
chore(deps): Bump go 1.25.0 and google.golang.org/grpc >= 1.79.3 to fix CVE-2026-33186 #6421

Merged
ntkathole merged 1 commit into feast-dev:master from patelchaitany:fix/CVE-2026-33186-grpc-go
May 21, 2026

Conversation

@patelchaitany
Contributor

Summary

  • Upgrade Go version from 1.24.12 to 1.25.0 in infra/feast-operator/go.mod
  • Bump google.golang.org/grpc from v1.68.1 to v1.79.3 to fix CVE-2026-33186 (authorization bypass due to improper HTTP/2 :path validation)
  • Regenerated go.sum with transitive dependency updates

Context

CVE-2026-33186 affects gRPC-Go servers using path-based authorization interceptors. While the feast-operator uses grpc only as an indirect/transitive dependency (via controller-runtime → k8s.io/apiserver) and only in client mode, the container image scanner flags the version. This bump clears the scanner finding.

Ref: RHOAIENG-55304

Test plan

  • make fmt passes
  • make vet passes
  • make lint passes (0 issues)
  • make test passes (all operator unit tests green)
  • CI tests pass

Made with Cursor
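A version bump like the one described above is the kind of change a reviewer or a CI gate wants to verify mechanically rather than by eye: does the declared go.mod requirement for google.golang.org/grpc now sit at or above v1.79.3, the version this PR names as fixed? The Go program below is an added example for this thread, not code from the feast-operator repository or from the PR. It scans go.mod text for the grpc requirement (both the single-line and block `require` forms, ignoring `// indirect` markers) and compares it against the fixed version with a small semver comparison that treats a pre-release as below its release. The embedded go.mod is a constructed sample; its module path and the versions of the other listed dependencies are assumptions, not the operator's real values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod (NOT the feast-operator's real file): the module
// path and the non-grpc versions are made up for this example.
const sampleGoMod = `module example.com/constructed/feast-operator

go 1.25.0

require (
	google.golang.org/grpc v1.79.3 // indirect
	sigs.k8s.io/controller-runtime v0.20.4
)

require google.golang.org/protobuf v1.36.5 // indirect
`

// MinFixedGRPC is the fixed version stated in the PR for CVE-2026-33186.
const MinFixedGRPC = "v1.79.3"

const grpcModule = "google.golang.org/grpc"

// RequiredVersion returns the version go.mod requires for module, handling
// both `require path vX` and block `require ( ... )` forms. Trailing
// comments such as `// indirect` are stripped before the line is split.
func RequiredVersion(goMod, module string) (string, bool) {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue // module/go/replace/exclude lines are not requirements
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric core
// and pre-release tag. Build metadata is ignored, as semver requires.
func parseSemver(v string) ([3]int, string, error) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, "", fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, "", fmt.Errorf("bad version component %q", p)
		}
		core[i] = n
	}
	return core, pre, nil
}

// AtLeast reports whether have >= want. A pre-release such as v1.79.3-rc1
// sorts below v1.79.3 and so does not count as fixed; two pre-releases of the
// same core are compared as plain strings, a simplification adequate here.
func AtLeast(have, want string) (bool, error) {
	hc, hp, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	wc, wp, err := parseSemver(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if hc[i] != wc[i] {
			return hc[i] > wc[i], nil
		}
	}
	switch {
	case hp == wp, hp == "": // identical, or release vs pre-release
		return true, nil
	case wp == "":
		return false, nil
	}
	return hp >= wp, nil
}

// CheckGRPC applies the gate to one go.mod and returns (fixed, message).
// A go.mod that does not require grpc at all has nothing to flag.
func CheckGRPC(goMod string) (bool, string) {
	v, ok := RequiredVersion(goMod, grpcModule)
	if !ok {
		return true, grpcModule + " is not required; nothing to check"
	}
	fixed, err := AtLeast(v, MinFixedGRPC)
	if err != nil {
		return false, fmt.Sprintf("cannot parse %s version %q: %v", grpcModule, v, err)
	}
	if !fixed {
		return false, fmt.Sprintf("%s %s is below the fixed version %s (CVE-2026-33186)", grpcModule, v, MinFixedGRPC)
	}
	return true, fmt.Sprintf("%s %s >= %s: fixed", grpcModule, v, MinFixedGRPC)
}

func main() {
	fixed, msg := CheckGRPC(sampleGoMod)
	fmt.Println(fixed, msg)
}
```

The textual scan checks what the file declares, which is what the PR changed; the version the build actually selects can differ once `replace` directives and minimal version selection are applied, so in the real module directory confirm with `go list -m google.golang.org/grpc`, and let `govulncheck` report whether the resulting binary still reaches affected code.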

@patelchaitany patelchaitany requested a review from a team as a code owner May 20, 2026 09:44
@patelchaitany patelchaitany force-pushed the fix/CVE-2026-33186-grpc-go branch from 6317a6a to 468bc6c May 20, 2026 09:47
@patelchaitany patelchaitany changed the title chore(deps): bump go 1.25.0 and google.golang.org/grpc >= 1.79.3 to fix CVE-2026-33186 chore(deps): Bump go 1.25.0 and google.golang.org/grpc >= 1.79.3 to fix CVE-2026-33186 May 20, 2026
@patelchaitany patelchaitany force-pushed the fix/CVE-2026-33186-grpc-go branch from 468bc6c to 502238a May 20, 2026 09:51
@ntkathole ntkathole force-pushed the fix/CVE-2026-33186-grpc-go branch from 502238a to c9ce501 May 21, 2026 05:05
@ntkathole
Member

@patelchaitany good to update CI ymls as well to use the updated go version

.github/workflows/release.yml
.github/workflows/registry-rest-api-tests.yml
.github/workflows/pr_local_integration_tests.yml

@ntkathole
Member

Also, check if the go toolset version needs to be updated in
infra/feast-operator/Dockerfile and
infra/feast-operator/Dockerfile.cross

@patelchaitany patelchaitany force-pushed the fix/CVE-2026-33186-grpc-go branch 2 times, most recently from 3e8a7ca to c1e5700 May 21, 2026 06:07
CVE-2026-33186

Upgrade Go version from 1.24.12 to 1.25.0 and bump google.golang.org/grpc
from v1.68.1 to v1.79.3 in the feast-operator to address CVE-2026-33186
(gRPC-Go authorization bypass due to improper HTTP/2 path validation).

Updated:
- infra/feast-operator/go.mod (go directive and grpc dep)
- infra/feast-operator/Dockerfile (go-toolset:1.24 -> 1.25)
- All CI workflow files (go-version: 1.25.0)

Ref: RHOAIENG-55304
Signed-off-by: Chaitany patel <[email protected]>
Co-authored-by: Cursor <[email protected]>
@patelchaitany patelchaitany force-pushed the fix/CVE-2026-33186-grpc-go branch from c1e5700 to 7fa3553 May 21, 2026 06:23
@ntkathole ntkathole merged commit 7ab3502 into feast-dev:master May 21, 2026
27 checks passed

2 participants