package updates

[akshaydeo]

Summary

Upgrade Go version from 1.26.1 to 1.26.2 across all modules and CI workflows, and update various dependencies to their latest versions.

Changes

• Updated Go version from 1.26.1 to 1.26.2 in all go.mod files and GitHub Actions workflows
• Upgraded AWS SDK eventstream dependency from v1.7.6 to v1.7.8
• Updated OpenTelemetry dependencies from v1.40.0 to v1.43.0
• Upgraded gRPC from v1.79.3 to v1.80.0
• Updated Google genproto dependencies to latest versions
• Added zlib security fix (v1.3.2-r0) to Docker images
• Updated gonum from v0.16.0 to v0.17.0

Type of change

• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins

How to test

Verify the Go version upgrade and dependency updates work correctly:

# Verify Go version
go version

# Test all modules
go test ./...

# Verify builds succeed
make build

# Check dependency versions
go list -m all | grep -E "(aws-sdk-go|otel|grpc|genproto)"

Breaking changes

• Yes
• No

Security considerations

This update includes a security fix for zlib in the Docker images (pinned to v1.3.2-r0) and updates various dependencies to their latest secure versions.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f61e7f46-188a-4e30-8d20-6a2bef76b8d5

📥 Commits

Reviewing files that changed from the base of the PR and between 533641d and 0df3136.

⛔ Files ignored due to path filters (12)

• core/go.sum is excluded by !**/*.sum
• framework/go.sum is excluded by !**/*.sum
• plugins/governance/go.sum is excluded by !**/*.sum
• plugins/jsonparser/go.sum is excluded by !**/*.sum
• plugins/litellmcompat/go.sum is excluded by !**/*.sum
• plugins/logging/go.sum is excluded by !**/*.sum
• plugins/maxim/go.sum is excluded by !**/*.sum
• plugins/mocker/go.sum is excluded by !**/*.sum
• plugins/otel/go.sum is excluded by !**/*.sum
• plugins/semanticcache/go.sum is excluded by !**/*.sum
• plugins/telemetry/go.sum is excluded by !**/*.sum
• transports/go.sum is excluded by !**/*.sum

📒 Files selected for processing (20)

• .github/workflows/e2e-tests.yml
• .github/workflows/pr-tests.yml
• .github/workflows/release-cli.yml
• .github/workflows/release-pipeline.yml
• .github/workflows/snyk.yml
• cli/go.mod
• core/go.mod
• framework/go.mod
• plugins/governance/go.mod
• plugins/jsonparser/go.mod
• plugins/litellmcompat/go.mod
• plugins/logging/go.mod
• plugins/maxim/go.mod
• plugins/mocker/go.mod
• plugins/otel/go.mod
• plugins/semanticcache/go.mod
• plugins/telemetry/go.mod
• transports/Dockerfile
• transports/Dockerfile.local
• transports/go.mod

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated Go toolchain from 1.26.1 to 1.26.2 across all modules and CI/CD workflows.
  • Upgraded OpenTelemetry dependencies from v1.40.0 to v1.43.0.
  • Updated gRPC from v1.79.3 to v1.80.0.
  • Bumped AWS SDK and Google genproto API dependencies to latest compatible versions.
  • Updated Docker base images to Go 1.26.2 with added zlib security pinning.

Walkthrough

Go toolchain version bumped from 1.26.1 to 1.26.2 across GitHub Actions workflows, go.mod files, and Docker images. Transitive dependencies including AWS SDK eventstream, OpenTelemetry (v1.43.0), gRPC (v1.80.0), and genproto packages updated systematically. Docker runtime includes explicit zlib version pin.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/e2e-tests.yml, .github/workflows/pr-tests.yml, .github/workflows/release-cli.yml, .github/workflows/release-pipeline.yml, .github/workflows/snyk.yml	Updated Go toolchain from 1.26.1 to 1.26.2 in all actions/setup-go steps.
Core & Framework Modules cli/go.mod, core/go.mod, framework/go.mod	Updated Go toolchain to 1.26.2; bumped AWS eventstream v1.7.6→v1.7.8, OpenTelemetry to v1.43.0 (with added SDK packages), and gRPC v1.79.3→v1.80.0.
Plugin Modules plugins/governance/go.mod, plugins/jsonparser/go.mod, plugins/litellmcompat/go.mod, plugins/logging/go.mod, plugins/maxim/go.mod, plugins/mocker/go.mod, plugins/otel/go.mod, plugins/semanticcache/go.mod, plugins/telemetry/go.mod	Updated Go toolchain to 1.26.2 and synchronized transitive dependency versions (AWS eventstream, OpenTelemetry, gRPC, genproto) across all plugins.
Transports Configuration transports/Dockerfile, transports/Dockerfile.local, transports/go.mod	Updated Go base image from golang:1.26.1-alpine3.23 to golang:1.26.2-alpine3.23; added explicit zlib\=1.3.2-r0 package pin in Docker runtime stage; synchronized go.mod dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• cve fixes #2607: Both PRs make identical code-level changes—updating Go toolchain versions in workflows and bumping the same transitive dependencies across go.mod and Docker configurations.
• bifrost moves to go1.26 #1651: Both PRs modify repository-wide Go toolchain declarations in workflows, go.mod files, and Dockerfiles to bump the Go version.
• codex websocket responses support #2261: Both PRs update Go module dependency pins (AWS SDK eventstream, OpenTelemetry, gRPC) across core, framework, plugins, and transports modules.

Suggested reviewers

• danpiths
• standaell1234-maker

Poem

🐰 Hops of joy through version lanes,
One-two-six to two ascends with gains,
Dependencies refresh and gRPC soars,
OpenTelemetry opens newer doors,
A toolchain polished, clean and bright! ✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 04-10-cve_fixes_main

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[akshaydeo]

• package updates #2608 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[akshaydeo]

Merge activity

• Apr 9, 9:39 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 9, 9:39 PM UTC: @akshaydeo merged this pull request with Graphite.

[github-actions]

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #2608

[greptile-apps]

Confidence Score: 5/5

Safe to merge — purely mechanical version bumps with no logic changes.

All changes are routine dependency and toolchain upgrades consistently applied across every module and workflow. The zlib pin is a net security improvement. No logic, API, or behavioral changes were introduced.

No files require special attention.

Vulnerabilities

• Zlib pinned to 1.3.2-r0 in both Dockerfile and Dockerfile.local runtime stages to address a known vulnerability — positive security fix.
• No secrets, injection vectors, or auth boundary changes introduced.

Important Files Changed

Filename	Overview
.github/workflows/release-pipeline.yml	Go version bumped from 1.26.1 to 1.26.2 across all 10 job steps; no other changes.
transports/Dockerfile	Builder image updated to golang:1.26.2-alpine3.23 with a new digest; zlib pinned to 1.3.2-r0 in the runtime stage as a security fix.
transports/Dockerfile.local	Builder tag updated to golang:1.26.2-alpine3.23; zlib pinned to 1.3.2-r0; no digest pins (existing intentional behavior for local dev).
core/go.mod	Go directive bumped to 1.26.2; eventstream updated to v1.7.8 (direct dep).
plugins/otel/go.mod	OTel bumped to v1.43.0; new otel/sdk and otel/sdk/metric packages added; gRPC and genproto updated.
plugins/litellmcompat/go.mod	Go bumped to 1.26.2; eventstream, OTel (with new sdk packages), gRPC, and genproto all updated.
transports/go.mod	Go bumped to 1.26.2; gonum updated from v0.16.0 to v0.17.0; OTel, gRPC, genproto, and eventstream updated.
.github/workflows/e2e-tests.yml	Go version bumped to 1.26.2; no other changes.
.github/workflows/pr-tests.yml	Go version bumped to 1.26.2; no other changes.
.github/workflows/snyk.yml	Go version bumped to 1.26.2 in both snyk-open-source and snyk-code jobs.

_{Reviews (1): Last reviewed commit: "package updates" | Re-trigger Greptile}