Skip to content

Upgrade to rules_proto_grpc 5+, bazel 8.0 and migrate to use bzlmod, and grpc 1.76.0 #286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Upgrade to rules_proto_grpc 5+, bazel 8.0 and migrate to use bzlmod, and grpc 1.76.0 #286

wants to merge 2 commits into from

Conversation

@karenyrx
Copy link
Collaborator

@karenyrx karenyrx commented Nov 5, 2025
edited
Loading

Description

Fix the 19 Java security vulnerabilities in rules_proto_grpc (netty, okio, google-auth, etc), by upgrading rules_proto_grpc to 5.x.x +. However this version is only compatible with bazel 8+, which only supports BzlMod (MODULE.bazel, MODULE.bazel.lock) rather than WORKSPACE files, so many bazel changes arose as a result.

Verification it worked: 19/21 vulnerabilities fixed:
Screenshot 2025-11-04 at 11 38 02 PM

The renaming 2 are related to Typescript deps, which is the proto tooling, not the bazel files which generate the proto generated code, so those will be fixed separately

Issues Resolved

List any issues this PR will resolve, e.g. Closes [...].

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@karenyrx karenyrx changed the title Security vulnerabilities Upgrade to rules_proto_grpc 5+, bazel 8.0 and migrate to use bzlmod, and grpc 1.76.0 Nov 5, 2025
@karenyrx karenyrx closed this Nov 5, 2025
@karenyrx karenyrx reopened this Nov 5, 2025
@karenyrx karenyrx closed this Nov 5, 2025
@karenyrx karenyrx reopened this Nov 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amberzsy amberzsy Awaiting requested review from amberzsy amberzsy will be requested when the pull request is marked ready for review amberzsy is a code owner

@lucy66hw lucy66hw Awaiting requested review from lucy66hw lucy66hw will be requested when the pull request is marked ready for review lucy66hw is a code owner

@philiplhchan philiplhchan Awaiting requested review from philiplhchan philiplhchan will be requested when the pull request is marked ready for review philiplhchan is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@karenyrx