fix(deps): update module google.golang.org/grpc to v1.64.1 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
google.golang.org/grpc	v1.64.0 → v1.64.1

GitHub Vulnerability Alerts

GHSA-xr7q-jx4m-x55m

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

---

Private tokens could appear in logs if context containing gRPC metadata is logged in google.golang.org/grpc

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

Severity

Unknown

References

• https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
• https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

Severity

Low

References

• https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
• https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
• https://github.com/grpc/grpc-go

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

grpc/grpc-go (google.golang.org/grpc)

v1.64.1: Release 1.64.1

Compare Source

Dependencies

• Update x/net/http2 to address CVE-2023-45288 (#​7352)
• metadata: remove String method from MD to make printing consistent (#​7374)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: demo/src/checkoutservice/go.sum

Command failed: go get -t ./...
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading google.golang.org/grpc v1.64.1
go: downloading github.com/IBM/sarama v1.43.2
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.27.0
go: downloading go.opentelemetry.io/otel v1.27.0
go: downloading github.com/open-feature/go-sdk v1.12.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0
go: downloading go.opentelemetry.io/otel/sdk v1.27.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.27.0
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/open-feature/go-sdk-contrib/hooks/open-telemetry v0.3.2
go: downloading go.opentelemetry.io/otel/trace v1.27.0
go: downloading go.opentelemetry.io/contrib/instrumentation/runtime v0.52.0
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0
go: downloading github.com/open-feature/go-sdk-contrib/providers/flagd v0.2.1
go: downloading google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.4.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0
go: downloading google.golang.org/protobuf v1.34.1
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0
go: downloading golang.org/x/sys v0.21.0
go: downloading go.opentelemetry.io/otel/metric v1.27.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/go-logr/logr v1.4.2
go: downloading golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc
go: downloading go.opentelemetry.io/proto/otlp v1.2.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading buf.build/gen/go/open-feature/flagd/connectrpc/go v1.16.2-20240215170432-1e611e2999cc.1
go: downloading buf.build/gen/go/open-feature/flagd/protocolbuffers/go v1.34.1-20240215170432-1e611e2999cc.1
go: downloading connectrpc.com/connect v1.16.2
go: downloading connectrpc.com/otelconnect v0.7.0
go: downloading github.com/open-feature/flagd/core v0.9.2
go: downloading golang.org/x/net v0.26.0
go: downloading sigs.k8s.io/controller-runtime v0.18.3
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading github.com/cenkalti/backoff/v4 v4.3.0
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/eapache/go-resiliency v1.6.0
go: downloading github.com/eapache/go-xerial-snappy v0.0.0-20230731223053-c322873962e3
go: downloading github.com/eapache/queue v1.1.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/jcmturner/gofork v1.7.6
go: downloading github.com/jcmturner/gokrb5/v8 v8.4.4
go: downloading github.com/klauspost/compress v1.17.8
go: downloading github.com/pierrec/lz4/v4 v4.1.21
go: downloading github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
go: downloading github.com/golang/snappy v0.0.4
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/jcmturner/dnsutils/v2 v2.0.0
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading golang.org/x/crypto v0.24.0
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0
go: downloading github.com/jcmturner/rpc/v2 v2.0.3
go: downloading github.com/jcmturner/aescts/v2 v2.0.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157
go: downloading golang.org/x/text v0.16.0
go: downloading golang.org/x/mod v0.17.0
go: downloading go.uber.org/zap v1.27.0
go: downloading github.com/twmb/murmur3 v1.1.8
go: downloading github.com/zeebo/xxh3 v1.0.2
go: downloading github.com/open-feature/flagd-schemas v0.2.9-0.20240408192555-ea4f119d2bd7
go: downloading github.com/xeipuuv/gojsonschema v1.2.0
go: downloading github.com/diegoholiveira/jsonlogic/v3 v3.5.3
go: downloading github.com/fsnotify/fsnotify v1.7.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading buf.build/gen/go/open-feature/flagd/grpc/go v1.3.0-20240215170432-1e611e2999cc.3
go: downloading github.com/klauspost/cpuid/v2 v2.2.7
go: downloading github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
go: downloading go.uber.org/multierr v1.11.0
go: downloading github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb
go: downloading github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df
go: downloading k8s.io/apimachinery v0.30.1
go: downloading github.com/go-logr/zapr v1.3.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.4.1
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading k8s.io/klog/v2 v2.120.1
go: downloading k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/open-telemetry/opentelemetry-demo v1.2.1
go: github.com/open-telemetry/opentelemetry-demo/src/checkoutservice imports
	github.com/open-telemetry/opentelemetry-demo/src/checkoutservice/genproto/oteldemo: cannot find module providing package github.com/open-telemetry/opentelemetry-demo/src/checkoutservice/genproto/oteldemo

File name: demo/src/productcatalogservice/go.sum

Command failed: go get -t ./...
go: github.com/opentelemetry/opentelemetry-demo/src/productcatalogservice imports
	github.com/opentelemetry/opentelemetry-demo/src/productcatalogservice/genproto/oteldemo: cannot find module providing package github.com/opentelemetry/opentelemetry-demo/src/productcatalogservice/genproto/oteldemo