fix(deps): update module google.golang.org/grpc to v1.64.1 [security] (release-1.20)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
google.golang.org/grpc	v1.64.0 -> v1.64.1

---

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

Severity

Low

References

• https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
• https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
• https://github.com/grpc/grpc-go

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Private tokens could appear in logs if context containing gRPC metadata is logged in google.golang.org/grpc

GHSA-xr7q-jx4m-x55m / GO-2024-2978

More information

Details

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

Severity

Unknown

References

• https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
• https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

grpc/grpc-go (google.golang.org/grpc)

v1.64.1: Release 1.64.1

Compare Source

Dependencies

• Update x/net/http2 to address CVE-2023-45288 (#​7352)
• metadata: remove String method from MD to make printing consistent (#​7374)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: dagger/go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: dagger imports
	dagger/internal/dagger: package dagger/internal/dagger is not in std (/opt/containerbase/tools/golang/1.23.5/src/dagger/internal/dagger)