forgejo/forgejo
forgejo/forgejo
120
4.9k
Fork 843
Code Issues 1.3k Pull requests 152 Projects Releases 106 Packages 1 Activity Actions 22

Update google.golang.org/grpc (indirect) to v1.79.3 [SECURITY] (forgejo) #12794

Merged
mfenniak merged 1 commit from renovate/forgejo-go-google.golang.org-grpc-vulnerability into forgejo 2026-05-28 22:16:02 +02:00
Conversation 1 Commits 1 Files changed 2 +11 -11
viceice-bot commented 2026-05-28 21:10:56 +02:00
Member
Copy link

This PR contains the following updates:

Package Change Age Confidence
google.golang.org/grpc v1.75.0v1.79.3 age confidence

gRPC-Go has an authorization bypass via missing leading slash in :path

CVE-2026-33186 / GHSA-p77j-4mvh-x3m3 / GO-2026-4762

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

CVE-2026-33186 / GHSA-p77j-4mvh-x3m3 / GO-2026-4762

More information

Details

Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

grpc/grpc-go (google.golang.org/grpc)

v1.79.3: Release 1.79.3

Compare Source

Security

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#​8981)

v1.79.2: Release 1.79.2

Compare Source

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (#​8874)

v1.79.1: Release 1.79.1

Compare Source

Bug Fixes

  • grpc: Remove the -dev suffix from the User-Agent header. (#​8902)

v1.79.0: Release 1.79.0

Compare Source

API Changes

  • mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#​8806)
  • experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#​8780)

Behavior Changes

  • balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#​8841)

New Features

  • experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#​8780)
  • pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
    • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#​8864)
  • xds: Implement :authority rewriting, as specified in gRFC A81. (#​8779)
  • balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#​8650)

Bug Fixes

  • credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#​8726)
  • xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#​8813)
  • health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#​8765)
  • transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#​8769)
  • server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#​8754)

Performance Improvements

  • credentials/alts: Optimize read buffer alignment to reduce copies. (#​8791)
  • mem: Optimize pooling and creation of buffer objects. (#​8784)
  • transport: Reduce slice re-allocations by reserving slice capacity. (#​8797)

v1.78.0: Release 1.78.0

Compare Source

Behavior Changes

  • client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. (#​8716)
  • transport/client : Return status code Unknown on malformed grpc-status. (#​8735)
    • xds/resolver:
    • Drop previous route resources and report an error when no matching virtual host is found.
    • Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. (#​8711)

New Features

  • stats/otel: Add backend service label to weighted round robin metrics as part of A89. (#​8737)
  • stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. (#​8738)
  • client: Wait for all pending goroutines to complete when closing a graceful switch balancer. (#​8746)
  • client: Add experimental.AcceptCompressors so callers can restrict the grpc-accept-encoding header advertised for a call. (#​8718)

Bug Fixes

  • xds: Fix a bug in StringMatcher where regexes would match incorrectly when ignore_case is set to true. (#​8723)
  • client:
    • Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE).
    • Change connectivity state to TRANSIENT_FAILURE if name resolver creation fails (as part of exiting IDLE).
    • Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT_FAILURE.
    • Fix a bug that resulted in OnFinish call option not being invoked for RPCs where stream creation failed. (#​8710)
  • xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. (#​8627)

Performance Improvements

  • mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. (#​8705)

v1.77.0: Release 1.77.0

Compare Source

API Changes

  • mem: Replace the Reader interface with a struct for better performance and maintainability. (#​8669)

Behavior Changes

  • balancer/pickfirst: Remove support for the old pick_first LB policy via the environment variable GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false. The new pick_first has been the default since v1.71.0. (#​8672)

Bug Fixes

  • xdsclient: Fix a race condition in the ADS stream implementation that could result in resource-not-found errors, causing the gRPC client channel to move to TransientFailure. (#​8605)
  • client: Ignore HTTP status header for gRPC streams. (#​8548)
  • client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. (#​8534)
  • client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
    • Setting environment variable GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false disables this change; please file a bug if any problems are encountered as we will remove this option soon. (#​8613)
  • balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. (#​8611)
  • server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. (#​8573)
  • balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to pick_first but don't set endpoints. (#​8610)
  • mem: Clear large buffers before re-using. (#​8670)

Performance Improvements

New Features

  • outlierdetection: Add metrics specified in gRFC A91. (#​8644)
  • stats/opentelemetry: Add support for optional label grpc.lb.backend_service in per-call metrics (#​8637)
  • xds: Add support for JWT Call Credentials as specified in gRFC A97. Set environment variable GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true to enable this feature. (#​8536)
  • experimental/stats: Add support for up/down counters. (#​8581)

v1.76.0: Release 1.76.0

Compare Source

Dependencies

Bug Fixes

  • client: Return status INTERNAL when a server sends zero response messages for a unary or client-streaming RPC. (#​8523)
  • client: Fail RPCs with status INTERNAL instead of UNKNOWN upon receiving http headers with status 1xx and END_STREAM flag set. (#​8518)
  • pick_first: Fix race condition that could cause pick_first to get stuck in IDLE state on backend address change. (#​8615)

New Features

  • credentials: Add credentials/jwt package providing file-based JWT PerRPCCredentials (A97). (#​8431)

Performance Improvements

  • client: Improve HTTP/2 header size estimate to reduce re-allocations. (#​8547)
  • encoding/proto: Avoid redundant message size calculation when marshaling. (#​8569)

v1.75.1: Release 1.75.1

Compare Source

Bug Fixes

  • transport: Fix a data race while copying headers for stats handlers in the std lib http2 server transport. (#​8519)
  • xdsclient:
    • Fix a data race caused while reporting load to LRS. (#​8483)
    • Fix regression preventing empty node IDs when creating an LRS client. (#​8483)
  • server: Fix a regression preventing streams from being cancelled or timed out when blocked on flow control. (#​8528)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `v1.75.0` → `v1.79.3` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.79.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.75.0/v1.79.3?slim=true) | --- ### gRPC-Go has an authorization bypass via missing leading slash in :path [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) / [GHSA-p77j-4mvh-x3m3](https://github.com/advisories/GHSA-p77j-4mvh-x3m3) / [GO-2026-4762](https://pkg.go.dev/vuln/GO-2026-4762) <details> <summary>More information</summary> #### Details ##### Impact _What kind of vulnerability is it? Who is impacted?_ It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. **Who is impacted?** This affects gRPC-Go servers that meet both of the following criteria: 1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`. 2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. ##### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer): * **v1.79.3** * The latest **master** branch. It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release. ##### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: ##### 1. Use a Validating Interceptor (Recommended Mitigation) Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs: ```go func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { if info.FullMethod == "" || info.FullMethod[0] != '/' { return nil, status.Errorf(codes.Unimplemented, "malformed method name") } return handler(ctx, req) } // Ensure this is the FIRST interceptor in your chain s := grpc.NewServer( grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor), ) ``` ##### 2. Infrastructure-Level Normalization If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash. ##### 3. Policy Hardening Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs. #### Severity - CVSS Score: 9.1 / 10 (Critical) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` #### References - [https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3](https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3) - [https://nvd.nist.gov/vuln/detail/CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) - [https://github.com/grpc/grpc-go](https://github.com/grpc/grpc-go) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) / [GHSA-p77j-4mvh-x3m3](https://github.com/advisories/GHSA-p77j-4mvh-x3m3) / [GO-2026-4762](https://pkg.go.dev/vuln/GO-2026-4762) <details> <summary>More information</summary> #### Details Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc #### Severity Unknown #### References - [https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3](https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-4762) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Release Notes <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.79.3`](https://github.com/grpc/grpc-go/releases/tag/v1.79.3): Release 1.79.3 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.2...v1.79.3) ### Security - server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like `grpc/authz`. Any request with a non-canonical path is now immediately rejected with an `Unimplemented` error. ([#&#8203;8981](https://github.com/grpc/grpc-go/issues/8981)) ### [`v1.79.2`](https://github.com/grpc/grpc-go/releases/tag/v1.79.2): Release 1.79.2 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.1...v1.79.2) ### Bug Fixes - stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. ([#&#8203;8874](https://github.com/grpc/grpc-go/pull/8874)) ### [`v1.79.1`](https://github.com/grpc/grpc-go/releases/tag/v1.79.1): Release 1.79.1 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1) ### Bug Fixes - grpc: Remove the `-dev` suffix from the User-Agent header. ([#&#8203;8902](https://github.com/grpc/grpc-go/pull/8902)) ### [`v1.79.0`](https://github.com/grpc/grpc-go/releases/tag/v1.79.0): Release 1.79.0 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.78.0...v1.79.0) ### API Changes - mem: Add experimental API `SetDefaultBufferPool` to change the default buffer pool. ([#&#8203;8806](https://github.com/grpc/grpc-go/issues/8806)) - Special Thanks: [@&#8203;vanja-p](https://github.com/vanja-p) - experimental/stats: Update `MetricsRecorder` to require embedding the new `UnimplementedMetricsRecorder` (a no-op struct) in all implementations for forward compatibility. ([#&#8203;8780](https://github.com/grpc/grpc-go/issues/8780)) ### Behavior Changes - balancer/weightedtarget: Remove handling of `Addresses` and only handle `Endpoints` in resolver updates. ([#&#8203;8841](https://github.com/grpc/grpc-go/issues/8841)) ### New Features - experimental/stats: Add support for asynchronous gauge metrics through the new `AsyncMetricReporter` and `RegisterAsyncReporter` APIs. ([#&#8203;8780](https://github.com/grpc/grpc-go/issues/8780)) - pickfirst: Add support for weighted random shuffling of endpoints, as described in [gRFC A113](https://github.com/grpc/proposal/pull/535). - This is enabled by default, and can be turned off using the environment variable `GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING`. ([#&#8203;8864](https://github.com/grpc/grpc-go/issues/8864)) - xds: Implement `:authority` rewriting, as specified in [gRFC A81](https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md). ([#&#8203;8779](https://github.com/grpc/grpc-go/issues/8779)) - balancer/randomsubsetting: Implement the `random_subsetting` LB policy, as specified in [gRFC A68](https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md). ([#&#8203;8650](https://github.com/grpc/grpc-go/issues/8650)) - Special Thanks: [@&#8203;marek-szews](https://github.com/marek-szews) ### Bug Fixes - credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. ([#&#8203;8726](https://github.com/grpc/grpc-go/issues/8726)) - Special Thanks: [@&#8203;Atul1710](https://github.com/Atul1710) - xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in `CONNECTING` state. ([#&#8203;8813](https://github.com/grpc/grpc-go/issues/8813)) - health: Fix a bug where health checks failed for clients using legacy compression options (`WithDecompressor` or `RPCDecompressor`). ([#&#8203;8765](https://github.com/grpc/grpc-go/issues/8765)) - Special Thanks: [@&#8203;sanki92](https://github.com/sanki92) - transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. ([#&#8203;8769](https://github.com/grpc/grpc-go/issues/8769)) - Special Thanks: [@&#8203;joybestourous](https://github.com/joybestourous) - server: Propagate status detail headers, if available, when terminating a stream during request header processing. ([#&#8203;8754](https://github.com/grpc/grpc-go/issues/8754)) - Special Thanks: [@&#8203;joybestourous](https://github.com/joybestourous) ### Performance Improvements - credentials/alts: Optimize read buffer alignment to reduce copies. ([#&#8203;8791](https://github.com/grpc/grpc-go/issues/8791)) - mem: Optimize pooling and creation of `buffer` objects. ([#&#8203;8784](https://github.com/grpc/grpc-go/issues/8784)) - transport: Reduce slice re-allocations by reserving slice capacity. ([#&#8203;8797](https://github.com/grpc/grpc-go/issues/8797)) ### [`v1.78.0`](https://github.com/grpc/grpc-go/releases/tag/v1.78.0): Release 1.78.0 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.77.0...v1.78.0) ### Behavior Changes - client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. ([#&#8203;8716](https://github.com/grpc/grpc-go/issues/8716)) - Special Thanks: [@&#8203;neild](https://github.com/neild) - transport/client : Return status code `Unknown` on malformed grpc-status. ([#&#8203;8735](https://github.com/grpc/grpc-go/issues/8735)) - - xds/resolver: - Drop previous route resources and report an error when no matching virtual host is found. - Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. ([#&#8203;8711](https://github.com/grpc/grpc-go/issues/8711)) ### New Features - stats/otel: Add backend service label to weighted round robin metrics as part of A89. ([#&#8203;8737](https://github.com/grpc/grpc-go/issues/8737)) - stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. ([#&#8203;8738](https://github.com/grpc/grpc-go/issues/8738)) - client: Wait for all pending goroutines to complete when closing a graceful switch balancer. ([#&#8203;8746](https://github.com/grpc/grpc-go/issues/8746)) - Special Thanks: [@&#8203;twz123](https://github.com/twz123) - client: Add `experimental.AcceptCompressors` so callers can restrict the `grpc-accept-encoding` header advertised for a call. ([#&#8203;8718](https://github.com/grpc/grpc-go/issues/8718)) - Special Thanks: [@&#8203;iblancasa](https://github.com/iblancasa) ### Bug Fixes - xds: Fix a bug in `StringMatcher` where regexes would match incorrectly when ignore\_case is set to true. ([#&#8203;8723](https://github.com/grpc/grpc-go/issues/8723)) - client: - Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE). - Change connectivity state to TRANSIENT\_FAILURE if name resolver creation fails (as part of exiting IDLE). - Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT\_FAILURE. - Fix a bug that resulted in `OnFinish` call option not being invoked for RPCs where stream creation failed. ([#&#8203;8710](https://github.com/grpc/grpc-go/issues/8710)) - xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. ([#&#8203;8627](https://github.com/grpc/grpc-go/issues/8627)) ### Performance Improvements - mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. ([#&#8203;8705](https://github.com/grpc/grpc-go/issues/8705)) - Special Thanks: [@&#8203;cjc25](https://github.com/cjc25) ### [`v1.77.0`](https://github.com/grpc/grpc-go/releases/tag/v1.77.0): Release 1.77.0 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.76.0...v1.77.0) ### API Changes - mem: Replace the `Reader` interface with a struct for better performance and maintainability. ([#&#8203;8669](https://github.com/grpc/grpc-go/issues/8669)) ### Behavior Changes - balancer/pickfirst: Remove support for the old `pick_first` LB policy via the environment variable `GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false`. The new `pick_first` has been the default since `v1.71.0`. ([#&#8203;8672](https://github.com/grpc/grpc-go/issues/8672)) ### Bug Fixes - xdsclient: Fix a race condition in the ADS stream implementation that could result in `resource-not-found` errors, causing the gRPC client channel to move to `TransientFailure`. ([#&#8203;8605](https://github.com/grpc/grpc-go/issues/8605)) - client: Ignore HTTP status header for gRPC streams. ([#&#8203;8548](https://github.com/grpc/grpc-go/issues/8548)) - client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. ([#&#8203;8534](https://github.com/grpc/grpc-go/issues/8534)) - Special Thanks: [@&#8203;jgold2-stripe](https://github.com/jgold2-stripe) - client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy. - Setting environment variable `GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false` disables this change; please file a bug if any problems are encountered as we will remove this option soon. ([#&#8203;8613](https://github.com/grpc/grpc-go/issues/8613)) - balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. ([#&#8203;8611](https://github.com/grpc/grpc-go/issues/8611)) - server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. ([#&#8203;8573](https://github.com/grpc/grpc-go/issues/8573)) - Special Thanks: [@&#8203;hugehoo](https://github.com/hugehoo) - balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to `pick_first` but don't set endpoints. ([#&#8203;8610](https://github.com/grpc/grpc-go/issues/8610)) - mem: Clear large buffers before re-using. ([#&#8203;8670](https://github.com/grpc/grpc-go/issues/8670)) ### Performance Improvements - transport: Reduce heap allocations to reduce time spent in garbage collection. ([#&#8203;8624](https://github.com/grpc/grpc-go/issues/8624), [#&#8203;8630](https://github.com/grpc/grpc-go/issues/8630), [#&#8203;8639](https://github.com/grpc/grpc-go/issues/8639), [#&#8203;8668](https://github.com/grpc/grpc-go/issues/8668)) - transport: Avoid copies when reading and writing Data frames. ([#&#8203;8657](https://github.com/grpc/grpc-go/issues/8657), [#&#8203;8667](https://github.com/grpc/grpc-go/issues/8667)) - mem: Avoid clearing newly allocated buffers. ([#&#8203;8670](https://github.com/grpc/grpc-go/issues/8670)) ### New Features - outlierdetection: Add metrics specified in [gRFC A91](https://github.com/grpc/proposal/blob/master/A91-outlier-detection-metrics.md). ([#&#8203;8644](https://github.com/grpc/grpc-go/issues/8644)) - Special Thanks: [@&#8203;davinci26](https://github.com/davinci26), [@&#8203;PardhuKonakanchi](https://github.com/PardhuKonakanchi) - stats/opentelemetry: Add support for optional label `grpc.lb.backend_service` in per-call metrics ([#&#8203;8637](https://github.com/grpc/grpc-go/issues/8637)) - xds: Add support for JWT Call Credentials as specified in [gRFC A97](https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md). Set environment variable `GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true` to enable this feature. ([#&#8203;8536](https://github.com/grpc/grpc-go/issues/8536)) - Special Thanks: [@&#8203;dimpavloff](https://github.com/dimpavloff) - experimental/stats: Add support for up/down counters. ([#&#8203;8581](https://github.com/grpc/grpc-go/issues/8581)) ### [`v1.76.0`](https://github.com/grpc/grpc-go/releases/tag/v1.76.0): Release 1.76.0 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.75.1...v1.76.0) ### Dependencies - Minimum supported Go version is now 1.24 ([#&#8203;8509](https://github.com/grpc/grpc-go/issues/8509)) - Special Thanks: [@&#8203;kevinGC](https://github.com/kevinGC) ### Bug Fixes - client: Return status `INTERNAL` when a server sends zero response messages for a unary or client-streaming RPC. ([#&#8203;8523](https://github.com/grpc/grpc-go/issues/8523)) - client: Fail RPCs with status `INTERNAL` instead of `UNKNOWN` upon receiving http headers with status 1xx and `END_STREAM` flag set. ([#&#8203;8518](https://github.com/grpc/grpc-go/issues/8518)) - Special Thanks: [@&#8203;vinothkumarr227](https://github.com/vinothkumarr227) - pick\_first: Fix race condition that could cause pick\_first to get stuck in `IDLE` state on backend address change. ([#&#8203;8615](https://github.com/grpc/grpc-go/issues/8615)) ### New Features - credentials: Add `credentials/jwt` package providing file-based JWT PerRPCCredentials (A97). ([#&#8203;8431](https://github.com/grpc/grpc-go/issues/8431)) - Special Thanks: [@&#8203;dimpavloff](https://github.com/dimpavloff) ### Performance Improvements - client: Improve HTTP/2 header size estimate to reduce re-allocations. ([#&#8203;8547](https://github.com/grpc/grpc-go/issues/8547)) - encoding/proto: Avoid redundant message size calculation when marshaling. ([#&#8203;8569](https://github.com/grpc/grpc-go/issues/8569)) - Special Thanks: [@&#8203;rs-unity](https://github.com/rs-unity) ### [`v1.75.1`](https://github.com/grpc/grpc-go/releases/tag/v1.75.1): Release 1.75.1 [Compare Source](https://github.com/grpc/grpc-go/compare/v1.75.0...v1.75.1) ### Bug Fixes - transport: Fix a data race while copying headers for stats handlers in the std lib http2 server transport. ([#&#8203;8519](https://github.com/grpc/grpc-go/issues/8519)) - xdsclient: - Fix a data race caused while reporting load to LRS. ([#&#8203;8483](https://github.com/grpc/grpc-go/pull/8483)) - Fix regression preventing empty node IDs when creating an LRS client. ([#&#8203;8483](https://github.com/grpc/grpc-go/issues/8483)) - server: Fix a regression preventing streams from being cancelled or timed out when blocked on flow control. ([#&#8203;8528](https://github.com/grpc/grpc-go/issues/8528)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->
Update google.golang.org/grpc (indirect) to v1.79.3 [SECURITY]
All checks were successful
testing / semgrep/ci (pull_request) Successful in 24s
Details
testing / frontend-checks (pull_request) Successful in 1m13s
Details
issue-labels / release-notes (pull_request_target) Has been skipped
Details
issue-labels / cascade (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 2s
Details
testing / backend-checks (pull_request) Successful in 4m50s
Details
testing / test-unit (pull_request) Successful in 6m27s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 2m33s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 2m28s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 2m27s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 2m8s
Details
testing / test-mysql (pull_request) Successful in 31m35s
Details
testing / test-e2e (pull_request) Successful in 32m45s
Details
testing / test-sqlite (pull_request) Successful in 37m14s
Details
testing / test-pgsql (pull_request) Successful in 41m50s
Details
issue-labels / backporting (pull_request_target) Has been skipped
Details
milestone / set (pull_request_target) Successful in 5s
Details
testing / security-check (pull_request) Successful in 1m6s
Details
484483f725
viceice-bot commented 2026-05-28 21:11:07 +02:00
Author
Member
Copy link

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
cloud.google.com/go/compute/metadata v0.7.0 -> v0.9.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
### ℹ️ Artifact update notice ##### File name: go.mod In order to perform the update(s) described in the table above, Renovate ran the `go get` command, which resulted in the following additional change(s): - 2 additional dependencies were updated Details: | **Package** | **Change** | | :------------------------------------------ | :--------------------------------------------------------------------------- | | `cloud.google.com/go/compute/metadata` | `v0.7.0` -> `v0.9.0` | | `google.golang.org/genproto/googleapis/rpc` | `v0.0.0-20250825161204-c5933d9347a5` -> `v0.0.0-20251202230838-ff82c1b0f217` |
mfenniak approved these changes 2026-05-28 21:52:06 +02:00
mfenniak left a comment
Copy link

No impact from the security defect, as the grpc library isn't used as a server in Forgejo (connectrpc, a different but similar library, is used for Runner->Forgejo comms). But, approving the upgrade for cleanliness and no reason not to.

No impact from the security defect, as the grpc library isn't used as a server in Forgejo (connectrpc, a different but similar library, is used for Runner->Forgejo comms). But, approving the upgrade for cleanliness and no reason not to.
👍 1
mfenniak scheduled this pull request to auto merge when all checks succeed 2026-05-28 21:52:22 +02:00
mfenniak merged commit c37f5a96a9 into forgejo 2026-05-28 22:16:02 +02:00
mfenniak deleted branch renovate/forgejo-go-google.golang.org-grpc-vulnerability 2026-05-28 22:16:06 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
mfenniak
forgejo/Reviewers
Labels
Clear labels   
arch
riscv64

Archived

  
backport/v1.19
Scheduled for backport to Forgejo v1.19

Archived

  
backport/v1.20
Scheduled for backport to Forgejo v1.20

Archived

  
backport/v1.21/forgejo
Scheduled for backport to Forgejo v1.21

Archived

  
backport/v10.0/forgejo
Automated backport to v10.0

Archived

  
backport/v11.0/forgejo
Automated backport to v11.0

  
backport/v12.0/forgejo
Automated backport to v12.0

Archived

  
backport/v13.0/forgejo
Automated backport to v13.0

Archived

  
backport/v14.0/forgejo
Automated backport to v14.0

Archived

  
backport/v15.0/forgejo
Automated backport to v15.0

  
backport/v7.0/forgejo
Scheduled for backport to Forgejo v7.0

Archived

  
backport/v8.0/forgejo
Scheduled for backport to Forgejo v8.0

Archived

  
backport/v9.0/forgejo
Scheduled for backport to Forgejo v9.0

Archived

  
breaking
The release containing this change is not backward compatible

  
bug
Something is not working

Archived

  
bug
confirmed
 it can be reproduced

  
bug
duplicate
 bug has already been reported in the Forgejo tracker

  
bug
needs-more-info
 the information provided does not contain enough details

  
bug
new-report
 bug has just been reported and need triage (default label on issue creation)

  
bug
reported-upstream
 bug cannot be fixed within Forgejo easily, it has been reported upstream

  
code/actions
Forgejo Actions feature

  
code/api
API

  
code/auth
Forgejo Authentication

  
code/auth/faidp
Forgejo as Identity Provider (in OAuth/OIDC flow)

  
code/auth/farp
Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  
code/email
Everything related to email in Forgejo

  
code/federation
Federation

  
code/git
Related to the Git backend in Forgejo

  
code/migrations
Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  
code/packages
Forgejo package and container registry

  
code/wiki
  
database
MySQL
 https://www.mysql.com/

  
database
PostgreSQL
 https://www.postgresql.org/

  
database
SQLite
 https://sqlite.org/

  
dependency-upgrade
https://codeberg.org/forgejo/forgejo/issues/2779

  
dependency
Chi
 https://github.com/go-chi/chi/

Archived

  
dependency
Chroma
 https://github.com/alecthomas/chroma/

Archived

  
dependency
F3
 https://f3.forgefriends.org/

  
dependency
ForgeFed
 https://forgefed.org

  
dependency
garage
 https://git.deuxfleurs.fr/Deuxfleurs/garage

  
dependency
Gitea
 https://github.com/go-gitea/gitea

Archived

  
dependency
Golang
 https://go.dev/

  
Discussion

   
duplicate
This issue or pull request already exists

  
enhancement/feature
New feature

  
forgejo/accessibility
Accessibility (a11y)

  
forgejo/branding
Branding (logo, name, tagline etc.)

  
forgejo/ci
Forgejo Actions CI configuration

  
forgejo/commit-graph
The commit graph feature and page.

  
forgejo/documentation

   
forgejo/furnace cleanup
Keeping Forgejo in sync with its dependencies and contributing back to them

Archived

  
forgejo/i18n
t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  
forgejo/interop
Interoperability with other services: Webhooks, bridges, integrations

  
forgejo/moderation
Moderation

  
forgejo/privacy
Privacy first

  
forgejo/release
Release management

  
forgejo/scaling
Performance and scaling

  
forgejo/security
Security (please disclose responsibly)

  
forgejo/ui
User interface

  
Gain
High
 User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  
Gain
Nice to have
 This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  
Gain
Undefined
 Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  
Gain
Very High
 User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  
good first issue
Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  
i18n/backport-stable
This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  
impact
large
 Large impact: Potential data loss, many users affected, major degradation in UX.

  
impact
medium
 Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  
impact
small
 Small impact: No data loss, workarounds might be available, affects few users.

  
impact
unknown
 Report was not yet triaged to assess impact.

  
Incompatible license
This pull request contains changes that are not (yet) compatible with the current Forgejo license

  
issue
closed
 The issue was resolved in the repository of the dependency

  
issue
do-not-exist-yet
 An issue should be created in the respository of the dependency

  
issue
open
 An open issue exists in the upstream repository of the dependency

  
manual test
Pull requests that have been merged with a manual test

Archived

  
Manually tested during feature freeze
The manual test instructions were followed

  
OS
FreeBSD
 Specific to the FreeBSD Operating System

  
OS
Linux
 Specific to (GNU/)Linux Operating Systems

  
OS
macOS
 Specific to the MacOS Operating System

  
OS
Windows
 Specific to the Windows Operating System

  
problem
A user report about a problem. Needs to be triaged to find potential solutions.

  
QA

   
regression
found in the version of the milestone and not before

  
release blocker
Issues that must be fixed before the release can be published

  
Release Cycle
Feature Freeze
 Only bug fixes with automated tests (except for CSS/JavaScript)

  
release-blocker
v7.0
 Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Archived

  
release-blocker
v7.0.1
 Issues that must be fixed before Forgejo v7.0.1 can be released

Archived

  
release-blocker
v7.0.2
 Issues that must be fixed before Forgejo v7.0.2 can be released

Archived

  
release-blocker
v7.0.3
 Issues that must be fixed before Forgejo v7.0.3 can be released

Archived

  
release-blocker
v7.0.4
 Issues that must be fixed before Forgejo v7.0.4 can be released

Archived

  
release-blocker
v8.0.0
 Issues that must be fixed before Forgejo v8.0.0 can be released

Archived

  
release-blocker/v9.0.0
Issues that must be fixed before Forgejo v9.0.0 can be released

Archived

  
run-all-playwright-tests
Add this label to a PR to run all playwright tests manually.

  
run-end-to-end-tests
Trigger additional tests on the PR when it is ready to be merged

  
stage
2-research
 Needs research to moe on.

  
stage
3-design
 Needs design to move on

  
stage
4-implementation
 This is actionable and waits for implementation

  
test
manual
 manual testing has been documented

  
test
needed
 test should be added

  
test
needs-help
 help needed to add a test

  
test
not-needed
 no additional test is needed

  
test
present
 test has been added

  
untested
Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Archived

  
User research - time-tracker
Time tracking feature for issues and the JS stopwatch.

  
valuable code
This PR was closed because the implementation is incomplete

  
worth a release-note
Add this PR to the release notes

  
User research - Accessibility
Requires input about accessibility features, likely involves user testing.

  
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.

  
User research - Errors
How to deal with errors in the application and write helpful error messages.

  
User research - Filters
How filter and search is being worked with.

  
User research - Future backlog
The issue might be inspiring for future design work.

  
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc

  
User research - Labels
Active research about Labels

  
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research

  
User research - Needs input
Use this label to let the User Research team know their input is requested.

  
User research - Notifications/Dashboard
Research on how users should know what to do next.

  
User research - Rendering
Text rendering, markup languages etc

  
User research - Repo creation
Active research about the New Repo dialog.

  
User research - Repo units
The repo sections, disabling them and the "Add more" button.

  
User research - Security

   
User research - Settings (in-app)
How to structure in-app settings in the future?

No labels
arch
riscv64
backport/v1.19
backport/v1.20
backport/v1.21/forgejo
backport/v10.0/forgejo
backport/v11.0/forgejo
backport/v12.0/forgejo
backport/v13.0/forgejo
backport/v14.0/forgejo
backport/v15.0/forgejo
backport/v7.0/forgejo
backport/v8.0/forgejo
backport/v9.0/forgejo
breaking
bug
bug
confirmed
bug
duplicate
bug
needs-more-info
bug
new-report
bug
reported-upstream
code/actions
code/api
code/auth
code/auth/faidp
code/auth/farp
code/email
code/federation
code/git
code/migrations
code/packages
code/wiki
database
MySQL
database
PostgreSQL
database
SQLite
dependency-upgrade
dependency
Chi
dependency
Chroma
dependency
F3
dependency
ForgeFed
dependency
garage
dependency
Gitea
dependency
Golang
Discussion
duplicate
enhancement/feature
forgejo/accessibility
forgejo/branding
forgejo/ci
forgejo/commit-graph
forgejo/documentation
forgejo/furnace cleanup
forgejo/i18n
forgejo/interop
forgejo/moderation
forgejo/privacy
forgejo/release
forgejo/scaling
forgejo/security
forgejo/ui
Gain
High
Gain
Nice to have
Gain
Undefined
Gain
Very High
good first issue
i18n/backport-stable
impact
large
impact
medium
impact
small
impact
unknown
Incompatible license
issue
closed
issue
do-not-exist-yet
issue
open
manual test
Manually tested during feature freeze
OS
FreeBSD
OS
Linux
OS
macOS
OS
Windows
problem
QA
regression
release blocker
Release Cycle
Feature Freeze
release-blocker
v7.0
release-blocker
v7.0.1
release-blocker
v7.0.2
release-blocker
v7.0.3
release-blocker
v7.0.4
release-blocker
v8.0.0
release-blocker/v9.0.0
run-all-playwright-tests
run-end-to-end-tests
stage
2-research
stage
3-design
stage
4-implementation
test
manual
test
needed
test
needs-help
test
not-needed
test
present
untested
User research - time-tracker
valuable code
worth a release-note
User research - Accessibility
User research - Blocked
User research - Community
User research - Config (instance)
User research - Errors
User research - Filters
User research - Future backlog
User research - Git workflow
User research - Labels
User research - Moderation
User research - Needs input
User research - Notifications/Dashboard
User research - Rendering
User research - Repo creation
User research - Repo units
User research - Security
User research - Settings (in-app)
Milestone
Clear milestone
No items
No milestone
Forgejo v16.0.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/forgejo!12794
No description provided.