Update to Cadence v1.10.3 #97
📝 Walkthrough
Go toolchain and module dependencies are systematically updated: toolchain bumped to 1.25.1, primary Flow/Ethereum/OpenTelemetry/gRPC/protobuf packages upgraded, with widespread indirect dependency version changes across cloud infrastructure, contract libraries, and utility packages.
Changes: Dependency Updates
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ 5 passed (5 checks)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 10: Update the pinned dependency for the Ethereum client in go.mod from
github.com/ethereum/go-ethereum v1.16.8 to v1.16.9 (or any later patched
release) to address the reported p2p/ECIES vulnerabilities; after changing the
version string for module github.com/ethereum/go-ethereum, run the module update
commands (e.g., go get github.com/ethereum/go-ethereum@v1.16.9 and go mod tidy)
and re-run CI/build to ensure transitive updates and compilation succeed.
- Line 20: Update the OpenTelemetry modules to a safe version by bumping the
go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk entries from v1.39.0
to v1.41.0 (or later) in go.mod to remediate GHSA-mh2q-q3fh-2475 and
GO-2026-4394; after editing the go.mod, run the module tooling (e.g., go get
go.opentelemetry.io/otel@v1.41.0 and go get
go.opentelemetry.io/otel/sdk@v1.41.0, then go mod tidy) to update dependencies
and verify builds/tests pass.
- Line 64: Update the indirect dependency github.com/go-jose/go-jose/v4 from
v4.1.3 to v4.1.4 in go.mod to patch CVE-2026-34986; after changing the version
entry for github.com/go-jose/go-jose/v4 to v4.1.4 run go mod tidy and go list -m
all to ensure the new version is resolved, and audit any code paths that parse
JWE (look for uses of go-jose types and functions) to confirm key-wrapping
algorithms and empty encrypted_key fields are not accepted from untrusted input
if the update cannot be applied.
⛔ Files ignored due to path filters (1): go.sum is excluded by !**/*.sum
📒 Files selected for processing (1): go.mod
| github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 | ||
| github.com/dgraph-io/badger/v3 v3.2103.2 | ||
| github.com/ethereum/go-ethereum v1.16.5 | ||
| github.com/ethereum/go-ethereum v1.16.8 |
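Review bot: the `+` line pins v1.16.8, which is still below the first patched release; the OSV output attached to line 10 in this review flags v1.16.8 for GO-2026-4507, GO-2026-4508 and GO-2026-4511, all first fixed in v1.16.9, so this line should read `github.com/ethereum/go-ethereum v1.16.9` (or later) before merge. Because this require carries no `// indirect` marker, `go get github.com/ethereum/go-ethereum@v1.16.9 && go mod tidy` keeps the higher pin under minimum version selection regardless of which version the Cadence/flow-go upgrade itself requires.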
🧩 Analysis chain
🌐 Web query:
What is the first patched go-ethereum version for GO-2026-4507, GO-2026-4508, GO-2026-4511, GHSA-2gjw-fg97-vg3r, GHSA-689v-6xwf-5jf3, and GHSA-m6j8-rg6r-7mv8?
💡 Result:
The first patched go-ethereum version for the specified vulnerabilities is v1.16.9 [1][2]. These vulnerabilities were addressed in the security hot-fix release v1.16.9, published on February 17, 2026 [1][3]. The specific vulnerabilities covered by this release include:
- GO-2026-4507 (GHSA-2gjw-fg97-vg3r / CVE-2026-26314): Denial of Service via malicious p2p message [4][5][6].
- GO-2026-4508 (GHSA-689v-6xwf-5jf3 / CVE-2026-26313): Denial of Service via malicious p2p message [7][8].
- GO-2026-4511 (GHSA-m6j8-rg6r-7mv8 / CVE-2026-26315): Improper validation of the ECIES public key in the RLPx handshake [9][10].
All three vulnerabilities were resolved in v1.16.9, and they are also included in the subsequent feature release, v1.17.0 [1][2]. Users are strongly recommended to upgrade to at least v1.16.9 to mitigate these issues [1][2].
Citations:
- 1: https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9
- 2: https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0
- 3: https://newreleases.io/project/github/ethereum/go-ethereum/release/v1.16.9
- 4: x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-2gjw-fg97-vg3r golang/vulndb#4507
- 5: https://nvd.nist.gov/vuln/detail/CVE-2026-26314
- 6: https://pkg.go.dev/vuln/GO-2026-4507
- 7: https://pkg.go.dev/vuln/GO-2026-4508
- 8: GHSA-689v-6xwf-5jf3
- 9: https://pkg.go.dev/vuln/GO-2026-4511
- 10: https://osv.dev/vulnerability/GO-2026-4511
Upgrade go-ethereum to v1.16.9 or later before merge.
Line 10 pins github.com/ethereum/go-ethereum v1.16.8, which contains three HIGH severity vulnerabilities in the p2p protocol: GO-2026-4507, GO-2026-4508 (both DoS via malicious p2p messages), and GO-2026-4511 (improper ECIES public key validation in RLPx handshake). These are patched in v1.16.9 (released February 17, 2026) and must be fixed for network-facing components.
🧰 Tools
🪛 OSV Scanner (2.3.8)
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum
(GO-2026-4507)
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum
(GO-2026-4508)
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum
(GO-2026-4511)
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum affected by DoS via malicious p2p message
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum affected by DoS via malicious p2p message
[HIGH] 10-10: github.com/ethereum/go-ethereum 1.16.8: Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
| github.com/rs/zerolog v1.29.0 | ||
| github.com/stretchr/testify v1.11.1 | ||
| go.opentelemetry.io/otel v1.37.0 | ||
| go.opentelemetry.io/otel v1.39.0 |
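Review bot: only go.opentelemetry.io/otel moves to v1.39.0 on the `+` line, but the advisories cited for line 20 (GHSA-mh2q-q3fh-2475, GO-2026-4394) are first fixed in v1.41.0 and the web-query result notes they affect go.opentelemetry.io/otel/sdk (and otel/propagation) as well. The otel core modules are released together under one version, and otel/sdk's own go.mod requires the matching otel version, so bump otel and otel/sdk to v1.41.0 in the same change rather than leaving them at v1.39.0 and letting `go mod tidy` resolve mismatched pins later.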
🧩 Analysis chain
🌐 Web query:
What are the first fixed versions for GHSA-mh2q-q3fh-2475 and GO-2026-4394 (including GHSA-9h8m-3fm2-qjrq / GHSA-hfvc-g4fc-pqhx) in go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk?
💡 Result:
The first fixed versions for the specified vulnerabilities in the OpenTelemetry Go SDK are as follows: For GHSA-mh2q-q3fh-2475 (also tracked as CVE-2026-29181), which concerns excessive allocations during multi-value baggage header extraction, the first fixed version is v1.41.0 [1]. For GO-2026-4394 (also tracked as GHSA-9h8m-3fm2-qjrq and CVE-2026-24051), which concerns arbitrary code execution via PATH hijacking on macOS/Darwin, the first fixed version is v1.40.0 [2][3][4]. These vulnerabilities affect the go.opentelemetry.io/otel/sdk module [1][2][3]. GHSA-mh2q-q3fh-2475 also affects the go.opentelemetry.io/otel/propagation module [1].
Citations:
- 1: GHSA-mh2q-q3fh-2475
- 2: https://pkg.go.dev/vuln/GO-2026-4394
- 3: GHSA-9h8m-3fm2-qjrq
- 4: https://osv.dev/vulnerability/GHSA-9h8m-3fm2-qjrq
Upgrade otel and otel/sdk to v1.41.0 or later to address critical vulnerabilities.
Both modules at v1.39.0 are vulnerable to GHSA-mh2q-q3fh-2475 (excessive allocations during baggage header extraction) and GO-2026-4394 (PATH-hijacking RCE on macOS/Darwin). Upgrade to at least v1.41.0 to fix both issues.
🧰 Tools
🪛 OSV Scanner (2.3.8)
[HIGH] 20-20: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)
| github.com/filecoin-project/go-clock v0.1.0 // indirect | ||
| github.com/fxamacker/golang-lru/v2 v2.0.0-20250716153046-22c8d17dc4ee // indirect | ||
| github.com/go-jose/go-jose/v4 v4.1.1 // indirect | ||
| github.com/go-jose/go-jose/v4 v4.1.3 // indirect |
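Review bot: this line is marked `// indirect`, so v4.1.3 was selected by another dependency's requirement rather than by this repository. Bumping it to v4.1.4 (CVE-2026-34986) with `go get github.com/go-jose/go-jose/v4@v4.1.4` keeps the `// indirect` marker and the higher pin survives `go mod tidy` under minimum version selection; editing the version string by hand works for the same reason, but `go get` also updates go.sum, which this review cannot see because `!**/*.sum` is path-filtered. Worth recording in the PR description which dependency pulls go-jose in, since that determines whether JWE parsing with key-wrapping algorithms is reachable at all.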
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Find direct imports/usages in repository =="
rg -n --type=go -C2 'go-jose|jose\.'
echo
echo "== Show dependency pin in go.mod =="
rg -n 'github.com/go-jose/go-jose/v4' go.mod
Repository: onflow/rosetta
Length of output: 105
🏁 Script executed:
cat -n go.mod | head -100
Repository: onflow/rosetta
Length of output: 5744
🏁 Script executed:
wc -l go.mod
Repository: onflow/rosetta
Length of output: 69
🏁 Script executed:
rg -i 'go-jose|jose' --type=go --type=mod
Repository: onflow/rosetta
Length of output: 86
🏁 Script executed:
# Check go.mod to see which dependencies are direct
rg -n 'require \(' go.mod -A 30
# Search more broadly for any JWE/JWT operations
rg -n --type=go 'jwe|jwt|jose' -i
Repository: onflow/rosetta
Length of output: 5323
🌐 Web query:
go-jose v4.1.3 JWE decrypt panic security advisory CVE
💡 Result:
The security vulnerability affecting go-jose v4.1.3 is tracked as CVE-2026-34986 (also identified by GHSA-78h2-9frx-2jm8) [1][2][3]. This vulnerability involves a panic during the decryption of a JSON Web Encryption (JWE) object, which can lead to a denial-of-service (DoS) condition [1][4][5]. The panic is triggered when the JWE 'alg' field specifies a key wrapping algorithm (specifically those ending in 'KW', excluding 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW') and the 'encrypted_key' field is empty [1][2][3]. The issue occurs because the 'cipher.KeyUnwrap' function attempts to allocate a slice with a zero or negative length based on the empty 'encrypted_key' [1][5][6]. The vulnerability is fixed in go-jose version 4.1.4 (and v3.0.5 for the v3 branch) [1][2][7]. Applications are unaffected if they do not include key wrapping algorithms in the list of accepted key algorithms passed to 'ParseEncrypted', 'ParseEncryptedJSON', or 'ParseEncryptedCompact' [1][8][3]. As a mitigation, developers can pre-validate JWE objects to ensure the 'encrypted_key' field is non-empty before attempting decryption [1].
Citations:
- 1: GHSA-78h2-9frx-2jm8
- 2: https://cvefeed.io/vuln/detail/CVE-2026-34986
- 3: https://nvd.nist.gov/vuln/detail/CVE-2026-34986
- 4: https://advisories.gitlab.com/golang/github.com/go-jose/go-jose/v4/CVE-2026-34986/
- 5: https://vulert.com/vuln-db/CVE-2026-34986
- 6: https://cve.imfht.com/detail/CVE-2026-34986
- 7: https://github.com/go-jose/go-jose/releases
- 8: [Security] Multiple CVEs in Temporal Docker Images - Base Image Dependencies temporalio/temporal#9682
Bump go-jose/v4 to v4.1.4 to resolve JWE decryption panic (CVE-2026-34986).
go-jose/v4 v4.1.3 contains a critical DoS vulnerability (CVE-2026-34986) triggered by malformed JWE objects with key wrapping algorithms and empty encrypted_key fields. Upgrade to v4.1.4, or confirm that your dependency chain does not accept key-wrapping algorithms in JWE operations. This is an indirect dependency—verify it's only reachable through safe codepaths that reject untrusted payloads.
🧰 Tools
🪛 OSV Scanner (2.3.8)
[HIGH] 64-64: github.com/go-jose/go-jose/v4 4.1.3: Go JOSE Panics in JWE decryption
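The pre-validation the advisory above describes, as an added example that is not code from onflow/rosetta or from go-jose: it decodes the protected header of a compact JWE, enforces an explicit alg allow-list, and rejects a key-wrapping alg (name ending in "KW", AES-GCM-KW family excepted) whose encrypted_key segment is empty, using only the standard library. PrecheckCompactJWE, ConstructedJWE and the placeholder iv/ciphertext/tag segments are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// gcmKW: KW-suffixed algorithms the advisory explicitly exempts from the bug.
var gcmKW = map[string]bool{"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true}

// isKeyWrap matches the advisory's definition: name ends in "KW", not AES-GCM-KW.
func isKeyWrap(alg string) bool { return strings.HasSuffix(alg, "KW") && !gcmKW[alg] }

// PrecheckCompactJWE inspects a compact JWE (header.encrypted_key.iv.ciphertext.tag)
// before it reaches a JWE library: it enforces an alg allow-list and rejects the shape
// that made go-jose v4.1.3 panic (key-wrapping alg, empty encrypted_key). Returns alg.
func PrecheckCompactJWE(token string, allowedAlgs []string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", fmt.Errorf("compact JWE needs 5 segments, got %d", len(parts))
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg == "" {
		return "", fmt.Errorf("protected header has no usable alg: %q", rawHdr)
	}
	allowed := false
	for _, a := range allowedAlgs {
		allowed = allowed || a == hdr.Alg
	}
	if !allowed {
		return "", fmt.Errorf("alg %q is not in the allow-list", hdr.Alg)
	}
	if isKeyWrap(hdr.Alg) && parts[1] == "" {
		return "", fmt.Errorf("alg %q requires a non-empty encrypted_key", hdr.Alg)
	}
	return hdr.Alg, nil
}

// ConstructedJWE builds a correctly shaped but cryptographically meaningless compact
// JWE for exercising the pre-check (constructed input; iv/ciphertext/tag are placeholders).
func ConstructedJWE(alg, encryptedKey string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A128GCM"})
	return base64.RawURLEncoding.EncodeToString(hdr) + "." + encryptedKey + ".aXY.Y3Q.dGFn"
}
```

Restricting allowedAlgs to the algorithms a service actually issues is the stronger control; the encrypted_key check only covers the specific malformed input from the advisory.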
Description
Automatically update to:
Summary by CodeRabbit