
fix(cli): bump grpc-go v1.79.3 -- CVE-2026-33186 auth bypass #574

Merged
Aureliolo merged 2 commits into main from fix/bump-grpc-go-cve-33186
Mar 19, 2026

Conversation

@Aureliolo
Owner

Summary

  • Bump google.golang.org/grpc v1.79.2 -> v1.79.3 (indirect dep via sigstore-go)
  • Fixes CVE-2026-33186: authorization bypass via missing leading slash in :path header (critical severity)
  • Not exploitable in this CLI (no gRPC server exposed), but clears the Dependabot alert
  • Dependabot can't auto-PR indirect Go deps -- manual bump required

Test plan

  • go test ./... passes (all 11 packages)
  • Patch version bump only -- no API changes

🤖 Generated with Claude Code


Authorization bypass via missing leading slash in :path header.
Critical severity, patched in v1.79.3. Indirect dep via sigstore-go
(not exploitable in this CLI -- no gRPC server exposed), but bumping
to clear the Dependabot alert.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
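The page states only the bug class: an authorization bypass because the `:path` pseudo-header lacked its leading slash. The Go model below is an added example, not grpc-go's transport or `authz` code and not this project's CLI code; it assumes the general shape of that class of bug (a router that tolerates a missing slash while the policy matches on the raw path string) and every name in it (`Request`, `Policy`, `vulnerableServe`, `hardenedServe`, the service and method names) is invented for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Request carries the two request attributes this model cares about: the raw
// HTTP/2 :path pseudo-header and the authenticated principal. Constructed for
// this example; these are not grpc-go's transport types.
type Request struct {
	Path      string
	Principal string
}

// Policy is a deny-then-allow policy: a request whose full method name starts
// with a deny prefix is refused; otherwise any authenticated principal may call
// anything. Constructed model, not the grpc-go authz policy schema.
type Policy struct {
	DenyPrefixes []string
}

var (
	ErrDenied  = errors.New("permission denied")
	ErrBadPath = errors.New("malformed :path: must be /service/method")
	ErrNoRoute = errors.New("unimplemented method")
)

// Decide evaluates the policy against whatever string it is handed. It has no
// opinion about canonical form, which is exactly the weakness being modelled.
func (p Policy) Decide(fullMethod, principal string) error {
	for _, pre := range p.DenyPrefixes {
		if strings.HasPrefix(fullMethod, pre) {
			return ErrDenied
		}
	}
	if principal == "" {
		return ErrDenied
	}
	return nil
}

// handlers maps canonical full method names to handler labels (invented).
var handlers = map[string]string{
	"/admin.Service/Reset": "admin-reset",
	"/public.Service/Ping": "ping",
}

// lenientRoute tolerates a missing leading slash: "admin.Service/Reset" and
// "/admin.Service/Reset" reach the same handler. Assumption of the model: the
// router is more forgiving than the authorization layer.
func lenientRoute(path string) (string, error) {
	h, ok := handlers["/"+strings.TrimPrefix(path, "/")]
	if !ok {
		return "", ErrNoRoute
	}
	return h, nil
}

// vulnerableServe authorizes on the raw :path and then routes leniently. A
// slashless path matches no deny prefix (they all begin with "/"), passes the
// authenticated-principal check, and is still dispatched to the handler.
func vulnerableServe(p Policy, r Request) (string, error) {
	if err := p.Decide(r.Path, r.Principal); err != nil {
		return "", err
	}
	return lenientRoute(r.Path)
}

// hardenedServe rejects any :path that is not already canonical before either
// the policy or the router sees it, so both layers evaluate the same string.
func hardenedServe(p Policy, r Request) (string, error) {
	if !strings.HasPrefix(r.Path, "/") || strings.Count(r.Path, "/") != 2 {
		return "", ErrBadPath
	}
	if err := p.Decide(r.Path, r.Principal); err != nil {
		return "", err
	}
	h, ok := handlers[r.Path]
	if !ok {
		return "", ErrNoRoute
	}
	return h, nil
}

var examplePolicy = Policy{DenyPrefixes: []string{"/admin.Service/"}}

func main() {
	for _, r := range []Request{
		{Path: "/admin.Service/Reset", Principal: "bob"},
		{Path: "admin.Service/Reset", Principal: "bob"},
		{Path: "/public.Service/Ping", Principal: "bob"},
	} {
		v, verr := vulnerableServe(examplePolicy, r)
		h, herr := hardenedServe(examplePolicy, r)
		fmt.Printf("%-24q vulnerable=%q/%v hardened=%q/%v\n", r.Path, v, verr, h, herr)
	}
}
```

The design point is that canonicalisation happens once, at the edge, before any consumer: if routing and authorization each normalise on their own terms, any difference between them is an attacker-controlled gap. Rejecting non-canonical input outright (rather than silently fixing it) also keeps the malformed request visible in logs.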
@github-actions
Contributor

github-actions bot commented Mar 19, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score
gomod/google.golang.org/grpc | 1.79.3 | 🟢 7.7

Details

Check | Score | Reason
Code-Review | 🟢 10 | all changesets reviewed
Maintained | 🟢 10 | 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Packaging | ⚠️ -1 | packaging workflow not detected
Security-Policy | 🟢 9 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Binary-Artifacts | 🟢 10 | no binaries found in the repo
License | 🟢 10 | license file detected
Fuzzing | 🟢 10 | project is fuzzed
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
SAST | 🟢 7 | SAST tool detected but not run on all commits

Scanned Files

  • cli/go.mod
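The check a reviewer of this bump wants is that the go.mod actually requires google.golang.org/grpc at or above the fixed version, including when the line sits in a `require` block and carries an `// indirect` comment, as it does here. The Go program below is an added example, not the project's tooling or the Dependency Review action: `sampleGoMod` is a constructed excerpt in the shape of a go.mod (the cobra and sigstore-go versions in it are invented; only the grpc line mirrors the PR), and the function names are this example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed excerpt in the shape of a go.mod file; it is
// not the project's cli/go.mod. Only the grpc line mirrors the PR.
const sampleGoMod = `module example.com/cli

go 1.26

require (
	github.com/spf13/cobra v1.9.1
	github.com/sigstore/sigstore-go v1.1.0
)

require (
	google.golang.org/grpc v1.79.3 // indirect
	golang.org/x/net v0.40.0 // indirect
)
`

// requiredVersion returns the version a go.mod requires for module, scanning
// both single-line and block `require` directives and ignoring comments.
func requiredVersion(gomod, module string) (string, bool) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// parseSemver splits "vMAJOR.MINOR.PATCH" into integers. A pre-release or
// build suffix is dropped, which treats "v1.80.0-rc1" as v1.80.0; that is an
// overstatement per semver but adequate for a patch-level floor check.
// Pseudo-versions are out of scope and return an error.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

// atLeast reports whether have >= want under numeric semver ordering.
func atLeast(have, want string) (bool, error) {
	h, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	w, err := parseSemver(want)
	if err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

var ErrNotRequired = errors.New("module not required by this go.mod")

// checkFixed answers the review question for one advisory: does this go.mod
// require module at or above the version that carries the fix?
func checkFixed(gomod, module, fixed string) (bool, error) {
	have, ok := requiredVersion(gomod, module)
	if !ok {
		return false, ErrNotRequired
	}
	return atLeast(have, fixed)
}

func main() {
	ok, err := checkFixed(sampleGoMod, "google.golang.org/grpc", "v1.79.3")
	fmt.Println("grpc-go at or above v1.79.3:", ok, err)
}
```

In a real checkout, `go list -m google.golang.org/grpc` prints the version the build actually resolves after `replace` directives and minimal version selection are applied, and that is the authoritative answer; the parser above is for scanning a go.mod in CI without invoking the toolchain, and it deliberately fails (rather than passing) on a version string it cannot parse.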

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a critical security update by bumping an indirect gRPC dependency to mitigate a known authorization bypass vulnerability. While the immediate impact on this specific CLI is minimal due to its architecture, the update ensures compliance with security best practices and resolves automated security alerts, maintaining the project's integrity.

Highlights

  • Dependency Update: The google.golang.org/grpc dependency has been bumped from version v1.79.2 to v1.79.3.
  • Security Fix: This update addresses CVE-2026-33186, which is an authorization bypass vulnerability related to a missing leading slash in the :path header.
  • Impact Assessment: Although the vulnerability is critical, it is noted that this specific CLI is not exploitable as it does not expose a gRPC server. The update primarily serves to clear a Dependabot alert.
  • Manual Intervention: The dependency update was performed manually because Dependabot is unable to automatically create pull requests for indirect Go dependencies.

@gemini-code-assist
Contributor

gemini-code-assist bot left a comment

Code Review

This pull request correctly bumps the google.golang.org/grpc dependency to v1.79.3 to address a reported security vulnerability. The changes in go.mod and go.sum are appropriate for this update. However, the CVE identifier CVE-2026-33186 referenced in the pull request title and description appears to be invalid, as its year is in the future. For accurate security tracking and maintainability, this should be corrected to the valid CVE identifier for the vulnerability being addressed.

@coderabbitai

coderabbitai bot commented Mar 19, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 5bfc2c6 and a49ee0b.

⛔ Files ignored due to path filters (1)
  • cli/go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • cli/go.mod
📜 Recent review details
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to cli/** : CLI: Go 1.26+, dependencies in cli/go.mod (Cobra, charmbracelet/huh).
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-19T09:01:47.243Z
Learning: Applies to go.mod : Maintain Go 1.26+ requirement. Dependencies: Cobra (CLI framework), charmbracelet/huh and charmbracelet/lipgloss (UI), sigstore-go (code signing), go-containerregistry (container image verification), go-tuf (TUF client for Sigstore).
🔇 Additional comments (1)
cli/go.mod (1)

112-112: Security patch bump looks correct and scoped.

Updating google.golang.org/grpc to v1.79.3 as an indirect dependency is appropriate for the CVE remediation objective, and the change is narrowly scoped in go.mod.

Based on learnings: Maintain Go 1.26+ requirement. Dependencies: Cobra (CLI framework), charmbracelet/huh and charmbracelet/lipgloss (UI), sigstore-go (code signing), go-containerregistry (container image verification), go-tuf (TUF client for Sigstore).


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated a dependency to the latest patch version.

Walkthrough

Updated the indirect Go module dependency google.golang.org/grpc from version v1.79.2 to v1.79.3 in the CLI module. No logic, control flow, or public API changes are involved.

Changes

Cohort / File(s) | Summary
Dependency Version Update: cli/go.mod | Bumped google.golang.org/grpc indirect dependency from v1.79.2 to v1.79.3.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: bumping grpc-go to v1.79.3 and the security CVE it addresses.
Description check | ✅ Passed | The description is clearly related to the changeset, providing context about the dependency bump, CVE details, and test results.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@Aureliolo Aureliolo merged commit f0171c9 into main Mar 19, 2026
36 checks passed
@Aureliolo Aureliolo deleted the fix/bump-grpc-go-cve-33186 branch March 19, 2026 09:11
Aureliolo added a commit that referenced this pull request Mar 19, 2026
🤖 I have created a release *beep* *boop*
---

## [0.3.6](v0.3.5...v0.3.6) (2026-03-19)


### Features

* **cli:** add backup subcommands (backup, backup list, backup restore) ([#568](#568)) ([4c06b1d](4c06b1d))
* **engine:** implement execution loop auto-selection based on task complexity ([#567](#567)) ([5bfc2c6](5bfc2c6))

### Bug Fixes

* activate structured logging pipeline -- wire 8-sink system, integrate Uvicorn, suppress spam ([#572](#572)) ([9b6bf33](9b6bf33))
* **cli:** bump grpc-go v1.79.3 -- CVE-2026-33186 auth bypass ([#574](#574)) ([f0171c9](f0171c9))
* resolve OpenAPI schema validation warnings for union/optional fields ([#558](#558)) ([5d96b2b](5d96b2b))

### CI/CD

* bump codecov/codecov-action from 5.5.2 to 5.5.3 in the minor-and-patch group ([#571](#571)) ([267f685](267f685))
* ignore chainguard/python in Dependabot docker updates ([#575](#575)) ([1935eaa](1935eaa))

### Maintenance

* bump the major group across 1 directory with 2 updates ([#570](#570)) ([b98f82c](b98f82c))
* bump the minor-and-patch group across 2 directories with 4 updates ([#569](#569)) ([3295168](3295168))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
