
cve fixes #2607

Merged: akshaydeo merged 1 commit into v1.5.0 from 04-10-cve_fixes on Apr 9, 2026

Conversation

akshaydeo (Contributor) commented Apr 9, 2026

Summary

Upgrade Go version from 1.26.1 to 1.26.2 across all modules and CI workflows, and update various dependencies to their latest versions.

Changes

  • Updated Go version from 1.26.1 to 1.26.2 in all go.mod files and GitHub Actions workflows
  • Updated AWS SDK eventstream dependency from v1.7.6 to v1.7.8
  • Updated OpenTelemetry dependencies from v1.40.0 to v1.43.0
  • Updated gRPC dependencies from v1.79.3 to v1.80.0
  • Updated Google genproto dependencies to latest versions
  • Updated gonum from v0.16.0 to v0.17.0
  • Updated grpc-gateway from v2.27.7 to v2.28.0
  • Updated OpenTelemetry proto from v1.9.0 to v1.10.0
  • Added zlib=1.3.2-r0 security fix to Docker images

Type of change

  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins

How to test

Verify the Go version upgrade and dependency updates work correctly:

# Verify Go version
go version

# Test all modules
go test ./...

# Verify builds succeed
go build ./...

# Test CLI module
cd cli
go test ./...
go build

# Test core module
cd ../core
go test ./...

# Test framework module
cd ../framework
go test ./...

# Test plugins
cd ../plugins
for plugin in */; do
  cd "$plugin"
  go test ./...
  cd ..
done

# Test transports
cd ../transports
go test ./...
go build

Breaking changes

  • Yes
  • No

Security considerations

The zlib security update in Docker images addresses potential vulnerabilities in the compression library.

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable

coderabbitai (Bot) commented Apr 9, 2026

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Go toolchain to version 1.26.2 across all modules and CI/CD workflows.
    • Updated dependencies including OpenTelemetry, gRPC, and AWS SDK libraries to their latest compatible versions.
    • Updated Docker base images to use Go 1.26.2 and added zlib runtime dependency.

Walkthrough

This PR updates the Go toolchain version from 1.26.1 to 1.26.2 across all GitHub Actions workflows, go.mod files, and Docker builder images. Several indirect dependencies are also upgraded, including AWS SDK eventstream, OpenTelemetry libraries, and Google gRPC/genproto modules. A zlib runtime package is added to Docker images.

Changes

Cohort / File(s) | Summary

Workflow Go Version Updates
  Files: .github/workflows/e2e-tests.yml, .github/workflows/pr-tests.yml, .github/workflows/release-cli.yml, .github/workflows/release-pipeline.yml, .github/workflows/snyk.yml
  Summary: Updated actions/setup-go go-version from 1.26.1 to 1.26.2 across E2E, PR testing, release, and security scanning jobs.

Simple go.mod Updates
  Files: cli/go.mod, plugins/jsonparser/go.mod, plugins/mocker/go.mod, plugins/prompts/go.mod
  Summary: Updated Go toolchain directive from go 1.26.1 to go 1.26.2 and bumped AWS eventstream dependency from v1.7.6 to v1.7.8.

Extended go.mod Dependency Updates
  Files: core/go.mod, framework/go.mod, plugins/governance/go.mod, plugins/litellmcompat/go.mod, plugins/logging/go.mod, plugins/maxim/go.mod, plugins/otel/go.mod, plugins/semanticcache/go.mod, plugins/telemetry/go.mod, transports/go.mod
  Summary: Updated Go version to 1.26.2 alongside bumped AWS eventstream (v1.7.6 → v1.7.8), OpenTelemetry libraries (v1.40.0 → v1.43.0, with new SDK modules), gRPC (v1.79.3 → v1.80.0), grpc-gateway (v2.27.7 → v2.28.0), and Google genproto revisions.

Docker Build Image Updates
  Files: transports/Dockerfile, transports/Dockerfile.local
  Summary: Updated Go builder base image from golang:1.26.1-alpine3.23 to golang:1.26.2-alpine3.23 and added explicit zlib=1.3.2-r0 package installation to the runtime stage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • danpiths
  • standaell1234-maker

Poem

🐰 Versions hop and bundles bump,
From 1.26.1 to .2 we jump!
Workflows race, modules dance,
zlib zips in its new prance,
Grpc, Otel, all in a row,
Dependence flows, let's GO! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Title check
Status: ❓ Inconclusive
Explanation: The title 'cve fixes' is vague and generic, using a non-descriptive term that does not convey meaningful information about the actual primary changes (Go version upgrade and dependency updates).
Resolution: Revise the title to be more specific and descriptive, such as 'Upgrade Go version to 1.26.2 and update dependencies', to clearly communicate the main changes.

✅ Passed checks (2 passed)

Check name: Description check
Status: ✅ Passed
Explanation: The PR description covers all major required sections from the template (Summary, Changes, Type of change, Affected areas, Testing instructions, Breaking changes, Security considerations, and Checklist), though some template sections are not directly applicable.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

CLAassistant commented

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

akshaydeo (Contributor, Author) commented

This stack of pull requests is managed by Graphite.

@akshaydeo akshaydeo marked this pull request as ready for review April 9, 2026 20:13
@akshaydeo akshaydeo requested a review from a team as a code owner April 9, 2026 20:13
greptile-apps (Bot) commented Apr 9, 2026

Confidence Score: 5/5

Safe to merge — all changes are routine dependency bumps and a Go patch upgrade with no logic modifications.

All findings are P2 style suggestions (the exact APK pin). There are no logic changes, no new code paths, and the dependency updates are straightforward version bumps applied consistently across the monorepo. The zlib pin concern is a future-proofing issue, not a current defect.

transports/Dockerfile and transports/Dockerfile.local — minor APK pin style concern, not a blocker.

Vulnerabilities

  • zlib=1.3.2-r0 is pinned with an exact-version APK constraint in both transports/Dockerfile and transports/Dockerfile.local. If Alpine's 3.23 repository replaces this with a newer revision (e.g., r1) and drops r0, Docker builds will fail. Using >=1.3.2-r0 or dropping the version pin while keeping the package ensures the CVE fix is always applied without risking build breakage.
  • No credentials, secrets, or injection vectors were introduced by the dependency bumps or Dockerfile changes.

Important Files Changed

Filename | Overview

transports/Dockerfile: Updated Go builder image from 1.26.1 to 1.26.2 (pinned with digest); added zlib=1.3.2-r0 to runtime apk install — exact-version pin may cause future build failures if Alpine drops the r0 revision
transports/Dockerfile.local: Updated Go builder image from 1.26.1 to 1.26.2 (not digest-pinned); same zlib=1.3.2-r0 exact-version pin concern as production Dockerfile
core/go.mod: Go directive bumped to 1.26.2; AWS eventstream bumped to v1.7.8 — consistent with other modules
transports/go.mod: Go directive bumped to 1.26.2; gRPC bumped to v1.80.0, OTel to v1.43.0, grpc-gateway to v2.28.0, genproto to 20260401 — all consistent dependency bumps
framework/go.mod: Go directive bumped to 1.26.2; OTel, gRPC, grpc-gateway, genproto all updated consistently
cli/go.mod: Go directive bumped to 1.26.2; no OTel/gRPC dependencies in this module, no other notable changes
.github/workflows/e2e-tests.yml: Go version updated to 1.26.2; no other logic changes
.github/workflows/pr-tests.yml: Go version updated to 1.26.2; no other logic changes
.github/workflows/release-pipeline.yml: Go version updated to 1.26.2 consistently across all jobs
.github/workflows/release-cli.yml: Go version updated to 1.26.2; no other logic changes
.github/workflows/snyk.yml: Go version updated to 1.26.2; no other logic changes

Reviews (1): Last reviewed commit: "cve fixes"
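A small check for the exact-pin concern raised in the review above, added here as an example and not code from the PR or the project: it scans a Dockerfile's `apk add` lines for exact `pkg=version` pins (which break the build once Alpine drops that revision) while accepting `>=` minimum pins. The sample Dockerfile lines are constructed, and the check assumes each `apk add` sits on a single RUN line.

```shell
#!/bin/sh
# Added example (not from the PR): flag exact-version APK pins in a Dockerfile.
# An exact pin such as zlib=1.3.2-r0 fails the build once Alpine replaces r0;
# a minimum pin such as zlib>=1.3.2-r0 keeps the fix without that risk.

# Constructed sample standing in for transports/Dockerfile: one exact pin, one minimum pin.
SAMPLE_DOCKERFILE='FROM alpine:3.23
RUN apk add --no-cache ca-certificates zlib=1.3.2-r0
RUN apk add --no-cache "zlib>=1.3.2-r0"'

# Read a Dockerfile on stdin and print each exact pkg=version pin, one per line.
# Assumes each apk add instruction is on a single RUN line (no backslash continuations).
find_exact_apk_pins() {
  grep -E '^[[:space:]]*RUN[[:space:]].*apk[[:space:]]+add' |
    tr -s ' ' '\n' |
    tr -d '"' |
    grep -E '^[A-Za-z0-9_.+-]+=[0-9]' || true
}

# Returns 1 when any exact pin is present, 0 otherwise, so it can gate a CI job.
check_dockerfile() {
  pins=$(find_exact_apk_pins)
  if [ -n "$pins" ]; then
    printf 'exact APK pin(s) found, prefer a >= minimum instead:\n%s\n' "$pins"
    return 1
  fi
  return 0
}

# Demo on the constructed sample; on a real file: check_dockerfile < transports/Dockerfile
printf '%s\n' "$SAMPLE_DOCKERFILE" | check_dockerfile || true
```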

Comment thread: transports/Dockerfile
Comment thread: transports/Dockerfile.local

coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
.github/workflows/release-pipeline.yml (1)

99-99: Consider centralizing the Go version in one workflow variable.

This reduces drift risk when stacked PRs update patch versions again.
As per coding guidelines "**: always check the stack if there is one for the current PR. do not give localized reviews for the PR, always see all changes in the light of the whole stack of PRs."

♻️ Suggested refactor
+env:
+  GO_VERSION: "1.26.2"
...
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: "1.26.2"
+          go-version: ${{ env.GO_VERSION }}
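Review bot: The `env:` block in this hunk is separated from the step by `...`, so the level at which it is added is not shown; for `${{ env.GO_VERSION }}` to resolve in all of the `go-version` sites listed under "Also applies to", `GO_VERSION` has to be declared in the workflow's top-level `env:`, since a job-level `env:` would only cover that job's steps. `${{ env.GO_VERSION }}` is valid inside a step's `with:`, so the replacement itself is fine. The `uses:` line keeps `actions/setup-go` pinned to a commit SHA with a `# v6.3.0` comment; that pin should stay as-is alongside the refactor.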

Also applies to: 195-195, 271-271, 342-342, 392-392, 439-439, 496-496, 571-571, 661-661, 752-752, 856-856, 962-962, 1006-1006, 1062-1062

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-pipeline.yml at line 99, Centralize the Go version
by adding a single workflow-level environment variable (e.g., GO_VERSION:
"1.26.2") and replace each hard-coded go-version: "1.26.2" in the
actions/setup-go steps with go-version: ${{ env.GO_VERSION }}; update all
occurrences referenced in the diff (the go-version keys used by
actions/setup-go) so they read from the single GO_VERSION env variable to
prevent patch-version drift across the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43be3e88-59a4-4b62-ae2b-c1553db98ef0

📥 Commits

Reviewing files that changed from the base of the PR and between 4371d4c and 3912eb4.

⛔ Files ignored due to path filters (13)
  • core/go.sum is excluded by !**/*.sum
  • framework/go.sum is excluded by !**/*.sum
  • plugins/governance/go.sum is excluded by !**/*.sum
  • plugins/jsonparser/go.sum is excluded by !**/*.sum
  • plugins/litellmcompat/go.sum is excluded by !**/*.sum
  • plugins/logging/go.sum is excluded by !**/*.sum
  • plugins/maxim/go.sum is excluded by !**/*.sum
  • plugins/mocker/go.sum is excluded by !**/*.sum
  • plugins/otel/go.sum is excluded by !**/*.sum
  • plugins/prompts/go.sum is excluded by !**/*.sum
  • plugins/semanticcache/go.sum is excluded by !**/*.sum
  • plugins/telemetry/go.sum is excluded by !**/*.sum
  • transports/go.sum is excluded by !**/*.sum
📒 Files selected for processing (21)
  • .github/workflows/e2e-tests.yml
  • .github/workflows/pr-tests.yml
  • .github/workflows/release-cli.yml
  • .github/workflows/release-pipeline.yml
  • .github/workflows/snyk.yml
  • cli/go.mod
  • core/go.mod
  • framework/go.mod
  • plugins/governance/go.mod
  • plugins/jsonparser/go.mod
  • plugins/litellmcompat/go.mod
  • plugins/logging/go.mod
  • plugins/maxim/go.mod
  • plugins/mocker/go.mod
  • plugins/otel/go.mod
  • plugins/prompts/go.mod
  • plugins/semanticcache/go.mod
  • plugins/telemetry/go.mod
  • transports/Dockerfile
  • transports/Dockerfile.local
  • transports/go.mod

akshaydeo (Contributor, Author) commented Apr 9, 2026

Merge activity

  • Apr 9, 8:53 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Apr 9, 8:53 PM UTC: @akshaydeo merged this pull request with Graphite.

@akshaydeo akshaydeo merged commit fa2920e into v1.5.0 Apr 9, 2026
16 of 18 checks passed
@akshaydeo akshaydeo deleted the 04-10-cve_fixes branch April 9, 2026 20:53
@coderabbitai coderabbitai Bot mentioned this pull request Apr 19, 2026
18 tasks