From 6370da082227c9c906d399a364296cfbab70e199 Mon Sep 17 00:00:00 2001 From: Albert Wu Date: Mon, 1 Jun 2026 09:47:15 -0700 Subject: [PATCH] chore(deps): revert grpc to v1.68.1 known-good and pin genproto/rpc Revert google.golang.org/grpc from v1.67.3 to v1.68.1 -- the pre-security-bump (#146) known-good version -- and pin the transitive google.golang.org/genproto/googleapis/rpc to v0.0.0-20241230172942-26aa7a208def to match the internal monorepo. grpc v1.68.1 only transitively requires genproto/rpc ...20240903143218, so the explicit Dec-2024 pin holds cleanly under MVS. Update the dependabot ignore comment to v1.68.x (the ignore rule itself is unchanged and still blocks all grpc bumps). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/dependabot.yml | 2 +- go.mod | 4 ++-- go.sum | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4a34d0e..48b6e35 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,6 @@ updates: # which run independently of this limit. open-pull-requests-limit: 0 ignore: - # grpc-go is pinned to v1.67.x intentionally. Do not auto-bump it, + # grpc-go is pinned to v1.68.x intentionally. Do not auto-bump it, # including for security advisories. Re-evaluate manually. - dependency-name: "google.golang.org/grpc" diff --git a/go.mod b/go.mod index ea22cac..12ec655 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( go.uber.org/yarpc v1.81.0 go.uber.org/zap v1.27.1 golang.org/x/oauth2 v0.34.0 - google.golang.org/grpc v1.67.3 + google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.36.10 gopkg.in/yaml.v3 v3.0.1 ) @@ -55,7 +55,7 @@ require ( golang.org/x/text v0.34.0 // indirect golang.org/x/tools v0.41.0 // indirect golang.org/x/tools/go/expect v0.1.1-deprecated // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241230172942-26aa7a208def // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect honnef.co/go/tools v0.4.3 // indirect ) diff --git a/go.sum b/go.sum index 3a0273a..b12bd5d 100644 --- a/go.sum +++ b/go.sum @@ -291,11 +291,11 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180518175338-11a468237815/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241230172942-26aa7a208def h1:4P81qv5JXI/sDNae2ClVx88cgDDA6DPilADkG9tYKz8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241230172942-26aa7a208def/go.mod h1:bdAgzvd4kFrpykc5/AC2eLUiegK9T/qxZHD4hXYf/ho= google.golang.org/grpc v1.12.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= -google.golang.org/grpc v1.67.3 h1:OgPcDAFKHnH8X3O4WcO4XUc8GRDeKsKReqbQtiCj7N8= -google.golang.org/grpc v1.67.3/go.mod h1:YGaHCc6Oap+FzBJTZLBzkGSYt/cvGPFTPxkn7QfSU8s= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=