Skip to content

chore(deps): bump otel/grpc/protobuf/golang.org/x to latest#4888

Draft
raullenchai wants to merge 1 commit into
masterfrom
chore/deps-bump-latest
Draft

chore(deps): bump otel/grpc/protobuf/golang.org/x to latest#4888
raullenchai wants to merge 1 commit into
masterfrom
chore/deps-bump-latest

Conversation

@raullenchai

Copy link
Copy Markdown
Member

Summary

Bumps a group of direct Go dependencies to their latest released versions. Supersedes #4849 (dependabot), which bumped the same group but to versions that are now behind latest.

Direct dependency bumps (old → new)

Module Old New
go.opentelemetry.io/otel v1.34.0 v1.44.0
go.opentelemetry.io/otel/sdk v1.31.0 v1.44.0
go.opentelemetry.io/otel/trace v1.34.0 v1.44.0
google.golang.org/grpc v1.69.4 v1.82.0
google.golang.org/protobuf v1.36.6 v1.36.11
golang.org/x/crypto v0.44.0 v0.54.0
golang.org/x/net v0.47.0 v0.56.0
golang.org/x/text v0.31.0 v0.40.0
golang.org/x/sync v0.18.0 v0.22.0

Notable transitive bumps (via go mod tidy + explicit)

Module Old New
go.opentelemetry.io/otel/metric v1.34.0 v1.44.0
go.opentelemetry.io/auto/sdk v1.1.0 v1.2.1
github.com/ipfs/go-cid v0.5.0 v0.6.2
github.com/ipld/go-ipld-prime v0.21.0 v0.24.0
golang.org/x/sys v0.38.0 v0.47.0
golang.org/x/mod v0.29.0 v0.37.0
golang.org/x/tools v0.38.0 v0.47.0
gonum.org/v1/gonum v0.15.1 v0.17.0

Bumping go-ipld-prime to v0.24.0 incidentally clears an old go-ipld-prime CVE. The go directive moved 1.24.6 → 1.25.7 (minimum required by the bumped modules; matches #4849's intent).

No hardfork required

None of these dependencies change consensus output:

  • otel / grpc: observability and RPC transport only — never on the block-execution / hashing path.
  • protobuf v1.36.6 → v1.36.11: wire format is stable and deterministic across these patch releases; marshaling of the same message produces identical bytes.
  • golang.org/x/crypto (Keccak): the Keccak/sha3 implementation is spec-fixed; hashing outputs are unchanged across these versions.
  • std / x/ / gonum / ipld*: non-consensus.

No source changes were needed for the bumps — only go.mod / go.sum. No API breakage.

Verification

  • go build ./... — passes
  • go vet ./... — clean
  • gofmt — clean (no .go files changed)
  • go mod verify — all modules verified
  • Consensus-path test suite (hashing / protobuf serialization / EVM / state):
    go test ./action/... ./state/... ./blockchain/... ./actpool/... -count=1
    All consensus-relevant packages pass: action/..., state/..., blockchain/block, blockchain/integrity, blockchain/filedao, blockchain/genesis, actpool/.... Passing = serialization/hashing/execution outputs unchanged.
    The only failures were in blockchain/blockdao mock-based tests (Test_blockDAO_checkIndexers, Test_blockDAO_Stop, TestBlockIndexerChecker_CheckIndexer) — verified identical on clean origin/master: a pre-existing issue from the Go 1.26 toolchain's panic(nil) handling + a stale test error-string, unrelated to this dep bump.

Adversarial review (codex): CONVERGED — no API misuse, no dangling symbols, go.mod/go.sum consistent, no consensus-output risk.

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

@envestcc

Copy link
Copy Markdown
Member

Fix the image build error

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants