependency population was very large, but the module resolution showed grpcv1.80.0