chore(deps): bump the go-minor-patch group with 2 updates

[dependabot]

Bumps the go-minor-patch group with 2 updates: google.golang.org/api and google.golang.org/grpc.

Updates google.golang.org/api from 0.279.0 to 0.280.0

Release notes

Sourced from google.golang.org/api's releases.

v0.280.0

0.280.0 (2026-05-19)

Features

• all: Auto-regenerate discovery clients (#3591) (55ba2fa)
• all: Auto-regenerate discovery clients (#3593) (054d4b6)
• all: Auto-regenerate discovery clients (#3594) (0382916)
• all: Auto-regenerate discovery clients (#3595) (13e1ad2)
• all: Auto-regenerate discovery clients (#3596) (4c77865)
• all: Auto-regenerate discovery clients (#3598) (ae2f330)
• all: Auto-regenerate discovery clients (#3599) (f82d204)

Changelog

Sourced from google.golang.org/api's changelog.

0.280.0 (2026-05-19)

Features

• all: Auto-regenerate discovery clients (#3591) (55ba2fa)
• all: Auto-regenerate discovery clients (#3593) (054d4b6)
• all: Auto-regenerate discovery clients (#3594) (0382916)
• all: Auto-regenerate discovery clients (#3595) (13e1ad2)
• all: Auto-regenerate discovery clients (#3596) (4c77865)
• all: Auto-regenerate discovery clients (#3598) (ae2f330)
• all: Auto-regenerate discovery clients (#3599) (f82d204)

Commits

• 3887b09 chore(main): release 0.280.0 (#3592)
• f82d204 feat(all): auto-regenerate discovery clients (#3599)
• 13e7314 chore(all): update all (#3597)
• ae2f330 feat(all): auto-regenerate discovery clients (#3598)
• 4c77865 feat(all): auto-regenerate discovery clients (#3596)
• 13e1ad2 feat(all): auto-regenerate discovery clients (#3595)
• 0382916 feat(all): auto-regenerate discovery clients (#3594)
• 054d4b6 feat(all): auto-regenerate discovery clients (#3593)
• 55ba2fa feat(all): auto-regenerate discovery clients (#3591)
• See full diff in compare view

Updates google.golang.org/grpc from 1.80.0 to 1.81.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

• xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)
  • Special Thanks: @​al4an444

Bug Fixes

• otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

• balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

• Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

• xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
• transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
• xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

• grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
• xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
• xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
• xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
• stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
• mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)
  • Special Thanks: @​ash2k

Performance Improvements

• alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
• transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Commits

• caf0772 Change version from 1.81.1-dev to 1.81.1 (#9122)
• 6ccbeeb Cherry-pick #9111 into v1.81.x (#9121)
• b33c29e Cherry-pick #9081 into v1.81.x (#9102)
• c45fae6 Change version to 1.81.1-dev (#9063)
• cb18228 Change version to 1.81.0 (#9062)
• 96748f9 Cherry-pick #9105 to 1.81.x (#9106)
• 9183222 Cherry pick #9055, #9032 to v1.81.x (#9095)
• 5cba6da Revert "deps: update dependencies for all modules (#9065)" (#9067)
• af8a936 deps: update dependencies for all modules (#9065)
• cdc60df transport: optimize heap allocations in ready reader and update syscall conne...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by CodeRabbit

• Chores
  • Updated Go module dependencies to latest versions.

[dependabot]

Labels

The following labels could not be found: dependencies, go-sidecar. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[greptile-apps]

dependabot[bot] has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[coderabbitai]

📝 Walkthrough

Walkthrough

Go module dependencies updated across direct and indirect requirements: google.golang.org/api and google.golang.org/grpc advanced to newer versions, alongside golang.org/x/* cryptography, networking, system, and text libraries. The google.golang.org/genproto/googleapis/rpc pseudo-version refreshed.

Changes

Dependency Updates

Layer / File(s)	Summary
Direct and indirect dependency version bumps go.mod	google.golang.org/api (v0.279.0→v0.280.0), google.golang.org/grpc (v1.80.0→v1.81.1), golang.org/x/crypto (v0.50.0→v0.51.0), golang.org/x/net (v0.53.0→v0.54.0), golang.org/x/sys (v0.43.0→v0.44.0), golang.org/x/text (v0.36.0→v0.37.0), and google.golang.org/genproto/googleapis/rpc pseudo-version updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, a skip, a version bump,
Dependencies climb the update stump,
Google and gRPC dance anew,
Security patches bloom on through,
Our go.mod sings fresh and light!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely incomplete relative to the template. It lacks mandatory sections including 📝 Description, 🧩 Type of Change, and all ✅ Strict Checklist items (security, code quality, testing, etc.).	Add the missing template sections: provide a 📝 Description explaining the improvements, select appropriate 🧩 Type of Change (likely Infrastructure/Ecosystem), and complete all mandatory checklist items, especially the security and dependency review checklist.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately summarizes the main change: a dependency bump for the go-minor-patch group with 2 updates to Google API and gRPC libraries.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/go-minor-patch-d2956c83a4

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 37-38: Update the indirect dependency "golang.org/x/net" from
v0.54.0 to at least v0.7.0 to address the HIGH "Uncontrolled Resource
Consumption" advisory: change the go.mod requirement for golang.org/x/net to a
version >= v0.7.0 (e.g., v0.7.0), then run the module commands to propagate the
update (use go get golang.org/x/net@v0.7.0 and go mod tidy or go get -u ./... as
appropriate) to ensure transitive resolution picks the patched version; leave
"golang.org/x/crypto v0.51.0" and "golang.org/x/text v0.37.0" unchanged since
they are outside the affected ranges.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 137e9367-11d7-4a62-8c5a-2bfeba21925b

📥 Commits

Reviewing files that changed from the base of the PR and between e9d472a and 4ff0fa6.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check security advisories for updated indirect dependencies

echo "=== Checking Security Advisories for golang.org/x/crypto ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "golang.org/x/crypto") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}' 2>/dev/null || echo "Could not fetch security advisories"

echo -e "\n=== Checking Security Advisories for golang.org/x/net ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "golang.org/x/net") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}' 2>/dev/null || echo "Could not fetch security advisories"

echo -e "\n=== Checking Security Advisories for golang.org/x/text ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "golang.org/x/text") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}' 2>/dev/null || echo "Could not fetch security advisories"

Repository: AIX-Format/PiWorker-OS

Length of output: 6181

---

Handle HIGH security advisory affecting golang.org/x/net v0.54.0

• golang.org/x/net v0.54.0 // indirect is still within a reported HIGH vulnerability: “Uncontrolled Resource Consumption” (vulnerableVersionRange: < 0.7.0, first patched: 0.7.0). Bump golang.org/x/net to >= 0.7.0 (or ensure transitive resolution pulls the patched version).
• golang.org/x/crypto v0.51.0 // indirect: the reported advisories are for older ranges (e.g., < 0.45.0, < 0.35.0), so they don’t cover the current version.
• golang.org/x/text v0.37.0 // indirect: reported advisories target < 0.3.7, < 0.3.8, < 0.3.3, so the current version is outside those ranges.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 37 - 38, Update the indirect dependency
"golang.org/x/net" from v0.54.0 to at least v0.7.0 to address the HIGH
"Uncontrolled Resource Consumption" advisory: change the go.mod requirement for
golang.org/x/net to a version >= v0.7.0 (e.g., v0.7.0), then run the module
commands to propagate the update (use go get golang.org/x/net@v0.7.0 and go mod
tidy or go get -u ./... as appropriate) to ensure transitive resolution picks
the patched version; leave "golang.org/x/crypto v0.51.0" and "golang.org/x/text
v0.37.0" unchanged since they are outside the affected ranges.