build(deps): bump google.golang.org/grpc from 1.70.0 to 1.80.0 in /controller #413

Open
dependabot[bot] wants to merge 2 commits into main from dependabot/go_modules/controller/google.golang.org/grpc-1.80.0

@dependabot dependabot bot commented on behalf of github Apr 7, 2026

Bumps google.golang.org/grpc from 1.70.0 to 1.80.0.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.80.0

Behavior Changes

  • balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #5288 for details. (#8837)
  • xds: update resource error handling and re-resolution logic (#8907)
    • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
    • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

  • xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (#8733)
  • credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (#8831)
  • xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (#8875)
  • xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (#8899)
  • xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (#8915)
  • xds/rbac: handle addresses with ports in IP matchers. (#8990)

New Features

  • ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (#8922)

Performance Improvements

  • credentials/alts: pool write buffers to reduce memory allocations and usage. (#8919)
  • grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server option to disable this feature. (#8957)
  • xds/priority: stop caching child LB policies removed from the configuration. This will help reduce memory and cpu usage when localities are constantly switching between priorities. (#8997)
  • mem: add a faster tiered buffer pool; use the experimental mem.NewBinaryTieredBufferPool function to create such pools. (#8775)

Release 1.79.3

Security

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

Release 1.79.0

API Changes

  • mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

... (truncated)


@dependabot dependabot bot added the dependencies, go and minor labels Apr 7, 2026

coderabbitai bot commented Apr 7, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.


netlify bot commented Apr 7, 2026

Deploy Preview for jumpstarter-docs ready!

Name Link
🔨 Latest commit df42643
🔍 Latest deploy log https://app.netlify.com/projects/jumpstarter-docs/deploys/69d6637644dc180008c1314e
😎 Deploy Preview https://deploy-preview-413--jumpstarter-docs.netlify.app


ambient-code bot commented Apr 7, 2026

The CI failures are caused by the operator submodule (controller/deploy/operator/) having its own go.mod with a replace directive pointing to the parent controller/ module. When Dependabot bumped grpc to v1.80.0 in controller/go.mod, the transitive dependency versions diverged — the operator's go.mod still referenced older versions of shared deps (otel, golang.org/x, etc.). This caused controller-gen to fail with go: updates to go.mod needed; to update it: go mod tidy.

Pushed a fix: ran go mod tidy in controller/deploy/operator/ to sync the transitive dependencies.


ambient-code bot commented Apr 7, 2026

CI Status

CI is looking good so far — all core checks (lint-go, tests, deploy-kind) have passed. E2e tests are still running.

This PR correctly updates both controller/go.mod and controller/deploy/operator/go.mod with the grpc bump, so the multi-module consistency issue that affects other dependabot PRs is not present here.


ambient-code bot commented Apr 7, 2026

E2E Test Flakiness

The remaining CI failure (e2e-tests (ubuntu-24.04, helm)) is a flaky test, not caused by the grpc bump. Tests 47 and 48 ("can lease and connect to exporters" / "can lease and connect to exporters by name") fail with Error: Connection to exporter lost — the same error seen on completely unrelated branches (e.g. driver-mitmproxy). Other e2e variants (arm, operator, kind-based) all pass.

This PR looks good to merge — the dependency bump and operator submodule sync are correct. The e2e flake should be investigated separately.


ambient-code bot commented Apr 7, 2026

Dependabot PR Analysis

CI Status

The e2e-tests (ubuntu-24.04, helm) failure is a flaky test — not caused by this dependency change. Tests 47 & 48 ("can lease and connect to exporters" / "can lease and connect to exporters by name") fail with Connection to exporter lost, which is a known race condition in listenQueues cleanup after transient exporter disconnects. The same failure is happening on multiple unrelated PRs today. PR #417 (fix-listen-queue-race) addresses the root cause — once merged, these flaky failures should stop.

All other 50+ tests pass, including lint-go, tests, deploy-kind, and e2e-compat-*.

Dependency Analysis

This PR bumps google.golang.org/grpc from v1.70.0 to v1.80.0 in /controller. It correctly updates both controller/go.mod and controller/deploy/operator/go.mod. The bump also pulls in significant transitive dependency updates:

Notable: grpc v1.79.3 includes a security fix (authorization bypass with malformed :path headers — #8981).

⚠️ This PR conflicts with PR #410 (go-jose bump). If this is merged first, #410 can still cleanly apply (v4.1.3 → v4.1.4).

🤖 Generated with Claude Code
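
The 1.79.3 security note referenced above (#8981), as an added example that is not part of this thread and not grpc-go's code: a simplified model of why a deny rule written in canonical `/service/method` form misses a `:path` without the leading slash, and how rejecting non-canonical paths first closes the gap. The rule, service names and function names are hypothetical, and the returned status strings only model the behaviour the release note describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified model of a path-based policy check; not grpc-go's implementation.
// Deny rules are written in canonical "/service/method" form (constructed sample).
var denyRules = map[string]bool{"/example.Admin/DeleteAll": true}

// isCanonicalPath reports whether p has the "/service/method" shape: a leading
// slash, then a non-empty service and a non-empty method split by the last slash.
func isCanonicalPath(p string) bool {
	if !strings.HasPrefix(p, "/") {
		return false
	}
	rest := p[1:]
	i := strings.LastIndex(rest, "/")
	return i > 0 && i < len(rest)-1
}

// lenientAllow models the pre-fix situation: the raw :path is compared with
// the deny rules, and anything that does not match a rule is allowed.
func lenientAllow(path string) bool {
	return !denyRules[path]
}

// strictAllow models the behaviour described for 1.79.3: a non-canonical path
// is rejected with Unimplemented before any rule is evaluated.
func strictAllow(path string) (bool, string) {
	if !isCanonicalPath(path) {
		return false, "Unimplemented"
	}
	if denyRules[path] {
		return false, "PermissionDenied"
	}
	return true, "OK"
}

func main() {
	// Constructed sample paths: denied method, same method without the
	// leading slash, and an unrelated permitted method.
	paths := []string{"/example.Admin/DeleteAll", "example.Admin/DeleteAll", "/example.Echo/Ping"}
	for _, p := range paths {
		ok, code := strictAllow(p)
		fmt.Printf("%-28q lenient=%-5v strict=%v (%s)\n", p, lenientAllow(p), ok, code)
	}
}
```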

@mangelajo

@ambient-code please rebase this

dependabot bot and others added 2 commits April 8, 2026 14:17
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.70.0 to 1.80.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.70.0...v1.80.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

The grpc v1.80.0 bump in controller/go.mod requires syncing
transitive dependencies in the operator submodule which uses
a replace directive pointing to the parent module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ambient-code ambient-code bot force-pushed the dependabot/go_modules/controller/google.golang.org/grpc-1.80.0 branch from 3e6dec7 to df42643 Compare April 8, 2026 14:17