Update Go dependencies to clear plugin validator CVEs

[sleekmountaincat]

The v0.1.6 tag's release run (27441590101) failed Grafana's plugin validator — osv-scanner flags:

• google.golang.org/grpc 1.78.0 — CVE-2026-33186 (critical)
• go.opentelemetry.io/otel 1.39.0 — CVE-2026-29181 (high)
• go.opentelemetry.io/otel/sdk 1.39.0 — CVE-2026-24051 / GO-2026-4394, CVE-2026-39883 (high)

Changes

• grafana-plugin-sdk-go 0.285.0 → 0.292.1, grpc → 1.81.1, otel/otel/sdk → 1.44.0 (go get + go mod tidy)
• Workflow go-version 1.25 → 1.26: required by the new SDK (go.mod is now go 1.26.3), and Go ≥1.26.4 also fixes the crypto/x509 stdlib vulns govulncheck reports in the shipped binary

Verification

• go build ./... and go test ./... pass
• govulncheck: the three flagged module CVEs are gone; remaining findings were stdlib-only, addressed by the toolchain bump

After merge, the v0.1.6 tag needs to be moved to the new merge commit and re-pushed to retry the release.

🤖 Generated with Claude Code

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​grafana/​grafana-plugin-sdk-go@​v0.285.0 ⏵ v0.292.1	+1

View full report

[gemini-code-assist]

Code Review

This pull request updates the Go runtime version to 1.26.3 and upgrades the github.com/grafana/grafana-plugin-sdk-go dependency to v0.292.1. Additionally, it updates various indirect dependencies in go.mod and go.sum. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: golang github.com/apache/arrow-go/v18 License: Apache-2.0 WITH LLVM-exception - The applicable license policy does not permit this license (5) (LICENSE.txt) From: ? → golang/github.com/grafana/grafana-plugin-sdk-go@v0.292.1 → golang/github.com/apache/arrow-go/v18@v18.6.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/apache/arrow-go/v18@v18.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang github.com/google/flatbuffers is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/grafana/grafana-plugin-sdk-go@v0.292.1 → golang/github.com/google/flatbuffers@v25.12.19+incompatible ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/google/flatbuffers@v25.12.19+incompatible. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang github.com/olekukonko/ll is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/grafana/grafana-plugin-sdk-go@v0.292.1 → golang/github.com/olekukonko/ll@v0.1.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/olekukonko/ll@v0.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report