[master] MGMT-23665: CVE-2026-33186 Bump google.golang.org/grpc to v1.79.3 using replace directive (api module) #10081
|
@cve-automation[bot]: This pull request references MGMT-23665 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set. |
|
Important: Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped: only excluded labels are configured. (1) |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cve-automation[bot]

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing |
|
/retest |
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #10081   +/-   ##
=======================================
  Coverage   44.17%   44.17%
=======================================
  Files         416      416
  Lines       72404    72404
=======================================
  Hits        31985    31985
  Misses      37522    37522
  Partials     2897     2897
|
|
/test verify-deps |
|
/override ci/prow/e2e-agent-compact-ipv4 |
|
@gamli75: Overrode contexts on behalf of gamli75: ci/prow/e2e-agent-compact-ipv4 |
|
@cve-automation[bot]: The following tests failed, say |
Bump google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 using a replace directive

Strategy Selection
Strategies Not Applicable
Direct dependency version bump
Not applicable: dependency is indirect. Direct version bumps only work for explicitly required modules.
Direct dependency major version upgrade
Not applicable: dependency is indirect. Major version upgrades only apply to direct dependencies.
Indirect dependency fix via parent update
github.com/openshift/custom-resource-status
github.com/openshift/hive/apis
Indirect to direct dependency conversion
Attempted to pin google.golang.org/grpc to a fixed version, but Go reverted it to indirect at v1.27.0. No other module requires this version directly, so the explicit requirement was automatically removed by Go's module resolution.
✓ Successful Strategy: Replace directive workaround
Added replace directive to override module resolution. Used as last resort when standard updates fail.
https://redhat.atlassian.net/browse/MGMT-23665
https://redhat.atlassian.net/browse/MGMT-23664
This PR was automatically generated by the CVE Automation tool.
For questions or issues, reach out in #cve-automation.
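
A check a reviewer could run on the resulting go.mod to confirm that the replace directive, not the indirect requirement at v1.27.0, decides which google.golang.org/grpc version is built. This is an added example, not code from the PR or the CVE Automation tool; the sample go.mod, the module path example.test/api and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod: hypothetical module path, versions as named in the PR.
const sampleGoMod = "module example.test/api\n\nrequire (\n\tgoogle.golang.org/grpc v1.27.0 // indirect\n)\n\n" +
	"replace google.golang.org/grpc => google.golang.org/grpc v1.79.3\n"

// effectiveVersion returns mod's version as the main module builds it; version-qualified replaces are ignored (fail closed).
func effectiveVersion(gomod, mod string) (version string, replaced bool) {
	block := ""
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == ")" || (len(f) == 2 && f[1] == "("):
			block = strings.TrimSuffix(f[0], ")") // ")" closes a block, "require (" opens one
		case block != "":
			f = append([]string{block}, f...) // block entry -> single-line form
		}
		switch n := len(f); {
		case n < 3 || f[1] != mod:
		case f[0] == "require" && !replaced:
			version = f[2]
		case f[0] == "replace" && f[2] == "=>" && n >= 4:
			version, replaced = strings.Join(f[4:], ""), true // f[4] is the pinned version; "" for a local path
		}
	}
	return
}

// atLeast reports whether v >= floor by vMAJOR.MINOR.PATCH; a pre-release of floor sorts below it.
func atLeast(v, floor string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(floor, "v%d.%d.%d", &b[0], &b[1], &b[2])
	if a != b {
		return a[0] > b[0] || a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] > b[2])
	}
	return !strings.Contains(v, "-")
}

func main() {
	v, replaced := effectiveVersion(sampleGoMod, "google.golang.org/grpc")
	fmt.Println(v, replaced, atLeast(v, "v1.79.3"))
}
```

Go applies replace directives only from the main module's go.mod, so a project that imports this module as a dependency resolves google.golang.org/grpc from its own requirements and needs its own bump or replace.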