This will push our users past CVE-2024-24786 and also mean that users don't have to think about whether the next release is affected by the CVE when they do `go install connectrpc.com/cmd/protoc-gen-connect-go@v1.16.0`.
However, it does mean users may be confronted with the compatibility issue (which, luckily, is easily fixed by users also updating their dependency for `github.com/golang/protobuf`).
gRPC recently took this step, too. And since we're expecting another release soon (this week?), now seems like the right time.