Skip to content

fix: pin deployment-operator grpc dependency#3597

Merged
michaeljguarino merged 1 commit into
masterfrom
agent/pin-deployment-operator-grpc-1747962737000
May 23, 2026
Merged

fix: pin deployment-operator grpc dependency#3597
michaeljguarino merged 1 commit into
masterfrom
agent/pin-deployment-operator-grpc-1747962737000

Conversation

@plural-copilot

Copy link
Copy Markdown
Contributor

Summary

  • pin google.golang.org/grpc explicitly in go/deployment-operator/go.mod
  • keep deployment-operator on grpc v1.80.0, which is above the scanner-recommended fixed version 1.79.3
  • verify the Docker build path resolves the fixed grpc version for the deployment-operator image

Rationale

The vulnerable image reported grpc v1.72.2, but the current repository lock data for deployment-operator already resolves grpc v1.80.0. Making grpc a direct requirement in the deployment-operator module prevents the image build from drifting to an older vulnerable transitive selection and documents the intended fixed version clearly in the module manifest.

Verification

  • inspected go/deployment-operator/go.mod and go.sum for resolved grpc version
  • confirmed go/deployment-operator/go.sum contains google.golang.org/grpc v1.80.0
  • started deployment-operator Docker build and confirmed it consumes the updated module manifest
  • started an in-container go build ./cmd/agent/... using golang:1.26.3-alpine3.22; first-time dependency population was very large, but the module resolution showed grpc v1.80.0

@plural-copilot plural-copilot Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt Security scanners have found the following vulnerability in our cluster:...
🔗 Run history View run history

@greptile-apps

greptile-apps Bot commented May 23, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR pins google.golang.org/grpc as a direct dependency in go/deployment-operator/go.mod to prevent future go mod tidy runs from drifting to an older transitive version. The resolved version stays at v1.80.0 (already present in go.sum); only the // indirect annotation is removed.

  • The annotation removal is semantically correct — google.golang.org/grpc is directly imported in pkg/scm/grpc_client.go, pkg/scm/grpc_server.go, and related files.
  • The entry was not moved into the top-level direct-dependencies require block; it remains in the indirect block without its annotation, leaving the manifest in a slightly inconsistent state until go mod tidy is run.

Confidence Score: 4/5

Safe to merge; the resolved grpc version is unchanged and the module already had grpc v1.80.0 locked in go.sum.

The only change is removing // indirect from a single line. The grpc version was already v1.80.0 before this PR and grpc is genuinely directly imported, so the annotation removal is correct. The minor inconsistency of the entry remaining in the indirect require block instead of being moved to the direct-dependency section is cosmetic and would be cleaned up by a routine go mod tidy.

No files require special attention beyond the cosmetic placement note on go/deployment-operator/go.mod.

Important Files Changed

Filename Overview
go/deployment-operator/go.mod Promotes google.golang.org/grpc v1.80.0 from indirect to direct dependency by removing the // indirect annotation; version is unchanged and grpc is genuinely imported directly in the module, so the annotation removal is correct, but the entry was not moved to the direct-dependencies block.

Reviews (1): Last reviewed commit: "fix: pin deployment-operator grpc depend..." | Re-trigger Greptile

google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
google.golang.org/grpc v1.80.0 // indirect
google.golang.org/grpc v1.80.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Entry lives in the indirect require block

The // indirect annotation was removed, but the entry was not moved into the direct-dependencies require block at the top of the file. Running go mod tidy will notice that google.golang.org/grpc is directly imported (e.g. in pkg/scm/grpc_client.go) and relocate it to the first require block — but until then the file is inconsistent. While this does not affect the resolved version, it could confuse developers scanning the module manifest and is not the idiomatic Go Modules format. Consider running go mod tidy and committing the reorganized output alongside this change.

@michaeljguarino michaeljguarino added the enhancement New feature or request label May 23, 2026
@michaeljguarino michaeljguarino force-pushed the agent/pin-deployment-operator-grpc-1747962737000 branch from 921df2b to 1a657fa Compare May 23, 2026 01:21
@michaeljguarino michaeljguarino merged commit fc2ab8e into master May 23, 2026
57 of 58 checks passed
@michaeljguarino michaeljguarino deleted the agent/pin-deployment-operator-grpc-1747962737000 branch May 23, 2026 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant