chore: update grpc in demo and router-plugin #2684

Closed
pepol wants to merge 5 commits into main from peter/eng-9280-vanta-remediate-critical-vulnerabilities-identified-in
Conversation

@pepol
Member

@pepol pepol commented Mar 24, 2026

Summary by CodeRabbit

  • Chores
    • Updated dependency versions across the demo and plugins: OpenTelemetry, gRPC, protobuf/genproto, and multiple golang.org/x modules.
    • Added and refreshed indirect dependencies (including a new internal utility); removed an obsolete telemetry SDK indirect.
    • Introduced replace/pinning rules to stabilize several OpenTelemetry/OTLP modules.
    • No public API or behavior changes introduced.

Checklist

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

@pepol pepol requested a review from JivusAyrus March 24, 2026 16:23
@coderabbitai
Contributor

coderabbitai Bot commented Mar 24, 2026

Walkthrough

Bumps and pins of Go module dependencies across demo and router modules: OpenTelemetry, gRPC/protobuf/genproto, golang.org/x/*, plus added/removed indirects and new replace blocks that pin various OpenTelemetry/OTLP modules to specific versions. No exported/public Go APIs changed.

Changes

Cohort / File(s) | Summary
  • Demo root (demo/go.mod): Updated OpenTelemetry core/sdk/metric/trace to v1.40.0, advanced github.com/wundergraph/cosmo/router pseudo-version, refreshed multiple golang.org/x/* and gRPC/protobuf indirects, added github.com/rogpeppe/go-internal (indirect), removed go.opentelemetry.io/auto/sdk, and introduced a replace block pinning several OpenTelemetry/OTLP modules.
  • Demo subgraph (demo/pkg/subgraphs/projects/go.mod): Bumped github.com/stretchr/testify, google.golang.org/grpc, google.golang.org/protobuf; moved OpenTelemetry requires to v1.40.0 but added a replace block that pins many go.opentelemetry.io/* packages to older/specific versions; refreshed golang.org/x/* and genproto revisions; added indirect github.com/rogpeppe/go-internal.
  • Router plugin (router-plugin/go.mod): Upgraded OpenTelemetry core/sdk/trace/metric to v1.40.0 and google.golang.org/grpc; updated several indirects and golang.org/x/*; added a replace block that pins multiple OpenTelemetry/OTLP modules to specific versions (overriding some of the bumped requirements).
  • Router tests (router-tests/go.mod): Advanced github.com/wundergraph/cosmo/router pseudo-version and bumped OpenTelemetry modules from v1.39.0 to v1.40.0; updated golang.org/x/sys. No source/API changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
  • Title check: ❓ Inconclusive. The title 'chore: update grpc in demo and router-plugin' is partially accurate but incomplete and potentially misleading. The PR makes extensive updates to OpenTelemetry dependencies (v1.28.0/v1.36.0 → v1.40.0), adds replace directives, and updates gRPC as a secondary change. Resolution: Revise the title to reflect the primary scope, such as: 'chore: update OpenTelemetry to v1.40.0 and gRPC dependencies'.
✅ Passed checks (2 passed)
Check name | Status | Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@github-actions

github-actions Bot commented Mar 24, 2026

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-890872be36900797175f446b840ab4716decea17-nonroot

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@demo/pkg/subgraphs/projects/go.mod`:
- Line 38: Update the pinned module go.opentelemetry.io/otel/sdk from v1.39.0 to
v1.40.0 (or later) in the go.mod entry for go.opentelemetry.io/otel/sdk, then
run a module update (for example: go get go.opentelemetry.io/otel/sdk@v1.40.0)
and go mod tidy to refresh the go.sum; finally run the test/build to ensure no
breakages after the upgrade.

In `@router-plugin/go.mod`:
- Line 15: The go.mod entry for the OpenTelemetry SDK
(go.opentelemetry.io/otel/sdk) is pinned to the vulnerable v1.39.0; update that
module version to v1.40.0 or later (e.g., v1.40.0+) in the go.mod, then run the
Go module tooling (go get or go mod tidy) to refresh go.sum and vendor artifacts
and ensure builds/tests pass; look for the module identifier
"go.opentelemetry.io/otel/sdk" to locate and change the version.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between ebd25e1 and bbd3a62.

⛔ Files ignored due to path filters (3)
  • demo/go.sum is excluded by !**/*.sum
  • demo/pkg/subgraphs/projects/go.sum is excluded by !**/*.sum
  • router-plugin/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • demo/go.mod
  • demo/pkg/subgraphs/projects/go.mod
  • router-plugin/go.mod

@codecov

codecov Bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.89%. Comparing base (9a303d1) to head (4348c13).
⚠️ Report is 80 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2684      +/-   ##
==========================================
- Coverage   63.10%   62.89%   -0.22%     
==========================================
  Files         245      245              
  Lines       26273    26273              
==========================================
- Hits        16580    16524      -56     
- Misses       8352     8393      +41     
- Partials     1341     1356      +15     

see 12 files with indirect coverage changes

@pepol pepol requested a review from jensneuse as a code owner March 24, 2026 16:30
@pepol pepol force-pushed the peter/eng-9280-vanta-remediate-critical-vulnerabilities-identified-in branch from 9309067 to 2b65300 on March 27, 2026 10:13
@pepol pepol force-pushed the peter/eng-9280-vanta-remediate-critical-vulnerabilities-identified-in branch from 86c8245 to b57d279 on March 27, 2026 11:47
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@demo/go.mod`:
- Around line 191-208: The replace block currently pins multiple OpenTelemetry
modules (notably go.opentelemetry.io/otel/sdk) to v1.28.0 which is vulnerable;
remove or modify the replace directives so go.opentelemetry.io/otel/sdk can
resolve to v1.40.0+ and eliminate the security downgrade. Update code
referencing renamed attributes (the comment "Do not upgrade, it renames
attributes we rely on") to the newer API surface in the modules that actually
changed, and if any specific module must remain pinned due to breaking changes,
only keep replace entries for those exact packages (not
go.opentelemetry.io/otel/sdk) so the SDK resolves to >= v1.40.0; ensure the
replace block and module declarations reflect these selective pins and run go
mod tidy / go test to verify compatibility.

In `@demo/pkg/subgraphs/projects/go.mod`:
- Around line 48-65: The replace block is forcing go.opentelemetry.io/otel/sdk
(and other otel modules) down to v1.28.0 which reinstates a vulnerable version;
update the replace directives so go.opentelemetry.io/otel/sdk is pinned to
v1.40.0 or later (or remove the sdk replace entirely) and only keep replace
entries for modules that truly require older versions (e.g., keep replaces for
go.opentelemetry.io/contrib/* if needed), ensuring go.opentelemetry.io/otel/sdk
remains >= v1.40.0 to avoid GHSA-9h8m-3fm2-qjrq/CVE-2026-24051.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between b57d279 and 4348c13.

⛔ Files ignored due to path filters (3)
  • demo/go.sum is excluded by !**/*.sum
  • demo/pkg/subgraphs/projects/go.sum is excluded by !**/*.sum
  • router-plugin/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • demo/go.mod
  • demo/pkg/subgraphs/projects/go.mod
  • router-plugin/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • router-plugin/go.mod

Comment thread demo/go.mod
Comment on lines +191 to +208
// Do not upgrade, it renames attributes we rely on
replace (
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
go.opentelemetry.io/contrib/propagators/b3 => go.opentelemetry.io/contrib/propagators/b3 v1.23.0
go.opentelemetry.io/contrib/propagators/jaeger => go.opentelemetry.io/contrib/propagators/jaeger v1.23.0
go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace => go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.23.1
go.opentelemetry.io/otel/exporters/prometheus => go.opentelemetry.io/otel/exporters/prometheus v0.50.0
go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v1.28.0
go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
go.opentelemetry.io/otel/sdk/metric => go.opentelemetry.io/otel/sdk/metric v1.28.0
go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.28.0
go.opentelemetry.io/proto/otlp => go.opentelemetry.io/proto/otlp v1.1.0
)
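Review bot: the `go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0` line (and the matching otel, otel/metric, otel/sdk/metric and otel/trace lines) defeats the purpose of this PR: a replace wins over require, so the v1.40.0 bump reported in the summary never takes effect and `go list -m go.opentelemetry.io/otel/sdk` will still print v1.28.0. Drop the sdk/otel/metric/trace pins and keep replace entries only for the modules whose renamed attributes actually force a pin; the comment "Do not upgrade, it renames attributes we rely on" should also name that module and the attributes, since as written it justifies pinning sixteen modules across several version lines (otel v1.28.0, otlptrace v1.23.1, otlpmetric v0.44.0, proto/otlp v1.1.0) without saying which one is the constraint.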
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which OpenTelemetry SDK version is actually resolved after the replace directives

cd demo
go list -m go.opentelemetry.io/otel/sdk
go list -m go.opentelemetry.io/otel
go list -m go.opentelemetry.io/otel/metric
go list -m go.opentelemetry.io/otel/trace

Repository: wundergraph/cosmo

Length of output: 370


🏁 Script executed:

#!/bin/bash

# Check the demo/go.mod file structure and key lines
echo "=== Checking demo/go.mod file size and content ==="
wc -l demo/go.mod

echo -e "\n=== Lines 1-30 (checking for require declarations) ==="
head -30 demo/go.mod

echo -e "\n=== Lines 160-170 (checking context around line 165-167) ==="
sed -n '160,170p' demo/go.mod

echo -e "\n=== Lines 15-20 (checking lines 17, 19) ==="
sed -n '15,20p' demo/go.mod

echo -e "\n=== Lines 185-210 (checking replace block around 191-208) ==="
sed -n '185,210p' demo/go.mod

Repository: wundergraph/cosmo

Length of output: 4335


Critical security issue: replace directives downgrade to vulnerable v1.28.0.

The replace block forces resolution to go.opentelemetry.io/otel/sdk v1.28.0 (line 211), which is vulnerable to GHSA-9h8m-3fm2-qjrq (CVE-2026-24051, PATH hijacking on macOS/Darwin). This overrides the declared requirements for go.opentelemetry.io/otel v1.40.0 (line 18) and go.opentelemetry.io/otel/sdk v1.40.0 (line 20).

The comment "Do not upgrade, it renames attributes we rely on" indicates breaking API changes in newer OpenTelemetry versions. You must update the codebase to handle the renamed attributes in v1.40.0+ and remove the vulnerable replace directives, or selectively pin only the modules with genuine breaking changes while allowing go.opentelemetry.io/otel/sdk to resolve to v1.40.0 or later.

Per project guidelines, every go.mod must ensure go.opentelemetry.io/otel/sdk resolves to v1.40.0 or later. This module was deferred from the prior security fix and requires resolution.

Comment on lines +48 to +65
// Do not upgrade, it renames attributes we rely on
replace (
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
go.opentelemetry.io/contrib/propagators/b3 => go.opentelemetry.io/contrib/propagators/b3 v1.23.0
go.opentelemetry.io/contrib/propagators/jaeger => go.opentelemetry.io/contrib/propagators/jaeger v1.23.0
go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace => go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.23.1
go.opentelemetry.io/otel/exporters/prometheus => go.opentelemetry.io/otel/exporters/prometheus v0.50.0
go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v1.28.0
go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
go.opentelemetry.io/otel/sdk/metric => go.opentelemetry.io/otel/sdk/metric v1.28.0
go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.28.0
go.opentelemetry.io/proto/otlp => go.opentelemetry.io/proto/otlp v1.1.0
)
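Review bot: this block is identical to the one added to demo/go.mod, including the sdk pin to v1.28.0, so whatever is decided there must be mirrored here or the two modules will resolve different OpenTelemetry versions. Note also that Go honours replace directives only in the main module being built: if demo/pkg/subgraphs/projects is consumed as a dependency of demo, this block is ignored and demo/go.mod decides, while a standalone build of this module still gets the downgraded sdk. Either way the sdk line should go, with a comment naming the module and attributes that genuinely need an older version.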
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which OpenTelemetry SDK version is actually resolved after the replace directives

cd demo/pkg/subgraphs/projects
go list -m go.opentelemetry.io/otel/sdk
go list -m go.opentelemetry.io/otel
go list -m go.opentelemetry.io/otel/metric
go list -m go.opentelemetry.io/otel/trace

Repository: wundergraph/cosmo

Length of output: 370


Pin go.opentelemetry.io/otel/sdk to v1.40.0 or later; the replace directives are downgrading to the vulnerable v1.28.0.

The replace block at lines 48–65 forces all OpenTelemetry modules to v1.28.0, overriding the v1.40.0 declarations in lines 32–38. This downgrades go.opentelemetry.io/otel/sdk to a version vulnerable to GHSA-9h8m-3fm2-qjrq (CVE-2026-24051, PATH hijacking on macOS/Darwin).

The comment "Do not upgrade, it renames attributes we rely on" suggests breaking changes in newer versions. Either update the codebase to work with v1.40.0+ or selectively pin only the modules with breaking changes while keeping go.opentelemetry.io/otel/sdk at v1.40.0 or later.

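A mechanical check for the problem both CodeRabbit comments above describe (a replace block pinning go.opentelemetry.io/otel/sdk below the v1.40.0 that require declares), added here as an example and not code from the cosmo project: it parses go.mod text with the Go standard library and lists every replace that resolves a module below its own require. It assumes Go 1.21+ (for the slices package), the constructed sampleGoMod fragment modelled on the quoted block, and only the directive forms seen on the page (parenthesised blocks and single-line directives; path-based replaces are skipped).

```go
package main
import (
	"fmt"
	"slices"
	"strings"
)
// Constructed go.mod fragment modelled on the block quoted in this PR:
// require asks for v1.40.0 while replace forces v1.28.0.
const sampleGoMod = `module example.com/demo
require (
	go.opentelemetry.io/otel v1.40.0
	go.opentelemetry.io/otel/sdk v1.40.0
)
// Do not upgrade, it renames attributes we rely on
replace (
	go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.28.0
	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
)`

// Downgrade records a replace that resolves a module below its required version.
type Downgrade struct{ Module, Required, Replaced string }

// num extracts MAJOR.MINOR.PATCH for slices.Compare; a pre-release suffix is ignored.
func num(v string) []int {
	n := make([]int, 3)
	fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n
}
// FindDowngrades parses go.mod text (stdlib only) and reports every replace that pins a
// module below its require; path replaces are skipped and require must precede replace.
func FindDowngrades(gomod string) (out []Downgrade) {
	required := map[string]string{}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // tokens, comment dropped
		kind := block
		if len(f) > 1 && (f[0] == "require" || f[0] == "replace") && f[1] != "(" {
			kind, f = f[0], f[1:] // single-line directive
		}
		switch {
		case len(f) == 0:
		case f[0] == ")" || f[len(f)-1] == "(":
			block = strings.TrimSuffix(f[0], ")") // "" on close, directive name on open
		case kind == "require" && len(f) >= 2:
			required[f[0]] = f[1]
		case kind == "replace":
			if i := slices.Index(f, "=>"); i >= 0 && len(f) > i+2 {
				if req, ok := required[f[0]]; ok && slices.Compare(num(f[i+2]), num(req)) < 0 {
					out = append(out, Downgrade{f[0], req, f[i+2]})
				}
			}
		}
	}
	return out
}
func main() {
	for _, d := range FindDowngrades(sampleGoMod) {
		fmt.Printf("%s: require %s but replace pins %s\n", d.Module, d.Required, d.Replaced)
	}
}
```

The bot's `go list -m` script reports the resolved version after the toolchain applies replace; this check flags the same mismatch from the file alone, which is useful in CI before a module download happens.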
@github-actions

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions Bot added the Stale label Apr 11, 2026
@github-actions

Closed as inactive. Feel free to reopen if this PR is still being worked on.

@github-actions github-actions Bot closed this Apr 25, 2026