Update to Cadence v1.10.3

[turbolent]

Description

Automatically update to:

• onflow/cadence v1.10.3
• onflow/flow-go-sdk v1.10.3
• onflow/flow-go 5b9fa9c8352e
• onflow/flow-emulator v1.21.0

Summary by CodeRabbit

• Chores
  • Updated core and indirect dependencies across the Flow ecosystem and supporting libraries, integrating recent security, performance, and compatibility improvements (including OpenTelemetry and cryptography-related packages).
• Tests
  • Adjusted test expectations for fee history results to match updated runtime behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ef624725-03f6-41aa-a163-0a52a3903625

📥 Commits

Reviewing files that changed from the base of the PR and between 8720038 and f2522dd.

📒 Files selected for processing (2)

• storage/register_delta.go
• tests/web3js/eth_non_interactive_test.js

---

📝 Walkthrough

Walkthrough

Bumps multiple Go module versions in go.mod and tests/go.mod; switches RegisterDelta to implement fvm/evm/backends.BackendStorage; updates a web3js test expectation for getFeeHistory gasUsedRatio.

Changes

Dependency Version Updates

Layer / File(s)	Summary
Primary onflow runtime dependencies go.mod, tests/go.mod	Bumped github.com/onflow/cadence, github.com/onflow/flow-go, and github.com/onflow/flow-go-sdk in go.mod; tests also bump flow-emulator, flow-evm-gateway, and github.com/onflow/crypto.
Flow ecosystem contract modules go.mod, tests/go.mod	Upgraded indirect contract/template modules: flow-core-contracts, flow-evm-bridge, flow-ft, flow-nft across both files; tests also bump onflow/flow/protobuf, onflow/go-ethereum, and onflow/nft-storefront.
Infrastructure and observability dependencies go.mod, tests/go.mod	Bumped github.com/consensys/gnark-crypto (v0.18.0→v0.18.1), github.com/grpc-ecosystem/grpc-gateway/v2 (v2.27.1→v2.27.3), and OpenTelemetry OTLP/proto packages (otlptrace→v1.39.0, go.opentelemetry.io/proto/otlp v1.7.1→v1.9.0).

Wiring & Test Expectation Changes

Layer / File(s)	Summary
RegisterDelta backend interface wiring storage/register_delta.go	Switched the compile-time assertion and helper parameter types from types.BackendStorage to backends.BackendStorage.
Web3js fee-history assertion tests/web3js/eth_non_interactive_test.js	Updated expected gasUsedRatio array values for web3.eth.getFeeHistory in the should get fee history test.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• onflow/flow-evm-gateway#301: Also bumps core onflow module versions (cadence, flow-go, flow-go-sdk) in go.mod/tests/go.mod.
• onflow/flow-evm-gateway#957: Overlaps in updating go.mod/tests/go.mod pins for onflow packages.
• onflow/flow-evm-gateway#612: Related go.mod dependency bumps for flow-go and cadence.

Suggested reviewers

• janezpodhostnik
• peterargue
• m-Peter

Poem

🐰 I hopped through modules, versions aglow,
I nudged a backend, then watched tests grow,
Dependencies pruned, small fixes in tow,
A tiny patch-hop, and off I go! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update to Cadence v1.10.3' directly matches the PR's primary objective and is fully reflected in the changeset, which updates Cadence and related onflow dependencies to specified versions.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch auto-update-onflow-cadence-v1.10.3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 204-209: The go.opentelemetry.io/otel/sdk module is pinned at
v1.39.0 which is vulnerable to PATH-hijacking CVEs; update the go.mod entry for
the module (go.opentelemetry.io/otel/sdk) to at least v1.43.0 and align the
related OTEL indirect modules (e.g.,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/trace, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/proto/otlp) to compatible, up-to-date versions, then run `go
mod tidy` and `go mod vendor` (if used) to ensure the module graph is consistent
before committing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f264f188-9d52-4538-b7e9-7af08e9707f3

📥 Commits

Reviewing files that changed from the base of the PR and between 8e60e61 and 8720038.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• tests/go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether go.opentelemetry.io/otel/sdk@v1.39.0 is affected by published advisories
# and identify fixed ranges using OSV API (read-only).

set -euo pipefail

cat <<'JSON' > /tmp/osv-query.json
{
  "package": {
    "ecosystem": "Go",
    "name": "go.opentelemetry.io/otel/sdk"
  },
  "version": "1.39.0"
}
JSON

curl -sS https://api.osv.dev/v1/query -d `@/tmp/osv-query.json` | jq .

Repository: onflow/flow-evm-gateway

Length of output: 8530

---

🌐 Web query:

CVE-2026-24051 CVE-2026-39883 opentelemetry go sdk fix versions

💡 Result:

Fix versions (OpenTelemetry Go SDK): 1) CVE-2026-24051 (Path Hijacking / macOS/Darwin ioreg) Update go.opentelemetry.io/otel/sdk to v1.40.0 or later. The advisory states affected versions are >= 1.21.0 and <= 1.39.0, and the patched version is 1.40.0.[1] 2) CVE-2026-39883 (Follow-on to incomplete fix; BSD/Solaris kenv still left unqualified) Update go.opentelemetry.io/otel/sdk to v1.43.0 or later. NVD states the incomplete fix affects versions 1.15.0 to 1.42.0 and that this vulnerability is fixed in 1.43.0.[2] Practical guidance: If you’re running any 1.42.x releases, update at least to 1.43.0 to cover both the original ioreg path qualification and the remaining kenv issue.[2]

Citations:

• 1: GHSA-9h8m-3fm2-qjrq
• 2: https://advisories.gitlab.com/golang/go.opentelemetry.io/otel/sdk/CVE-2026-24051/

---

Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 or later to address HIGH-severity PATH hijacking vulnerabilities.

go.opentelemetry.io/otel/sdk v1.39.0 (Line 207) is affected by two published HIGH-severity CVEs enabling arbitrary code execution via PATH hijacking:

• CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq): Affects v1.21.0–1.39.0; fixed in v1.40.0. Exploits Darwin ioreg command.
• CVE-2026-39883 (GHSA-hfvc-g4fc-pqhx): Affects v1.15.0–1.42.0; fixed in v1.43.0. Exploits BSD/Solaris kenv command.

To address both vulnerabilities, upgrade the SDK to v1.43.0 and realign other OTEL modules before merge.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 207-207: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 207-207: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

---

[HIGH] 207-207: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 204 - 209, The go.opentelemetry.io/otel/sdk module is
pinned at v1.39.0 which is vulnerable to PATH-hijacking CVEs; update the go.mod
entry for the module (go.opentelemetry.io/otel/sdk) to at least v1.43.0 and
align the related OTEL indirect modules (e.g.,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/trace, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/proto/otlp) to compatible, up-to-date versions, then run `go
mod tidy` and `go mod vendor` (if used) to ensure the module graph is consistent
before committing.

[m-Peter]

LGTM!

[m-Peter]

@turbolent The CI failure came from the following version bump:

- github.com/onflow/flow-evm-bridge v0.1.0 // indirect
+ github.com/onflow/flow-evm-bridge v0.2.1 // indirect

This was updated in flow-go (see onflow/flow-go@dd41ae5), and it resulted in higher gas usage, because some Solidity contracts had additional changes. This caused the transactions from the Cross-VM bridge bootstrap in flow-go, to increase the total gas used in the 1st EVM block.

CI updated in f2522dd .
The changes are safe for merging & releasing 🙏

[turbolent]

@m-Peter Thank you for the fixes 🙏