Fix/2026 03 19 grpc CVE #759

Merged
hallyn merged 2 commits into project-stacker:main from raharper:fix/2026-03-19-grpc-cve
Mar 20, 2026

Conversation

@raharper
Contributor

What type of PR is this?

bug

Which issue does this PR fix:

Dependabot Alert on grpc: CVE-2026-33186

GHSA-p77j-4mvh-x3m3

What does this PR do / Why do we need it:

Bump grpc to v1.79.3 which includes fix for CVE-2026-33186

If an issue # is not available please add repro steps and logs showing the issue:

1. $ git log --pretty=oneline -1
8e9e9d688687e737e68c888699fddb16da85e43a (HEAD -> main, origin/main, origin/HEAD) fix: Add warning for stacker files with bom: set
2. $ grype --version
grype 0.110.0
3. $ grype stacker
 ✔ Indexed file system                   stacker
 ✔ Cataloged contents                    57b8f1fe1e1d380b8c82ecb19ec6bcabcf4a24a6e8be79a14a8a1cf85b4f2dde
   ├── ✔ Packages                        [134 packages]
   ├── ✔ Executables                     [1 executables]
   ├── ✔ File digests                    [1 files]
   └── ✔ File metadata                   [1 locations]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored
NAME                    INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS  RISK
google.golang.org/grpc  v1.76.0    1.79.3    go-module  GHSA-p77j-4mvh-x3m3  Critical  N/A   N/A

Testing done on this change:

Automation added to e2e:

None

Will this break upgrades or downgrades?

No

Does this PR introduce any user-facing change?:

No

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
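The grype finding above is a version comparison: google.golang.org/grpc at v1.76.0 against a fix in 1.79.3. The Go check below is an added example, not code from this PR or from stacker: it reads a go.mod (a constructed fragment here, with the pre-fix versions the PR starts from) and reports whether the module is at or above the fixed version. The packed-integer ordering is an assumed simplification of semver precedence (three numeric fields plus a pre-release flag), enough for tags such as v1.79.3-rc.1 but not for comparing two different pre-release strings.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod (not stacker's own) in the pre-fix state shown in the PR.
const sampleGoMod = "module example.com/check\n\nrequire (\n\tgolang.org/x/net v0.38.0 // indirect\n\tgoogle.golang.org/grpc v1.76.0\n)\n"
// RequiredVersion returns the version go.mod requires for modulePath ("" if
// absent); one-line "require path vX" and "require ( ... )" blocks both work.
func RequiredVersion(goMod, modulePath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modulePath {
			return f[1]
		}
	}
	return ""
}

// semverKey packs "v1.79.3" into one integer ordered like semver precedence: three
// 20-bit fields, a "-rc" pre-release ranks just below its release, "+meta" is ignored.
func semverKey(v string) (int64, error) {
	base, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	base, _, isPre := strings.Cut(base, "-")
	var major, minor, patch int64
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &major, &minor, &patch); err != nil || major|minor|patch >= 1<<20 {
		return 0, fmt.Errorf("not a MAJOR.MINOR.PATCH version below 2^20: %q", v)
	}
	key := ((major<<20 | minor)<<20 | patch) << 1
	if !isPre {
		key |= 1 // a final release sorts above any pre-release of itself
	}
	return key, nil
}

// IsFixed reports whether go.mod requires modulePath at or above fixedIn.
func IsFixed(goMod, modulePath, fixedIn string) (bool, error) {
	have := RequiredVersion(goMod, modulePath)
	if have == "" {
		return false, fmt.Errorf("%s is not required by go.mod", modulePath)
	}
	h, err := semverKey(have)
	if err != nil {
		return false, err
	}
	w, err := semverKey(fixedIn)
	return err == nil && h >= w, err
}
```

Run against a real go.mod, a false result for the module named in the advisory is the same signal grype prints as "FIXED IN", without needing a vulnerability database for the one module you are tracking.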

@raharper raharper added the "dependencies" label (Pull requests that update a dependency file) Mar 19, 2026
codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.22%. Comparing base (551b30d) to head (62576ca).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #759   +/-   ##
=======================================
  Coverage   54.22%   54.22%           
=======================================
  Files          55       55           
  Lines        5909     5909           
=======================================
  Hits         3204     3204           
  Misses       2126     2126           
  Partials      579      579           


@raharper raharper force-pushed the fix/2026-03-19-grpc-cve branch from 1dbbbd5 to aa4b57f on March 20, 2026 14:24
@hallyn hallyn left a comment

Thanks, Ryan!

Should we just have github squash-merge, or were you going to rebase -i?

@raharper
Contributor Author

> Thanks, Ryan!
>
> Should we just have github squash-merge, or were you going to rebase -i?

#760

Let's merge this (just the fix) and I'll rebase this PR

CVE in grpc requires bump to v1.79.3 which requires newer x/net
and other friends.

The older x/net 0.38.0 was incompatible with newer grpc HTTP2 and
running latest allows us to use v1.79.3

Signed-off-by: Ryan Harper <rharper@woxford.com>
Signed-off-by: Ryan Harper <rharper@woxford.com>
@raharper raharper force-pushed the fix/2026-03-19-grpc-cve branch from aa4b57f to 62576ca on March 20, 2026 17:27
@hallyn hallyn merged commit 259ff7b into project-stacker:main Mar 20, 2026
11 checks passed