Skip to content

Fix dependency manager handling of block heights outside of query range#2281

Merged
jribbink merged 1 commit intomasterfrom
jribbink/fix-dep-mgr
Feb 26, 2026
Merged

Fix dependency manager handling of block heights outside of query range#2281
jribbink merged 1 commit intomasterfrom
jribbink/fix-dep-mgr

Conversation

@jribbink
Copy link
Contributor

@jribbink jribbink commented Feb 25, 2026

Closes #2280


For contributor use:

  • Targeted PR against master branch
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work
  • Code follows the standards mentioned here
  • Updated relevant documentation
  • Re-reviewed Files changed in the Github PR explorer
  • Added appropriate labels

@github-actions
Copy link

github-actions bot commented Feb 25, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
gomod/github.com/onflow/flowkit/v2 2.11.0 UnknownUnknown
gomod/go.opentelemetry.io/otel 1.39.0 🟢 9.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices🟢 5badge detected: Passing
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Fuzzing🟢 10project is fuzzed
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric 1.39.0 🟢 9.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices🟢 5badge detected: Passing
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Fuzzing🟢 10project is fuzzed
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk 1.39.0 🟢 9.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices🟢 5badge detected: Passing
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Fuzzing🟢 10project is fuzzed
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace 1.39.0 🟢 9.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices🟢 5badge detected: Passing
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Fuzzing🟢 10project is fuzzed
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
gomod/google.golang.org/grpc 1.79.1 🟢 7.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 9security policy file detected
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST🟢 7SAST tool detected but not run on all commits

Scanned Files

  • go.mod

@codecov-commenter
Copy link

codecov-commenter commented Feb 25, 2026

Codecov Report

❌ Patch coverage is 72.09302% with 12 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/dependencymanager/dependencyinstaller.go 72.09% 6 Missing and 6 partials ⚠️

📢 Thoughts on this report? Let us know!

Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses dependency installation failures when flow.json contains pinned block heights that are no longer queryable (e.g., outside the node’s compatible historical query range), by proactively checking the node’s reported compatible range before attempting historical account queries.

Changes:

  • Add a per-network “minimum queryable height” cache and use GetNodeVersionInfo().CompatibleRange to decide when to fall back to latest block height.
  • Update dependency-installer tests to mock GetNodeVersionInfo and add/rename cases around “before compatible range” pinned heights.
  • Bump Go module dependencies (notably flowkit, grpc, and otel), updating go.mod and go.sum accordingly.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File Description
internal/dependencymanager/dependencyinstaller.go Adds compatible-range querying + caching and changes the frozen/pinned height selection logic to avoid out-of-range queries.
internal/dependencymanager/dependencyinstaller_test.go Updates mocks to include GetNodeVersionInfo and adjusts block-height pinning tests for the new compatible-range behavior.
go.mod Updates module versions (including github.com/onflow/flowkit/v2).
go.sum Updates dependency checksums corresponding to go.mod bumps.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +478 to +488
if err != nil {
return 0, fmt.Errorf("failed to get node version info for %s: %w", network, err)
}

if nodeVersionInfo == nil {
return 0, fmt.Errorf("node version info is nil for %s", network)
}

// Get the minimum queryable block height from the compatible range
var minHeight uint64
if nodeVersionInfo.CompatibleRange != nil {
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getMinQueryableBlockHeight treats GetNodeVersionInfo failures (or a nil response) as fatal and aborts dependency installation. Since this check is only needed to avoid out-of-range historical queries, it should be best-effort: if node version info can’t be fetched, proceed without the compatible-range optimization (e.g., return minHeight=0) rather than failing installs that would otherwise succeed at the pinned height.

Suggested change
if err != nil {
return 0, fmt.Errorf("failed to get node version info for %s: %w", network, err)
}
if nodeVersionInfo == nil {
return 0, fmt.Errorf("node version info is nil for %s", network)
}
// Get the minimum queryable block height from the compatible range
var minHeight uint64
if nodeVersionInfo.CompatibleRange != nil {
// Default to 0 if we can't get node version info or compatible range.
// This makes the check best-effort: dependency installation can proceed
// even if version info is unavailable.
var minHeight uint64
if err == nil && nodeVersionInfo != nil && nodeVersionInfo.CompatibleRange != nil {

Copilot uses AI. Check for mistakes.
Comment on lines +648 to +668
// Proactively check if this block height is within the node's compatible range
minQueryableHeight, err := di.getMinQueryableBlockHeight(networkName)
if err != nil {
return fmt.Errorf("failed to check compatible block height range: %w", err)
}

if blockHeight < minQueryableHeight {
// Block height is before the minimum queryable height, need to use latest
hadSporkRecovery = true
// Get the current block height (will be cached from above for new deps)
latestHeight, err := di.getLatestBlockHeight(networkName)
if err != nil {
return fmt.Errorf("failed to get latest block height: %w", err)
}
// Fetch at that specific block height
accountContracts, err = di.getContractsAtBlockHeight(networkName, address, latestHeight)
if err != nil {
return fmt.Errorf("error fetching contracts: %w", err)
}
// Update blockHeight so it's used consistently for this dependency
blockHeight = latestHeight
} else {
return fmt.Errorf("error fetching contracts: %w", err)
}
}

accountContracts, err := di.getContractsAtBlockHeight(networkName, address, blockHeight)
if err != nil {
return fmt.Errorf("error fetching contracts: %w", err)
}
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous implementation recovered from out-of-range historical queries by falling back to latest when getContractsAtBlockHeight returned spork/pruning-related errors. The new logic only checks CompatibleRange.StartHeight; if CompatibleRange is nil/zero (or inaccurate), the installer will now return the fetch error instead of recovering. Consider keeping a fallback-to-latest path when the historical fetch fails due to an out-of-range/pruned height, so old flow.json files still install successfully even when compatible-range data isn’t available.

Copilot uses AI. Check for mistakes.
@jribbink jribbink merged commit 984d444 into master Feb 26, 2026
13 checks passed
@jribbink jribbink deleted the jribbink/fix-dep-mgr branch February 26, 2026 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Dependency manager not working with out-of-range heights

4 participants