OCPBUGS-83940: bump gRPC-Go to v1.79.3

[jhadvig]

Analysis / Root cause:

CVE-2026-33186: gRPC-Go versions prior to 1.79.3 accept HTTP/2 requests where the :path pseudo-header omits the mandatory leading slash (e.g.,
Service/Method instead of /Service/Method). Authorization interceptors evaluate the raw, non-canonical path string, so "deny" rules for canonical
paths fail to match — enabling an authorization bypass.

The console backend pulls google.golang.org/grpc as an indirect dependency (no console Go code imports it directly). Practical risk is low, but
the bump is required for CVE compliance on the openshift4/ose-console-rhel9 component.

Solution description:

• Bump google.golang.org/grpc from v1.72.2 to v1.79.3 (the fixed version)
• Re-vendor dependencies (transitive updates: cel-go, OpenTelemetry, oauth2, protobuf)

Test cases:

• Backend builds successfully (go build ./cmd/... ./pkg/...)
• Backend tests pass (go test ./pkg/... ./cmd/...)
• No code changes beyond dependency bump — no functional changes to verify

/assign @Leo6Leo

[openshift-ci-robot]

@jhadvig: This pull request references Jira Issue OCPBUGS-83940, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-83940 to depend on a bug targeting a version in 5.0.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:

CVE-2026-33186: gRPC-Go versions prior to 1.79.3 accept HTTP/2 requests where the :path pseudo-header omits the mandatory leading slash (e.g.,
Service/Method instead of /Service/Method). Authorization interceptors evaluate the raw, non-canonical path string, so "deny" rules for canonical
paths fail to match — enabling an authorization bypass.

The console backend pulls google.golang.org/grpc as an indirect dependency (no console Go code imports it directly). Practical risk is low, but
the bump is required for CVE compliance on the openshift4/ose-console-rhel9 component.

Solution description:

• Bump google.golang.org/grpc from v1.72.2 to v1.79.3 (the fixed version)
• Re-vendor dependencies (transitive updates: cel-go, OpenTelemetry, oauth2, protobuf)

Test cases:

• Backend builds successfully (go build ./cmd/... ./pkg/...)
• Backend tests pass (go test ./pkg/... ./cmd/...)
• No code changes beyond dependency bump — no functional changes to verify

/assign @Leo6Leo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Leo6Leo: This PR has been marked as verified by @Leo6Leo.

Details

In response to this:

Built the console backend from this branch and ran it against a live OCP 4.23 nightly cluster (4.23.0-0.nightly-2026-05-14-045943).

Build & Static Checks:

• go build ./cmd/... ./pkg/... — clean
• go vet ./cmd/... ./pkg/... — clean
• go mod verify — all modules verified
• go test ./pkg/... ./cmd/... -short — all pass (pre-existing helm/actions failure unrelated, requires local Zot registry)

/lgtm
/verified by @Leo6Leo
/label backport-risk-assessed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, Leo6Leo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jhadvig]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Leo6Leo]

Built the console backend from this branch and ran it against a live OCP 4.23 nightly cluster (4.23.0-0.nightly-2026-05-14-045943).

Build & Static Checks:

• go build ./cmd/... ./pkg/... — clean
• go vet ./cmd/... ./pkg/... — clean
• go mod verify — all modules verified
• go test ./pkg/... ./cmd/... -short — all pass (pre-existing helm/actions failure unrelated, requires local Zot registry)

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 3e866b8 and 2 for PR HEAD d47df8b in total

[openshift-ci]

@jhadvig: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jhadvig: Jira Issue OCPBUGS-83940: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

• openshift/console#16442 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-83940 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Analysis / Root cause:

CVE-2026-33186: gRPC-Go versions prior to 1.79.3 accept HTTP/2 requests where the :path pseudo-header omits the mandatory leading slash (e.g.,
Service/Method instead of /Service/Method). Authorization interceptors evaluate the raw, non-canonical path string, so "deny" rules for canonical
paths fail to match — enabling an authorization bypass.

The console backend pulls google.golang.org/grpc as an indirect dependency (no console Go code imports it directly). Practical risk is low, but
the bump is required for CVE compliance on the openshift4/ose-console-rhel9 component.

Solution description:

• Bump google.golang.org/grpc from v1.72.2 to v1.79.3 (the fixed version)
• Re-vendor dependencies (transitive updates: cel-go, OpenTelemetry, oauth2, protobuf)

Test cases:

• Backend builds successfully (go build ./cmd/... ./pkg/...)
• Backend tests pass (go test ./pkg/... ./cmd/...)
• No code changes beyond dependency bump — no functional changes to verify

/assign @Leo6Leo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.