
build: bump grpc to v1.79.3 #10841

Open

ziggie1984 wants to merge 1 commit into lightningnetwork:master from ziggie1984:bump-grpc-v1.79.3

Conversation

@ziggie1984
Collaborator

Summary

  • bump google.golang.org/grpc from v1.79.1 to v1.79.3
  • refresh root go.sum entries
  • addresses govulncheck finding GO-2026-4762 for grpc

Testing

  • go test ./lnrpc/... ./rpcperms ./macaroons
  • make release-install
  • govulncheck -mode=binary "/Users/norbert/go/bin/lnd" exits 3 due to remaining baseline findings, but GO-2026-4762/google.golang.org/grpc is no longer present

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a routine dependency update for the gRPC library to resolve a specific security vulnerability. The change ensures the project remains compliant with security standards by moving to a patched version of the library.

Highlights

  • Dependency Update: Updated the google.golang.org/grpc dependency from v1.79.1 to v1.79.3 in go.mod.
  • Security Remediation: Addressed vulnerability GO-2026-4762 identified by govulncheck.
  • Checksum Refresh: Updated go.sum to reflect the new dependency version.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the google.golang.org/grpc dependency from version 1.79.1 to 1.79.3 in both go.mod and go.sum. There are no review comments, and I have no feedback to provide.

@github-actions github-actions Bot added the severity-medium Focused review required label May 25, 2026
@github-actions

🟡 PR Severity: MEDIUM

Automated classification | 2 files | 6 lines changed

🟡 Medium (2 files)
  • go.mod - Go module dependency update; not under any critical/high package path
  • go.sum - Go module checksum file corresponding to go.mod change

Analysis

This PR exclusively modifies go.mod and go.sum, indicating a dependency version bump or addition. These files do not fall under any critical or high-severity package paths (e.g., lnwallet/, htlcswitch/, routing/, etc.) and are classified as MEDIUM under the catch-all "other Go files not categorized above" rule.

The change is very small (6 lines across 2 files) and does not trigger any severity bump rules (fewer than 20 non-test files, fewer than 500 non-test lines, no multiple critical packages touched).

While dependency changes can have indirect security implications (supply-chain concerns), the classification system addresses this through the MEDIUM level, which calls for a focused review to verify the updated dependency is trustworthy and that no unexpected transitive changes are introduced.

To override, add a severity-override-{critical,high,medium,low} label.

@ziggie1984
Collaborator Author

Assessment of the vulnerability - LND not affected but potential middleware:

  • Default lnd with macaroons enabled: likely not practically exploitable for an auth bypass, because malformed no-slash methods should be denied by lnd’s permission lookup.
  • --no-macaroons deployments: auth is already disabled, so this CVE is not the meaningful bypass condition. lnd also blocks unauthenticated public RPC listener configs: /private/tmp/lnd-bump-grpc-v1.79.3/lncfg/address.go:47.
  • Custom external validators / RPC middleware / external subservers: possible residual risk if custom code implements path-based deny rules with fallback allow using raw FullMethod. I didn't audit third-party extensions.

The PR bump to grpc v1.79.3 is still the right fix because it removes the vulnerable routing behavior at the library layer.
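The residual risk named in the last bullet of the assessment above, modeled as an added Go example. This is not lnd's code, not grpc-go's, and not a description of GO-2026-4762 itself (the page does not detail the advisory). It contrasts a hypothetical interceptor that applies a path-based deny rule to the raw full method string and falls back to allow with a deny-by-default check keyed on the exact canonical "/service/method" name, the property the comment attributes to lnd's permission lookup. The service names, the permission table, the isAdmin flag and the sample method strings are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// deniedPrefix is a hypothetical admin service used only for this example.
const deniedPrefix = "/example.AdminService/"

// fragileAuthorize models the risky middleware pattern: a prefix-based deny
// rule evaluated on the raw full method name, with fallback allow. Any name
// that does not have the expected leading "/service/" shape slips past it.
func fragileAuthorize(fullMethod string) bool {
	if strings.HasPrefix(fullMethod, deniedPrefix) {
		return false
	}
	return true // fallback allow
}

// permissions is a hypothetical allowlist keyed on the exact canonical full
// method name. Names that are not keys are denied, whatever their shape.
var permissions = map[string]struct{}{
	"/example.ReadService/GetInfo":   {},
	"/example.AdminService/Shutdown": {},
}

// adminOnly marks allowlisted names that additionally require an admin
// credential (a stand-in for a macaroon permission check).
var adminOnly = map[string]bool{
	"/example.AdminService/Shutdown": true,
}

// canonicalMethod reports whether s has exactly the shape gRPC uses for a
// full method name: "/" + service + "/" + method, both parts non-empty.
func canonicalMethod(s string) (service, method string, ok bool) {
	if !strings.HasPrefix(s, "/") {
		return "", "", false
	}
	parts := strings.Split(s[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// robustAuthorize denies by default: the name must be canonical, must be an
// exact key in the permission table, and admin entries need isAdmin.
func robustAuthorize(fullMethod string, isAdmin bool) bool {
	if _, _, ok := canonicalMethod(fullMethod); !ok {
		return false
	}
	if _, known := permissions[fullMethod]; !known {
		return false
	}
	if adminOnly[fullMethod] && !isAdmin {
		return false
	}
	return true
}

func main() {
	// Constructed inputs: a well-formed admin call, the same call with the
	// leading slash missing, a name with no slash at all, and a read call.
	for _, m := range []string{
		"/example.AdminService/Shutdown",
		"example.AdminService/Shutdown",
		"example.AdminServiceShutdown",
		"/example.ReadService/GetInfo",
	} {
		fmt.Printf("%-33q fragile=%-5v robust(non-admin)=%v\n",
			m, fragileAuthorize(m), robustAuthorize(m, false))
	}
}
```

Run it with go run: the prefix rule denies only the canonical spelling of the admin call and allows both malformed variants, while the allowlist lookup rejects every non-canonical or unknown name and still gates the admin call on the credential. The point is the second property: a permission lookup on the exact full method denies malformed names regardless of how the library routes them, which is why the library bump and a deny-by-default lookup belong together rather than one replacing the other.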

@ziggie1984 ziggie1984 self-assigned this May 25, 2026
@ziggie1984 ziggie1984 force-pushed the bump-grpc-v1.79.3 branch from eab899c to b32b676 Compare May 25, 2026 17:05

Labels

no-changelog severity-medium Focused review required
