fix(router): fix gRPC nested fields mapping inside inline fragments

[dkorittki]

Summary by CodeRabbit

• Chores

  • Updated an internal dependency to a newer pre-release for compatibility.
  • Added a security ignore entry for a Windows-only CVE that does not affect Linux deployments; will be revisited once the runtime toolchain is updated.

• Tests

  • Expanded test coverage with new cases validating complex inline-fragment scenarios for project resources, covering nested Milestone and Task structures.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Bumps github.com/wundergraph/graphql-go-tools/v2 from v2.0.0-rc.257 → v2.0.0-rc.258 in two go.mod files, adds duplicated tests named "query project resources with complex types inside inline fragments" to router test suites, and appends CVE-2025-15558 to .trivyignore.yaml.

Changes

Cohort / File(s)	Summary
Go module files router-tests/go.mod, router/go.mod	Updated dependency github.com/wundergraph/graphql-go-tools/v2 from v2.0.0-rc.257 → v2.0.0-rc.258.
Router test additions router-tests/grpc_subgraph_test.go, router-tests/router_plugin_test.go	Added test case "query project resources with complex types inside inline fragments" (appears duplicated) validating inline fragments for Milestone and Task with nested fields and expected JSON assertions.
Security ignore .trivyignore.yaml	Added CVE CVE-2025-15558 to the ignore list with Windows-only impact rationale and notes about Go/toolchain constraints.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore(deps): update graphql-go-tools to v2.0.0-rc.254 #2539: Dependency bump of github.com/wundergraph/graphql-go-tools/v2 in router and router-tests go.mod files.
• feat: support nullable types and composite types #2047: Adds/updates the same inline-fragment test cases in grpc_subgraph_test.go and router_plugin_test.go.
• fix: fix merging inline fragment and field selections together #2073: Changes related to inline-fragment handling and query selection logic relevant to the new tests.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: it fixes gRPC nested fields mapping inside inline fragments, which is directly reflected in the test additions and dependency updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-d9415e63e105c819b4ecc098cf9da6416f32b4ca

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.35%. Comparing base (dc6dc2d) to head (e53c0ee).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2584       +/-   ##
===========================================
+ Coverage   38.19%   61.35%   +23.15%     
===========================================
  Files         778      244      -534     
  Lines      116297    25757    -90540     
  Branches     8176        0     -8176     
===========================================
- Hits        44417    15802    -28615     
+ Misses      71518     8571    -62947     
- Partials      362     1384     +1022     

see 1022 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.trivyignore.yaml:
- Around line 8-9: Update the wording in .trivyignore.yaml where you mention
reevaluation should occur at Go 1.26: change it to trigger reevaluation at Go
1.25.6 (since upstream go-containerregistry/main and docker/cli v29.2.1 require
1.25.6), and clarify that the CVE-2025-15558 is Windows-only and the router runs
on Linux, so the ignore is acceptable until Go 1.25.6 is adopted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b849e60d-70eb-4a68-8cb2-27d10bd17dcb

📥 Commits

Reviewing files that changed from the base of the PR and between 4f3fcb5 and 3e3b7b6.

📒 Files selected for processing (1)

• .trivyignore.yaml

[dkorittki]

fyi the failing test is not because of this change. It is removed here https://github.com/wundergraph/cosmo/pull/2597/changes. Will merge this one as everything else is successful.