@bufferflies bufferflies commented Nov 14, 2025

tidb dep ref : https://github.com/pingcap/tidb/compare/master...bufferflies:tidb:feat/support_router?expand=1

Summary by CodeRabbit

  • Chores

    • Updated dependency versions across examples, integration tests, and root modules (multiple Go modules, gRPC/protobuf and related indirect deps).
  • Improvements

    • Broadened region and store lookup to allow router-service handling during retrievals and scans.
    • Store resolution now accepts and forwards additional retrieval options on initial fetches and during cache refreshes for more reliable discovery.
  • Tests

    • Test mocks adjusted to support the new optional retrieval options.


@ti-chi-bot ti-chi-bot bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has signed the dco. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 14, 2025
@ti-chi-bot ti-chi-bot bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 11, 2025
coderabbitai bot commented Jan 21, 2026

Walkthrough

Added router-service PD options to region and store lookups; extended store fetch API to accept variadic GetStore options (one-time router option on initial resolve); updated PD interceptor, mocks, and tests to forward GetStore options; bumped github.com/tikv/pd/client and several indirect Go module versions across examples and integration tests.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Version Updates: go.mod, integration_tests/go.mod, examples/gcworker/go.mod, examples/rawkv/go.mod, examples/txnkv/*.go.mod | Bumped github.com/tikv/pd/client pseudo-version and multiple indirect deps (golang.org/x/*, google.golang.org/grpc, google.golang.org/protobuf, genproto entries). integration_tests/go.mod also updates/adds several indirects and uses temporary replace directives. |
| Region cache: PD call options: internal/locate/region_cache.go | Region load/scan calls now include opt.WithAllowRouterServiceHandle() alongside existing follower options when loading or scanning regions. |
| Store cache: API & one-time option: internal/locate/store_cache.go | storeRegistry.fetchStore and storeCacheImpl.fetchStore now accept opts ...opt.GetStoreOption; initial resolve applies a one-time opt.WithAllowRouterServiceHandleStoreRequest(); updater calls include router-store option with opt.WithExcludeTombstone(). |
| PD interceptor & mocks: forward options: util/pd_interceptor.go, internal/mockstore/mocktikv/pd.go, integration_tests/split_test.go | GetStore signature changed to accept opts ...opt.GetStoreOption; interceptor, mock, and test implementations forward opts... to underlying PD client. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Cache as Cache (region/store)
  participant PD as PD Client
  participant Router as Router Service
  participant Store as Store Meta

  Cache->>PD: GetRegion/GetStore(ctx, id, opts: AllowFollowerHandle, AllowRouterServiceHandle)
  PD->>Router: route request (router-service option present)
  Router-->>PD: routed response
  PD->>Store: GetStore(ctx, storeID, opts...)
  Store-->>PD: store metadata
  PD-->>Cache: return region/store metadata
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • lhy1024
  • cfzjywxk

Poem

🐇 I nudged some modules, hopped the PD trail,

A one-time wink, then routers set sail.
Caches learned new steps, calls pass options through,
Tests and mocks now echo the view.
✨ A tiny hop for code — builds bright and hale.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding support for a new WithAllowRouterServiceHandle option for accessing the router service. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
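
The walkthrough above says the interceptor, mock and test implementations must forward `opts...` once `GetStore` becomes variadic. The Go program below is an added example, not code from client-go or the PD client: it shows why that matters, since a wrapper that omits `opts...` still compiles and silently drops the router-service option. All type and function names in it (`getStoreOp`, `WithAllowRouterService`, `Observe`, the two interceptors) are hypothetical stand-ins.

```go
package main

import (
	"context"
	"fmt"
)

// getStoreOp holds the per-call settings. Hypothetical stand-in for the PD
// client's option struct; only the two flags this PR discusses are modelled.
type getStoreOp struct {
	excludeTombstone   bool
	allowRouterService bool
}

// GetStoreOption is a functional option (hypothetical local type).
type GetStoreOption func(*getStoreOp)

func WithExcludeTombstone() GetStoreOption {
	return func(o *getStoreOp) { o.excludeTombstone = true }
}

func WithAllowRouterService() GetStoreOption {
	return func(o *getStoreOp) { o.allowRouterService = true }
}

// StoreClient is the narrow slice of a PD-style client that a store cache uses.
type StoreClient interface {
	GetStore(ctx context.Context, id uint64, opts ...GetStoreOption) (string, error)
}

// recordingBackend is a constructed backend that records what each call resolved to.
type recordingBackend struct{ calls []getStoreOp }

func (b *recordingBackend) GetStore(_ context.Context, id uint64, opts ...GetStoreOption) (string, error) {
	var op getStoreOp
	for _, apply := range opts {
		apply(&op)
	}
	b.calls = append(b.calls, op)
	return fmt.Sprintf("store-%d", id), nil
}

// forwardingInterceptor passes the caller's options through unchanged.
type forwardingInterceptor struct{ next StoreClient }

func (f forwardingInterceptor) GetStore(ctx context.Context, id uint64, opts ...GetStoreOption) (string, error) {
	return f.next.GetStore(ctx, id, opts...)
}

// droppingInterceptor satisfies the same interface and compiles cleanly, but
// omits `opts...`, so every option is lost before it reaches the backend.
type droppingInterceptor struct{ next StoreClient }

func (d droppingInterceptor) GetStore(ctx context.Context, id uint64, opts ...GetStoreOption) (string, error) {
	return d.next.GetStore(ctx, id)
}

// fetchStore mirrors the variadic signature described in the walkthrough.
func fetchStore(ctx context.Context, c StoreClient, id uint64, opts ...GetStoreOption) (string, error) {
	return c.GetStore(ctx, id, opts...)
}

// Observe runs an initial resolve and a refresh through the given wrapper and
// returns the options the backend actually received for each call.
func Observe(wrap func(StoreClient) StoreClient) []getStoreOp {
	backend := &recordingBackend{}
	client := wrap(backend)
	ctx := context.Background()
	// Initial resolve: router option only.
	_, _ = fetchStore(ctx, client, 1, WithAllowRouterService())
	// Refresh: router option plus tombstone exclusion.
	_, _ = fetchStore(ctx, client, 1, WithAllowRouterService(), WithExcludeTombstone())
	return backend.calls
}

func main() {
	fwd := Observe(func(c StoreClient) StoreClient { return forwardingInterceptor{next: c} })
	drop := Observe(func(c StoreClient) StoreClient { return droppingInterceptor{next: c} })
	fmt.Printf("forwarding: %+v\n", fwd)
	fmt.Printf("dropping:   %+v\n", drop)
}
```

A test that asserts on what the backend received, rather than on the returned store, is what catches the dropping wrapper.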


@bufferflies bufferflies marked this pull request as ready for review January 21, 2026 07:53
@ti-chi-bot ti-chi-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 21, 2026
Signed-off-by: bufferflies <1045931706@qq.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@internal/locate/store_cache.go`:
- Around line 59-61: Update the method signature of storeCacheImpl.fetchStore to
accept the new variadic options parameter so it matches storeRegistry: change
fetchStore(ctx context.Context, id uint64) to fetchStore(ctx context.Context, id
uint64, opts ...opt.GetStoreOption); within the method forward those opts when
calling the underlying registry/fetch (and update any internal calls to pass
through opts), and update any places that call storeCacheImpl.fetchStore to
supply or forward the options as needed so the implementation satisfies the
storeRegistry interface.
♻️ Duplicate comments (5)
examples/txnkv/async_commit/go.mod (1)

34-34: Same pd/client bump verification applies here.
Please see the verification request in the root go.mod review comment.

examples/gcworker/go.mod (1)

34-34: Same pd/client bump verification applies here.
Please see the verification request in the root go.mod review comment.

examples/txnkv/pessimistic_txn/go.mod (1)

34-34: Same pd/client bump verification applies here.
Please see the verification request in the root go.mod review comment.

examples/rawkv/go.mod (1)

34-34: Same pd/client bump verification applies here.
Please see the verification request in the root go.mod review comment.

examples/txnkv/delete_range/go.mod (1)

34-34: Same pd/client bump verification applies here.
Please see the verification request in the root go.mod review comment.

Signed-off-by: bufferflies <1045931706@qq.com>
Signed-off-by: bufferflies <1045931706@qq.com>
@ti-chi-bot ti-chi-bot bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 21, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@integration_tests/go.mod`:
- Around line 182-183: Update the PR and repository notes to document the fork
usage: state whether the TiDB changes in the go.mod replace directives
(github.com/pingcap/tidb => github.com/bufferflies/tidb and
github.com/pingcap/tidb/pkg/parser => github.com/bufferflies/tidb/pkg/parser)
are intended to be upstreamed to pingcap/tidb, provide a concrete
timeline/milestones for replacing the fork with canonical versions before
merging to master, and enumerate the exact patches/commits or feature diffs from
the fork required to support the router service so reviewers and downstreams can
reproduce and evaluate the changes.
🧹 Nitpick comments (1)
integration_tests/go.mod (1)

37-38: Check for security advisories in updated indirect dependencies.

Recent CVEs have been published for golang.org/x/crypto and golang.org/x/net. While the versions in this update (v0.47.0 and v0.49.0 respectively) are patched versions, it's good practice to review the security changelog:

  • golang.org/x/crypto — Several SSH-related DoS CVEs fixed in v0.45.0 and earlier
  • golang.org/x/net — NO_PROXY and HTML parsing CVEs addressed in recent patches
  • Other dependencies (gopkg.in/ini.v1, Alibaba Cloud packages) have no known public advisories at their specified versions

Comment on lines 182 to 183
github.com/pingcap/tidb => github.com/bufferflies/tidb v0.0.0-20260121115107-e127d738bb02
github.com/pingcap/tidb/pkg/parser => github.com/bufferflies/tidb/pkg/parser v0.0.0-20260121115107-e127d738bb02
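
Review bot: both replace lines redirect github.com/pingcap/tidb and its parser to github.com/bufferflies/tidb at pseudo-version v0.0.0-20260121115107-e127d738bb02, with nothing next to them saying why. Add a comment above the two lines that names the fork branch linked in the PR description (feat/support_router) and the condition for deleting them, so the redirect is not carried along after pingcap/tidb has the change.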

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Check if integration_tests/go.mod exists and read the relevant lines

if [ -f "integration_tests/go.mod" ]; then
  echo "=== File exists. Reading lines 180-185 for context ==="
  sed -n '180,185p' integration_tests/go.mod | cat -n
  echo ""
  echo "=== Total lines in file ==="
  wc -l integration_tests/go.mod
else
  echo "File not found at integration_tests/go.mod"
  # Try to locate it
  find . -name "go.mod" -type f 2>/dev/null | head -10
fi
```

Repository: tikv/client-go

Length of output: 561


🏁 Script executed:

```bash
#!/bin/bash
# Search for recent commits or messages related to bufferflies or this fork
echo "=== Searching git log for 'bufferflies' or 'tidb' fork references ==="
git log --oneline --all --grep="bufferflies\|fork" 2>/dev/null | head -20

echo ""
echo "=== Searching for any documentation about this fork ==="
find . -type f \( -name "*.md" -o -name "*.txt" \) -exec grep -l "bufferflies\|fork.*tidb" {} \; 2>/dev/null | head -10
```

Repository: tikv/client-go

Length of output: 663


🏁 Script executed:

```bash
#!/bin/bash
# Check recent changes to go.mod file
echo "=== Recent commits touching go.mod files ==="
git log --oneline --all -- "**/go.mod" 2>/dev/null | head -15

echo ""
echo "=== Check if there's a go.mod in root or other locations ==="
find . -maxdepth 3 -name "go.mod" -type f 2>/dev/null
```

Repository: tikv/client-go

Length of output: 1315


Fork replacement requires clarification on upstreaming and timeline.

The replace directives point to a fork (bufferflies/tidb) instead of the canonical pingcap/tidb repository. While this may be acceptable for development/testing, this setup:

  1. Prevents reproducible builds in downstream consumers
  2. Requires clarity on what changes in the fork are necessary
  3. Needs a defined timeline and plan for migrating back to canonical versions before merging to master

Please clarify:

  • Are these TiDB changes planned to be upstreamed to pingcap/tidb?
  • What is the timeline for replacing this fork with canonical versions?
  • What specific changes in the fork are required for the router service support?
🤖 Prompt for AI Agents
In `@integration_tests/go.mod` around lines 182 - 183, Update the PR and
repository notes to document the fork usage: state whether the TiDB changes in
the go.mod replace directives (github.com/pingcap/tidb =>
github.com/bufferflies/tidb and github.com/pingcap/tidb/pkg/parser =>
github.com/bufferflies/tidb/pkg/parser) are intended to be upstreamed to
pingcap/tidb, provide a concrete timeline/milestones for replacing the fork with
canonical versions before merging to master, and enumerate the exact
patches/commits or feature diffs from the fork required to support the router
service so reviewers and downstreams can reproduce and evaluate the changes.
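
The fork concern raised in this review can be checked mechanically. The Go program below is an added example, not code from client-go or CodeRabbit: it lists replace directives that move a module to a different owner and decodes each pseudo-version into its commit time and commit prefix. The go.mod fragment is constructed around the two replace lines quoted above; its module path and block layout are assumptions, and the parser is a standard-library sketch rather than golang.org/x/mod.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// pseudoRe matches Go pseudo-versions closely enough for auditing: a base
// version, an optional pre-release prefix, a 14-digit UTC timestamp and a
// 12-character commit prefix.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-([0-9a-f]{12})(?:\+incompatible)?$`)

// ParsePseudo returns the commit time and commit prefix encoded in v.
func ParsePseudo(v string) (time.Time, string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[1])
	if err != nil {
		return time.Time{}, "", false
	}
	return t, m[2], true
}

// Replace is one replace directive: Old => New Version.
type Replace struct{ Old, New, Version string }

// ParseReplaces extracts replace directives in single-line and block form.
func ParseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if !ok || len(l) == 0 || len(r) == 0 {
			continue
		}
		rep := Replace{Old: l[0], New: r[0]}
		if len(r) > 1 {
			rep.Version = r[1]
		}
		out = append(out, rep)
	}
	return out
}

// owner returns "host/owner" for paths such as github.com/owner/repo.
func owner(path string) string {
	p := strings.SplitN(path, "/", 3)
	if len(p) < 2 {
		return path
	}
	return p[0] + "/" + p[1]
}

// Finding is the audit result for one replace directive.
type Finding struct {
	Replace
	Local      bool // replacement is a filesystem path
	CrossOwner bool // replacement lives under a different host/owner
	Pseudo     bool // pinned to an untagged commit
	Commit     string
	CommitTime time.Time
}

// Audit classifies every replace directive in the go.mod text.
func Audit(gomod string) []Finding {
	var out []Finding
	for _, r := range ParseReplaces(gomod) {
		f := Finding{Replace: r}
		f.Local = strings.HasPrefix(r.New, ".") || strings.HasPrefix(r.New, "/")
		f.CrossOwner = !f.Local && owner(r.Old) != owner(r.New)
		f.CommitTime, f.Commit, f.Pseudo = ParsePseudo(r.Version)
		out = append(out, f)
	}
	return out
}

// sampleGoMod is constructed; only the two replace lines come from the review above.
const sampleGoMod = `module example.com/integration_tests // constructed module path

replace (
	github.com/pingcap/tidb => github.com/bufferflies/tidb v0.0.0-20260121115107-e127d738bb02
	github.com/pingcap/tidb/pkg/parser => github.com/bufferflies/tidb/pkg/parser v0.0.0-20260121115107-e127d738bb02
)
`

func main() {
	for _, f := range Audit(sampleGoMod) {
		fmt.Printf("%s => %s cross-owner=%v commit=%s time=%s\n",
			f.Old, f.New, f.CrossOwner, f.Commit, f.CommitTime.Format(time.RFC3339))
	}
}
```

A version string without the trailing commit prefix, such as `v0.0.0-20260122075414`, is rejected by `ParsePseudo`, so a truncated pseudo-version shows up as a parse failure instead of being looked up.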

Signed-off-by: bufferflies <1045931706@qq.com>
Signed-off-by: bufferflies <1045931706@qq.com>
Signed-off-by: bufferflies <1045931706@qq.com>
@ti-chi-bot ti-chi-bot bot added the needs-1-more-lgtm Indicates a PR needs 1 more LGTM. label Jan 22, 2026

ti-chi-bot bot commented Jan 22, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-01-22 02:33:21.332870758 +0000 UTC m=+634028.946827614: ☑️ agreed by lcwangchao.


ti-chi-bot bot commented Jan 22, 2026

@okJiang: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


ti-chi-bot bot commented Jan 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lcwangchao, okJiang
Once this PR has been reviewed and has the lgtm label, please assign you06 for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bufferflies bufferflies requested a review from rleungx January 22, 2026 08:09
Signed-off-by: bufferflies <1045931706@qq.com>
@ti-chi-bot ti-chi-bot bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 22, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@examples/rawkv/go.mod`:
- Line 34: Confirm and validate the updated Go module dependencies by checking
that github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9,
google.golang.org/grpc v1.75.1, and google.golang.org/protobuf v1.36.6 are
intentional and secure: run go mod tidy to resolve and clean modules, run a
vulnerability scan (e.g., go list -json ./... | nancy sleuth or `govulncheck`)
against these modules, and if any advisories appear pin or roll back the
offending module(s) or update to a patched release; ensure the final
go.mod/go.sum reflect the chosen, verified versions for
github.com/tikv/pd/client, google.golang.org/grpc, and
google.golang.org/protobuf.

In `@examples/txnkv/async_commit/go.mod`:
- Around line 34-49: Update the vulnerable dependency golang.org/x/net to
v0.45.0 or later in the module list (replace the existing golang.org/x/net
v0.41.0 entry), and verify the availability of the pseudo-version for
github.com/tikv/pd/client v0.0.0-20260122075414 by querying the Go module proxy
or listing available versions (use go list -m -versions or fetch the proxy
metadata) before committing; adjust the tikv/pd/client version to a resolvable
tag or commit if the pseudo-version is not present.

In `@examples/txnkv/delete_range/go.mod`:
- Around line 34-49: The google.golang.org/genproto pseudo-version listed
(v0.0.0-20250707201910-8d1bb00bc6a7) requires Go toolchain >= 1.22.11 and
changes submodule layout; verify your Go version and either upgrade the project
toolchain or pin genproto to a compatible release (or revert to the prior
genproto version) in go.mod, then run go mod tidy and build/test the code to
confirm imports resolve; also consider updating google.golang.org/grpc and
google.golang.org/protobuf to their newer patch releases (e.g., grpc v1.76.0,
protobuf v1.36.11) if you want the latest patches.
♻️ Duplicate comments (1)
integration_tests/go.mod (1)

183-185: Fork dependency issue previously flagged.

The replace directives pointing to github.com/bufferflies/tidb fork have already been identified in previous review comments. Please address the concerns raised about upstreaming timeline and migration plan.

github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/tiancaiamao/gp v0.0.0-20221230034425-4025bc8a4d4a // indirect
github.com/tikv/pd/client v0.0.0-20260119083144-b273ae0421dd // indirect
github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9 // indirect
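
Review bot: the github.com/tikv/pd/client line moves from pseudo-version ...-b273ae0421dd to ...-848dd85011e9, and both are untagged commits, so the version string alone does not tell a reviewer what changed. State in the PR description which pd commit or PR 848dd85011e9 corresponds to, so it can be confirmed that it carries the router-service options this change depends on.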

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Check if versions exist and get information from pkg.go.dev
echo "=== Checking gRPC v1.75.1 ==="
curl -s -I "https://pkg.go.dev/google.golang.org/grpc@v1.75.1" | head -1

echo -e "\n=== Checking protobuf v1.36.6 ==="
curl -s -I "https://pkg.go.dev/google.golang.org/protobuf@v1.36.6" | head -1

echo -e "\n=== Checking tikv/pd/client pseudo-version ==="
curl -s -I "https://pkg.go.dev/github.com/tikv/pd/client@v0.0.0-20260122075414-848dd85011e9" | head -1

# Also try to find release info
echo -e "\n=== Checking gRPC releases on GitHub ==="
curl -s "https://api.github.com/repos/grpc/grpc-go/releases?per_page=10" | jq -r '.[].tag_name' | head -10
```

Repository: tikv/client-go

Length of output: 353


🌐 Web query:

google.golang.org/grpc version 1.75.1 release notes

💡 Result:

Here are the release notes for google.golang.org/grpc v1.75.1 (grpc-go):

  • Bug fixes:
    • transport: fix a data race while copying headers for stats handlers in the std lib http2 server transport. (#8519). [1]
    • xdsclient: fix a data race caused while reporting load to LRS. (#8483). [1]
    • xdsclient: fix regression preventing empty node IDs when creating an LRS client. (#8483). [1]
    • server: fix a regression preventing streams from being cancelled or timed out when blocked on flow control. (#8528). [1]

Version constant in the module: Version = "1.75.1". [2]

Sources:
[1] grpc/grpc-go release v1.75.1.
[2] google.golang.org/grpc/version.go (module Version = "1.75.1").


🌐 Web query:

google.golang.org/protobuf version 1.36.6 release notes

💡 Result:

Release v1.36.6 (protocolbuffers/protobuf-go) — summary

  • User-visible changes:

    • internal_gengo: generate a const string literal for the raw descriptor (CL/657895).
    • proto: Add CloneOf[M Message](m M) M (CL/653536). (github.com)
  • Maintenance:

    • all: set Go language version to Go 1.22 (CL/649135).
    • types/descriptorpb: regenerate using latest protobuf v30 release (CL/654955). (github.com)
  • Published: tag v1.36.6 on GitHub (see full changelog: compare v1.36.5...v1.36.6). (github.com)

Would you like the full changelog diff or the specific CL links?



Verify dependency versions for security and validity.

The updated dependency versions should be checked for known vulnerabilities:

  • github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9
  • google.golang.org/grpc v1.75.1 (minor version bump from v1.64.0)
  • google.golang.org/protobuf v1.36.6 (minor version bump from v1.34.2)

All three versions are resolvable and available. Consider running go mod tidy and checking for security advisories using go list -json ... | nancy sleuth or similar tooling.

🤖 Prompt for AI Agents
In `@examples/rawkv/go.mod` at line 34, Confirm and validate the updated Go module
dependencies by checking that github.com/tikv/pd/client
v0.0.0-20260122075414-848dd85011e9, google.golang.org/grpc v1.75.1, and
google.golang.org/protobuf v1.36.6 are intentional and secure: run go mod tidy
to resolve and clean modules, run a vulnerability scan (e.g., go list -json
./... | nancy sleuth or `govulncheck`) against these modules, and if any
advisories appear pin or roll back the offending module(s) or update to a
patched release; ensure the final go.mod/go.sum reflect the chosen, verified
versions for github.com/tikv/pd/client, google.golang.org/grpc, and
google.golang.org/protobuf.

Comment on lines +34 to +49
github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9 // indirect
github.com/twmb/murmur3 v1.1.3 // indirect
go.etcd.io/etcd/api/v3 v3.5.10 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
go.etcd.io/etcd/client/v3 v3.5.10 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/sync v0.12.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
google.golang.org/grpc v1.64.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
golang.org/x/net v0.41.0 // indirect
golang.org/x/sync v0.15.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/text v0.26.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/grpc v1.75.1 // indirect
google.golang.org/protobuf v1.36.6 // indirect
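
Review bot: every line in this range is marked `// indirect`, including the golang.org/x/net move from v0.38.0 to v0.41.0 and google.golang.org/grpc from v1.64.0 to v1.75.1, so none of these versions should be a hand edit. Regenerate the block with go mod tidy after the pd/client change on line 34 and commit the matching go.sum update with it, so the indirect versions are the ones the module graph actually selects.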

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

golang.org/x/net v0.41.0 security advisories CVE

💡 Result:

Short answer — which CVEs relate to golang.org/x/net around v0.41.0 and whether v0.41.0 is affected:

  • CVE-2024-45338 — non-linear (DoS) parsing in x/net/html. Affects versions < v0.33.0; fixed earlier, so v0.41.0 is not vulnerable. [1][2]
  • CVE-2025-22872 — tokenizer / XSS-like DOM-scope issue. Affects < v0.38.0; fixed in v0.38.0, so v0.41.0 is not vulnerable. [3][1]
  • CVE-2025-22870 — NO_PROXY host-matching issue. Fixed in v0.36.0; v0.41.0 is not vulnerable. [4][1]
  • CVE-2025-47911 and CVE-2025-58190 — HTML parser performance (quadratic) / infinite-loop issues announced as fixed in v0.45.0; these were addressed after v0.41.0, so v0.41.0 may still be affected. [5][1]

Sources: tag/release for v0.41.0 (go.googlesource). [1] GitHub advisory / OSV entries and related advisories for CVE-2025-22872 and others. [2][3][4][5]

If you want, I can fetch the specific NVD/OSV/GitHub advisory pages for any of the CVEs above.


🌐 Web query:

golang.org/x/sys v0.33.0 security advisories

💡 Result:

I couldn't find any public security advisories or CVEs that specifically name golang.org/x/sys v0.33.0. The package tag v0.33.0 is published (git tag). [1][2]

Notes and related findings:

  • The GitLab/Snyk advisories pages for golang.org/x/sys list older/general advisories but show no CVE tied to v0.33.0. [3][4]
  • Nearby x/* modules (for example golang.org/x/net) have had CVEs that reference bumps to v0.33.0 of that module — but those are for x/net, not x/sys. [5]

Sources:

  1. go.googlesource.com sys refs/tags v0.33.0. [1]
  2. git activity / package updates referencing v0.33.0 (examples). [2]
  3. GitLab advisory database — golang.org/x/sys. [3]
  4. Snyk — golang.org/x/sys/unix vulnerabilities. [4]
  5. CVE / discussion for golang.org/x/net (CVE-2024-45338) — fixed in x/net v0.33.0. [5]

If you want, I can run a deeper CVE/NVD search (by CVE list, NVD, GitHub Advisory DB, and vendor issue trackers) and return any new/ongoing findings.


🌐 Web query:

golang.org/x/sync v0.15.0 release notes

💡 Result:

golang.org/x/sync v0.15.0 — tag created May 28, 2025: single change "errgroup: remove duplicated comment" (errgroup/errgroup.go). [1]

Sources:
[1] go.googlesource.com/sync refs/tags/v0.15.0.


🌐 Web query:

google.golang.org/grpc v1.75.1 security advisories

💡 Result:

I found no security advisories specifically for google.golang.org/grpc v1.75.1. The v1.75.1 release notes list bug fixes but do not mention security fixes. (github.com)

Relevant past advisories for grpc-go (not specific to 1.75.1):

If you want, I can:

  • scan public advisory databases (NVD, GitHub Security, Snyk, OSV) for any additional entries referencing 1.75.1, or
  • check whether any downstream scanners report v1.75.1 as vulnerable. Which would you like?



🌐 Web query:

google.golang.org/protobuf v1.36.6 security vulnerabilities

💡 Result:

Short answer: There are no publicly disclosed vulnerabilities that affect google.golang.org/protobuf v1.36.6 — known protobuf-Go security issues (notably CVE-2024-24786 and earlier CVE-2023-24535) were fixed in earlier releases.

Details / evidence:

  • CVE-2024-24786 (infinite loop in protojson.Unmarshal) affects versions before 1.33.0 and is fixed in 1.33.0 and later. [1][2][3]
  • CVE-2023-24535 (text-format parse panic / DoS) affected v1.29.0 and was fixed in the v1.29.1 line. [4]
  • v1.36.6 release notes / changelog show patch-level maintenance (v1.36.6 is a post-1.33.0 release), and downstream package trackers list 1.33.0+ as the fixed baseline for CVE-2024-24786. [5][1]

Recommended action: keep using v1.36.6 (or upgrade to the latest protobuf-go) and monitor official advisories (Go vuln DB, GitHub Releases, NVD) for new disclosures.

Sources:

  1. GitLab Advisory (CVE-2024-24786) — golang google.golang.org/protobuf. [GitLab Advisory].
  2. Snyk entry for CVE-2024-24786.
  3. Debian security tracker / fix information for CVE-2024-24786.
  4. Wiz / NVD summary for CVE-2023-24535.
  5. protobuf-go v1.36.6 release / changelog references (GitHub / package update records).

If you want, I can fetch the exact links (NVD, GitHub CL/commit IDs, pkg.go.dev vuln entries) and attach them.


🌐 Web query:

github.com/tikv/pd/client v0.0.0-20260122075414 availability

💡 Result:

Short answer: I can't find evidence that the specific pseudo-version string "github.com/tikv/pd/client v0.0.0-20260122075414" is already served by the public Go proxy. To check for yourself, run the commands below; they query the module proxy or your Go tool directly.

How to check availability

Notes

  • Pseudo-versions follow the Go modules format v0.0.0-yyyymmddhhmmss- and refer to a specific commit; the Go docs explain this format. [2]
  • proxy.golang.org may take up to ~1 minute to serve a newly tagged version after it’s requested, and in some cache situations up to ~30 minutes; if you recently pushed a tag/commit, explicitly run go get module@version to prime the proxy. See the proxy FAQ. [1]

Sources

  • proxy.golang.org (mirror / FAQ / index). [1]
  • Go modules reference (pseudo-version format). [2]
  • pkg.go.dev page for github.com/tikv/pd/client (module exists; use commands above to check versions). [3]

References
[1] https://proxy.golang.org/
[2] https://tip.golang.org/ref/mod (Go modules — pseudo-versions)
[3] https://pkg.go.dev/github.com/tikv/pd/client

If you want, I can run the exact proxy query for you and report the live result.


🌐 Web query:

golang.org/x/text v0.26.0 security issues

💡 Result:

Short answer: There are no public CVEs reported that specifically target golang.org/x/text v0.26.0. The known high‑severity issues affect much older x/text releases (fixed in v0.3.7 / v0.3.8); update to a patched release (or the latest tag) if you depend on language parsing. [1][2][3]. (go.googlesource.com)

Sources

  • golang.org/x/text tag v0.26.0. (go.googlesource.com)
  • CVE‑2022‑32149 (ParseAcceptLanguage DoS) — affects versions before 0.3.8; fixed in 0.3.8. (cvedetails.com)
  • CVE‑2021‑38561 (BCP‑47 parsing out‑of‑bounds read) — affects versions before 0.3.7; fixed in 0.3.7. (cvedetails.com)

If you want, I can:

  • check your project's go.sum/go.mod to see whether you actually use v0.26.0 or a transitive version, or
  • find the latest released x/text tag and recommend an exact upgrade command.



Address golang.org/x/net vulnerability and verify tikv/pd/client module availability.

  • golang.org/x/net v0.41.0: May be vulnerable to CVE-2025-47911 and CVE-2025-58190 (HTML parser performance/infinite-loop issues) fixed in v0.45.0. Consider upgrading to v0.45.0 or later.
  • github.com/tikv/pd/client v0.0.0-20260122075414: Verify this pseudo-version is available on the Go module proxy. Run go list -m -versions github.com/tikv/pd/client or curl -f https://proxy.golang.org/github.com/tikv/pd/client/@v/v0.0.0-20260122075414.info to confirm.
  • Other versions (golang.org/x/sys v0.33.0, golang.org/x/sync v0.15.0, golang.org/x/text v0.26.0, google.golang.org/grpc v1.75.1, google.golang.org/protobuf v1.36.6) have no known CVEs affecting these versions.
🤖 Prompt for AI Agents
In `@examples/txnkv/async_commit/go.mod` around lines 34 - 49, Update the
vulnerable dependency golang.org/x/net to v0.45.0 or later in the module list
(replace the existing golang.org/x/net v0.41.0 entry), and verify the
availability of the pseudo-version for github.com/tikv/pd/client
v0.0.0-20260122075414 by querying the Go module proxy or listing available
versions (use go list -m -versions or fetch the proxy metadata) before
committing; adjust the tikv/pd/client version to a resolvable tag or commit if
the pseudo-version is not present.

Comment on lines +34 to +49
github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9 // indirect
github.com/twmb/murmur3 v1.1.3 // indirect
go.etcd.io/etcd/api/v3 v3.5.10 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
go.etcd.io/etcd/client/v3 v3.5.10 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/sync v0.12.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
google.golang.org/grpc v1.64.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
golang.org/x/net v0.41.0 // indirect
golang.org/x/sync v0.15.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/text v0.26.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/grpc v1.75.1 // indirect
google.golang.org/protobuf v1.36.6 // indirect

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

golang.org/x/net v0.41.0 release date security advisories

💡 Result:

  • Release date: golang.org/x/net v0.41.0 — June 5, 2025. [1]

  • Relevant security advisories (and fixed-in versions):

    • CVE-2024-45338 (non-linear/DoS in html.Parse) — affects < 0.33.0; fixed in 0.33.0. [4]
    • CVE-2025-22870 (NO_PROXY IPv6 zone‑ID host matching) — affects < 0.36.0; fixed in 0.36.0. [2]
    • CVE-2025-22872 / GHSA‑vvgc‑356p‑c3xw (tokenizer/XSS-related behavior) — affects < 0.38.0; fixed in 0.38.0. [3]

Conclusion: v0.41.0 (released June 5, 2025) is newer than the fixed-in versions above and therefore includes those fixes. References: [1][2][3][4].

Sources
[1] Release listing for golang.org/x/net (libraries.io).
[2] CVE-2025-22870 details.
[3] GitHub Advisory (GHSA‑vvgc‑356p‑c3xw / CVE-2025-22872).
[4] CVE-2024-45338 details.


🌐 Web query:

golang.org/x/sync v0.15.0 golang.org/x/sys v0.33.0 golang.org/x/text v0.26.0

💡 Result:

All three versions exist (tagged releases):

  • golang.org/x/sync v0.15.0 — tagged. [1]
  • golang.org/x/sys v0.33.0 — tagged. [2]
  • golang.org/x/text v0.26.0 — tagged. [3]

Sources: official repos/tags.

References

  1. go.googlesource.com/sync refs/tags/v0.15.0. (go.googlesource.com)
  2. go.googlesource.com/sys refs/tags/v0.33.0. (go.googlesource.com)
  3. go.googlesource.com/text refs/tags/v0.26.0. (go.googlesource.com)



🌐 Web query:

google.golang.org/grpc v1.75.1 google.golang.org/protobuf v1.36.6 latest versions

💡 Result:

As of now (Jan 22, 2026):

  • google.golang.org/grpc — latest stable: v1.76.0 (released Oct 20, 2025). [1]
  • google.golang.org/protobuf — latest: v1.36.11 (released Dec 12, 2025). [2]

Sources:
[1] grpc releases (v1.76.0).
[2] protocolbuffers/protobuf-go releases (v1.36.11).


🌐 Web query:

github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9

💡 Result:

That string is a Go pseudo-version for module github.com/tikv/pd/client: v0.0.0-20260122075414-848dd85011e9 encodes a UTC commit timestamp (2026-01-22 07:54:14) and the 12‑char commit prefix 848dd85011e9. Go generates/uses pseudo-versions when no semver tag exists for the commit. [1][2]

Commands to fetch or verify it locally:

  • Fetch the module (Go will resolve the pseudo-version):
    go get github.com/tikv/pd/client@v0.0.0-20260122075414-848dd85011e9
  • Show resolved info (JSON):
    go list -m -json github.com/tikv/pd/client@v0.0.0-20260122075414-848dd85011e9
  • Alternatively give the commit hash and let Go generate the pseudo-version:
    go get github.com/tikv/pd/client@848dd85011e9

If you want to confirm the commit on GitHub, look up the repository and search that commit hash in the tikv/pd repo. [2][1]

Sources:
[1] Go modules — pseudo-version format and rules.
[2] tikv/pd repository on GitHub.


🌐 Web query:

google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 breaking changes

💡 Result:

Short answer: yes — that pseudo-version (v0.0.0-20250707201910-8d1bb00bc6a7) has caused breaking/build issues for users. Two classes of breaking changes reported:

  • go.mod / toolchain requirement bumped Go minimum (was changed to require Go 1.22.11), which broke CI/builds for projects still targeting older Go versions. [1]
  • The repo has previously introduced new submodules and package re-layout (aliases/back-refs) that can produce ambiguous-import problems unless consumers upgrade to a newer genproto that contains the submodule split. Users were warned to upgrade before the 2024-03-01 deadline; the submodule changes can break imports if not updated. [2][3]

Recommendations:

  • If you see build errors after updating to that version, check go.mod for the required "go" version and either upgrade your Go toolchain to >= the required version or pin genproto to an earlier compatible version.
  • Run go mod why / go list -m -json to inspect what requires the genproto pseudo-version and consider updating dependent modules (cloud.google.com/go / google.golang.org/protobuf) together to a consistent set to avoid ambiguous imports.

Sources: [1] Issue reporting go.mod patch forcing Go toolchain requirement. [2] Issue and README note about submodule/new-submodule ambiguous-import changes. [3] go-genproto repo README (warning about submodules).


Review google.golang.org/genproto version for Go toolchain compatibility.

The google.golang.org/genproto pseudo-version v0.0.0-20250707201910-8d1bb00bc6a7 bumps the go.mod toolchain requirement to Go 1.22.11 or later and introduces breaking submodule layout changes. Verify that your Go toolchain meets this requirement and that consuming code resolves imports correctly. Consider running go mod tidy and testing builds after this update.

Other dependency bumps (golang.org/x/*, google.golang.org/grpc, google.golang.org/protobuf, github.com/tikv/pd/client) are valid; grpc v1.75.1 and protobuf v1.36.6 have newer patch versions available (v1.76.0 and v1.36.11 respectively) if updates are desired.

🤖 Prompt for AI Agents
In `@examples/txnkv/delete_range/go.mod` around lines 34 - 49, The
google.golang.org/genproto pseudo-version listed
(v0.0.0-20250707201910-8d1bb00bc6a7) requires Go toolchain >= 1.22.11 and
changes submodule layout; verify your Go version and either upgrade the project
toolchain or pin genproto to a compatible release (or revert to the prior
genproto version) in go.mod, then run go mod tidy and build/test the code to
confirm imports resolve; also consider updating google.golang.org/grpc and
google.golang.org/protobuf to their newer patch releases (e.g., grpc v1.76.0,
protobuf v1.36.11) if you want the latest patches.
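
The pseudo-version encoding described in the review comment above (a UTC commit timestamp plus a 12-character commit prefix), as an added example that is not part of the PR or of the bot's comment: a Go program that lists the go.mod requirements pinned to untagged commits, so each revision can be checked against its upstream repository. `PseudoPin`, `AuditGoMod`, `pseudoRE` and `sampleGoMod` are hypothetical names, and the pattern is a simplified assumption, not the Go toolchain's own parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// PseudoPin is a go.mod requirement pinned to an untagged commit.
type PseudoPin struct {
	Module, Version, Rev string    // Rev is the 12-character commit hash prefix
	Commit               time.Time // UTC commit timestamp encoded in the version
	Indirect             bool
}

// Simplified pattern (an assumption): vX.0.0-TS-REV, vX.Y.Z-pre.0.TS-REV, vX.Y.Z-0.TS-REV.
var pseudoRE = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.+\.0\.|0\.)?(\d{14})-([0-9a-f]{12})(?:\+incompatible)?$`)

// Constructed sample; the versions are the ones quoted on this page.
const sampleGoMod = `
github.com/tikv/pd/client v0.0.0-20260122075414-848dd85011e9
google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
google.golang.org/grpc v1.75.1 // indirect
`

// AuditGoMod returns every requirement line that resolves to a pseudo-version.
func AuditGoMod(text string) []PseudoPin {
	var pins []PseudoPin
	for _, line := range strings.Split(text, "\n") {
		code, comment, _ := strings.Cut(line, "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(code), "require "))
		if len(f) != 2 {
			continue // not a "module version" pair
		}
		if m := pseudoRE.FindStringSubmatch(f[1]); m != nil {
			if ts, err := time.Parse("20060102150405", m[1]); err == nil {
				pins = append(pins, PseudoPin{f[0], f[1], m[2], ts, strings.TrimSpace(comment) == "indirect"})
			}
		}
	}
	return pins
}

func main() {
	for _, p := range AuditGoMod(sampleGoMod) {
		fmt.Println(p.Module, p.Rev, p.Commit.Format(time.RFC3339), p.Indirect)
	}
}
```

Tagged releases such as grpc v1.75.1 are skipped; only the pins that need a manual commit lookup are returned.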

Labels

dco-signoff: yes Indicates the PR's author has signed the dco. needs-1-more-lgtm Indicates a PR needs 1 more LGTM. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
