
OCPBUGS-85650: bump gRPC-Go package #1156

Open

jhadvig wants to merge 1 commit into openshift:main from jhadvig:OCPBUGS-83941

Conversation

@jhadvig (Member) commented May 14, 2026

Analysis / Root cause:
CVE-2026-33186 — gRPC-Go versions prior to v1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. Requests with a non-canonical path (missing the leading /) bypass "deny" rules in path-based authorization interceptors. The console-operator does not directly use gRPC (it's an indirect dependency via library-go/apiserver), so the practical risk is low, but the dependency must be bumped per Red Hat security tracking requirements.

Solution description:
Bump google.golang.org/grpc from v1.72.2 to v1.79.3 and re-vendor. This also upgrades transitive dependencies (otel, protobuf, golang.org/x/* packages) as required by the new gRPC version.

Test setup:
No special setup required.

Test cases:

  • make test-unit — all tests pass
  • gofmt check — clean
  • govet check — clean

Browser conformance:
N/A — no UI changes.

Additional info:
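An added illustration of the failure mode the analysis above describes; this is not code from this PR, from gRPC-Go, or from console-operator. It places a hypothetical path-based deny-rule check that matches the :path value exactly as received (and so falls through to allow when the leading slash is missing) beside a hardened version that validates the path form first and fails closed. Policy, naiveDecide, canonicalPath, hardenedDecide and the sample paths are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the outcome of evaluating one request path against the policy.
type Decision string

const (
	Allow  Decision = "allow"
	Deny   Decision = "deny"
	Reject Decision = "reject" // malformed :path, refused before any rule runs
)

// Policy is a hypothetical path-based authorization policy (not gRPC-Go's
// own type): method-path prefixes that must be denied, written in canonical
// form, i.e. starting with "/".
type Policy struct {
	DenyPrefixes []string
}

// naiveDecide models the fragile pattern: the :path value is matched against
// the deny prefixes exactly as received. A path that lacks the leading "/"
// matches no deny rule, so the check falls through to Allow (fail open).
func naiveDecide(p Policy, path string) Decision {
	for _, prefix := range p.DenyPrefixes {
		if strings.HasPrefix(path, prefix) {
			return Deny
		}
	}
	return Allow
}

// canonicalPath validates the :path pseudo-header before any policy runs.
// A gRPC method path must have the form "/<service>/<method>" with both
// segments non-empty; anything else (missing leading slash, empty or extra
// segments) is reported as an error so the caller can fail closed.
func canonicalPath(path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("non-canonical :path %q: missing leading '/'", path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed :path %q: want /<service>/<method>", path)
	}
	return path, nil
}

// hardenedDecide refuses to evaluate policy on a non-canonical path: the
// request is rejected outright instead of silently becoming Allow.
func hardenedDecide(p Policy, path string) Decision {
	canon, err := canonicalPath(path)
	if err != nil {
		return Reject
	}
	return naiveDecide(p, canon)
}

func main() {
	// Constructed sample policy: deny everything under the admin service.
	policy := Policy{DenyPrefixes: []string{"/admin.Service/"}}
	// Constructed sample paths: canonical, missing leading slash, and unrelated.
	for _, path := range []string{"/admin.Service/Reset", "admin.Service/Reset", "/public.Service/Get"} {
		fmt.Printf("%-22s naive=%-6s hardened=%s\n",
			path, naiveDecide(policy, path), hardenedDecide(policy, path))
	}
}
```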

@openshift-ci-robot added labels May 14, 2026: jira/severity-important (Referenced Jira bug's severity is important for the branch this PR is targeting), jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type), jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting).

@openshift-ci-robot (Contributor) commented:

@jhadvig: This pull request references Jira Issue OCPBUGS-83941, which is invalid:

  • expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai (Bot) commented May 14, 2026

Walkthrough

This PR updates the Go module manifest to bump indirect dependencies across multiple libraries: CEL expressions from v0.24.0 to v0.25.1, OpenTelemetry SDK and auto-instrumentation to v1.2.1 and v1.39.0 respectively, standard library extensions (crypto, net, oauth2, sync, sys, term, text), and Google Cloud/gRPC packages including grpc to v1.79.3 and protobuf to v1.36.10.

Changes

Dependency Version Updates

  • go.mod (CEL expressions and OpenTelemetry module upgrades): cel.dev/expr bumped to v0.25.1; OpenTelemetry auto/sdk and otel core/metric/sdk/trace submodules updated to v1.2.1 and v1.39.0 respectively.
  • go.mod (Standard library extensions and Google Cloud packages): golang.org/x/* (crypto, net, oauth2, sync, sys, term, text) packages updated to newer patch/minor versions; google.golang.org/grpc updated from v1.72.2 to v1.79.3; google.golang.org/protobuf updated from v1.36.8 to v1.36.10; google.golang.org/genproto/googleapis API and RPC modules updated to new commits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • Ote Binary Stdout Contract: ❌ Error. PR adds test/e2e/main_test.go with TestMain() containing 6 fmt.Print/Printf calls writing to stdout, violating OTE Binary Stdout Contract for process-level code. Resolution: Replace all fmt.Print*/Printf calls with fmt.Fprintf(os.Stderr,...) or os.Stderr writes in TestMain and waitForOperator functions.
  • Title check: ⚠️ Warning. The title references 'OCPBUGS-85650' but the PR objectives indicate the actual issue is 'OCPBUGS-83941', creating a mismatch between the stated problem and the title. Resolution: Update the PR title to reference the correct issue 'OCPBUGS-83941' to maintain consistency with the actual PR objectives and tracking system.

✅ Passed checks (10 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. This PR only modifies go.mod/go.sum (dependency versions). The repository uses standard Go testing framework, not Ginkgo. No Ginkgo test names exist to validate against the custom check.
  • Test Structure And Quality: ✅ Passed. Custom check not applicable. PR only modifies go.mod (dependency bump for gRPC-Go CVE fix). No test code files or Ginkgo test blocks were modified, so test structure quality requirements do not apply.
  • Microshift Test Compatibility: ✅ Passed. This PR contains only dependency updates in go.mod/go.sum. No new Ginkgo e2e tests are added. The existing e2e tests use standard Go testing.T pattern, not Ginkgo. The custom check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. Custom check not applicable. PR adds standard Go tests (50+ TestXxx functions), not Ginkgo e2e tests. Check targets Ginkgo tests with It(), Describe(), Context(), When() patterns - none found.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. Custom check not applicable. PR only modifies go.mod/go.sum (dependency versions), not deployment manifests, operator code, or controllers. No scheduling constraints introduced.
  • Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. This PR only modifies go.mod dependencies and adds no Ginkgo e2e tests. The custom check for IPv6 and disconnected network compatibility is not applicable when no e2e tests are added.
  • Description check: ✅ Passed. The PR description includes all required template sections with relevant details about the CVE, solution, test cases, and additional info.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from TheRealJon and spadgett May 14, 2026 13:17
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@jhadvig (Member, Author) commented May 14, 2026

/assign @TheRealJon

@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

106-107: Cross-repository version coordination needed.

The linked repository openshift/console still vendors google.golang.org/grpc at v1.72.2 and google.golang.org/protobuf at v1.36.8 (the pre-patch versions). Consider coordinating this security fix across related OpenShift repositories to ensure consistent vulnerability remediation.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 85: The go.mod currently pins go.opentelemetry.io/otel at v1.39.0 which
has multiple HIGH severity vulnerabilities; update the module versions in go.mod
so that go.opentelemetry.io/otel is bumped to at least v1.41.0 and
go.opentelemetry.io/otel/sdk is bumped to at least v1.43.0 (or later), then run
go mod tidy to refresh the sum file and vendor if used; ensure imports
referencing go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk compile
cleanly and run tests to verify no breaking API changes.

---

Nitpick comments:
In `@go.mod`:
- Around line 106-107: The go.mod bump updated google.golang.org/grpc to v1.79.3
and google.golang.org/protobuf to v1.36.10 to address security fixes, but
related repo openshift/console still vendors grpc@v1.72.2 and protobuf@v1.36.8;
update the corresponding go.mod and vendor state in the openshift/console
repository (and any other dependent OpenShift repos) so they require
google.golang.org/grpc v1.79.3 and google.golang.org/protobuf v1.36.10 (or a
consistent patched version), run module tidy/vendor refresh to propagate
changes, and ensure CI passes to verify the coordinated vulnerability
remediation for the symbols google.golang.org/grpc and
google.golang.org/protobuf.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 985514c2-6e80-4c70-8171-d14a053f699f

📥 Commits

Reviewing files that changed from the base of the PR and between ee0e804 and 39004a7.

⛔ Files ignored due to path filters (230)
  • vendor/google.golang.org/grpc/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (1)
  • go.mod
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{go,mod,sum}

📄 CodeRabbit inference engine (AGENTS.md)

Use Go version 1.24.0 (toolchain: go1.24.4) for the OpenShift Console Operator project

Files:

  • go.mod
**/{Makefile,*.mk,go.mod}

📄 CodeRabbit inference engine (AGENTS.md)

Use GOFLAGS="-mod=vendor" for all builds and tests to ensure vendored dependencies are used

Files:

  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 85-85: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)


[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)


[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🔀 Multi-repo context openshift/console

[::openshift/console::] vendor/modules.txt — lists google.golang.org/grpc at v1.72.2 (entries around lines ~970–1032) and google.golang.org/protobuf at v1.36.8 (entries around lines ~1032–1075).
[::openshift/console::] vendor/google.golang.org/grpc/internal/transport/http2_server.go — imports google.golang.org/grpc/internal/grpcutil and google.golang.org/protobuf/proto (shows vendored gRPC/HTTP2 server transport code).
[::openshift/console::] vendor/google.golang.org/grpc/server.go — gRPC server implementation present in vendor.
[::openshift/console::] vendor/google.golang.org/grpc/clientconn.go — gRPC client connection code present in vendor.
[::openshift/console::] vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go and vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/*.pb.go — generated protobuf code referencing google.golang.org/protobuf types.

Reflection: the repository contains vendored gRPC and protobuf modules (currently older versions), plus generated protos under vendor. These files indicate consumers/build artifacts that would be affected if a dependency like google.golang.org/grpc or google.golang.org/protobuf is upgraded in a related repo — but I did not find non-vendor direct references outside vendor to grpc (search results are from vendor). All findings above are from the openshift/console vendor tree.

🔇 Additional comments (2)
go.mod (2)

31-31: LGTM!

Also applies to: 82-82, 88-88, 90-90, 96-102, 104-105, 107-107


106-106: gRPC version v1.79.3 correctly addresses CVE-2026-33186.

The authorization bypass vulnerability (improper validation of HTTP/2 :path pseudo-header) is fixed in v1.79.3, which rejects non-canonical paths missing the leading slash.

Comment thread go.mod
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.36.0 // indirect
go.opentelemetry.io/otel v1.39.0 // indirect
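Review bot: the `go.opentelemetry.io/otel` line in this hunk moves from v1.36.0 to v1.39.0, and v1.39.0 is exactly the version the OSV Scanner output earlier in this review flags for GHSA-mh2q-q3fh-2475 (patched in v1.41.0 according to the web-query result quoted in this thread), so the hunk closes the gRPC CVE while leaving a scanner-visible otel finding in place; if the transitive bump cannot be raised to v1.41.0 or later here, a sentence in the PR description recording that the indirect finding is accepted (and why) would keep it from resurfacing as a fresh blocker on the next scan.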
⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for security advisories and latest versions of OpenTelemetry packages

echo "=== Checking go.opentelemetry.io/otel ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "go.opentelemetry.io/otel") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Checking go.opentelemetry.io/otel/sdk ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/console-operator

Length of output: 1057


🌐 Web query:

OpenTelemetry Go GHSA-mh2q-q3fh-2475 GHSA-9h8m-3fm2-qjrq patched versions

💡 Result:

Patched (fixed) OpenTelemetry Go versions for the two GHSA advisories: 1) GHSA-9h8m-3fm2-qjrq (CVE-2026-24051, PATH hijacking on macOS/Darwin) - Vulnerable range: >= 1.21.0, <= 1.39.0. - Patched in: v1.40.0 (introduced with patch commit d45961b). [1] 2) GHSA-mh2q-q3fh-2475 (multi-value baggage header extraction causing excessive allocations / remote DoS amplification) - Vulnerable range: >= v1.36.0, <= v1.40.0. - Patched in: v1.41.0 and later. [2] Recommendation: upgrade to at least v1.40.0 for the PATH hijacking issue and to at least v1.41.0 if you want to be safe against both issues simultaneously. [1][2]

Citations:


🏁 Script executed:

#!/bin/bash
# Check the actual go.mod file for OpenTelemetry versions
sed -n '80,95p' go.mod

Repository: openshift/console-operator

Length of output: 960


Upgrade OpenTelemetry packages to address HIGH severity vulnerabilities.

The current versions (v1.39.0) contain multiple HIGH severity vulnerabilities:

  • GHSA-mh2q-q3fh-2475: Remote DoS amplification via multi-value baggage header extraction — patched in v1.41.0
  • PATH hijacking (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq): Arbitrary Code Execution via unsafe PATH handling in SDK — patched in v1.40.0
  • GHSA-hfvc-g4fc-pqhx: BSD kenv command PATH hijacking enabling code execution — patched in v1.43.0

Upgrade go.opentelemetry.io/otel to v1.41.0 or later and go.opentelemetry.io/otel/sdk to v1.43.0 or later to address all issues.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 85-85: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 85, The go.mod currently pins go.opentelemetry.io/otel at
v1.39.0 which has multiple HIGH severity vulnerabilities; update the module
versions in go.mod so that go.opentelemetry.io/otel is bumped to at least
v1.41.0 and go.opentelemetry.io/otel/sdk is bumped to at least v1.43.0 (or
later), then run go mod tidy to refresh the sum file and vendor if used; ensure
imports referencing go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk
compile cleanly and run tests to verify no breaking API changes.

@jhadvig jhadvig changed the title OCPBUGS-83941: bump gRPC-Go package OCPBUGS-85650: bump gRPC-Go package May 14, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 14, 2026
@openshift-ci-robot
Contributor

@jhadvig: This pull request references Jira Issue OCPBUGS-85650, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary by CodeRabbit

  • Chores
  • Updated project dependencies to newer stable versions, including expression evaluation and observability libraries for improved compatibility and latest feature support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jhadvig jhadvig assigned jhadvig and Leo6Leo and unassigned TheRealJon May 14, 2026
@Leo6Leo
Contributor

Leo6Leo commented May 14, 2026

The description hasn't been updated, the correct Jira issue should be:
5.0: https://redhat.atlassian.net/browse/OCPBUGS-85650

The old link is pointing to 4.22

@jhadvig

@openshift-ci-robot
Contributor

@jhadvig: This pull request references Jira Issue OCPBUGS-85650, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@jhadvig
Member Author

jhadvig commented May 14, 2026

@Leo6Leo updated 🫡

@Leo6Leo
Contributor

Leo6Leo commented May 14, 2026

Verified on OCP 4.23 nightly (4.23.0-0.nightly-2026-05-14-045943):

  • make, make test-unit, gofmt, govet — all pass
  • go mod verify — all modules verified
  • Built container image from PR branch and deployed to cluster
  • Operator starts cleanly, acquires leader lease, all controllers sync
  • ClusterOperator status: Available=True, Progressing=False, Degraded=False, Upgradeable=True
  • Console pods (2 replicas + 2 downloads) healthy, no runtime errors

/lgtm
/verified by @Leo6Leo

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 14, 2026
@openshift-ci-robot
Contributor

@Leo6Leo: This PR has been marked as verified by @Leo6Leo.


@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, Leo6Leo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD ee0e804 and 2 for PR HEAD 39004a7 in total

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented May 15, 2026

@jhadvig: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name             Commit   Details  Required  Rerun command
ci/prow/e2e-gcp-ovn   39004a7  link     true      /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
