
TT-16883: Update grpc and jsonparser #7914

Open
probelabs[bot] wants to merge 2 commits into release-5.12 from TT-16883-update-deps-5.12

Conversation

@probelabs
Contributor

@probelabs probelabs bot commented Mar 20, 2026

Problem / Task

Update google.golang.org/grpc to v1.79.3 and github.com/buger/jsonparser to v1.1.2 to address critical CVEs.
Also updates github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp to v1.6.0 to fix build issues with the new grpc version.

Changes

  • Updated go.mod and go.sum with new versions.

Testing

  • make build passes.

Ticket Details

TT-16883
Status In Dev
Summary [CVE] Fix Critical CVE for google.golang.org/grpc and High CVE for github.com/buger/jsonparser

Generated at: 2026-03-20 14:50:45
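As an added check, not code from this PR or the Tyk repository: a script that reads a go.mod and confirms the three modules named above resolve to at least the patched versions, applying replace directives, which can pin a module below what its require line says. The go.mod text inside it is constructed for the demonstration.

```python
# Added example (not from the PR): minimum versions named in the description.
REQUIRED = {
    "google.golang.org/grpc": "v1.79.3",
    "github.com/buger/jsonparser": "v1.1.2",
    "github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp": "v1.6.0",
}
# Constructed go.mod: require lines look patched, but a replace pins jsonparser to v1.1.1.
SAMPLE_GOMOD = """\
module example.com/gateway
require (
\tgoogle.golang.org/grpc v1.79.3
\tgithub.com/buger/jsonparser v1.1.2 // indirect
\tgithub.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.6.0
)
replace github.com/buger/jsonparser => github.com/buger/jsonparser v1.1.1
"""

def parse_version(v):
    """'v1.79.3' -> (1, 79, 3); pre-release and build suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def effective_versions(gomod):
    """Return {module: version} with replace directives applied."""
    versions, replaces, block = {}, {}, None
    for raw in gomod.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] in ("require", "replace") and words[-1] == "(":
            block = words[0]  # entering a parenthesised block
        elif line == ")":
            block = None
        else:
            kind = block
            if words[0] in ("require", "replace"):  # single-line form
                kind, words = words[0], words[1:]
            if kind == "require":
                versions[words[0]] = words[1]
            elif kind == "replace":
                arrow = words.index("=>")
                # A replacement without a version is a local path: unknown.
                replaces[words[0]] = words[arrow + 2] if len(words) > arrow + 2 else None
    versions.update((m, v) for m, v in replaces.items() if m in versions)
    return versions

def check(gomod, required=REQUIRED):
    """List (module, found, wanted) for every module below its floor."""
    found = effective_versions(gomod)
    return [(m, found.get(m), w) for m, w in required.items()
            if found.get(m) is None or parse_version(found[m]) < parse_version(w)]
```

Run it against the real go.mod after the bump; `go list -m all` in the built tree gives the same answer from the actual build list and is the stronger confirmation.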

@probelabs
Contributor Author

probelabs bot commented Mar 20, 2026

This PR updates google.golang.org/grpc, github.com/buger/jsonparser, and github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp to address security vulnerabilities (CVEs). The changes are confined to go.mod and go.sum, indicating a dependency-only update. The primary risk lies in potential behavioral changes or regressions introduced by the new library versions.

Files Changed Analysis

  • go.mod: Modified to update the versions of grpc, jsonparser, and their transitive dependencies.
  • go.sum: Regenerated to reflect the checksums of the newly updated packages.

The changes solely impact the project's dependency tree, with no modifications to the application's source code.

Architecture & Impact Assessment

  • What this PR accomplishes: It patches critical and high-severity CVEs in third-party libraries, enhancing the overall security of the application.
  • Key technical changes introduced:
    • google.golang.org/grpc upgraded from v1.70.0 to v1.79.3.
    • github.com/buger/jsonparser upgraded from v1.1.1 to v1.1.2.
    • github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp upgraded from v1.5.2 to v1.6.0.
    • Numerous other transitive dependencies were updated as a result.
  • Affected system components:
    • Coprocess Middleware (gRPC): The grpc library is fundamental to this middleware, which allows Tyk to communicate with external gRPC-based plugins for custom request processing. Any regressions in the gRPC library could impact users relying on this extensibility feature.
    • JSON-based Operations: The jsonparser library is used for efficient JSON parsing. Its update could affect any component that processes JSON, including middleware, request/response transformations, and logging.
graph TD
    subgraph "Dependency Updates & System Impact"
        grpc["google.golang.org/grpc<br>v1.70.0 ➔ v1.79.3"] -->|used by| coprocess["Coprocess Middleware (gRPC)"];
        jsonparser["github.com/buger/jsonparser<br>v1.1.1 ➔ v1.1.2"] -->|used for| json_processing["JSON Processing Logic"];
        
        coprocess --> external_plugins["External gRPC Plugins"];
        json_processing --> various_middleware["Various Middleware"];
    end

Scope Discovery & Context Expansion

While the diff is minimal, the scope of potential impact is broad due to the foundational nature of the updated libraries. The update to grpc is particularly sensitive, as it underpins a key extensibility point (Coprocess). A failure or performance degradation in this library could have significant consequences for users with custom gRPC plugins. The jsonparser update has a wide but likely shallower impact across various parts of the system that handle JSON data. Comprehensive regression testing is crucial to validate that these updates do not introduce breaking changes or performance issues. The PR description notes that make build passes, but a full test suite (unit, integration, e2e) should be run to ensure functional correctness.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: n/a

Powered by Visor from Probelabs

Last updated: 2026-03-20T14:51:34.418Z | Triggered by: pr_updated | Commit: cffa1e3


@probelabs
Contributor Author

probelabs bot commented Mar 20, 2026

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.


✅ Quality Check Passed

No quality issues found – changes LGTM.



Last updated: 2026-03-20T14:51:31.453Z | Triggered by: pr_updated | Commit: cffa1e3


@github-actions
Contributor

API Changes

no api changes detected

@sonarqubecloud

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

