From 6a393428da698c3d4fa19f7746b6c963d2fe28eb Mon Sep 17 00:00:00 2001
From: Jon Rogers <67245+devnullvoid@users.noreply.github.com>
Date: Tue, 24 Mar 2026 19:03:16 -0400
Subject: [PATCH 1/2] fix: bump grpc for CVE-2026-33186

---
 CHANGELOG.md | 4 ++++
 go.mod       | 2 +-
 go.sum       | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8584d3d..d694cfe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- **gRPC Security Update**: Upgraded indirect dependency `google.golang.org/grpc` from `v1.79.1` to `v1.79.3` to address CVE-2026-33186, an authorization bypass in HTTP/2 `:path` pseudo-header validation.
+
 ## [1.3.0] - 2026-03-21
 
 ### Added
diff --git a/go.mod b/go.mod
index 4f4ef3b..750e762 100644
--- a/go.mod
+++ b/go.mod
@@ -169,7 +169,7 @@ require (
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/grpc v1.79.1 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
 )
diff --git a/go.sum b/go.sum
index be61e92..19aa064 100644
--- a/go.sum
+++ b/go.sum
@@ -548,6 +548,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
 google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

From 9ae3c79590069749199c8138434c5f4435b9c7b9 Mon Sep 17 00:00:00 2001
From: devnullvoid <67245+devnullvoid@users.noreply.github.com>
Date: Tue, 24 Mar 2026 23:04:37 +0000
Subject: [PATCH 2/2] chore(nix): update vendorHash

---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index b47aed1..451fbdd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,7 +17,7 @@
 
           src = self;
 
-          vendorHash = "sha256-8o3HvWPSNrrKipjiE/Qqu3CRUtzHQTt0i6fpgpN433U=";
+          vendorHash = "sha256-ocvTfV9JNG7ZTkWKEYEPW6HlLHOjk12gLjUExNcoZeM=";
 
           subPackages = [ "cmd/pvetui" ];