fix(deps): update non-k8s-go-dependencies #209

Open

red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/non-k8s-go-dependencies

@red-hat-konflux red-hat-konflux bot commented Mar 17, 2026

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Age | Confidence | Type | Update |
|---|---|---|---|---|---|
| github.com/emicklei/go-restful/v3 | v3.12.2 -> v3.13.0 | age | confidence | indirect | minor |
| github.com/fatih/color | v1.18.0 -> v1.19.0 | age | confidence | indirect | minor |
| github.com/fxamacker/cbor/v2 | v2.9.0 -> v2.9.1 | age | confidence | indirect | patch |
| github.com/go-openapi/jsonpointer | v0.21.1 -> v0.22.5 | age | confidence | indirect | minor |
| github.com/go-openapi/jsonreference | v0.21.0 -> v0.21.5 | age | confidence | indirect | patch |
| github.com/go-openapi/swag | v0.23.1 -> v0.25.5 | age | confidence | indirect | minor |
| github.com/google/gnostic-models | v0.7.0 -> v0.7.1 | age | confidence | indirect | patch |
| github.com/hashicorp/go-hclog | v0.14.1 -> v0.16.2 | age | confidence | indirect | minor |
| github.com/hashicorp/go-plugin | v1.6.0 -> v1.7.0 | age | confidence | indirect | minor |
| github.com/hashicorp/yamux | v0.1.1 -> v0.1.2 | age | confidence | indirect | patch |
| github.com/mailru/easyjson | v0.9.0 -> v0.9.2 | age | confidence | indirect | patch |
| github.com/mitchellh/go-testing-interface | v1.0.0 -> v1.14.1 | age | confidence | indirect | minor |
| github.com/oklog/run | v1.0.0 -> v1.2.0 | age | confidence | indirect | minor |
| github.com/openshift/api | 4c643a6 -> 2757d67 | | | indirect | digest |
| github.com/openshift/hive/apis | 3f49f26 -> aec89c6 | age | confidence | require | digest |
| github.com/openshift/hypershift/api | 8eaac17 -> 5ed3475 | age | confidence | require | digest |
| github.com/prometheus/procfs | v0.16.1 -> v0.20.1 | age | confidence | indirect | minor |
| github.com/vmware-tanzu/velero | v1.14.0 -> v1.18.0 | age | confidence | require | minor |
| go (source) | 1.25.8 -> 1.26.1 | age | confidence | toolchain | minor |
| go.yaml.in/yaml/v2 | v2.4.3 -> v2.4.4 | age | confidence | indirect | patch |
| golang.org/x/oauth2 | v0.35.0 -> v0.36.0 | age | confidence | indirect | minor |
| golang.org/x/time | v0.14.0 -> v0.15.0 | age | confidence | indirect | minor |
| google.golang.org/genproto/googleapis/rpc | f26f940 -> 9d38bb4 | age | confidence | indirect | digest |
| google.golang.org/grpc | v1.77.0 -> v1.80.0 | age | confidence | indirect | minor |

Release Notes

emicklei/go-restful (github.com/emicklei/go-restful/v3)

v3.13.0

  • optimize performance of path matching in CurlyRouter (thanks @wenhuang, Wen Huang)

fatih/color (github.com/fatih/color)

v1.19.0

Full Changelog: fatih/color@v1.18.0...v1.19.0

fxamacker/cbor (github.com/fxamacker/cbor/v2)

v2.9.1

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

  • [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #757)
  • [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #757)
  • [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

  • [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #753)
  • [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #753)
  • [Encoding] Reject encoding nil inside indefinite-length strings (PR #750)
  • [Diagnostic] Accept valid U+FFFD replacement character (PR #753)

Full Changelog: fxamacker/cbor@v2.9.0...v2.9.1

go-openapi/jsonpointer (github.com/go-openapi/jsonpointer)

v0.22.5

0.22.5 - 2026-03-02

Full Changelog: go-openapi/jsonpointer@v0.22.4...v0.22.5

15 commits in this release.


Documentation
Code quality
Miscellaneous tasks
Updates

v0.22.4

0.22.4 - 2025-12-06

Full Changelog: go-openapi/jsonpointer@v0.22.3...v0.22.4

1 commits in this release.


Miscellaneous tasks

v0.22.3

0.22.3 - 2025-11-17

Full Changelog: go-openapi/jsonpointer@v0.22.2...v0.22.3

8 commits in this release.


Documentation
Code quality
Miscellaneous tasks

v0.22.2

0.22.2 - 2025-11-14

Full Changelog: go-openapi/jsonpointer@v0.22.1...v0.22.2

12 commits in this release.


Documentation
Code quality
Testing
Miscellaneous tasks
Security
Updates

v0.22.1

v0.22.0

v0.21.2

go-openapi/jsonreference (github.com/go-openapi/jsonreference)

v0.21.5

0.21.5 - 2026-03-02

Full Changelog: go-openapi/jsonreference@v0.21.4...v0.21.5

14 commits in this release.


Documentation
Code quality
Testing
Miscellaneous tasks
Updates

v0.21.4

0.21.4 - 2025-12-08

Full Changelog: go-openapi/jsonreference@v0.21.3...v0.21.4

1 commits in this release.


Documentation

v0.21.3

v0.21.2

v0.21.1

go-openapi/swag (github.com/go-openapi/swag)

v0.25.5

0.25.5 - 2026-03-02

Full Changelog: go-openapi/swag@v0.25.4...v0.25.5

16 commits in this release.


Documentation
Code quality
Testing
Miscellaneous tasks
Updates

Per-module changes


cmdutils (0.25.5)

Testing

conv (0.25.5)

Testing
Miscellaneous tasks
Updates

fileutils (0.25.5)

Testing
Updates

jsonname (0.25.5)

Testing
Updates

jsonutils/adapters/easyjson (0.25.5)

Testing
Miscellaneous tasks
Updates

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux bot added area/ci-tooling ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Mar 17, 2026

coderabbitai bot commented Mar 17, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Updated go.mod: toolchain bumped to go1.26.1 and multiple direct and indirect module versions updated (Velero, gRPC, OpenShift/Hive pins, Logrus, golang.org/x/*, and various libraries). No exported/public API declarations were changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Module & toolchain (go.mod) | Updated toolchain from go1.25.8 → go1.26.1. Bumped direct dependencies: github.com/kubernetes-csi/external-snapshotter/client/v8 (v8.2.0→v8.4.0), github.com/vmware-tanzu/velero (v1.14.0→v1.18.0), github.com/onsi/gomega (v1.39.0→v1.39.1), github.com/sirupsen/logrus (v1.9.3→v1.9.4), OpenShift Hive/Hypershift module refs updated to specific commits. Also upgraded many indirect deps: google.golang.org/grpc, golang.org/x/*, github.com/prometheus/procfs, go-openapi/*, HashiCorp libs, gopkg.in/evanphx/json-patch.v4, mailru/easyjson, and others. Replace directive unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from bryan-cox and enxebre March 17, 2026 17:41

openshift-ci bot commented Mar 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot commented Mar 17, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 6-11: Update code and operators to accommodate the dependency
upgrades in go.mod: remove any separate CSI plugin installation/config code and
rely on the merged CSI behavior from github.com/vmware-tanzu/velero v1.18.0;
remove or guard any logic that installs or relies on restic fs-backup, and
ensure existing restic restore paths are still supported until v1.19; review and
adjust any namespace filtering logic that reads
includedNamespaces/excludedNamespaces and labelSelector to match Velero's new
semantics (search for references to includedNamespaces/excludedNamespaces and
labelSelector in backup/restore code); change repository maintenance
configuration from server flag parsing to reading the Velero maintenance
ConfigMap name/keys where maintenance jobs are configured; audit restore
handling for PersistentVolumes that may be Finalizing and update error/status
handling to accept PartiallyFailed states; and for snapshot code that imports
github.com/kubernetes-csi/external-snapshotter/client/v8, plan/migrate APIs from
VolumeGroupSnapshot v1beta1 to the new v1beta2 and avoid writing to fields that
are now immutable (search for VolumeGroupSnapshot types/usages to update).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f7489f76-4362-4643-8792-b9d417c9d918

📥 Commits

Reviewing files that changed from the base of the PR and between faa7cf8 and 6c55abc.

📒 Files selected for processing (1)
  • go.mod

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch from 6c55abc to eaece54 Compare March 17, 2026 21:39
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 80: Update and verify gRPC compatibility: ensure the project Go version
is bumped to at least 1.24 in go.mod and CI configs, then scan the codebase for
any custom types or implementations named Reader and MetricsRecorder (search for
type Reader, struct/interface declarations and any types implementing
MetricsRecorder); if Reader is implemented as an interface, migrate it to the
new struct-based usage or adapt call sites, and for any MetricsRecorder
implementations embed or compose UnimplementedMetricsRecorder into your
MetricsRecorder types so they satisfy the new API; also ensure you are not
targeting retracted v1.74.x versions and adjust the go.mod entry for
google.golang.org/grpc to a supported 1.76+ or 1.79.2 after these changes.
- Around line 50-52: The go-openapi updates (notably github.com/go-openapi/swag
v0.25.5 and github.com/go-openapi/jsonpointer v0.22.5) require action: confirm
the project Go toolchain is updated to Go 1.24 or pin swag to a
pre-1.24-compatible version; if you keep swag v0.25.5 register the easyjson
adapter at runtime or switch to the stdlib adapter if your code relied on
mailru/easyjson; add any now-removed transitive dependencies (e.g.,
mailru/easyjson, github.com/josharian/intern) explicitly to go.mod if your code
used them; and update imports that referenced deprecated root APIs from
github.com/go-openapi/swag to the new submodules (conv, jsonutils, yamlutils or
swag/jsonname) across the codebase (search for imports of
github.com/go-openapi/swag and github.com/go-openapi/jsonpointer/jsonname) and
adjust call sites to the modernized APIs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b5becac-514f-4b37-8e7f-f4020df94966

📥 Commits

Reviewing files that changed from the base of the PR and between 6c55abc and eaece54.

📒 Files selected for processing (1)
  • go.mod

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch from eaece54 to dc8b12f Compare March 18, 2026 01:29
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 11: The go.mod currently declares github.com/vmware-tanzu/velero v1.14.0
but the replace directive redirects to an OpenShift fork at v0.10.2..., causing
an unsupported upgrade mismatch; update the replace directive or the declared
Velero version so both refer to compatible majors: either point the replace to
an openshift/velero fork that is v1.14.0-compatible (or upstream v1.14.0) or
downgrade the module declaration from v1.14.0 to the v0.10.x series and follow
Velero’s documented incremental upgrade path; edit the go.mod replace line and
the module version declaration consistently so the visited versions (declared
version and replaced target) share a supported upgrade path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d801b51d-5a51-4c40-8ce0-c3f182bc8c06

📥 Commits

Reviewing files that changed from the base of the PR and between eaece54 and dc8b12f.

📒 Files selected for processing (1)
  • go.mod

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch from dc8b12f to 4639995 Compare March 18, 2026 05:35
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
go.mod (1)

11-11: ⚠️ Potential issue | 🟠 Major

Potential Velero compatibility skew between require and replace.

Line 11 requires github.com/vmware-tanzu/velero v1.18.0, but Line 93 replaces it with an OpenShift fork pseudo-version based on v0.10.2. That major skew can introduce API/runtime incompatibilities and makes upgrade intent ambiguous.

```bash
#!/bin/bash
set -euo pipefail

echo "=== Velero require/replace in go.mod ==="
rg -n 'github.com/vmware-tanzu/velero|replace github.com/vmware-tanzu/velero' go.mod

echo
echo "=== Compare replaced OpenShift fork commit against upstream Velero v1.18.0 ==="
FORK_SHA="8fbcf3a8da11"
gh api repos/openshift/velero/compare/v1.18.0...${FORK_SHA} --jq '{status, ahead_by, behind_by, total_commits}'
```

Expected: if this replace is intended for v1.18 compatibility, comparison should show a clearly documented alignment strategy; otherwise pin to a fork/version line that matches the required major.
As per coding guidelines, "**: -Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 93-93

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 11, The go.mod shows a mismatch: require
github.com/vmware-tanzu/velero v1.18.0 but a replace maps
github.com/vmware-tanzu/velero to an OpenShift fork pseudo-version based on
v0.10.2, which can cause API/runtime incompatibilities; update go.mod so the
replace target aligns with the required major version or change the require to
the forked version and clearly document the reason. Locate the require line for
github.com/vmware-tanzu/velero and the replace directive in go.mod, then either
(a) adjust the replace target to an OpenShift commit/tag that is explicitly
compatible with v1.18.0 and add a short comment documenting the
compatibility/commit, or (b) change the require to the forked version (or remove
the replace) so major versions match, and add a comment explaining the
intentional fork and upgrade strategy.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 8: Replace raw commit-hash references in the go.mod require blocks with
canonical pseudo-versions (or tagged releases); specifically update entries like
"github.com/openshift/hive/apis 366515c6aedd" (and the other hash-only entries
mentioned) to their pseudo-version form (e.g.,
v0.0.0-YYYYMMDDHHMMSS-366515c6aedd) by running go get -u
github.com/openshift/hive/apis@366515c6aedd (and similarly for the other
modules) or switching to an available semver tag, then tidy modules with go mod
tidy to persist the changes.

---

Duplicate comments:
In `@go.mod`:
- Line 11: The go.mod shows a mismatch: require github.com/vmware-tanzu/velero
v1.18.0 but a replace maps github.com/vmware-tanzu/velero to an OpenShift fork
pseudo-version based on v0.10.2, which can cause API/runtime incompatibilities;
update go.mod so the replace target aligns with the required major version or
change the require to the forked version and clearly document the reason. Locate
the require line for github.com/vmware-tanzu/velero and the replace directive in
go.mod, then either (a) adjust the replace target to an OpenShift commit/tag
that is explicitly compatible with v1.18.0 and add a short comment documenting
the compatibility/commit, or (b) change the require to the forked version (or
remove the replace) so major versions match, and add a comment explaining the
intentional fork and upgrade strategy.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a1111fb-8499-4a8c-a856-8f9c0eaa629b

📥 Commits

Reviewing files that changed from the base of the PR and between dc8b12f and 4639995.

📒 Files selected for processing (1)
  • go.mod
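
The two go.mod findings raised in the review comments above (a require whose replace target sits on a different major version, and a require pinned to a bare commit hash) can be checked mechanically before merging a dependency bump. This Go program is an added example, not code from this PR or from any of the bots; `Audit`, `major`, the sample module path and the pseudo-version timestamp are constructed for illustration, and comparing only the major number is a simplifying assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: module path and pseudo-version timestamp are made up;
// the versions and hashes are the ones quoted in the review comments.
const sampleGoMod = `module example.com/operator
require (
	github.com/openshift/hive/apis 366515c6aedd
	github.com/vmware-tanzu/velero v1.18.0
	google.golang.org/grpc v1.80.0 // indirect
)
replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260101000000-8fbcf3a8da11
`

var bareHash = regexp.MustCompile(`^[0-9a-f]{7,40}$`)

// major extracts the major number from v1.18.0 or from a pseudo-version.
func major(v string) (int, error) {
	return strconv.Atoi(strings.SplitN(strings.TrimPrefix(v, "v"), ".", 2)[0])
}

// Audit returns one message per hash-only require and per replace whose
// target major version differs from the version the module requires.
func Audit(gomod string) []string {
	required, block := map[string]string{}, ""
	var out []string
	var replaces [][3]string // old path, new path, new version
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		kind := block
		switch {
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0] // start of a "require (" or "replace (" block
		case block == "":
			kind, f = f[0], f[1:] // single-line directive
		}
		if kind == "require" && len(f) >= 2 {
			required[f[0]] = f[1]
			if bareHash.MatchString(f[1]) {
				out = append(out, f[0]+": require pins raw commit hash "+f[1])
			}
		}
		// Module-to-module replace only; local path targets have no version.
		if n := len(f); kind == "replace" && n >= 4 && f[n-3] == "=>" {
			replaces = append(replaces, [3]string{f[0], f[n-2], f[n-1]})
		}
	}
	for _, r := range replaces {
		want, e1 := major(required[r[0]])
		got, e2 := major(r[2])
		if e1 == nil && e2 == nil && want != got {
			out = append(out, fmt.Sprintf("%s: require %s but replace => %s %s", r[0], required[r[0]], r[1], r[2]))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(Audit(sampleGoMod), "\n")) }
```

A replace directive overrides the required version at build time, so the version in the require line is not what ends up in the binary; a check like this belongs in CI next to `go mod verify`.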

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch 16 times, most recently from 2f7f833 to d4c14bc Compare March 24, 2026 09:30
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 27, 2026
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch 26 times, most recently from 3f05fc2 to 73df7fd Compare April 1, 2026 21:36
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/main/non-k8s-go-dependencies branch from 73df7fd to 88da7e7 Compare April 2, 2026 01:29

openshift-ci bot commented Apr 2, 2026

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/security | 88da7e7 | link | true | /test security |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
