57 changes: 38 additions & 19 deletions demo/go.mod
Expand Up @@ -11,15 +11,15 @@ require (
github.com/rs/cors v1.11.0
github.com/vektah/gqlparser/v2 v2.5.30
github.com/wundergraph/cosmo/composition-go v0.0.0-20250820135159-bf8852195d3f
github.com/wundergraph/cosmo/router v0.0.0-20260318232543-0e5fa811a191
github.com/wundergraph/cosmo/router-tests v0.0.0-20260318232543-0e5fa811a191
github.com/wundergraph/cosmo/router v0.0.0-20260324114512-ebd25e1afe2c
github.com/wundergraph/cosmo/router-tests v0.0.0-20260324114512-ebd25e1afe2c
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
go.opentelemetry.io/otel v1.36.0
go.opentelemetry.io/otel v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0
go.opentelemetry.io/otel/sdk v1.36.0
go.opentelemetry.io/otel/sdk v1.40.0
go.uber.org/atomic v1.11.0
go.uber.org/zap v1.27.0
golang.org/x/sync v0.17.0
golang.org/x/sync v0.19.0
)

require (
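Review bot: the bump of go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk from v1.36.0 to v1.40.0 in this require block does not change what gets built, because the replace block later in this same file pins both modules back to v1.28.0 (`go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.28.0` and `go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0`), and a replace directive overrides the required version for the whole build list. Either lift those two replace entries so the v1.40.0 requirement takes effect, or state next to this bump that the effective version is still v1.28.0, and confirm the resolved version with `go list -m go.opentelemetry.io/otel/sdk` rather than reading it off the require line. The same caveat applies to go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp, which stays at v0.58.0 here while the replace block pins it to v0.46.1.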
Expand Down Expand Up @@ -123,6 +123,7 @@ require (
github.com/prometheus/procfs v0.15.1 // indirect
github.com/r3labs/sse/v2 v2.8.1 // indirect
github.com/redis/go-redis/v9 v9.7.3 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/rs/xid v1.5.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
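Review bot: github.com/rogpeppe/go-internal v1.14.1 is added as a new indirect dependency, but no direct dependency change in this hunk explains where it comes from. Record in the PR description which module pulls it in (`go mod why -m github.com/rogpeppe/go-internal`) and make sure the matching go.sum entries are part of this change, so the new transitive module is reviewable rather than silently added to the build list.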
Expand Down Expand Up @@ -153,7 +154,6 @@ require (
github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib v1.16.1 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.23.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.23.0 // indirect
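Review bot: dropping go.opentelemetry.io/auto/sdk v1.1.0 from the indirect list while the direct requirement on go.opentelemetry.io/otel moves up to v1.40.0 is a sign that the replace directives, not the require lines, are deciding the resolved graph: auto/sdk is a dependency of the newer go.opentelemetry.io/otel releases, and it disappears here because the replace block below pins go.opentelemetry.io/otel to v1.28.0. If the intent of this PR is to move the demo module onto otel v1.40.0, expect this line to come back once the pins are lifted; a `go mod tidy` that removes it is confirmation that v1.28.0 is still what the demo builds against.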
Expand All @@ -162,31 +162,50 @@ require (
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.23.1 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.50.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.opentelemetry.io/otel/metric v1.40.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
go.opentelemetry.io/otel/trace v1.40.0 // indirect
go.opentelemetry.io/proto/otlp v1.4.0 // indirect
go.uber.org/automaxprocs v1.5.3 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/ratelimit v0.3.1 // indirect
go.withmatt.com/connect-brotli v0.4.0 // indirect
golang.org/x/crypto v0.43.0 // indirect
golang.org/x/crypto v0.46.0 // indirect
golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/net v0.46.0 // indirect
golang.org/x/sys v0.37.0 // indirect
golang.org/x/text v0.30.0 // indirect
golang.org/x/mod v0.30.0 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/tools v0.38.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
google.golang.org/grpc v1.71.0 // indirect
google.golang.org/protobuf v1.36.9 // indirect
golang.org/x/tools v0.39.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/grpc v1.79.3 // indirect
google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gotest.tools/v3 v3.5.1 // indirect
rogchap.com/v8go v0.9.0 // indirect
)

// Do not upgrade, it renames attributes we rely on
replace (
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
go.opentelemetry.io/contrib/propagators/b3 => go.opentelemetry.io/contrib/propagators/b3 v1.23.0
go.opentelemetry.io/contrib/propagators/jaeger => go.opentelemetry.io/contrib/propagators/jaeger v1.23.0
go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp => go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace => go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.23.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.23.1
go.opentelemetry.io/otel/exporters/prometheus => go.opentelemetry.io/otel/exporters/prometheus v0.50.0
go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v1.28.0
go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
go.opentelemetry.io/otel/sdk/metric => go.opentelemetry.io/otel/sdk/metric v1.28.0
go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.28.0
go.opentelemetry.io/proto/otlp => go.opentelemetry.io/proto/otlp v1.1.0
)
Comment on lines +191 to +208
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which OpenTelemetry SDK version is actually resolved after the replace directives

cd demo
go list -m go.opentelemetry.io/otel/sdk
go list -m go.opentelemetry.io/otel
go list -m go.opentelemetry.io/otel/metric
go list -m go.opentelemetry.io/otel/trace

Repository: wundergraph/cosmo

Length of output: 370


🏁 Script executed:

#!/bin/bash

# Check the demo/go.mod file structure and key lines
echo "=== Checking demo/go.mod file size and content ==="
wc -l demo/go.mod

echo -e "\n=== Lines 1-30 (checking for require declarations) ==="
head -30 demo/go.mod

echo -e "\n=== Lines 160-170 (checking context around line 165-167) ==="
sed -n '160,170p' demo/go.mod

echo -e "\n=== Lines 15-20 (checking lines 17, 19) ==="
sed -n '15,20p' demo/go.mod

echo -e "\n=== Lines 185-210 (checking replace block around 191-208) ==="
sed -n '185,210p' demo/go.mod

Repository: wundergraph/cosmo

Length of output: 4335


Critical security issue: replace directives downgrade to vulnerable v1.28.0.

The replace block forces resolution to go.opentelemetry.io/otel/sdk v1.28.0 (line 211), which is vulnerable to GHSA-9h8m-3fm2-qjrq (CVE-2026-24051, PATH hijacking on macOS/Darwin). This overrides the declared requirements for go.opentelemetry.io/otel v1.40.0 (line 18) and go.opentelemetry.io/otel/sdk v1.40.0 (line 20).

The comment "Do not upgrade, it renames attributes we rely on" indicates breaking API changes in newer OpenTelemetry versions. You must update the codebase to handle the renamed attributes in v1.40.0+ and remove the vulnerable replace directives, or selectively pin only the modules with genuine breaking changes while allowing go.opentelemetry.io/otel/sdk to resolve to v1.40.0 or later.

Per project guidelines, every go.mod must ensure go.opentelemetry.io/otel/sdk resolves to v1.40.0 or later. This module was deferred from the prior security fix and requires resolution.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@demo/go.mod` around lines 191 - 208, the replace block currently pins multiple OpenTelemetry modules (notably go.opentelemetry.io/otel/sdk) to v1.28.0, which is vulnerable; remove or modify the replace directives so go.opentelemetry.io/otel/sdk can resolve to v1.40.0+ and eliminate the security downgrade. Update code referencing renamed attributes (the comment "Do not upgrade, it renames attributes we rely on") to the newer API surface in the modules that actually changed, and if any specific module must remain pinned due to breaking changes, only keep replace entries for those exact packages (not go.opentelemetry.io/otel/sdk) so the SDK resolves to >= v1.40.0; ensure the replace block and module declarations reflect these selective pins and run go mod tidy / go test to verify compatibility.


// if the below line is uncommented, it breaks 'make dc-subgraphs-demo'
// replace github.com/wundergraph/cosmo/router => ../router
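Review bot: the replace block (from `// Do not upgrade, it renames attributes we rely on` through its closing `)`) pins go.opentelemetry.io/otel, otel/sdk, otel/metric, otel/sdk/metric and otel/trace to v1.28.0, which silently overrides the v1.40.0 versions this same hunk writes into the indirect list (`go.opentelemetry.io/otel/metric v1.40.0`, `go.opentelemetry.io/otel/sdk/metric v1.40.0`, `go.opentelemetry.io/otel/trace v1.40.0`) as well as the v1.40.0 direct requirements at the top of the file, so the version bumps in this PR do not change the OpenTelemetry code that is compiled into the demo. The comment should name the renamed attributes the demo relies on so the pin can be reviewed and scoped; if the incompatibility is confined to the HTTP instrumentation or exporter packages, keep the replace entries for those modules only and let the SDK modules resolve to the required v1.40.0. Whatever pins remain, run `govulncheck ./...` from the demo directory (it evaluates the resolved build list, replace directives included) and `go list -m go.opentelemetry.io/otel/sdk`, so the effective version rather than the require line is what gets checked.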