OCPBUGS-83941: bump gRPC-Go package

[jhadvig]

Analysis / Root cause:
CVE-2026-33186 — gRPC-Go versions prior to v1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path
pseudo-header. Requests with a non-canonical path (missing the leading /) bypass "deny" rules in path-based authorization interceptors. The
console-operator does not directly use gRPC (it's an indirect dependency via library-go/apiserver), so the practical risk is low, but the dependency
must be bumped per Red Hat security tracking requirements.

Solution description:
Bump google.golang.org/grpc from v1.72.2 to v1.79.3 and re-vendor. This also upgrades transitive dependencies (otel, protobuf, golang.org/x/*
packages) as required by the new gRPC version.

Test setup:
No special setup required.

Test cases:

• make test-unit — all tests pass
• gofmt check — clean
• govet check — clean

Browser conformance:
N/A — no UI changes.

Additional info:

• Jira: https://redhat.atlassian.net/browse/OCPBUGS-83941
• CVE: CVE-2026-33186
• Fixed upstream in gRPC-Go v1.79.3

/assign @Leo6Leo

Summary by CodeRabbit

• Chores
  • Updated core dependencies including expression evaluation, observability, and supporting libraries to latest stable versions for improved system stability and compatibility.

[openshift-ci-robot]

@jhadvig: This pull request references Jira Issue OCPBUGS-83941, which is invalid:

• expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:
CVE-2026-33186 — gRPC-Go versions prior to v1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path
pseudo-header. Requests with a non-canonical path (missing the leading /) bypass "deny" rules in path-based authorization interceptors. The
console-operator does not directly use gRPC (it's an indirect dependency via library-go/apiserver), so the practical risk is low, but the dependency
must be bumped per Red Hat security tracking requirements.

Solution description:
Bump google.golang.org/grpc from v1.72.2 to v1.79.3 and re-vendor. This also upgrades transitive dependencies (otel, protobuf, golang.org/x/*
packages) as required by the new gRPC version.

Test setup:
No special setup required.

Test cases:

• make test-unit — all tests pass
• gofmt check — clean
• govet check — clean

Browser conformance:
N/A — no UI changes.

Additional info:

• Jira: https://redhat.atlassian.net/browse/OCPBUGS-83941
• CVE: CVE-2026-33186
• Fixed upstream in gRPC-Go v1.79.3

/assign @Leo6Leo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR updates module dependency versions in go.mod: CEL expression library to v0.25.1, OpenTelemetry packages to v1.39.0/v1.34.0-series releases, and several utility modules from golang.org/x and google.golang.org to newer versions. No functional code or exported entity changes.

Changes

Dependency Version Updates

Layer / File(s)	Summary
CEL expression library go.mod	cel.dev/expr updated from v0.24.0 to v0.25.1.
OpenTelemetry ecosystem go.mod	OpenTelemetry packages (go.opentelemetry.io/auto/sdk, otel, otel/metric, otel/sdk, otel/trace) and OTLP exporter/trace packages bumped to v1.39.0/v1.34.0-series versions.
Standard library and Google utilities go.mod	golang.org/x/* modules (crypto, net, oauth2, sync, sys, term, text), google.golang.org/genproto, google.golang.org/grpc, and google.golang.org/protobuf advanced to newer releases.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	The PR introduces test/e2e/main_test.go with 6 fmt.Print*/Println calls in TestMain() that violate OTE stdout contract by corrupting JSON output to openshift-tests.	Replace all fmt.Printf/Println calls in TestMain() and waitForOperator() with os.Stderr writes or remove them entirely. Use fmt.Fprintf(os.Stderr, ...) instead of fmt.Printf/Println.
Topology-Aware Scheduling Compatibility	⚠️ Warning	PR removes DualReplicaTopologyMode from ShouldDeployHA(), reducing console deployment from 2 to 1 replica on Two-Node Fixed (TNF) topology, breaking HA requirements for that topology.	Restore DualReplicaTopologyMode check in ShouldDeployHA() function to maintain 2-replica HA deployment on DualReplica topologies. Verify TNF topology support with CI jobs before merging.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: bumping the gRPC-Go package to address CVE-2026-33186, with proper Jira issue prefix.
Description check	✅ Passed	The description follows the template and provides all critical sections: root cause analysis of CVE-2026-33186, solution details, test results, and relevant references.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Repository does not use Ginkgo framework. All tests use standard Go testing with static, deterministic names. PR only updates Go dependencies.
Test Structure And Quality	✅ Passed	Ginkgo test quality check not applicable. Repository uses standard Go testing (func Test*), not Ginkgo BDD-style. Check targets Ginkgo patterns which don't exist here.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added. The PR adds standard Go testing framework tests (TestXxx with testing.T), not Ginkgo tests. The custom check specifically applies to Ginkgo tests and is not applicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. The test/e2e files use standard Go testing.T pattern, not Ginkgo patterns (g.It, g.Describe, etc.). The custom check is only applicable to Ginkgo tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Check not applicable: The custom check applies only to new Ginkgo e2e test additions. This PR only updates go.mod dependency versions with no test code changes.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jhadvig]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 85-90: The OpenTelemetry modules in go.mod
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace and the
exporters otlptrace and otlptrace/otlptracegrpc) are pinned to vulnerable
v1.34.0–v1.39.0 releases; update all these module versions to v1.43.0 or later
(ensure otlptrace and otlptrace/otlptracegrpc are also bumped from v1.34.0) in
go.mod, then run module resolution (e.g., go get <module>@v1.43.0 and go mod
tidy) and run the build/tests to confirm no regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c1080aa0-85b3-4ab3-a3a6-4ca07c583fc9

📥 Commits

Reviewing files that changed from the base of the PR and between ee0e804 and 85247a9.

⛔ Files ignored due to path filters (230)

• go.sum is excluded by !**/*.sum
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/internal/http.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/gzip/gzip.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/interceptor.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/experimental.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffers.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/handlers.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{go,mod,sum}

📄 CodeRabbit inference engine (AGENTS.md)

Use Go version 1.24.0 (toolchain: go1.24.4) for the OpenShift Console Operator project

Files:

• go.mod

**/{Makefile,*.mk,go.mod}

📄 CodeRabbit inference engine (AGENTS.md)

Use GOFLAGS="-mod=vendor" for all builds and tests to ensure vendored dependencies are used

Files:

• go.mod

🪛 OSV Scanner (2.3.8)

go.mod

[HIGH] 85-85: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🔀 Multi-repo context openshift/console

Findings

openshift/console

• go.mod currently pins google.golang.org/grpc v1.72.2 (indirect). [::openshift/console::go.mod:206]
• vendor/modules.txt and vendor/ show vendored grpc v1.72.2 and many grpc packages under vendor/google.golang.org/grpc/* — indicates grpc is vendored at v1.72.2. [::openshift/console::vendor/modules.txt:970][::openshift/console::vendor/google.golang.org/grpc/README.md:44]
• Generated protobuf gRPC client usage: vendor/github.com/operator-framework/operator-registry/pkg/api/registry_grpc.pb.go imports grpc/codes/status — a consumer of grpc APIs. [::openshift/console::vendor/github.com/operator-framework/operator-registry/pkg/api/registry_grpc.pb.go:11-13]
• Other vendored consumers/reference points to grpc types (examples):
  • vendor/github.com/containerd/containerd/errdefs/grpc.go imports grpc codes/status. [::openshift/console::vendor/github.com/containerd/containerd/errdefs/grpc.go:24-25]
  • Multiple internal grpc usages in vendored grpc implementation (e.g., internal/transport/http2_server.go) — shows codepaths dealing with HTTP/2 handling are present in vendored grpc. [::openshift/console::vendor/google.golang.org/grpc/internal/transport/http2_server.go:38-55]
• go.opentelemetry.io/otel changelog notes exporter code moved to grpc.NewClient and DialContext deprecation; updates to grpc may affect otel exporters behavior/options. [::openshift/console::vendor/go.opentelemetry.io/otel/CHANGELOG.md:429-431]

Implication: The console repo currently uses vendored grpc v1.72.2; bumping grpc to v1.79.3 (as in the console-operator PR) would update many transitive packages (otel, protobuf, golang.org/x/*) and may require re-vendoring and verifying generated gRPC clients and OTEL exporters for any API/behavior changes (HTTP/2 handling, Dial vs NewClient). Specific files referenced above are direct consumers to review after bump.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Querying OSV for go.opentelemetry.io/otel@v1.39.0 and go.opentelemetry.io/otel/sdk@v1.39.0"
curl -s https://api.osv.dev/v1/querybatch \
  -H 'Content-Type: application/json' \
  -d '{
    "queries": [
      {"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"},"version":"1.39.0"},
      {"package":{"name":"go.opentelemetry.io/otel/sdk","ecosystem":"Go"},"version":"1.39.0"}
    ]
  }' | jq '.results[]?.vulns[] | {id, summary, affected: .affected}'

Repository: openshift/console-operator

Length of output: 446

---

🏁 Script executed (no clone):

#!/bin/bash
# Get detailed information about the flagged vulnerabilities
for vuln_id in "GHSA-mh2q-q3fh-2475" "GHSA-9h8m-3fm2-qjrq" "GHSA-hfvc-g4fc-pqhx" "GO-2026-4394"; do
  echo "=== Checking $vuln_id ==="
  curl -s "https://api.osv.dev/v1/query" \
    -H 'Content-Type: application/json' \
    -d "{\"query\": \"$vuln_id\"}" | jq '.vulns[0] | {id, summary, affected: .affected}' 2>/dev/null || echo "Error fetching $vuln_id"
  echo ""
done

Length of output: 400

---

🏁 Script executed:

#!/bin/bash
# Check the actual go.mod file at the lines mentioned in the review
echo "=== Checking go.mod lines 85-90 ==="
sed -n '80,95p' go.mod | cat -n
echo ""
echo "=== Full go.mod to see context ==="
head -110 go.mod | tail -30

Repository: openshift/console-operator

Length of output: 2711

---

🏁 Script executed (no clone):

#!/bin/bash
# Try alternative OSV query format and check Go's official vulnerability database
echo "=== Trying different OSV query format ==="
curl -s "https://api.osv.dev/v1/query" \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"}}' | jq '.vulns[] | {id, summary}' 2>/dev/null | head -20

echo ""
echo "=== Checking for known advisories via web ==="
# Search for otel v1.39.0 vulnerabilities more broadly
curl -s "https://vuln.go.dev/?q=go.opentelemetry.io/otel" 2>/dev/null | head -100

Length of output: 1809

---

🏁 Script executed:

#!/bin/bash
# Check what versions the console repo uses for comparison
echo "=== OpenTelemetry versions in openshift/console ==="
grep -A 2 "go.opentelemetry.io/otel" go.mod 2>/dev/null | head -20
echo ""
echo "=== Check if there are vendor advisories or security notes ==="
if [ -f "vendor/modules.txt" ]; then
  grep "go.opentelemetry.io/otel" vendor/modules.txt | head -10
fi

Repository: openshift/console

Length of output: 771

---

🏁 Script executed (no clone):

#!/bin/bash
# Get detailed vulnerability information with affected ranges
echo "=== Detailed vulnerability info ==="
curl -s "https://api.osv.dev/v1/query" \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"}}' | jq '.vulns[] | {id, summary, affected_ranges: .affected[].ranges}' 2>/dev/null

echo ""
echo "=== Check v1.39.0 specifically against known CVEs ==="
# Try to get json data on these specific IDs from GitHub Advisory API
for vuln in "GHSA-mh2q-q3fh-2475" "GHSA-9h8m-3fm2-qjrq" "GHSA-hfvc-g4fc-pqhx" "GO-2026-4394"; do
  echo "Checking $vuln..."
  curl -s "https://api.github.com/advisories/$vuln" 2>/dev/null | jq '{id: .ghsa_id, summary: .summary, affected: .vulnerabilities[0].vulnerable_version_range, patched: .vulnerabilities[0].patched_versions}' 2>/dev/null | head -5
  echo ""
done

Length of output: 603

---

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation or changelog about these updates
echo "=== Check for CHANGELOG or release notes about otel bump ==="
find . -iname "CHANGELOG*" -o -iname "CHANGES*" -o -iname "release*" | head -5

echo ""
echo "=== Check git history for context on this otel bump ==="
git log --oneline -20 -- go.mod 2>/dev/null | head -10

Repository: openshift/console-operator

Length of output: 481

---

🏁 Script executed (no clone):

#!/bin/bash
# Check all otel packages for vulnerabilities
echo "=== Querying all go.opentelemetry.io packages ==="
for pkg in "go.opentelemetry.io/otel" "go.opentelemetry.io/otel/sdk" "go.opentelemetry.io/otel/metric" "go.opentelemetry.io/otel/trace"; do
  echo "Package: $pkg"
  curl -s "https://api.osv.dev/v1/query" \
    -H 'Content-Type: application/json' \
    -d "{\"package\":{\"name\":\"$pkg\",\"ecosystem\":\"Go\"}}" | jq '.vulns[] | {id, summary, fixed_in: .affected[0].ranges[0].events[] | select(.fixed) | .fixed}' 2>/dev/null
  echo ""
done

Length of output: 913

---

🏁 Script executed:

#!/bin/bash
# Confirm all the otel versions in the PR
echo "=== All OpenTelemetry versions in this PR's go.mod ==="
grep "go.opentelemetry.io" go.mod

Repository: openshift/console-operator

Length of output: 762

---

Bump OpenTelemetry to v1.43.0+ to avoid introducing multiple vulnerabilities.

Lines 85, 88-90 introduce go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk at v1.39.0, which contain multiple high-severity vulnerabilities:

• GHSA-mh2q-q3fh-2475: Remote DoS amplification via multi-value baggage header extraction (fixed in v1.41.0)
• GHSA-9h8m-3fm2-qjrq & GO-2026-4394: Arbitrary code execution via PATH hijacking (fixed in v1.40.0)
• GHSA-hfvc-g4fc-pqhx: BSD kenv command not using absolute path (fixed in v1.43.0)

Bump all OpenTelemetry packages to v1.43.0+ to resolve these before merge. Note: Line 87 (otlptrace v1.34.0) may also need verification against the same advisories.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 85-85: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

---

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 85 - 90, The OpenTelemetry modules in go.mod
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace and the
exporters otlptrace and otlptrace/otlptracegrpc) are pinned to vulnerable
v1.34.0–v1.39.0 releases; update all these module versions to v1.43.0 or later
(ensure otlptrace and otlptrace/otlptracegrpc are also bumped from v1.34.0) in
go.mod, then run module resolution (e.g., go get <module>@v1.43.0 and go mod
tidy) and run the build/tests to confirm no regressions.

[Leo6Leo]

The target branch should be release-4.22 instead of main.

[openshift-ci-robot]

@jhadvig: This pull request references Jira Issue OCPBUGS-83941, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-83941 to depend on a bug targeting a version in 5.0.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Analysis / Root cause:
CVE-2026-33186 — gRPC-Go versions prior to v1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path
pseudo-header. Requests with a non-canonical path (missing the leading /) bypass "deny" rules in path-based authorization interceptors. The
console-operator does not directly use gRPC (it's an indirect dependency via library-go/apiserver), so the practical risk is low, but the dependency
must be bumped per Red Hat security tracking requirements.

Solution description:
Bump google.golang.org/grpc from v1.72.2 to v1.79.3 and re-vendor. This also upgrades transitive dependencies (otel, protobuf, golang.org/x/*
packages) as required by the new gRPC version.

Test setup:
No special setup required.

Test cases:

• make test-unit — all tests pass
• gofmt check — clean
• govet check — clean

Browser conformance:
N/A — no UI changes.

Additional info:

• Jira: https://redhat.atlassian.net/browse/OCPBUGS-83941
• CVE: CVE-2026-33186
• Fixed upstream in gRPC-Go v1.79.3

/assign @Leo6Leo

Summary by CodeRabbit

• Chores
• Updated core dependencies including expression evaluation, observability, and supporting libraries to latest stable versions for improved system stability and compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jhadvig]

/retest

[openshift-ci]

@jhadvig: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.