Update contract dependencies: flow-core-contracts v1.10.1, nft-storefront, flow-evm-bridge v0.2.1 #8541
…w-evm-bridge to v0.2.1
Dependency Review
The following issues were found:
License Issues
- go.mod
- insecure/go.mod
- integration/go.mod
📝 Walkthrough
Adds two EVM-bridge contract paths, reorders a VM-bridge bootstrap step, extends bridge environment with two new addresses and an NFTStorefrontV2 constructor arg, updates several hardcoded genesis/state-commitment test values and one test numeric, adjusts FT type argument construction, and bumps multiple Go module versions.
Sequence Diagram(s)
(Skipped — changes are configuration, test constants, dependency bumps and a small bootstrap call reorder; no new multi-component sequential flow requiring visualization.)
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
Y'all are going to need to get this passing without me. 😢 This has the latest versions of all the contracts deployed in bootstrapping
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
go.mod (1)
278-348: ⚠️ Potential issue | 🟠 Major
Upgrade quic-go to v0.57.0 or later across all module manifests.
github.com/quic-go/quic-go v0.48.2 is vulnerable to GO-2025-4017 and GO-2025-4233 (panic/DoS severity). Upgrade to v0.57.0 minimum in:
- go.mod (line 315)
- integration/go.mod (line 314)
- insecure/go.mod (line 269)
No companion upgrades needed for qpack (v0.5.1 remains compatible).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 278 - 348, The go.mod currently pins github.com/quic-go/quic-go at v0.48.2 (see the module entry "github.com/quic-go/quic-go v0.48.2"); update that dependency to at least v0.57.0 in this file and the other module manifests noted (integration/go.mod and insecure/go.mod) so the quic-go upgrade addresses GO-2025-4017/4233; keep github.com/quic-go/qpack v0.5.1 as-is since no qpack upgrade is required.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 40c92a18-9e53-4022-b5bf-d7300429158d
⛔ Files ignored due to path filters (3)
- go.sum is excluded by !**/*.sum
- insecure/go.sum is excluded by !**/*.sum
- integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
- engine/execution/state/bootstrap/bootstrap_test.go
- fvm/blueprints/bridge.go
- fvm/bootstrap.go
- go.mod
- insecure/go.mod
- integration/go.mod
- utils/unittest/execution_state.go
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
fvm/fvm_test.go (1)
3827-3834: ⚠️ Potential issue | 🟠 Major
Narrow the event filter before reading NFT id.
Line 3827 matches any event containing "Deposited", which is overly broad. That makes Line 3831’s id cast fragile if a non-NFT deposited event is encountered. Match the specific NFT deposited event type (or guard field existence) before extracting id.
💡 Suggested patch
- for _, event := range output.Events { - if strings.Contains(string(event.Type), "Deposited") { + expectedNFTDepositEvent := fmt.Sprintf("A.%s.%s.Deposited", accounts[0], nftContractName) + for _, event := range output.Events { + if string(event.Type) != expectedNFTDepositEvent { + continue + } // decode the event payload data, _ := ccf.Decode(nil, event.Payload) // get the id field from the event id = cadence.SearchFieldByName( data.(cadence.Event), "id", ).(cadence.UInt64) } }🤖 Prompt for AI Agents
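Review bot: in the suggested loop the decode error is still discarded (`data, _ := ccf.Decode(nil, event.Payload)`) and both `data.(cadence.Event)` and `.(cadence.UInt64)` are unchecked assertions, so a payload that fails to decode, or a matching event without a UInt64 `id`, panics instead of failing the test with a message. Check the error and use the two-value assertion form. Since `id` is reassigned on every match, also stop at the first match or assert that exactly one event matched.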
Verify each finding against the current code and only fix it if needed. In `@fvm/fvm_test.go` around lines 3827 - 3834, The code currently treats any event whose event.Type contains "Deposited" as an NFT deposit and directly casts the decoded payload to cadence.Event and its "id" field to cadence.UInt64; change this to first narrow the filter to the exact NFT deposited event type (e.g. compare event.Type string equality to the NFT deposit event identifier) or, if the exact type string may vary, decode safely and check that cadence.SearchFieldByName(data.(cadence.Event), "id") exists and that the returned value type-asserts to cadence.UInt64 before assigning to id; reference the decoding call ccf.Decode(nil, event.Payload), the event.Type check, and cadence.SearchFieldByName usage when making the fix.
insecure/go.mod (1)
269-269: ⚠️ Potential issue | 🟠 Major
Update quic-go to address HIGH severity security vulnerabilities.
This dependency contains 2 confirmed HIGH severity vulnerabilities affecting v0.48.2:
- GO-2025-4017 / GHSA-47m2-4cr7-mhcw (CVE-2025-59530): Client assertion failure when a misbehaving server sends a premature HANDSHAKE_DONE during handshake, leading to DoS. Patched in v0.49.1+.
- GO-2025-4233 / GHSA-g754-hx8w-x2g6 (CVE-2025-64702): HTTP/3 QPACK header expansion DoS. Patched in v0.57.0+.
Upgrade quic-go to v0.57.0 or later to address both vulnerabilities. Since this is pulled in directly by the insecure module and indirectly through libp2p, updating the direct dependency or adding a replace directive in go.mod will resolve this.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@insecure/go.mod` at line 269, The go.mod currently pins github.com/quic-go/quic-go at v0.48.2 which contains two HIGH severity vulnerabilities; update the dependency to v0.57.0 or later by changing the module version reference for github.com/quic-go/quic-go to >= v0.57.0 or, if the transitive libp2p import prevents a direct bump, add a go.mod replace directive that forces github.com/quic-go/quic-go => github.com/quic-go/quic-go v0.57.0 (or newer) so any import of quic-go uses the fixed release; ensure you run go mod tidy and verify with go list -m all or your CI to confirm the new version is used.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 66f0879f-8813-4c69-937d-19761a6d871b
⛔ Files ignored due to path filters (3)
- go.sum is excluded by !**/*.sum
- insecure/go.sum is excluded by !**/*.sum
- integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
- engine/execution/computation/execution_verification_test.go
- fvm/blueprints/token.go
- fvm/bootstrap.go
- fvm/fvm_test.go
- go.mod
- insecure/go.mod
- integration/go.mod
- utils/unittest/execution_state.go
🚧 Files skipped from review as they are similar to previous changes (4)
- fvm/bootstrap.go
- utils/unittest/execution_state.go
- go.mod
- integration/go.mod
e744a79 to 5bb0e89
Actionable comments posted: 1
🧹 Nitpick comments (2)
fvm/fvm_test.go (2)
3827-3834: Match the exact deposited event before reading the NFT ID.
strings.Contains(string(event.Type), "Deposited") will accept any deposited event emitted by the transaction. Filtering on the concrete NFT deposit event and asserting a single match would make the bridged-ID lookup deterministic.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fvm/fvm_test.go` around lines 3827 - 3834, Replace the lenient strings.Contains check on event.Type with a strict equality check against the concrete deposit event identifier (do not accept any "Deposited" substring) and ensure you only process when exactly one matching event exists; locate the code that currently uses strings.Contains(string(event.Type), "Deposited"), use the exact event type comparison instead, validate there is a single matched event before calling ccf.Decode and cadence.SearchFieldByName on the decoded cadence.Event, and return or fail fast if zero or multiple matches are found so the extracted id (cadence.UInt64 assigned to id) is deterministic.
3372-3399: Extract this repeated bridge-address fixture.
The same service-account-only address map is duplicated in both VM-bridge subtests. A small helper would make the next bridge contract addition much harder to miss.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fvm/fvm_test.go` around lines 3372 - 3399, The repeated bridge.Environment literal (assigned to bridgeEnv) used in both VM-bridge subtests should be extracted into a small helper to avoid duplication and future omissions: add a function like makeServiceAccountBridgeEnv(envAddress string) or defaultBridgeEnv(env) that returns a bridge.Environment with every field set to env.ServiceAccountAddress, then replace the inlined bridgeEnv constructions in the two VM-bridge subtests with calls to that helper (referencing the bridge.Environment type and the bridgeEnv variable name to locate the spots to change).
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1b93ed33-6ec0-4a0e-8bbe-83dfce2737a5
⛔ Files ignored due to path filters (3)
- go.sum is excluded by !**/*.sum
- insecure/go.sum is excluded by !**/*.sum
- integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
- engine/execution/computation/execution_verification_test.go
- fvm/blueprints/token.go
- fvm/bootstrap.go
- fvm/fvm_test.go
- go.mod
- insecure/go.mod
- integration/go.mod
- utils/unittest/execution_state.go
✅ Files skipped from review due to trivial changes (1)
- integration/go.mod
🚧 Files skipped from review as they are similar to previous changes (4)
- engine/execution/computation/execution_verification_test.go
- fvm/blueprints/token.go
- utils/unittest/execution_state.go
- go.mod
| go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 // indirect | ||
| go.opentelemetry.io/otel/metric v1.39.0 // indirect | ||
| go.opentelemetry.io/otel/sdk v1.39.0 // indirect | ||
| go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.39.0 // indirect | ||
| go.opentelemetry.io/proto/otlp v1.7.1 // indirect | ||
| go.opentelemetry.io/proto/otlp v1.9.0 // indirect |
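Review bot: otlptracegrpc stays at v1.31.0 on the second line of this hunk while otlptrace, metric, sdk, sdk/metric and trace are all at v1.39.0 and proto/otlp moves from v1.7.1 to v1.9.0. If the older exporter is held back deliberately, record the reason next to the requirement that pins it; otherwise bring it in line with the rest of the OpenTelemetry set.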
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Current quic-go in insecure/go.mod:"
rg -n 'github.com/quic-go/quic-go\s+v' insecure/go.mod
echo
echo "Querying OSV for known vulns on v0.48.2..."
curl -s https://api.osv.dev/v1/query \
-H 'Content-Type: application/json' \
-d '{"package":{"ecosystem":"Go","name":"github.com/quic-go/quic-go"},"version":"v0.48.2"}' \
| jq '.vulns[] | {id: .id, summary: .summary, fixed: .affected[0].ranges[0].events}'
Repository: onflow/flow-go
Length of output: 1113
🏁 Script executed:
fd -n 'insecure' --type f | head -20
Repository: onflow/flow-go
Length of output: 288
🏁 Script executed:
cat -n insecure/go.mod | head -20
Repository: onflow/flow-go
Length of output: 853
🏁 Script executed:
git log --oneline -n 5 -- insecure/go.mod
Repository: onflow/flow-go
Length of output: 78
🏁 Script executed:
find . -name "*.go" -path "*/insecure/*" | head -10
Repository: onflow/flow-go
Length of output: 403
🏁 Script executed:
cat insecure/README.md 2>/dev/null || echo "No README in insecure/"
Repository: onflow/flow-go
Length of output: 80
🏁 Script executed:
rg "insecure/go.mod" . --type md --type txt 2>/dev/null | head -20
Repository: onflow/flow-go
Length of output: 40
🏁 Script executed:
cat -n go.mod | head -30
Repository: onflow/flow-go
Length of output: 1410
🏁 Script executed:
rg "insecure" go.mod | head -5
Repository: onflow/flow-go
Length of output: 40
🏁 Script executed:
grep -r "require.*insecure" . --include="*.go" --include="*.mod" | head -10
Repository: onflow/flow-go
Length of output: 729
🏁 Script executed:
cat -n go.work 2>/dev/null || echo "No go.work file"
Repository: onflow/flow-go
Length of output: 73
🏁 Script executed:
ls -la | grep -E "go\.|go\$"
Repository: onflow/flow-go
Length of output: 175
🏁 Script executed:
rg "github.com/onflow/flow-go/insecure" . --type mod | head -20
Repository: onflow/flow-go
Length of output: 85
🏁 Script executed:
rg "insecure" --type go . -i | grep -i "build\|test\|release" | head -10
Repository: onflow/flow-go
Length of output: 928
🏁 Script executed:
ls -la insecure/cmd/
Repository: onflow/flow-go
Length of output: 555
🏁 Script executed:
cat insecure/go.mod | grep "require"
Repository: onflow/flow-go
Length of output: 77
Fix vulnerable quic-go in test module.
The insecure/go.mod test fixture references github.com/quic-go/quic-go v0.48.2, which has confirmed security vulnerabilities:
- GHSA-47m2-4cr7-mhcw / GO-2025-4017: Panic on undecryptable packets (fixed in v0.49.1, v0.54.1+)
- GHSA-g754-hx8w-x2g6 / GO-2025-4233: HTTP/3 QPACK header expansion DoS (fixed in v0.57.0)
Bump to a patched version compatible with go-libp2p. Since this code runs in the test matrix, it should be updated to prevent security tooling from flagging the module.
🧰 Tools
🪛 OSV Scanner (2.3.5)
[HIGH] 315-315: github.com/quic-go/quic-go 0.48.2: Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go
(GO-2025-4017)
[HIGH] 315-315: github.com/quic-go/quic-go 0.48.2: HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
(GO-2025-4233)
[HIGH] 315-315: github.com/quic-go/quic-go 0.48.2: quic-go: Panic occurs when queuing undecryptable packets after handshake completion
[HIGH] 315-315: github.com/quic-go/quic-go 0.48.2: quic-go HTTP/3 QPACK Header Expansion DoS
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@insecure/go.mod` around lines 309 - 315, The test module references a
vulnerable dependency github.com/quic-go/quic-go at v0.48.2; update the require
line for github.com/quic-go/quic-go to a patched release (at least v0.57.0 to
cover the QPACK DoS and earlier fixes) and then run your Go module update (eg.
go get github.com/quic-go/quic-go@v0.57.0 && go mod tidy) to refresh
go.mod/go.sum and ensure compatibility with go-libp2p and the test matrix, then
run the test suite to verify nothing breaks.
♻️ Duplicate comments (1)
insecure/go.mod (1)
269-269: ⚠️ Potential issue | 🟠 Major
quic-go v0.48.2 vulnerability remains unresolved.
The vulnerable version is still present in this module; if not blocked by compatibility constraints, it should be upgraded to a patched release.
#!/bin/bash
set -euo pipefail
echo "Current quic-go pin in insecure/go.mod:"
rg -n 'github.com/quic-go/quic-go\s+v' insecure/go.mod
echo
echo "Check libp2p pin that may constrain quic-go:"
rg -n 'github.com/libp2p/go-libp2p\s+v' insecure/go.mod
echo
echo "Find quic-go requirements in all go.mod files (for consistency checks):"
fd -i 'go.mod' | xargs rg -n 'github.com/quic-go/quic-go\s+v'
🧹 Nitpick comments (1)
insecure/go.mod (1)
309-310: Confirm OpenTelemetry exporter version skew is intentional.
The version skew between otlptrace v1.39.0 and otlptracegrpc v1.31.0 (Lines 309–310) is consistent across multiple go.mod files and appears to be controlled by the explicit v1.31.0 requirement in the main go.mod. If this constraint is necessary for your build, no action is required. Otherwise, consider aligning versions to reduce maintenance complexity.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@insecure/go.mod` around lines 309 - 310, The go.mod shows otel exporter version skew between module go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 and go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0; either confirm the v1.31.0 constraint in the main go.mod is intentional or align the versions by updating the otlptracegrpc requirement to a matching v1.39.0 (or downgrade otlptrace to v1.31.0) so both go.opentelemetry.io/otel/exporters/otlp/otlptrace and .../otlptrace/otlptracegrpc share the same major/minor version to avoid maintenance and compatibility issues.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d47c3053-60f3-4ea4-8f12-5cf6392afad6
⛔ Files ignored due to path filters (3)
- go.sum is excluded by !**/*.sum
- insecure/go.sum is excluded by !**/*.sum
- integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
- go.mod
- insecure/go.mod
- integration/go.mod
✅ Files skipped from review due to trivial changes (1)
- integration/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
- go.mod
♻️ Duplicate comments (1)
insecure/go.mod (1)
269-269: ⚠️ Potential issue | 🟠 Major
Vulnerable quic-go v0.48.2 still present (duplicate of prior review).
OSV still flags github.com/quic-go/quic-go v0.48.2 for GHSA-47m2-4cr7-mhcw (GO-2025-4017, panic on undecryptable packets; fixed in v0.49.1/v0.54.1+) and GHSA-g754-hx8w-x2g6 (GO-2025-4233, HTTP/3 QPACK expansion DoS; fixed in v0.57.0). Since insecure uses replace github.com/onflow/flow-go => ../, this indirect pin is driven by the root go.mod; bumping there (e.g., go get github.com/quic-go/quic-go@v0.57.0 && go mod tidy in root + insecure + integration) should propagate.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@insecure/go.mod` at line 269, The go.mod currently pins the indirect dependency github.com/quic-go/quic-go at v0.48.2 which is vulnerable; update it to at least v0.57.0 by running a module upgrade in the workspace root (e.g., run go get github.com/quic-go/quic-go@v0.57.0 && go mod tidy) and then run go mod tidy in the insecure and integration modules so the indirect pin is propagated (note the replace github.com/onflow/flow-go => ../ causes the root to drive this indirect). Ensure the final go.mod entries reflect github.com/quic-go/quic-go v0.57.0 or newer and commit the updated go.mod/go.sum files.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: a8626e73-8391-4a17-817e-33c212e6f987
⛔ Files ignored due to path filters (3)
- go.sum is excluded by !**/*.sum
- insecure/go.sum is excluded by !**/*.sum
- integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
- engine/execution/state/bootstrap/bootstrap_test.go
- go.mod
- insecure/go.mod
- integration/go.mod
- utils/unittest/execution_state.go
✅ Files skipped from review due to trivial changes (2)
- integration/go.mod
- go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
- engine/execution/state/bootstrap/bootstrap_test.go
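Added example (not code from this PR, the flow-go repository or CodeRabbit): a standard-library-only Go check for the condition the review comments above keep raising, reporting which module manifests still resolve github.com/quic-go/quic-go below v0.57.0 once a versioned replace directive is taken into account. The go.mod fragments and all function names are constructed for illustration, and version ordering is simplified to the numeric triple plus a pre-release flag.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed release come from the review comments; the go.mod
// fragments below are constructed samples, not the repository's files.
const quicGo, minFixed = "github.com/quic-go/quic-go", "v0.57.0"

var sampleManifests = [][2]string{
	{"go.mod", "require (\n\tgithub.com/quic-go/qpack v0.5.1 // indirect\n\t" + quicGo + " v0.48.2 // indirect\n)\n"},
	{"insecure/go.mod", "require " + quicGo + " v0.48.2 // indirect\nreplace github.com/onflow/flow-go => ../\n"},
	{"integration/go.mod", "require " + quicGo + " v0.48.2 // indirect\nreplace " + quicGo + " => " + quicGo + " v0.57.0\n"},
}

// sortKey maps "vX.Y.Z[-pre][+build]" to a string that orders like the version.
// A pre-release sorts before its release; a malformed part counts as 0.
func sortKey(v string) string {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, _, pre := strings.Cut(core, "-")
	var n [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%09d.%09d.%09d.%t", n[0], n[1], n[2], !pre)
}

// olderThan reports whether version a orders before version b.
func olderThan(a, b string) bool { return sortKey(a) < sortKey(b) }

// effectiveVersion returns the version of module that a go.mod selects: its
// require entry, overridden by a versioned replace. "" means it is not listed.
func effectiveVersion(gomod, module string) string {
	var required, replaced, block string
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and comments
		f := strings.Fields(line)
		switch {
		case len(f) == 1 && f[0] == ")":
			block = ""
			continue
		case len(f) == 2 && f[1] == "(":
			block = f[0] // start of a "require (" or "replace (" block
			continue
		case block != "":
			f = append([]string{block}, f...) // put the directive back in front
		}
		if len(f) < 3 || f[1] != module {
			continue
		}
		if f[0] == "require" {
			required = f[2]
		} else if f[0] == "replace" && f[len(f)-2] != "=>" {
			replaced = f[len(f)-1] // versioned target; a local path has none
		}
	}
	if replaced != "" {
		return replaced
	}
	return required
}

// audit lists "manifest version" for each manifest pinned below fixed.
func audit(manifests [][2]string, module, fixed string) (stale []string) {
	for _, m := range manifests {
		if v := effectiveVersion(m[1], module); v != "" && olderThan(v, fixed) {
			stale = append(stale, m[0]+" "+v)
		}
	}
	return stale
}

func main() {
	fmt.Println(strings.Join(audit(sampleManifests, quicGo, minFixed), "\n"))
}
```

In a real build the authoritative answer is still what `go list -m all` reports for each module, as the review comments note; this parser only reads the manifest text.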
Summary
- flow-core-contracts/lib/go/{contracts,templates}: v1.9.3 → v1.10.1
- nft-storefront/lib/go/contracts: v1.1.0 → v1.1.1-0...cddb825 (fixes missing Burner address substitution in NFTStorefrontV2)
- flow-evm-bridge: v0.2.0 → v0.2.1
- go-ethereum pinned at v1.16.8 to avoid a breaking removal of trie/utils in v1.17.x
Bootstrap changes (fvm/bootstrap.go, fvm/blueprints/bridge.go)
- env.BurnerAddress to storefront.NFTStorefrontV2() — required by nft-storefront cddb825 which now substitutes the Burner import address
- FlowEVMBridgeCustomAssociationTypes, FlowEVMBridgeCustomAssociations) to BridgeContracts deployment list, ordered before FlowEVMBridgeConfig which depends on them
- FlowEVMBridgeCustomAssociationTypesAddress and FlowEVMBridgeCustomAssociationsAddress to bridgeEnv
- deployCrossVMMetadataViews before setupVMBridge — the new bridge contracts import CrossVMMetadataViews, so it must be deployed and its address set in env before the bridge contracts are built
Updated genesis state commitments
utils/unittest/execution_state.go and engine/execution/state/bootstrap/bootstrap_test.go updated with new hashes reflecting the changed contract bytecode.
Known issue
TestVMBridge is still failing due to a bug in flow-ft v1.1.0: GenerateTransferGenericVaultWithAddressScript substitutes the MetadataViews import with the FungibleTokenMetadataViews address instead of the actual MetadataViews address. This needs a fix in the flow-ft repo.
Summary by CodeRabbit
New Features
Chores
Tests