package updates#2608

Merged

akshaydeo merged 1 commit into main from 04-10-cve_fixes_main on Apr 9, 2026
Conversation

@akshaydeo (Contributor) commented Apr 9, 2026

Summary

Upgrade Go version from 1.26.1 to 1.26.2 across all modules and CI workflows, and update various dependencies to their latest versions.

Changes

  • Updated Go version from 1.26.1 to 1.26.2 in all go.mod files and GitHub Actions workflows
  • Upgraded AWS SDK eventstream dependency from v1.7.6 to v1.7.8
  • Updated OpenTelemetry dependencies from v1.40.0 to v1.43.0
  • Upgraded gRPC from v1.79.3 to v1.80.0
  • Updated Google genproto dependencies to latest versions
  • Added zlib security fix (v1.3.2-r0) to Docker images
  • Updated gonum from v0.16.0 to v0.17.0

Type of change

  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins

How to test

Verify the Go version upgrade and dependency updates work correctly:

```sh
# Verify Go version
go version

# Test all modules
go test ./...

# Verify builds succeed
make build

# Check dependency versions
go list -m all | grep -E "(aws-sdk-go|otel|grpc|genproto)"
```

Breaking changes

  • [ ] Yes
  • [x] No

Security considerations

This update includes a security fix for zlib in the Docker images (pinned to v1.3.2-r0) and updates various dependencies to their latest secure versions.

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable
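An added check that goes one step past the "How to test" section and the security note above (example code, not part of this PR or the bifrost repository): it walks every go.mod in a multi-module tree and fails if any module declares a Go toolchain other than 1.26.2 or requires one of the bumped dependencies below the versions the PR lists, instead of only printing them for a human to eyeball. The OpenTelemetry and gRPC module paths are the standard ones; the AWS eventstream module path and the two-module sample tree are assumptions.

```sh
# Added example, not code from the PR or the bifrost repository: verifies
# offline what the PR's "How to test" only lists. Floors come from the PR
# description; the AWS eventstream module path is an assumption.
GO_WANT="1.26.2"
FLOORS="go.opentelemetry.io/otel v1.43.0
google.golang.org/grpc v1.80.0
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8"
# ver_ge A B: succeed when dotted version A >= B (leading v, -pre suffix ignored).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/^v/, "", a); gsub(/^v/, "", b); sub(/-.*/, "", a); sub(/-.*/, "", b)
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# check_gomod FILE: print one line per violation; fail if there were any.
check_gomod() {
  f="$1"; rc=0
  gov=$(awk '$1 == "go" { print $2; exit }' "$f")
  if [ "$gov" != "$GO_WANT" ]; then
    echo "$f: go directive is '$gov', want $GO_WANT"; rc=1
  fi
  echo "$FLOORS" | while read -r mod floor; do
    # A require may be a single line or an entry inside a require ( ... ) block.
    have=$(awk -v m="$mod" '$1 == m || ($1 == "require" && $2 == m) {
      v = ($1 == m) ? $2 : $3; print v; exit }' "$f")
    [ -z "$have" ] && continue   # module not required by this go.mod
    ver_ge "$have" "$floor" || echo "$f: $mod is $have, below floor $floor"
  done | grep . && rc=1
  return $rc
}
# check_tree DIR: apply check_gomod to every go.mod below DIR (multi-module repo).
check_tree() {
  bad=0
  for f in $(find "$1" -name go.mod | sort); do check_gomod "$f" || bad=1; done
  return $bad
}

# make_sample: constructed two-module tree (not the real repo) for a stand-alone run.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/core" "$d/plugins/otel"
  printf 'module x/core\n\ngo 1.26.2\n\nrequire (\n\tgo.opentelemetry.io/otel v1.43.0\n\tgoogle.golang.org/grpc v1.80.0 // indirect\n)\n' > "$d/core/go.mod"
  printf 'module x/otel\n\ngo 1.26.1\n\nrequire go.opentelemetry.io/otel v1.40.0\n' > "$d/plugins/otel/go.mod"
  echo "$d"
}
```

Run `check_tree .` from a checkout to get a per-module report; it is a version-floor check only, so pair it with govulncheck when the question is whether a known advisory still applies.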

@coderabbitai (Bot) commented Apr 9, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 533641d and 0df3136.

⛔ Files ignored due to path filters (12)
  • core/go.sum is excluded by !**/*.sum
  • framework/go.sum is excluded by !**/*.sum
  • plugins/governance/go.sum is excluded by !**/*.sum
  • plugins/jsonparser/go.sum is excluded by !**/*.sum
  • plugins/litellmcompat/go.sum is excluded by !**/*.sum
  • plugins/logging/go.sum is excluded by !**/*.sum
  • plugins/maxim/go.sum is excluded by !**/*.sum
  • plugins/mocker/go.sum is excluded by !**/*.sum
  • plugins/otel/go.sum is excluded by !**/*.sum
  • plugins/semanticcache/go.sum is excluded by !**/*.sum
  • plugins/telemetry/go.sum is excluded by !**/*.sum
  • transports/go.sum is excluded by !**/*.sum
📒 Files selected for processing (20)
  • .github/workflows/e2e-tests.yml
  • .github/workflows/pr-tests.yml
  • .github/workflows/release-cli.yml
  • .github/workflows/release-pipeline.yml
  • .github/workflows/snyk.yml
  • cli/go.mod
  • core/go.mod
  • framework/go.mod
  • plugins/governance/go.mod
  • plugins/jsonparser/go.mod
  • plugins/litellmcompat/go.mod
  • plugins/logging/go.mod
  • plugins/maxim/go.mod
  • plugins/mocker/go.mod
  • plugins/otel/go.mod
  • plugins/semanticcache/go.mod
  • plugins/telemetry/go.mod
  • transports/Dockerfile
  • transports/Dockerfile.local
  • transports/go.mod

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain from 1.26.1 to 1.26.2 across all modules and CI/CD workflows.
    • Upgraded OpenTelemetry dependencies from v1.40.0 to v1.43.0.
    • Updated gRPC from v1.79.3 to v1.80.0.
    • Bumped AWS SDK and Google genproto API dependencies to latest compatible versions.
    • Updated Docker base images to Go 1.26.2 with added zlib security pinning.

Walkthrough

Go toolchain version bumped from 1.26.1 to 1.26.2 across GitHub Actions workflows, go.mod files, and Docker images. Transitive dependencies including AWS SDK eventstream, OpenTelemetry (v1.43.0), gRPC (v1.80.0), and genproto packages updated systematically. Docker runtime includes explicit zlib version pin.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Workflows: .github/workflows/e2e-tests.yml, .github/workflows/pr-tests.yml, .github/workflows/release-cli.yml, .github/workflows/release-pipeline.yml, .github/workflows/snyk.yml | Updated Go toolchain from 1.26.1 to 1.26.2 in all actions/setup-go steps. |
| Core & Framework Modules: cli/go.mod, core/go.mod, framework/go.mod | Updated Go toolchain to 1.26.2; bumped AWS eventstream v1.7.6→v1.7.8, OpenTelemetry to v1.43.0 (with added SDK packages), and gRPC v1.79.3→v1.80.0. |
| Plugin Modules: plugins/governance/go.mod, plugins/jsonparser/go.mod, plugins/litellmcompat/go.mod, plugins/logging/go.mod, plugins/maxim/go.mod, plugins/mocker/go.mod, plugins/otel/go.mod, plugins/semanticcache/go.mod, plugins/telemetry/go.mod | Updated Go toolchain to 1.26.2 and synchronized transitive dependency versions (AWS eventstream, OpenTelemetry, gRPC, genproto) across all plugins. |
| Transports Configuration: transports/Dockerfile, transports/Dockerfile.local, transports/go.mod | Updated Go base image from golang:1.26.1-alpine3.23 to golang:1.26.2-alpine3.23; added explicit zlib=1.3.2-r0 package pin in Docker runtime stage; synchronized go.mod dependencies. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • cve fixes #2607: Both PRs make identical code-level changes—updating Go toolchain versions in workflows and bumping the same transitive dependencies across go.mod and Docker configurations.
  • bifrost moves to go1.26 #1651: Both PRs modify repository-wide Go toolchain declarations in workflows, go.mod files, and Dockerfiles to bump the Go version.
  • codex websocket responses support #2261: Both PRs update Go module dependency pins (AWS SDK eventstream, OpenTelemetry, gRPC) across core, framework, plugins, and transports modules.

Suggested reviewers

  • danpiths
  • standaell1234-maker

Poem

🐰 Hops of joy through version lanes,
One-two-six to two ascends with gains,
Dependencies refresh and gRPC soars,
OpenTelemetry opens newer doors,
A toolchain polished, clean and bright!


@CLAassistant (Bot) commented

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@akshaydeo (Contributor, Author) commented

This stack of pull requests is managed by Graphite. Learn more about stacking.

@akshaydeo akshaydeo marked this pull request as ready for review April 9, 2026 21:39
@akshaydeo akshaydeo requested a review from a team as a code owner April 9, 2026 21:39

@akshaydeo (Contributor, Author) commented Apr 9, 2026

Merge activity

  • Apr 9, 9:39 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Apr 9, 9:39 PM UTC: @akshaydeo merged this pull request with Graphite.

@github-actions (Bot) commented Apr 9, 2026

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #2608

@akshaydeo akshaydeo merged commit 3606281 into main Apr 9, 2026
12 of 17 checks passed
@akshaydeo akshaydeo deleted the 04-10-cve_fixes_main branch April 9, 2026 21:39

@greptile-apps (Bot) commented Apr 9, 2026

Confidence Score: 5/5

Safe to merge — purely mechanical version bumps with no logic changes.

All changes are routine dependency and toolchain upgrades consistently applied across every module and workflow. The zlib pin is a net security improvement. No logic, API, or behavioral changes were introduced.

No files require special attention.

Vulnerabilities

  • Zlib pinned to 1.3.2-r0 in both Dockerfile and Dockerfile.local runtime stages to address a known vulnerability — positive security fix.
  • No secrets, injection vectors, or auth boundary changes introduced.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release-pipeline.yml | Go version bumped from 1.26.1 to 1.26.2 across all 10 job steps; no other changes. |
| transports/Dockerfile | Builder image updated to golang:1.26.2-alpine3.23 with a new digest; zlib pinned to 1.3.2-r0 in the runtime stage as a security fix. |
| transports/Dockerfile.local | Builder tag updated to golang:1.26.2-alpine3.23; zlib pinned to 1.3.2-r0; no digest pins (existing intentional behavior for local dev). |
| core/go.mod | Go directive bumped to 1.26.2; eventstream updated to v1.7.8 (direct dep). |
| plugins/otel/go.mod | OTel bumped to v1.43.0; new otel/sdk and otel/sdk/metric packages added; gRPC and genproto updated. |
| plugins/litellmcompat/go.mod | Go bumped to 1.26.2; eventstream, OTel (with new sdk packages), gRPC, and genproto all updated. |
| transports/go.mod | Go bumped to 1.26.2; gonum updated from v0.16.0 to v0.17.0; OTel, gRPC, genproto, and eventstream updated. |
| .github/workflows/e2e-tests.yml | Go version bumped to 1.26.2; no other changes. |
| .github/workflows/pr-tests.yml | Go version bumped to 1.26.2; no other changes. |
| .github/workflows/snyk.yml | Go version bumped to 1.26.2 in both snyk-open-source and snyk-code jobs. |

Reviews (1): Last reviewed commit: "package updates"

Vaibhav701161 pushed a commit to Vaibhav701161/bifrost that referenced this pull request Apr 11, 2026