Skip to content

fix: update proton and migrate to runtime proto validation #1490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ravisuhag merged 5 commits into from
Apr 1, 2026
Merged

fix: update proton and migrate to runtime proto validation #1490

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
bd459d8
chore: update proton and migrate to runtime proto validation
ravisuhag Mar 31, 2026
73cbd81
fix: remove test cases that relied on inline proto validation
ravisuhag Mar 31, 2026
b0ea2cf
Merge branch 'main' into chore/update-proton-gen-code
ravisuhag Mar 31, 2026
32fcfd1
Merge branch 'main' into chore/update-proton-gen-code
ravisuhag Apr 1, 2026
8c4927d
fix: move validation interceptor between authn and authz
ravisuhag Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
VERSION := $(shell git describe --tags ${TAG})
.PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
.DEFAULT_GOAL := build
PROTON_COMMIT := "eeb82738610b07efaf8f8205c3b00f8b774cf31e"
PROTON_COMMIT := "0b6548e706d14b39f4d2dbd44567d6d4c2c3159e"

admin-app:
@echo " > generating admin build"
Expand Down
6 changes: 2 additions & 4 deletions buf.gen.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,15 @@ managed:
enabled: true
disable:
- module: buf.build/googleapis/googleapis
- module: buf.build/envoyproxy/protoc-gen-validate
- file_option: go_package
module: buf.build/bufbuild/protovalidate
override:
- file_option: "go_package"
value: "github.com/raystack/frontier/proto/v1beta1;frontierv1beta1"
plugins:
- remote: "buf.build/protocolbuffers/go:v1.30.0"
out: "proto"
opt: "paths=source_relative"
- remote: "buf.build/bufbuild/validate-go:v1.0.0"
out: "proto"
opt: "paths=source_relative"
- remote: buf.build/connectrpc/go:v1.18.1
out: "proto"
opt: "paths=source_relative"
10 changes: 0 additions & 10 deletions cmd/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,6 @@ func createGroupCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
Comment thread
rohilsurana marked this conversation as resolved.
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -121,11 +116,6 @@ func editGroupCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/organization.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,6 @@ func createOrganizationCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -122,11 +117,6 @@ func editOrganizationCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/permission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,6 @@ func createPermissionCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createAdminClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -121,11 +116,6 @@ func editPermissionCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createAdminClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/policy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,11 +62,6 @@ func createPolicyCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -119,11 +114,6 @@ func editPolicyCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/project.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,6 @@ func createProjectCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -121,11 +116,6 @@ func editProjectCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/role.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,6 @@ func createRoleCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down Expand Up @@ -122,11 +117,6 @@ func editRoleCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
10 changes: 0 additions & 10 deletions cmd/user.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,6 @@ func createUserCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

if reqBody.GetName() == "" {
reqBody.Name = str.GenerateUserSlug(reqBody.GetEmail())
}
Expand Down Expand Up @@ -127,11 +122,6 @@ func editUserCommand(cliConfig *Config) *cli.Command {
return err
}

err := reqBody.ValidateAll()
if err != nil {
return err
}

client, err := createClient(cliConfig.Host)
if err != nil {
return err
Expand Down
45 changes: 25 additions & 20 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,22 @@
module github.com/raystack/frontier

go 1.23.0
go 1.24.0

require (
connectrpc.com/connect v1.18.1
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20260209202127-80ab13bee0bf.1
connectrpc.com/connect v1.19.0
connectrpc.com/cors v0.1.0
connectrpc.com/grpchealth v1.4.0
connectrpc.com/grpcreflect v1.3.0
connectrpc.com/otelconnect v0.7.2
connectrpc.com/validate v0.6.0
github.com/MakeNowJust/heredoc v1.0.0
github.com/authzed/authzed-go v0.11.2-0.20240507202708-8b150c491e4a
github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1
github.com/authzed/spicedb v1.33.1
github.com/cespare/xxhash v1.1.0
github.com/coreos/go-oidc/v3 v3.5.0
github.com/doug-martin/goqu/v9 v9.18.0
github.com/envoyproxy/protoc-gen-validate v1.1.0
github.com/ghodss/yaml v1.0.0
github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48
github.com/go-webauthn/webauthn v0.8.6
Expand Down Expand Up @@ -43,30 +44,32 @@ require (
github.com/robfig/cron/v3 v3.0.1
github.com/rs/cors v1.11.1
github.com/spf13/cobra v1.8.1
github.com/stretchr/testify v1.10.0
github.com/stretchr/testify v1.11.1
github.com/stripe/stripe-go/v79 v79.5.0
github.com/ua-parser/uap-go v0.0.0-20250917011043-9c86a9b0f8f0
go.opentelemetry.io/otel/sdk/metric v1.37.0
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for patched otel/sdk versions
echo "=== Checking OpenTelemetry SDK vulnerability advisory ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Available otel/sdk versions ==="
curl -s "https://proxy.golang.org/go.opentelemetry.io/otel/sdk/@v/list" | tail -10

Repository: raystack/frontier

Length of output: 395

🏁 Script executed:

#!/bin/bash
# Get full list of otel/sdk/metric versions (not just last 10)
echo "=== Full list of go.opentelemetry.io/otel/sdk/metric versions ==="
curl -s "https://proxy.golang.org/go.opentelemetry.io/otel/sdk/metric/@v/list"

echo ""
echo "=== Check if v1.37.0 exists ==="
curl -s -I "https://proxy.golang.org/go.opentelemetry.io/otel/sdk/metric/@v/v1.37.0.info"

Repository: raystack/frontier

Length of output: 1277

🌐 Web query:

GHSA-9h8m-3fm2-qjrq vulnerability OpenTelemetry PATH hijacking

💡 Result:

GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) is a high-severity vulnerability (CVSS 7.0) in the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk), affecting versions 1.21.0 to 1.39.0. It enables arbitrary code execution via PATH hijacking on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the 'ioreg' system command without specifying a full path, relying on the PATH environment variable. A local attacker with low privileges who can modify PATH (e.g., by placing a malicious 'ioreg' executable in a directory prioritized in PATH) can achieve arbitrary code execution in the application's context. Associated with CWE-426 (Untrusted Search Path). Patched in commit d45961b, released in v1.40.0 (February 2026). Upgrade to v1.40.0 or later. As of 2026-03-31, the patch is available. Official sources: GitHub Advisory Database, OpenTelemetry Go security advisory, NVD.

Citations:

🌐 Web query:

CVE OpenTelemetry SDK metric PATH hijacking vulnerability 2024 2025

💡 Result:

No vulnerability matching "OpenTelemetry SDK metric PATH hijacking" was found in searches across 2024-2025 or later. The closest match is CVE-2026-24051 (disclosed Feb 2026), a PATH hijacking vulnerability in the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk/resource, versions >=1.21.0, <=1.39.0) affecting macOS/Darwin systems. It allows arbitrary code execution via untrusted PATH when executing the 'ioreg' command in sdk/resource/host_id.go for resource detection (host ID). CVSS 3.1: 7.0 (High). Patched in v1.40.0 via commit d45961bcda453fcbdb6469c22d6e88a1f9970a53. This issue is unrelated to metrics or path traversal in metric handling. Other OpenTelemetry vulnerabilities (e.g., CVE-2023-25151 for high-cardinality metrics DoS in otelhttp, CVE-2024-36129 for DoS in Collector, CVE-2023-43810 for unbound metrics cardinality) do not involve PATH hijacking or path traversal in metrics.

Citations:

🏁 Script executed:

#!/bin/bash
# Check the go.mod file in the repo to see all OpenTelemetry dependencies
echo "=== OpenTelemetry dependencies in go.mod ==="
grep -i "go.opentelemetry" go.mod

echo ""
echo "=== Checking otel/sdk/metric v1.37.0 dependencies ==="
curl -s "https://proxy.golang.org/go.opentelemetry.io/otel/sdk/metric/@v/v1.37.0.mod" | head -20

Repository: raystack/frontier

Length of output: 1244

🌐 Web query:

go.opentelemetry.io/otel/sdk/metric v1.37.0 dependencies PATH hijacking vulnerability

💡 Result:

Yes, go.opentelemetry.io/otel/sdk/metric v1.37.0 is vulnerable to the PATH hijacking vulnerability CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq, GO-2026-4394). This affects the broader OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk) versions >=v1.21.0 and <v1.40.0, specifically due to untrusted search path usage when executing the 'ioreg' command on macOS/Darwin systems in sdk/resource/host_id.go, allowing local authenticated attackers to achieve arbitrary code execution by modifying the PATH environment variable. The sdk/metric module depends on the vulnerable go.opentelemetry.io/otel/sdk (as shown in pkg.go.dev listings for similar versions like v1.38.0, which lists go.opentelemetry.io/otel/sdk v1.38.0). Version alignment across OpenTelemetry Go modules means v1.37.0 of sdk/metric pulls in the vulnerable sdk v1.37.0. The fix is in v1.40.0 via commit d45961b, which specifies the full path for the ioreg command. CVSS v3.1: 7.0 High (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Patched in v1.40.0. Upgrade to v1.40.0 or later. Workarounds: avoid running on macOS/Darwin or ensure PATH cannot be modified by untrusted users.

Citations:

Upgrade go.opentelemetry.io/otel/sdk/metric to v1.40.0 or later.

go.opentelemetry.io/otel/sdk/metric v1.37.0 contains a HIGH severity vulnerability (GHSA-9h8m-3fm2-qjrq / CVE-2026-24051) that enables arbitrary code execution via PATH hijacking on macOS/Darwin systems. The vulnerability exists in the base SDK's resource detection code, which executes the 'ioreg' command without specifying a full path. A patched version (v1.40.0+) is available.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 50-50: go.opentelemetry.io/otel/sdk 1.37.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

[HIGH] 50-50: go.opentelemetry.io/otel/sdk 1.37.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

go.uber.org/zap v1.26.0
gocloud.dev v0.28.0
golang.org/x/net v0.42.0
golang.org/x/net v0.44.0
golang.org/x/oauth2 v0.30.0
golang.org/x/sync v0.16.0
google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9
google.golang.org/grpc v1.67.1
google.golang.org/protobuf v1.36.6
golang.org/x/sync v0.17.0
google.golang.org/genproto/googleapis/api v0.0.0-20250922171735-9219d122eba9
google.golang.org/grpc v1.71.0
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for patched gRPC versions and vulnerability details
echo "=== Checking gRPC vulnerability advisory ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "google.golang.org/grpc") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Available gRPC versions from proxy ==="
curl -s "https://proxy.golang.org/google.golang.org/grpc/@v/list" | tail -10

Repository: raystack/frontier

Length of output: 409

🌐 Web query:

GHSA-p77j-4mvh-x3m3 gRPC vulnerability

💡 Result:

GHSA-p77j-4mvh-x3m3 is a critical authorization bypass vulnerability (CVE-2026-33186) in gRPC-Go, the Go implementation of gRPC. Description: The gRPC-Go server improperly validates the HTTP/2 :path pseudo-header, accepting requests without a leading slash (e.g., "Service/Method" instead of "/Service/Method"). While routing works, authorization interceptors like grpc/authz evaluate the raw non-canonical path, bypassing "deny" rules for canonical paths if a fallback "allow" exists. Affected: gRPC-Go versions < 1.79.3, specifically servers using path-based authorization with deny rules and fallback allow. Impact: Attackers can send malformed HTTP/2 requests to bypass auth, gaining unauthorized access (CVSS 3.1: 9.1 Critical, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Fixed: Upgrade to 1.79.3 or later, which rejects invalid :path headers with codes.Unimplemented. Published: March 17-20, 2026. Official advisory: grpc/grpc-go GitHub security page.

Citations:

🌐 Web query:

google.golang.org/grpc v1.71.0 security vulnerability authorization bypass

💡 Result:

google.golang.org/grpc v1.71.0 is affected by CVE-2026-33186 (authorization bypass), because the advisory lists all versions < 1.79.3 as vulnerable. [1][2]

  • What the bypass is: gRPC-Go accepted HTTP/2 requests whose :path omitted the required leading slash (e.g., Service/Method instead of /Service/Method). The server could still route the call, but path-based authorization (including google.golang.org/grpc/authz) could evaluate the non-canonical path and fail to match “deny” rules written for canonical paths—allowing a bypass when a fallback “allow” exists. [1][2]
  • Who is impacted: gRPC-Go servers using path-based authorization (e.g., grpc/authz / RBAC, or custom interceptors relying on info.FullMethod / grpc.Method(ctx)) with policies that include canonical-path denies but otherwise allow by default. [1][2]
  • Fix: upgrade to v1.79.3+ (patched). The fix rejects :path values that don’t start with /. [2]
  • Workaround (if you can’t upgrade immediately): add an outermost interceptor that rejects requests where info.FullMethod doesn’t start with /, and/or move to a “default deny” policy posture. [2]

Sources: GitHub Security Advisory GHSA-p77j-4mvh-x3m3 / CVE-2026-33186, and NVD entry for CVE-2026-33186. [1][2]

🌐 Web query:

gRPC Go v1.71.1 security patch release notes

💡 Result:

gRPC-Go v1.71.1 (released Apr 1) — “security patch” release notes

In the upstream grpc-go GitHub release entry for v1.71.1, there is no separate “Security” section; it’s published as a bug-fix release with the following items: (github.com)

  • grpc: Fix extra read from the compressor when a compressed message is exactly at the limit (could panic with the built-in gzip compressor). (github.com)
  • xds: Read bootstrap config before creating the first xDS client (instead of at package init time). (github.com)
  • stats/opentelemetry: Use TextMapPropagator and TracerProvider from TraceOptions instead of OpenTelemetry globals. (github.com)
  • client: Fix proxy-related races that could lead to deadlocks/panics. (github.com)
  • client: Fix RPC failures (“no children to pick from”) when using a custom resolver that calls deprecated NewAddress. (github.com)
  • wrr: Fix slow processing of address updates that could lead to issues including RPC failures with many backends. (github.com)

Source

  1. grpc/grpc-go GitHub releases page (v1.71.1 entry). (github.com)

Citations:

Upgrade google.golang.org/grpc to v1.79.3 or later to fix critical authorization bypass vulnerability.

gRPC-Go v1.71.0 is affected by CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical authorization bypass vulnerability (CVSS 9.1). Servers using path-based authorization can be bypassed via malformed HTTP/2 requests with missing leading slash in the :path pseudo-header. The vulnerability is fixed in v1.79.3+; earlier patch versions in the v1.71.x line do not address this issue.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 57-57: google.golang.org/grpc 1.71.0: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)

[CRITICAL] 57-57: google.golang.org/grpc 1.71.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

google.golang.org/protobuf v1.36.11
gopkg.in/dnaeon/go-vcr.v3 v3.1.2
gopkg.in/mail.v2 v2.3.1
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
)

require (
buf.build/go/protovalidate v1.0.0 // indirect
cel.dev/expr v0.24.0 // indirect
cloud.google.com/go/auth v0.3.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
dario.cat/mergo v1.0.0 // indirect
filippo.io/edwards25519 v1.1.0 // indirect
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/authzed/cel-go v0.20.2 // indirect
github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
Expand All @@ -87,6 +90,7 @@ require (
github.com/creasty/defaults v1.7.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/ecordell/optgen v0.0.10-0.20230609182709-018141bf9698 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fxamacker/cbor/v2 v2.4.0 // indirect
github.com/go-errors/errors v1.5.1 // indirect
Expand All @@ -99,6 +103,7 @@ require (
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/cel-go v0.26.1 // indirect
github.com/google/go-tpm v0.9.0 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 // indirect
Expand All @@ -123,18 +128,18 @@ require (
go.opentelemetry.io/otel/metric v1.37.0 // indirect
go.opentelemetry.io/otel/sdk v1.37.0 // indirect
go.opentelemetry.io/otel/trace v1.37.0 // indirect
golang.org/x/mod v0.25.0 // indirect
golang.org/x/mod v0.28.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.34.0 // indirect
golang.org/x/tools v0.37.0 // indirect
google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250922171735-9219d122eba9 // indirect
gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
)

require (
cloud.google.com/go v0.112.2 // indirect
cloud.google.com/go/compute/metadata v0.5.0 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
cloud.google.com/go/iam v1.1.7 // indirect
cloud.google.com/go/storage v1.39.1 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
Expand Down Expand Up @@ -225,7 +230,7 @@ require (
github.com/spf13/cast v1.6.0
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.19.0 // indirect
github.com/stoewer/go-strcase v1.3.0 // indirect
github.com/stoewer/go-strcase v1.3.1 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
Expand All @@ -236,11 +241,11 @@ require (
go.opentelemetry.io/otel/exporters/prometheus v0.59.0
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.40.0
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
golang.org/x/sys v0.34.0 // indirect
golang.org/x/term v0.33.0 // indirect
golang.org/x/text v0.27.0 // indirect
golang.org/x/crypto v0.42.0
golang.org/x/exp v0.0.0-20250911091902-df9299821621
golang.org/x/sys v0.36.0 // indirect
golang.org/x/term v0.35.0 // indirect
golang.org/x/text v0.29.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.176.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
Expand Down
Loading
Loading