
Release or backport grpc-go v1.79.3 fix for CVE-2026-33186 #1271

@robert-openai


/kind bug
/sig node

What happened?

node-problem-detector currently depends on google.golang.org/grpc versions affected by CVE-2026-33186.

The grpc-go advisory marks all versions before v1.79.3 as affected, with v1.79.3 as the patched version:

From the current NPD release line:

  • v1.35.2 has google.golang.org/grpc v1.77.0
  • master has google.golang.org/grpc v1.79.3

The fix appears to already be present on master via:

But there does not appear to be a stable NPD release containing this fix yet.

What did you expect to happen?

A released node-problem-detector version should consume google.golang.org/grpc v1.79.3 or later so downstream users can remediate CVE-2026-33186 by upgrading to a tagged NPD image.

Would the maintainers be willing to either:

  1. cut a new stable release from master containing the grpc-go fix, or
  2. backport the grpc-go v1.79.3 bump to the latest stable release branch and publish a patch release?

How can we reproduce / verify?

git checkout v1.35.2
grep 'google.golang.org/grpc' go.mod
# google.golang.org/grpc v1.77.0 // indirect

git checkout master
grep 'google.golang.org/grpc' go.mod
# google.golang.org/grpc v1.79.3 // indirect

The published image tags also appear to stop before any stable release containing the fix:

crane ls registry.k8s.io/node-problem-detector/node-problem-detector | sort -V | tail
