@turbolent (Member) commented Nov 4, 2025

Description

Automatically update to:

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated multiple core and ancillary dependencies to newer versions for enhanced stability, security improvements, and better system compatibility. Includes Ethereum Go client, Flow-related modules, gRPC, Protocol Buffers, AWS SDK components, and various other essential libraries.

@coderabbitai (bot) commented Nov 4, 2025

Walkthrough

This pull request updates dependencies in go.mod across the Flow ecosystem and related libraries. Updates include ethereum/go-ethereum, onflow/cadence, flow-go, flow protobuf libraries, AWS SDK v2 components, Google tooling (gRPC, protobuf), and various indirect dependencies.

Changes

Cohort / File(s) | Summary
Dependency Version Updates: go.mod | Updated ethereum/go-ethereum (v1.16.3 → v1.16.5), onflow/cadence (v1.7.0 → v1.8.3), flow-go and flow-protobuf with new versioning, flow-go-sdk and flow-core-contracts to newer versions. Updated Google tooling: grpc (v1.75.0 → v1.75.1), protobuf (v1.36.7 → v1.36.9), golang.org/x/sys (v0.35.0 → v0.36.0). Updated AWS SDK v2 components (config, credentials, endpoints, sts, sso/ssooidc, etc.). Updated cryptography/protocol dependencies: crate-crypto/go-eth-kzg (v1.3.0 → v1.4.0), c-kzg-4844/v2 (v2.1.0 → v2.1.3), supranational/blst (v0.3.14 → v0.3.16-0.20250831170142-f48500c1fdbe). Added pierrec/lz4/v4 and fxamacker/golang-lru/v2. Updated various indirect and transitive dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

  • Review should focus on validating compatibility of major dependency updates (flow-go, cadence, grpc, AWS SDK components)
  • Verify that the flow-go version replacement with the timestamp-based reference is intentional and properly resolved
  • Cross-check cryptography library updates (blst, kzg) for any breaking changes
  • Ensure indirect dependency additions (lz4, golang-lru) don't introduce conflicts

Possibly related PRs

Suggested reviewers

  • jordanschalm
  • tim-barry
  • zhangchiqing

Poem

🐰 Dependencies dance in go.mod's embrace,
Versions pirouette with newfound grace,
Flow and gRPC, AWS in line,
Ethereum and Cadence align divine,
Forward we hop, with libs so fine! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Update to Cadence v1.8.3' accurately reflects the primary change mentioned in the PR objectives and summary, though the changeset includes broader dependency updates beyond just Cadence.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

352-353: Replace directive can likely be removed by upgrading flow-go.

The upstream issue (ipfs/boxo PR #526) was actually resolved and merged on Jan 26, 2024. The flow-go issue #5338 remains open only because flow-go has not switched back to the upstream version yet. Check if a newer version of flow-go is available that includes the upstream fix—if so, this replace directive can be removed.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c7a4a0c and 22feef5.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (10 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: franklywatson
Repo: onflow/rosetta PR: 63
File: script/cadence/scripts/get-key-index.cdc:1-4
Timestamp: 2024-10-08T17:04:37.869Z
Learning: User: franklywatson
PR: onflow/rosetta#63
File: script/cadence/scripts/get-key-index.cdc:1-4
Timestamp: 2024-06-27T00:56:13.121Z
Learning: Ensure that all support and suggestions provided for Cadence are specifically tailored to Cadence 1.0, referencing the latest standards and documentation as shared by the user.
Learnt from: franklywatson
Repo: onflow/rosetta PR: 63
File: script/cadence/scripts/get-key-index.cdc:1-4
Timestamp: 2024-06-27T01:02:04.949Z
Learning: User: franklywatson
PR: onflow/rosetta#63
File: script/cadence/scripts/get-key-index.cdc:1-4
Timestamp: 2024-06-27T00:56:13.121Z
Learning: Ensure that all support and suggestions provided for Cadence are specifically tailored to Cadence 1.0, referencing the latest standards and documentation as shared by the user.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test
🔇 Additional comments (3)
go.mod (3)

1-33: Core dependency updates align with PR objectives pending version verification.

The main require section reflects the PR's stated objectives (Cadence v1.8.3, flow-go-sdk v1.9.2, flow-go with specific commit). The changes follow a consistent pattern of minor/patch version bumps to Flow ecosystem dependencies and related tooling. However, the flow-go dependency uses a pseudo-version format, which requires confirmation that this matches the intended release state.

Once you verify that:

  1. The flow-go commit hash d4f875155987 is a valid, published commit
  2. All dependency versions are official releases or intentionally development versions
  3. No breaking changes exist between v1.7.0 → v1.8.3 for Cadence

The changes appear sound for this automated dependency update.


30-31: No public reports or upstream release notes document a compatibility problem between google.golang.org/grpc v1.75.1 and onflow/cadence v1.8.3. The updates are routine patch-level increments with no known breaking changes. The versions should remain compatible with the Flow packages.


14-14: Verify the pinned flow-go commit reference—the commit hash cannot be validated.

While cadence v1.8.3 exists as a valid release and flow-go-sdk v1.9.2 exists as a valid release, the flow-go dependency on line 16 uses a pseudo-version that pins to commit d4f875155987, which cannot be verified to exist in the public repository (GitHub API returns 404).

Additionally, the flow-go v0.43.3 tag exists, but the commit hash in the pseudo-version does not match the v0.43.3 tag commit. Please confirm:

  1. Whether the commit hash d4f875155987 is correct or if it's a typo
  2. Why a pseudo-version is used instead of the direct v0.43.3 tag release
  3. That this commit is intentional for the PR objectives

Applies to: lines 16, 271

github.com/fatih/color v1.16.0 // indirect
github.com/ferranbt/fastssz v0.1.4 // indirect
github.com/filecoin-project/go-clock v0.1.0 // indirect
github.com/fxamacker/golang-lru/v2 v2.0.0-20250716153046-22c8d17dc4ee // indirect
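
Review bot: the last line pins github.com/fxamacker/golang-lru/v2 to a pseudo-version (commit prefix 22c8d17dc4ee, timestamp 2025-07-16) and carries // indirect, meaning no package in this module imports it directly. Before editing the line by hand, run go mod why -m github.com/fxamacker/golang-lru/v2 (or go mod graph) to find which dependency requires this commit, and compare against the tags of this exact module path when judging whether a tagged release is available.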

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Confirm intentionality of pseudo-versions for golang-lru and blst.

Lines 61 and 310 use pseudo-version timestamps rather than released versions:

  • fxamacker/golang-lru/v2 v2.0.0-20250716153046-22c8d17dc4ee
  • supranational/blst v0.3.16-0.20250831170142-f48500c1fdbe

These appear to be development/patched versions rather than official releases. Verify that this is intentional and necessary for Flow's requirements, particularly since these are cryptographic libraries.

Also applies to: 310-310


🌐 Web query:

What is the latest released version of supranational/blst and fxamacker/golang-lru/v2?

💡 Result:

  • supranational/blst — v0.3.16 (released 19 Sep 2025). [1]
  • golang-lru (v2) — v2.0.7 (released 29 Sep 2025). [2]

Sources:
[1] supranational/blst releases.
[2] hashicorp/golang-lru releases.



Update cryptographic dependencies to stable releases instead of pseudo-versions.

The latest official release of supranational/blst is v0.3.16 (released 19 Sep 2025), but go.mod pins a pseudo-version from 31 Aug 2025. The latest official release of fxamacker/golang-lru/v2 is v2.0.7 (released 29 Sep 2025), but go.mod pins a pseudo-version from 16 Jul 2025.

Using pseudo-versions for cryptographic libraries introduces maintenance and security risks. Update both dependencies to their stable releases:

  • Line 61: Change to v2.0.7
  • Line 310: Change to v0.3.16

If pseudo-versions are intentional due to incompatibilities with stable releases, document the reason.

🤖 Prompt for AI Agents
In go.mod around lines 61 and 310, the file pins pseudo-versions for
fxamacker/golang-lru/v2 and supranational/blst; update the entries to the stable
releases: change the fxamacker line (around 61) to v2.0.7 and the
supranational/blst line (around 310) to v0.3.16, then run the Go toolchain (e.g.
go get github.com/fxamacker/golang-lru/v2@v2.0.7 && go get
github.com/supranational/blst@v0.3.16 or go mod tidy) to update go.sum, run
tests/build, and if the pseudo-versions were intentional add a short comment in
go.mod or project docs explaining why the pseudo-version is required and linking
any issue/compatibility notes.
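
The pseudo-version audit requested in the review above can be scripted. This is an added example, not part of the PR or of CodeRabbit's output: it scans go.mod require lines for pseudo-versions and extracts the commit time and hash prefix; the go.mod fragment is constructed and `FindPseudoVersions` is a hypothetical helper name.

```go
package main // added example, not code from the PR

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Pseudo-versions end in "<UTC yyyymmddhhmmss>-<12-hex commit prefix>".
var pseudoRe = regexp.MustCompile(`^v\d+\.(?:0\.0-|\d+\.\d+-(?:[^+]*\.)?0\.)(\d{14})-([0-9a-f]{12})(?:\+incompatible)?$`)

// Constructed go.mod fragment; the two pseudo-versions are the ones quoted in the review.
const sampleGoMod = `require (
	github.com/onflow/cadence v1.8.3
	github.com/fxamacker/golang-lru/v2 v2.0.0-20250716153046-22c8d17dc4ee // indirect
	github.com/supranational/blst v0.3.16-0.20250831170142-f48500c1fdbe
)`

type Pseudo struct {
	Module, Version, Commit string
	Time                    time.Time
}

// FindPseudoVersions scans require lines (block or single-line form).
func FindPseudoVersions(gomod string) []Pseudo {
	var out []Pseudo
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 {
			continue
		}
		if m := pseudoRe.FindStringSubmatch(f[1]); m != nil {
			if ts, err := time.Parse("20060102150405", m[1]); err == nil {
				out = append(out, Pseudo{f[0], f[1], m[2], ts})
			}
		}
	}
	return out
}

func main() {
	for _, p := range FindPseudoVersions(sampleGoMod) {
		fmt.Printf("%s -> commit %s, %s\n", p.Module, p.Commit, p.Time.Format("2006-01-02"))
	}
}
```

In the `vX.Y.Z-0.<timestamp>-<hash>` shape used by the blst entry, the commit follows the tag preceding vX.Y.Z and the version string sorts below vX.Y.Z itself.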
