
[release-4.19] OCPBUGS-80420: Bump google.golang.org/grpc to v1.79.3#199

Open
ocp-sustaining-admins wants to merge 2 commits into openshift:release-4.19 from openshift-sustaining:release-4.19_CVE-2026-33186

Conversation


@ocp-sustaining-admins ocp-sustaining-admins commented May 1, 2026

This is an automated PR from the ARC system.

Go version used: go1.23.12

Patch applied: github.com/openshift-sustaining/grpc-go@v1.75.1-sec.1

Modules affected: .

The commands used to generate this PR were:

go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.75.1-sec.1
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

Summary by CodeRabbit

  • Chores
    • Updated Go dependencies to latest versions for improved stability and security.
    • Optimized continuous integration linter configuration to reduce resource consumption during builds.
    • Updated internal import declarations to use standard library components.

@openshift-ci-robot openshift-ci-robot added labels on May 1, 2026:
  • jira/severity-important: the referenced Jira bug's severity is important for the branch this PR is targeting.
  • jira/valid-reference: this PR references a valid Jira ticket of any type.
  • jira/invalid-bug: a referenced Jira bug is invalid for the branch this PR is targeting.

@ocp-sustaining-admins: This pull request references Jira Issue OCPBUGS-80420, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-80420 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented May 1, 2026

Walkthrough

This PR updates Go dependencies to newer versions, adds a gRPC fork override directive, adjusts linter timeout and concurrency settings, and switches the context import in a controller from the external golang.org/x/net/context package to the standard library context.

Changes

Tooling, Dependencies, and Code Modernization

Layer / File(s): Summary

Linter Configuration (.golangci.yaml)
  Lint timeout increases from 4m to 10m and concurrency is set to 2 to manage memory usage in CI.

Dependency Updates and Directives (go.mod)
  Direct dependencies updated: github.com/go-logr/logr (v1.4.2 → v1.4.3), github.com/stretchr/testify (v1.9.0 → v1.10.0), golang.org/x/text (v0.19.0 → v0.26.0). Indirect dependencies bumped across OpenTelemetry, Google, and gRPC modules. Adds a replace directive overriding google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.75.1-sec.1.

Code Modernization (pkg/controller/dynamicrequiredmanifest_controller.go)
  Context import switched from golang.org/x/net/context to the standard library context.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Title check: ⚠️ Warning
  Explanation: The title claims to bump google.golang.org/grpc to v1.79.3, but the actual changes use v1.75.1-sec.1 (a fork from openshift-sustaining/grpc-go), which contradicts the stated version.
  Resolution: Update the PR title to accurately reflect the actual version being used: '[release-4.19] OCPBUGS-80420: Bump google.golang.org/grpc to v1.75.1-sec.1' or clarify the version discrepancy.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


@openshift-ci openshift-ci Bot requested review from dtfranz and joelanford May 1, 2026 17:08
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 1, 2026

openshift-ci Bot commented May 1, 2026

Hi @ocp-sustaining-admins. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ocp-sustaining-admins
Once this PR has been reviewed and has the lgtm label, please assign lalatendumohanty for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MrSanketkumar

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 6, 2026

tmshort commented May 7, 2026

/test lint

@MrSanketkumar

/test lint

@MrSanketkumar

@coderabbitai review


coderabbitai Bot commented May 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 125-126: The go.mod currently pins grpc to the OpenShift fork
github.com/openshift-sustaining/grpc-go v1.75.1-sec.1; confirm whether that fork
contains all post-1.75 security/backport fixes (not just CVE-2026-33186) or
whether the project should instead upgrade to the upstream
google.golang.org/grpc v1.79.3; to fix, audit the fork's changelog/commit
differences against upstream v1.79.3 for any missing CVE fixes and either (a)
document/confirm in the PR that the fork includes all required fixes (reference
github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 and CVE-2026-33186) or (b)
update go.mod to target google.golang.org/grpc v1.79.3 and run go mod tidy and
tests to ensure compatibility.
- Around line 106-111: The listed OpenTelemetry dependencies
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/trace) are pinned to v1.37.0 which is vulnerable;
update these module versions to v1.43.0 (or later) to include the security
fixes, then run module resolution (e.g., go get <module>@v1.43.0 and go mod
tidy) to ensure the go.mod and go.sum are consistent and build passes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 764ccb3c-9104-4472-8525-e49334075296

📥 Commits

Reviewing files that changed from the base of the PR and between efb9139 and 1f32218.

⛔ Files ignored due to path filters (297)
  • go.sum is excluded by !**/*.sum
  • vendor/cel.dev/expr/.bazelversion is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/cloudbuild.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-cmp/cmp/internal/function/func.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-cmp/cmp/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_compare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_forward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_order.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/assertions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/limit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer_provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/get_main_pkgs.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/gen.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/instruments.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/instrument.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/noop/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/renovate.json is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/instrumentation/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/evictedqueue.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampler_env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/internal/http.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/verify_examples.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/verify_readmes.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/cryptobyte/asn1.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/internal/poly1305/sum_asm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/internal/poly1305/sum_loong64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/go17.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/go19.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/pre_go17.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/pre_go19.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_conn_pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/config_go124.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/unencrypted.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/write.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpcommon/ascii.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpcommon/headermap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/websocket/websocket.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/internal/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/internal/oauth2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/internal/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/internal/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/asm_darwin_x86_gc.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_darwin_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gc_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gc_x86.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gccgo_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_loong64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_other_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/syscall_darwin_x86_gc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/auxv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/auxv_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_dragonfly.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • .golangci.yaml
  • go.mod
  • pkg/controller/dynamicrequiredmanifest_controller.go

Comment thread go.mod
Comment on lines +106 to +111
go.opentelemetry.io/otel v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/sdk v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
go.opentelemetry.io/otel/metric v1.37.0 // indirect
go.opentelemetry.io/otel/sdk v1.37.0 // indirect
go.opentelemetry.io/otel/trace v1.37.0 // indirect
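Review bot: the hunk lists go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 and otlptracegrpc v1.27.0 without a v1.37.0 counterpart, while otel, metric, sdk and trace all land on v1.37.0; confirm whether the two exporter modules dropped out of the module graph under `go mod tidy` or whether their bumped lines simply sit outside this excerpt, because otel exporter modules are released alongside the core and a split version set is a common source of vendor/build inconsistencies after a tidy. Every entry here is `// indirect`, so moving past v1.37.0 later (the OSV findings below flag it against three advisories) takes an explicit `go get` of each module, not another tidy.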

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

`What are the first patched versions for:
  1. GHSA-mh2q-q3fh-2475 (go.opentelemetry.io/otel),
  2. GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx (go.opentelemetry.io/otel/sdk)?
Please include official advisories/release notes.`

💡 Result:

First patched versions (per official GitHub security advisories for open-telemetry/opentelemetry-go):

  1. GHSA-mh2q-q3fh-2475 (go.opentelemetry.io/otel) - First patched version: go.opentelemetry.io/otel v1.41.0 [1]
  2. GHSA-9h8m-3fm2-qjrq (go.opentelemetry.io/otel/sdk) - First patched version: go.opentelemetry.io/otel/sdk v1.40.0 [2]
  3. GHSA-hfvc-g4fc-pqhx (go.opentelemetry.io/otel/sdk) - First patched version: Not found in the accessible official advisory/release note sources returned in this research run. (The OpenTelemetry Go security advisories index shows GHSA-hfvc-g4fc-pqhx exists and is published on Apr 8, 2026, but the returned snippets did not include the "Patched versions" field needed to determine the first patched version.) [3][4]

Notes / official advisories referenced:

  • GHSA-mh2q-q3fh-2475 lists patched version v1.41.0 for go.opentelemetry.io/otel. [1]
  • GHSA-9h8m-3fm2-qjrq lists patched version 1.40.0 for go.opentelemetry.io/otel/sdk (macOS/Darwin ioreg PATH hijacking; patched in d45961b released with v1.40.0). [2]
  • The official OpenTelemetry Go security advisory index confirms GHSA-hfvc-g4fc-pqhx is an OpenTelemetry Go advisory published Apr 8, 2026, but the returned excerpt did not expose patched version details. [3][4]

🌐 Web query:

GHSA-mh2q-q3fh-2475 go.opentelemetry.io/otel vulnerability details and severity

💡 Result:

GHSA-mh2q-q3fh-2475 is a high-severity vulnerability in the OpenTelemetry Go SDK (go.opentelemetry.io/otel), specifically in the baggage propagation module. It involves multi-value baggage header extraction causing excessive allocations, enabling remote DoS amplification via specially crafted HTTP requests with many multi-value baggage headers[1][2][3][4]. Severity is HIGH with CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), impacting availability[1][3]. Published on April 7, 2026[1][3]. The vulnerable code is in propagation/baggage.go:58 extractMultiBaggage[3]. Applications using the vulnerable opentelemetry-go library that process inbound HTTP requests are affected[2]. Fix is available; upgrade to patched versions (specific versions not detailed in snippets, check official advisory)[1].

🌐 Web query:

GHSA-hfvc-g4fc-pqhx go.opentelemetry.io/otel/sdk patched version and details

💡 Result:

GHSA-hfvc-g4fc-pqhx is a security advisory for an incomplete fix in go.opentelemetry.io/otel/sdk. It affects versions >= v1.15.0 and <= v1.42.0. The vulnerability allows PATH hijacking on BSD and Solaris platforms because the BSD kenv command in sdk/resource/host_id.go does not use an absolute path (e.g., /bin/kenv), unlike the fixed Darwin ioreg command from prior advisory GHSA-9h8m-3fm2-qjrq (CVE-2026-24051).[1][2][3] The issue was fixed by changing execCommand("kenv",...) to execCommand("/bin/kenv",...) in commit #8113, included in the v1.43.0 release on 2026-04-03.[1][2][4][3] Patched version: v1.43.0 and later.[1][5][2][6]

OpenTelemetry v1.37.0 is vulnerable to three confirmed HIGH-severity security advisories.

The versions pinned here (go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, etc. at v1.37.0) are below patched versions for:

  • GHSA-mh2q-q3fh-2475 (otel v1.37.0 < v1.41.0): Remote DoS via excessive allocations in baggage propagation (CVSS 7.5)
  • GHSA-9h8m-3fm2-qjrq (otel/sdk v1.37.0 < v1.40.0): PATH hijacking on macOS/Darwin via ioreg command
  • GHSA-hfvc-g4fc-pqhx (otel/sdk v1.37.0 < v1.43.0): PATH hijacking on BSD/Solaris via kenv command (incomplete prior fix)

Upgrade to v1.43.0 or later to address all three.

🧰 Tools
🪛 OSV Scanner (2.3.6)

[HIGH] 106-106: go.opentelemetry.io/otel 1.37.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)


[HIGH] 110-110: go.opentelemetry.io/otel/sdk 1.37.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 110-110: go.opentelemetry.io/otel/sdk 1.37.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)


[HIGH] 110-110: go.opentelemetry.io/otel/sdk 1.37.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 106 - 111, the listed OpenTelemetry dependencies
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/trace) are pinned to v1.37.0 which is vulnerable;
update these module versions to v1.43.0 (or later) to include the security
fixes, then run module resolution (e.g., go get <module>@v1.43.0 and go mod
tidy) to ensure the go.mod and go.sum are consistent and build passes.

Comment thread go.mod
Comment on lines +125 to +126
google.golang.org/grpc v1.71.0 // indirect
google.golang.org/protobuf v1.36.6 // indirect
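Review bot: the require line still reads `google.golang.org/grpc v1.71.0 // indirect` while the PR title announces a bump to v1.79.3; as the thread below notes, the effective version comes from the replace directive at line 142 pointing at the v1.75.1-sec.1 fork, so a reader of the require block, or any tooling that ignores replace directives, will still see v1.71.0 and count CVE-2026-33186 as open. Either run `go get google.golang.org/grpc@v1.79.3` so the require line itself carries the fixed version, or add a comment beside the replace naming the CVE and the fork that backports it, so the intent survives the next `go mod tidy`.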

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod grpc lines =="
rg -n 'google\.golang\.org/grpc|openshift-sustaining/grpc-go|replace ' go.mod

echo
echo "== vendor/modules.txt grpc resolution (if vendored) =="
if [ -f vendor/modules.txt ]; then
  rg -n 'google\.golang\.org/grpc|openshift-sustaining/grpc-go' vendor/modules.txt
else
  echo "vendor/modules.txt not present in this checkout."
fi

Repository: openshift/cluster-olm-operator

Length of output: 3598


🏁 Script executed:

# Check for PR or commit metadata that shows the target version
git log --oneline -20 | head -20

Repository: openshift/cluster-olm-operator

Length of output: 110


🏁 Script executed:

# Search for any comments or documentation about the grpc fork choice
rg -i 'v1\.79|v1\.75|grpc-go|openshift-sustaining' --max-count=20 -B2 -A2 go.mod go.sum 2>/dev/null || true

Repository: openshift/cluster-olm-operator

Length of output: 830


🌐 Web query:

github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 CVE security fix

💡 Result:

The OpenShift Sustaining gRPC-Go security fix for v1.75.1-sec.1 is tied to the gRPC authorization-bypass vulnerability published as CVE-2026-33186 (GHSA-p77j-4mvh-x3m3). The upstream fix is included in google.golang.org/grpc v1.79.3, where malformed HTTP/2 :path values missing the leading slash are rejected immediately (Unimplemented), preventing authorization interceptors from evaluating a non-canonical path and bypassing deny rules. [1][2][3]

Evidence and what to do:

  1. Vulnerability description and affected versions: CVE-2026-33186 is an authorization bypass in google.golang.org/grpc resulting from improper input validation of the HTTP/2 :path pseudo-header; affected versions are google.golang.org/grpc < v1.79.3. [1][2]
  2. Upstream/scan-driven fix version: Fix available in grpc v1.79.3 (Kubernetes autoscaler issue referencing the fix). [4]
  3. How OpenShift Sustaining consumes this fix: OpenShift Sustaining PRs explicitly bump google.golang.org/grpc from v1.75.1 to v1.79.3 "to address CVE-2026-33186" (e.g., cluster-monitoring-operator). [5]
  4. Release engineering workflow evidence: The Sustaining bump PRs are generated by running "go get google.golang.org/grpc@v1.79.3" followed by go mod tidy and vendor updates. [6][7]

Practical takeaway (for any component still on v1.75.1-sec.1 / <1.79.3): upgrade google.golang.org/grpc to v1.79.3 (or later) to receive the fix for CVE-2026-33186. [5][4][2]

🌐 Web query:

grpc-go v1.79.3 release security fixes CVE

💡 Result:

grpc-go v1.79.3 was released on 2026-03-17 to fix CVE-2026-33186, a critical authorization bypass vulnerability (CVSS 9.1) in versions prior to 1.79.3 [1][2][3]. The issue allows attackers to bypass path-based authorization rules in interceptors like grpc/authz by sending HTTP/2 requests with malformed :path headers missing the leading slash (e.g., Service/Method instead of /Service/Method). The server routes these requests correctly, but interceptors fail to match "deny" rules on canonical paths, falling back to "allow" if present [2][4][3]. The fix rejects any request without a leading slash in :path with an Unimplemented error before reaching interceptors [1][3]. Affected servers use path-based auth with default-allow policies. Upgrade to v1.79.3 or later [5][6][7].

Verify grpc fork contains all intended CVE fixes or clarify version targeting strategy.

go.mod resolves grpc to github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 (Line 142), a backport of CVE-2026-33186 fixes to grpc v1.75.1. However, the full upstream fix is available in grpc v1.79.3. This gap between the fork (v1.75.1) and upstream (v1.79.3) means post-1.75 security patches are not included. Other OpenShift projects (e.g., cluster-monitoring-operator) directly upgrade to v1.79.3 rather than using the fork. Confirm whether the fork includes all necessary fixes beyond CVE-2026-33186, or whether upgrading to v1.79.3 directly is the intended approach.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 125 - 126, the go.mod currently pins grpc to the
OpenShift fork github.com/openshift-sustaining/grpc-go v1.75.1-sec.1; confirm
whether that fork contains all post-1.75 security/backport fixes (not just
CVE-2026-33186) or whether the project should instead upgrade to the upstream
google.golang.org/grpc v1.79.3; to fix, audit the fork's changelog/commit
differences against upstream v1.79.3 for any missing CVE fixes and either (a)
document/confirm in the PR that the fork includes all required fixes (reference
github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 and CVE-2026-33186) or (b)
update go.mod to target google.golang.org/grpc v1.79.3 and run go mod tidy and
tests to ensure compatibility.
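To make the interceptor-level mismatch described in this thread concrete, here is an added Go example (not grpc-go code and not part of this PR) that models a deny-list authorization policy evaluated against the canonical and the slash-less form of a method path, beside a check shaped like the v1.79.3 rejection; Policy, authorizeVulnerable, authorizeFixed and the admin.Admin/DeleteCluster method are constructed names.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a deliberately small model of a path-based gRPC authorization
// policy, written for this page as an illustration; it is not grpc-go's
// authz package. Deny entries are canonical full method names "/Service/Method".
type Policy struct {
	Deny         []string
	DefaultAllow bool // fall-through decision when no rule matches
}

// Decision names the outcome; the strings mirror gRPC status code names.
type Decision string

const (
	Allow            Decision = "OK"
	PermissionDenied Decision = "PermissionDenied"
	Unimplemented    Decision = "Unimplemented"
)

// authorizeVulnerable evaluates rules on whatever :path the peer sent. Per the
// advisory summary quoted above, "Service/Method" (no leading slash) is still
// routed to the handler, but it never equals the canonical deny entry, so a
// default-allow policy admits it (the CVE-2026-33186 pattern).
func authorizeVulnerable(p Policy, path string) Decision {
	for _, d := range p.Deny {
		if path == d {
			return PermissionDenied
		}
	}
	if p.DefaultAllow {
		return Allow
	}
	return PermissionDenied
}

// authorizeFixed applies the shape of the v1.79.3 fix: a :path that is not a
// canonical "/Service/Method" is rejected with Unimplemented before any rule
// is consulted, so the interceptor only ever sees the path the router uses.
func authorizeFixed(p Policy, path string) Decision {
	if !isCanonicalMethodPath(path) {
		return Unimplemented
	}
	return authorizeVulnerable(p, path)
}

// isCanonicalMethodPath accepts exactly "/<service>/<method>" with both parts
// non-empty; a missing leading slash, extra segments or empty names all fail.
func isCanonicalMethodPath(path string) bool {
	if !strings.HasPrefix(path, "/") {
		return false
	}
	parts := strings.Split(path[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

func main() {
	// Constructed policy: one denied method, everything else allowed.
	p := Policy{Deny: []string{"/admin.Admin/DeleteCluster"}, DefaultAllow: true}
	for _, path := range []string{"/admin.Admin/DeleteCluster", "admin.Admin/DeleteCluster"} {
		fmt.Printf("%-27s vulnerable=%-16s fixed=%s\n", path, authorizeVulnerable(p, path), authorizeFixed(p, path))
	}
}
```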
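Added example, not the project's code, that answers the question this thread raises (which grpc version go.mod actually resolves to): a small stdlib-only scanner that reports a module's require line next to any replace directive covering it; sampleGoMod is a constructed excerpt modelled on the lines quoted above, and effectiveModule/Effective are names chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed excerpt modelled on the lines quoted in the
// review thread; it is not the repository's go.mod.
const sampleGoMod = `module example.com/constructed

require (
	go.opentelemetry.io/otel v1.37.0 // indirect
	google.golang.org/grpc v1.71.0 // indirect
	google.golang.org/protobuf v1.36.6 // indirect
)

replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
`
// Effective is what a go.mod actually resolves a module path to.
type Effective struct {
	Required string // version on the require line, "" if absent
	Indirect bool   // require line carries "// indirect"
	Replaced string // "<path> <version>" from a matching replace, "" if none
}

// effectiveModule is a small line-based scanner written for this page (not
// golang.org/x/mod) that handles single-line and block forms of require and
// replace, including "old vX => new vY" replace directives pinned to a version.
func effectiveModule(gomod, module string) Effective {
	var e Effective
	block := "" // directive name while inside a "( ... )" block
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == ")" {
			block = ""
			continue
		}
		if strings.HasSuffix(line, "(") {
			block = strings.TrimSpace(strings.TrimSuffix(line, "("))
			continue
		}
		f := strings.Fields(line)
		kind := block
		if kind == "" && len(f) > 0 { // single-line form: "require path v..."
			kind, f = f[0], f[1:]
		}
		switch {
		case kind == "require" && len(f) >= 2 && f[0] == module:
			e.Required = f[1]
			e.Indirect = strings.Contains(line, "// indirect")
		case kind == "replace" && len(f) >= 3 && f[0] == module:
			// f is "old [vOld] => new [vNew]"; keep everything after "=>"
			for i, tok := range f {
				if tok == "=>" {
					e.Replaced = strings.Join(f[i+1:], " ")
				}
			}
		}
	}
	return e
}

func main() {
	e := effectiveModule(sampleGoMod, "google.golang.org/grpc")
	fmt.Printf("require %s (indirect=%v) -> effective %q\n", e.Required, e.Indirect, e.Replaced)
}
```

On a real checkout, `go list -m -json google.golang.org/grpc` gives the same answer, with the fork reported in its Replace field.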

@openshift-ci

openshift-ci Bot commented May 8, 2026

@ocp-sustaining-admins: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
