Update to Cadence v1.9.10

[jribbink]

Description

Automatically update to:

• onflow/cadence v1.9.10
• onflow/flow-go-sdk v1.9.16
• onflow/flow-go 7770192048a9
• onflow/flow-emulator v1.17.0

Summary by CodeRabbit

Release Notes

• Chores
  • Updated multiple dependencies across production and test environments to newer stable versions. Updated components include flow-related SDKs and tools, Google Cloud services, gRPC framework and gateway, OpenTelemetry instrumentation libraries, cryptography utilities, networking protocols, and authentication packages to enhance system compatibility, security, and stability.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates dependency versions across go.mod and tests/go.mod for Flow ecosystem components (cadence, flow-go, flow-go-sdk), Google Cloud libraries, gRPC, OpenTelemetry, and standard library extensions. No functional code changes included.

Changes

Cohort / File(s)	Summary
Dependency Manifest Files go.mod, tests/go.mod	Multiple version bumps across Flow ecosystem (cadence v1.9.8→v1.9.10, flow-go v0.46.0→v0.47.0-ledger-service, flow-go-sdk v1.9.13→v1.9.16), Google Cloud (cloud/go v0.121→v0.123, kms v1.24.0→v1.25.0, longrunning v0.7.0→v0.8.0), gRPC (v1.78.0→v1.79.1, gateway v2.26.3→v2.27.1), OpenTelemetry (v1.38.0→v1.39.0+), and golang.org/x packages (crypto, net, oauth2, sys, text) to newer patch/minor versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Update to Cadence v1.9.4 #948: Updates same onflow-related dependencies (cadence, flow-go, flow-go-sdk) in go.mod with different target versions.
• Update flow-go #612: Modifies github.com/onflow/flow-go version in go.mod dependency declaration.
• Update to Cadence v1.0.0-preview.51 #502: Performs dependency version bumps on cadence, flow-go, and flow-go-sdk in go.mod.

Suggested reviewers

• peterargue
• zhangchiqing
• m-Peter

Poem

🐰 Dependencies dance in the springtime air,
New versions hop in without a care,
Flow updates flow, and gRPC sings,
OpenTelemetry spreads its wings! 🌱✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions only Cadence v1.9.10, but the PR updates multiple dependencies including flow-go, flow-go-sdk, flow-emulator, and numerous other libraries across both go.mod and tests/go.mod.	Consider a more comprehensive title that reflects the broader scope of dependency updates, such as 'Update multiple dependencies including Cadence v1.9.10, flow-go, and related libraries' or 'Dependency updates: Cadence, flow-go, and ecosystem components'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch auto-update-onflow-cadence-v1.9.10-919881

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 203-209: Update the vulnerable OpenTelemetry modules in go.mod by
bumping go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace from v1.39.0 to
v1.40.0 (or a later patched release) so they remain in sync; run `go get`/`go
mod tidy` to refresh indirect dependencies (the entries to change are the lines
containing go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: caf452f7-a88e-44c7-b308-c5597f814855

📥 Commits

Reviewing files that changed from the base of the PR and between 8db2bd2 and e7daf99.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• tests/go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the first patched version of go.opentelemetry.io/otel/sdk for GHSA-9h8m-3fm2-qjrq / GO-2026-4394, and should go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace stay on the same version?

💡 Result:

• First patched version for go.opentelemetry.io/otel/sdk (GHSA-9h8m-3fm2-qjrq / GO-2026-4394): v1.40.0 (affected v1.21.0 up to v1.39.0). [1][2]

• Should go.opentelemetry.io/otel, /metric, /sdk, and /trace stay on the same version?
  Yes—keep them on the same stable-v1 release version. In the OpenTelemetry-Go repo, these modules are released as a single “module set” (stable-v1) with one shared version, and are intended to be updated together (e.g., currently shown as stable-v1: v1.42.0 including otel, otel/metric, otel/sdk, otel/trace). [3][4]

Sources
[1] Go vuln report (pkg.go.dev) for GO-2026-4394 (affected range and fixed-before version)
[2] GitHub Security Advisory GHSA-9h8m-3fm2-qjrq (patched version)
[3] OpenTelemetry-Go versions.yaml (module-set stable-v1 includes otel, otel/metric, otel/sdk, otel/trace at one version)
[4] AWS Open Source Blog on Go MultiMod / module sets (shared-version releases across grouped modules)

---

Upgrade the root OpenTelemetry SDK to v1.40.0 or later to patch GHSA-9h8m-3fm2-qjrq / GO-2026-4394.

Static analysis is flagging go.opentelemetry.io/otel/sdk v1.39.0 for the vulnerability GHSA-9h8m-3fm2-qjrq / GO-2026-4394. The patched version is v1.40.0. Update go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace together to the same version, as these modules are released as a single module set.

🧰 Tools

🪛 OSV Scanner (2.3.3)

[HIGH] 207-207: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 207-207: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 203 - 209, Update the vulnerable OpenTelemetry modules
in go.mod by bumping go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace from v1.39.0 to
v1.40.0 (or a later patched release) so they remain in sync; run `go get`/`go
mod tidy` to refresh indirect dependencies (the entries to change are the lines
containing go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace).

[m-Peter]

LGTM!