Fix dependency manager handling of block heights outside of query range

[jribbink]

Closes #2280

---

For contributor use:

• Targeted PR against master branch
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work
• Code follows the standards mentioned here
• Updated relevant documentation
• Re-reviewed Files changed in the Github PR explorer
• Added appropriate labels

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/onflow/flowkit/v2	2.11.0	Unknown	Unknown
gomod/go.opentelemetry.io/otel	1.39.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing 🟢 10 project is fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.39.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing 🟢 10 project is fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk	1.39.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing 🟢 10 project is fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.39.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing 🟢 10 project is fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/google.golang.org/grpc	1.79.1	🟢 7.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits

Scanned Files

• go.mod

[codecov-commenter]

Codecov Report

❌ Patch coverage is 72.09302% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/dependencymanager/dependencyinstaller.go	72.09%	6 Missing and 6 partials ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR addresses dependency installation failures when flow.json contains pinned block heights that are no longer queryable (e.g., outside the node’s compatible historical query range), by proactively checking the node’s reported compatible range before attempting historical account queries.

Changes:

• Add a per-network “minimum queryable height” cache and use GetNodeVersionInfo().CompatibleRange to decide when to fall back to latest block height.
• Update dependency-installer tests to mock GetNodeVersionInfo and add/rename cases around “before compatible range” pinned heights.
• Bump Go module dependencies (notably flowkit, grpc, and otel), updating go.mod and go.sum accordingly.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
internal/dependencymanager/dependencyinstaller.go	Adds compatible-range querying + caching and changes the frozen/pinned height selection logic to avoid out-of-range queries.
internal/dependencymanager/dependencyinstaller_test.go	Updates mocks to include GetNodeVersionInfo and adjusts block-height pinning tests for the new compatible-range behavior.
go.mod	Updates module versions (including github.com/onflow/flowkit/v2).
go.sum	Updates dependency checksums corresponding to go.mod bumps.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

getMinQueryableBlockHeight treats GetNodeVersionInfo failures (or a nil response) as fatal and aborts dependency installation. Since this check is only needed to avoid out-of-range historical queries, it should be best-effort: if node version info can’t be fetched, proceed without the compatible-range optimization (e.g., return minHeight=0) rather than failing installs that would otherwise succeed at the pinned height.

Suggested change

	if err != nil {
	return 0, fmt.Errorf("failed to get node version info for %s: %w", network, err)
	}
	if nodeVersionInfo == nil {
	return 0, fmt.Errorf("node version info is nil for %s", network)
	}
	// Get the minimum queryable block height from the compatible range
	var minHeight uint64
	if nodeVersionInfo.CompatibleRange != nil {
	// Default to 0 if we can't get node version info or compatible range.
	// This makes the check best-effort: dependency installation can proceed
	// even if version info is unavailable.
	var minHeight uint64
	if err == nil && nodeVersionInfo != nil && nodeVersionInfo.CompatibleRange != nil {

[Copilot]

The previous implementation recovered from out-of-range historical queries by falling back to latest when getContractsAtBlockHeight returned spork/pruning-related errors. The new logic only checks CompatibleRange.StartHeight; if CompatibleRange is nil/zero (or inaccurate), the installer will now return the fetch error instead of recovering. Consider keeping a fallback-to-latest path when the historical fetch fails due to an out-of-range/pruned height, so old flow.json files still install successfully even when compatible-range data isn’t available.