
[deps] Update safe patch dependencies (2 updates) #21545

@github-actions


Summary

This issue groups together 2 safe patch updates that can be applied together. One includes a security fix for an authorization bypass in gRPC. All updates are single-version patch increments with bug/security fixes only and no breaking changes.

⚠️ Note: Dependabot alerts API returned 403 (insufficient permissions). This analysis was performed by manually checking latest GitHub releases for all dependencies.

Updates

| Package | Current | Proposed | Update Type | Key Changes |
|---|---|---|---|---|
| google.golang.org/grpc | v1.79.2 | v1.79.3 | Security Patch | Authorization bypass fix for malformed :path headers |
| google.golang.org/protobuf | v1.36.10 | v1.36.11 | Patch | Bug fixes in lazy decoding validation, encoding improvements |

Safety Assessment

All updates are safe patches

  • Both are single-version patch increments (v1.79.2 → v1.79.3, v1.36.10 → v1.36.11)
  • No breaking changes or new features
  • No API changes
  • Explicitly backward compatible

🔒 Security Note: google.golang.org/grpc v1.79.3 fixes an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error.

Links

Note: google.golang.org/grpc is hosted at github.com/grpc/grpc-go. google.golang.org/protobuf is hosted at github.com/protocolbuffers/protobuf-go. Both packages use their own GitHub repositories despite the google.golang.org import paths.

Recommended Action

Apply all updates together:

go get google.golang.org/grpc@v1.79.3
go get google.golang.org/protobuf@v1.36.11
go mod tidy

Testing Notes

  • Run all tests: make test-unit
  • Verify gRPC connections work correctly (if used in workflow compilation)
  • Check for any deprecation warnings
  • Run: make agent-finish before committing

Generated by Dependabot Dependency Checker

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • pkg.go.dev
  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "pkg.go.dev"
    - "proxy.golang.org"

See Network Configuration for more information.

  • expires on Mar 20, 2026, 9:36 AM UTC
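
The Security Note above describes a mismatch between what a path-based deny rule compares and what the server routes. The following is an added example, not code from grpc-go or from this issue. It is a simplified stdlib-only model in which the rule table, handler table, function names and error values are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Stand-ins for gRPC status codes (constructed for this sketch).
var (
	errDenied        = errors.New("PermissionDenied: blocked by deny rule")
	errUnimplemented = errors.New("Unimplemented: malformed method name")
)

// denied is a path-based deny rule written in canonical form (sample data).
var denied = map[string]bool{"/admin.Admin/DeleteUser": true}

// handlers is keyed without the leading slash, as a lenient router might store it.
var handlers = map[string]bool{"admin.Admin/DeleteUser": true, "app.Public/Ping": true}

// dispatchLenient models the risky shape: the policy compares the raw :path
// value, while routing tolerates a missing leading slash.
func dispatchLenient(path string) (bool, error) {
	if denied[path] {
		return false, errDenied
	}
	if !handlers[strings.TrimPrefix(path, "/")] {
		return false, errUnimplemented
	}
	return true, nil // handler would run
}

// dispatchStrict rejects any non-canonical path before policy or routing,
// which is the behaviour the Security Note attributes to v1.79.3.
func dispatchStrict(path string) (bool, error) {
	if !strings.HasPrefix(path, "/") {
		return false, errUnimplemented
	}
	return dispatchLenient(path)
}

func main() {
	for _, p := range []string{"/admin.Admin/DeleteUser", "admin.Admin/DeleteUser", "/app.Public/Ping"} {
		l, lerr := dispatchLenient(p)
		s, serr := dispatchStrict(p)
		fmt.Printf("%-26q lenient=%v (%v) strict=%v (%v)\n", p, l, lerr, s, serr)
	}
}
```

A regression test in this shape, run against the real interceptor chain after the upgrade, confirms that deny rules hold for slash-less paths as well as canonical ones.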
