chore: fix CVE-2026-33186 for grpc go below 1.80.1

[Skarlso]

What this PR does / why we need it

Fixes CVE-2026-33186 for grpc go below 1.80.1 version throughout the entire monorepo.

Which issue(s) this PR fixes

Testing

How to test the changes

Verification

• I have added/updated tests for my changes (see Test Requirements)
• Tests pass locally (task test and task test/integration if applicable)
• If touching multiple modules, go work is enabled (see go.work)
• My changes do not decrease test coverage
• I have tested the changes locally by running ocm

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	e3ff57c
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69fae44bf08fbe0008389981
😎 Deploy Preview	https://deploy-preview-2443--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f0edacdf-7719-4ac8-9f8a-ed13cedbdffe

📥 Commits

Reviewing files that changed from the base of the PR and between f7d1087 and e3ff57c.

⛔ Files ignored due to path filters (9)

• bindings/go/examples/go.sum is excluded by !**/*.sum
• bindings/go/helm/go.sum is excluded by !**/*.sum
• bindings/go/oci/integration/go.sum is excluded by !**/*.sum
• bindings/go/transfer/go.sum is excluded by !**/*.sum
• bindings/go/transfer/integration/go.sum is excluded by !**/*.sum
• cli/go.sum is excluded by !**/*.sum
• cli/integration/go.sum is excluded by !**/*.sum
• kubernetes/controller/go.sum is excluded by !**/*.sum
• website/hack/generate-cli-docs/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• bindings/go/examples/go.mod
• bindings/go/helm/go.mod
• bindings/go/oci/integration/go.mod
• bindings/go/transfer/go.mod
• bindings/go/transfer/integration/go.mod
• cli/go.mod
• cli/integration/go.mod
• kubernetes/controller/go.mod
• website/hack/generate-cli-docs/go.mod

---

📝 Walkthrough

Walkthrough

Go module dependencies are updated across nine files in bindings and CLI directories, bumping security and compatibility packages (crypto, net, gRPC, OpenTelemetry) to newer versions and adding indirect dependencies for OpenTelemetry SDK, YAML serialization, and Google Protobuf tooling. A new replace directive for ThalesIgnite/crypto11 is added in the Kubernetes controller module.

Changes

Dependency Version Updates

Layer / File(s)	Summary
Direct dependency bumps bindings/go/examples/go.mod, bindings/go/helm/go.mod, bindings/go/oci/integration/go.mod, bindings/go/transfer/go.mod, bindings/go/transfer/integration/go.mod, cli/go.mod, cli/integration/go.mod, kubernetes/controller/go.mod, website/hack/generate-cli-docs/go.mod	golang.org/x/crypto upgraded from v0.48.0–v0.49.0 to v0.50.0 across all modules. golang.org/x/net bumped to v0.53.0; golang.org/x/term to v0.42.0; golang.org/x/text to v0.36.0; google.golang.org/grpc to v1.81.0; google.golang.org/genproto/googleapis/rpc to v0.0.0-20260504160031-60b97b32f348.
New indirect dependencies bindings/go/examples/go.mod, bindings/go/transfer/go.mod, cli/go.mod, cli/integration/go.mod, kubernetes/controller/go.mod	OpenTelemetry stack (otel, otel/metric, otel/sdk, otel/sdk/metric, otel/trace) v1.43.0; YAML serialization (go.yaml.in/yaml/v2, v3); golang.org/x/exp, golang.org/x/oauth2, golang.org/x/sync, golang.org/x/sys, golang.org/x/time; google.golang.org/genproto/googleapis/api.
Module replacement directive kubernetes/controller/go.mod	New replace rule: github.com/ThalesIgnite/crypto11 => github.com/ThalesGroup/crypto11 v1.6.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• open-component-model/open-component-model#2237: Dependency updates to the same Go modules with overlapping version targets.

Suggested labels

kind/chore, kind/dependency, size/l

Suggested reviewers

• frewilhelm
• morri-son
• fabianburth

Poem

🐰 Hops through go.mod with glee,
Security bumps for all to see,
Otel and gRPC find their way,
Dependencies dance in bright array!
Thump thump – a safer build today! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: upgrading grpc-go and related dependencies to fix CVE-2026-33186 across the monorepo.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the CVE fix and providing testing guidance aligned with the dependency updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}