chore(deps): Bump google.golang.org/grpc from 1.80.0 to 1.81.1 #596

Merged: HerbHall merged 1 commit into main from dependabot/go_modules/google.golang.org/grpc-1.81.1 on Jun 2, 2026

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Bumps google.golang.org/grpc from 1.80.0 to 1.81.1.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

  • xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)

Bug Fixes

  • otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

  • balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

  • Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

  • xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
  • transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
  • xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

  • grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
  • xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
  • xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
  • xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
  • stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
  • mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)

Performance Improvements

  • alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
  • transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)
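The xds/rbac fix in the 1.81.1 release notes above, as an added example that is not part of this pull request and is not grpc-go's code: a simplified model of principal-name matching that compares trying every identity source with using only the first non-empty one. The names `identitySources`, `matchPrincipal` and `sampleCert` are hypothetical, the certificate is constructed, and exact string comparison stands in for the policy's string matcher.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
)

// identitySources returns the certificate's identities in the order the
// release note names them: URI SANs, DNS SANs, then the Subject DN.
func identitySources(c *x509.Certificate) [][]string {
	uris := make([]string, 0, len(c.URIs))
	for _, u := range c.URIs {
		uris = append(uris, u.String())
	}
	return [][]string{uris, c.DNSNames, {c.Subject.String()}}
}

// matchPrincipal compares want with the peer identity. fallThrough=true models
// the pre-fix behaviour; false consults only the first non-empty source.
func matchPrincipal(c *x509.Certificate, want string, fallThrough bool) bool {
	for _, src := range identitySources(c) {
		for _, id := range src {
			if id == want {
				return true
			}
		}
		if len(src) > 0 && !fallThrough {
			return false
		}
	}
	return false
}

// sampleCert is constructed for this example: a SPIFFE-style URI SAN plus a
// Subject DN that equals a principal name an RBAC policy might allow.
func sampleCert() *x509.Certificate {
	u, _ := url.Parse("spiffe://example.test/ns/dev/sa/batch")
	return &x509.Certificate{
		URIs:    []*url.URL{u},
		Subject: pkix.Name{CommonName: "admin"},
	}
}

func main() {
	fmt.Println("fall-through:", matchPrincipal(sampleCert(), "CN=admin", true))
	fmt.Println("first non-empty:", matchPrincipal(sampleCert(), "CN=admin", false))
}
```

A certificate with no SANs still matches on its Subject DN in both modes, so policies written against DNs keep working for peers that carry no URI or DNS identity.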

@dependabot dependabot Bot added chore Maintenance, refactor, tooling, dependencies dependencies Dependency updates labels May 18, 2026
@dependabot dependabot Bot requested a review from HerbHall as a code owner May 18, 2026 17:35

dependabot Bot commented on behalf of github Jun 1, 2026

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

HerbHall commented Jun 2, 2026

@dependabot squash and merge

HerbHall commented Jun 2, 2026

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.81.1 branch from e27d33f to ca8cc8c Compare June 2, 2026 22:27

HerbHall commented Jun 2, 2026

@dependabot squash and merge

HerbHall commented Jun 2, 2026

@dependabot squash and merge

@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.81.1 branch from ca8cc8c to 49c7989 Compare June 2, 2026 22:46
HerbHall added a commit that referenced this pull request Jun 2, 2026
## Summary

A fresh govulncheck DB update (one day after #602) flagged two new
**stdlib** vulnerabilities in go1.25.10, re-blocking the entire PR queue
— main itself, the remaining Dependabot PRs (#588/#591/#596), and
release #603 all fail `Vulnerability Check`:

| Vuln | Package | Fixed in |
|------|---------|----------|
| GO-2026-5039 | net/textproto | go1.25.11 |
| GO-2026-5037 | crypto/x509 | go1.25.11 |

Pure toolchain bump — no module changes. Bumps the `go` directive
**and** the Dockerfile `go-builder` image in lockstep (CI reads
`go-version-file: go.mod`; the Docker build pins the builder explicitly
and fails on a version mismatch otherwise).

## Verification (local)

- `go build ./...` / `go vet ./...` — clean
- `GOTOOLCHAIN=go1.25.11 govulncheck ./...` — **"No vulnerabilities
found"**

Once merged, rebasing #588/#591/#596 onto main clears their vuln check,
and #603 (v0.6.5) can be cut.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: HerbHall <HerbHall@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

HerbHall commented Jun 2, 2026

@dependabot rebase

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.80.0 to 1.81.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/google.golang.org/grpc-1.81.1 branch from 49c7989 to f9577fd Compare June 2, 2026 23:12

HerbHall commented Jun 2, 2026

@dependabot squash and merge

@HerbHall HerbHall merged commit 0cc0a48 into main Jun 2, 2026
17 checks passed
@HerbHall HerbHall deleted the dependabot/go_modules/google.golang.org/grpc-1.81.1 branch June 2, 2026 23:25
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 2, 2026