Update vulnerable dependencies [SECURITY]

[pulumi-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/go-git/go-git/v5	indirect	minor	v5.16.5 -> v5.17.1
google.golang.org/grpc	indirect	minor	v1.78.0 -> v1.79.3

GitHub Vulnerability Alerts

CVE-2026-33762

Impact

go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.

An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

go-git maintainers thank @​kq5y for finding and reporting this issue privately to the go-git project.

CVE-2026-33186

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

• v1.79.3
• The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.17.1

Compare Source

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] inhttps://github.com/go-git/go-git/pull/19300
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in https://github.com/go-git/go-git/pull/1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in https://github.com/go-git/go-git/pull/1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] inhttps://github.com/go-git/go-git/pull/18399
• git: worktree, optimize infiles function for very large repos by @​k-anshul in https://github.com/go-git/go-git/pull/1853
• git: Add strict checks for supported extensions by @​pjbgf in https://github.com/go-git/go-git/pull/1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in https://github.com/go-git/go-git/pull/1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in https://github.com/go-git/go-git/pull/1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

grpc/grpc-go (google.golang.org/grpc)

v1.79.3: Release 1.79.3

Compare Source

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#​8981)

v1.79.2: Release 1.79.2

Compare Source

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (https://github.com/grpc/grpc-go/pull/8874)

v1.79.1: Release 1.79.1

Compare Source

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (https://github.com/grpc/grpc-go/pull/8902)

v1.79.0: Release 1.79.0

Compare Source

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#​8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#​8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#​8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#​8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#​8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#​8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#​8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#​8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#​8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#​8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#​8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#​8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#​8791)
• mem: Optimize pooling and creation of buffer objects. (#​8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#​8797)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Does the PR have any schema changes?

Found 1 breaking change:

Functions

• 🔴 "xyz:index/dataSource:DataSource" missing

New functions:

• index/getDataSource.getDataSource

Maintainer note: consult the runbook for dealing with any breaking changes.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (4bdc7e6) to head (b5ed293).

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #483   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines         61      61           
=====================================
  Misses        61      61           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pulumi-renovate]

ℹ Artifact update notice

File name: examples/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-git/go-billy/v5	v5.6.2 -> v5.8.0

File name: provider/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-git/go-billy/v5	v5.6.2 -> v5.8.0