Update go modules (main) (minor) #3131
ℹ️ Artifact update notice
File name: acceptance/go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/kubectl/go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
b7bbfdc to 02074a5
ae12a07 to b6bcb99
eb3bd95 to 50d854b
🤖 Finished Review · ✅ Success · Started 5:19 PM UTC · Completed 5:36 PM UTC
🤖 Finished Review · ✅ Success · Started 9:11 PM UTC · Completed 9:18 PM UTC
🤖 Finished Review · ✅ Success · Started 6:56 PM UTC · Completed 7:05 PM UTC
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.8 | |||
[low] version-skew
tools/go.mod keeps go 1.25.8 while the other three go.mod files are updated to go 1.26.0. While these are separate Go modules and unlikely to cause immediate issues, it is a hygiene concern.
🤖 Finished Review · ✅ Success · Started 11:01 PM UTC · Completed 11:10 PM UTC
🤖 Finished Review · ✅ Success · Started 2:41 AM UTC · Completed 2:49 AM UTC
🤖 Finished Review · ✅ Success · Started 12:53 PM UTC · Completed 1:03 PM UTC
🤖 Finished Review · ✅ Success · Started 5:14 PM UTC · Completed 5:25 PM UTC
🤖 Finished Review · ✅ Success · Started 6:17 AM UTC · Completed 6:28 AM UTC
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
[critical] API contract violation
testcontainers-go updated from v0.34 to v0.43.0. WithConfigModifier and WithHostConfigModifier were removed in v0.37.0. benchmark/offliner/offliner.go (lines 87, 90) and benchmark/internal/registry/registry.go (lines 131, 154) use these functions, causing compilation failures.
Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update the benchmark code to use testcontainers.CustomizeRequest instead of the removed modifier functions.
| github.com/tektoncd/cli v0.45.0 | ||
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 |
[critical] API contract violation
testcontainers-go in acceptance module updated from v0.34.0 to v0.43.0. GenericContainer and GenericContainerRequest removed in v0.37.0. Used in acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220.
Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update all acceptance test code to use testcontainers.Run() and the new request builder pattern.
| github.com/google/safearchive v0.0.0-20241025131057-f7ce9d7b6f9c | ||
| github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b | ||
| github.com/in-toto/in-toto-golang v0.10.0 | ||
| github.com/in-toto/in-toto-golang v0.11.0 |
[medium] API contract violation
in-toto-golang updated from v0.10.0 to v0.11.0. For v0.x libraries, minor bumps can contain breaking changes. Codebase directly imports in_toto types across 17+ files including ProvenanceStatementSLSA02, ProvenanceStatementSLSA1, and Statement.
Suggested fix: Review in-toto-golang v0.11.0 changelog. Run go build ./... to confirm compilation succeeds.
🤖 Finished Review · ✅ Success · Started 9:59 AM UTC · Completed 10:09 AM UTC
🤖 Finished Review · ✅ Success · Started 8:58 AM UTC · Completed 9:07 AM UTC
| golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f | ||
| golang.org/x/net v0.53.0 // indirect | ||
| golang.org/x/sync v0.20.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
[medium] stale-reference
The comment on the testcontainers-go dependency says using unreleased version but v0.43.0 is a released version, making the comment misleading.
Suggested fix: Remove or update the comment to reflect that v0.43.0 is a released version that includes the fix from PR #2899.
|
|
||
| // Maybe less important in acceptance, but it seems sensible to use the fork here too | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728 | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae |
[low] api-contract
The go-containerregistry fork replace directive is updated to a new digest. Verify the new digest still carries all patches.
Suggested fix: Verify that the new fork digest still includes all patches from hack/ec-patches.sh.
🤖 Finished Review · ✅ Success · Started 2:15 PM UTC · Completed 2:26 PM UTC
🤖 Finished Review · ✅ Success · Started 11:23 AM UTC · Completed 11:33 AM UTC
🤖 Finished Review · ✅ Success · Started 1:49 PM UTC · Completed 1:59 PM UTC
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 | ||
| github.com/transparency-dev/merkle v0.0.2 |
[medium] API contract violation
The PR updates testcontainers-go from v0.34.0 to v0.43.0 (9-minor-version jump). Acceptance test code uses GenericContainer and Binds field in ContainerRequest, both deprecated in intermediate versions. While Go libraries typically retain deprecated APIs, compatibility should be verified.
Suggested fix: Verify testcontainers-go v0.43.0 still includes GenericContainer and the Binds field. Consider migrating from deprecated APIs in a follow-up.
| @@ -63,22 +63,22 @@ require ( | |||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae | |||
[medium] Version consistency
The replace directive for go-containerregistry points to a fork based on v0.20.7, but the required module version is v0.21.6. If the fork lacks APIs added between v0.20.7 and v0.21.6, compile or runtime errors could occur.
Suggested fix: Verify the updated fork commit is compatible with go-containerregistry v0.21.6 APIs used by the codebase.
| sigs.k8s.io/kind v0.26.0 | ||
| sigs.k8s.io/kustomize/api v0.20.1 | ||
| sigs.k8s.io/kustomize/kyaml v0.20.1 | ||
| sigs.k8s.io/kind v0.32.0 |
[low] Version consistency
sigs.k8s.io/kind updated from v0.26.0 to v0.32.0 -- a large jump. The acceptance tests use versioned v1alpha4 API which is typically stable, but the jump warrants verification.
🤖 Finished Review · ✅ Success · Started 5:50 AM UTC · Completed 6:01 AM UTC
🤖 Finished Review · ✅ Success · Started 6:20 AM UTC · Completed 6:30 AM UTC
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 | ||
| github.com/transparency-dev/merkle v0.0.2 |
[critical] API contract violation
The PR updates testcontainers-go from v0.34.0 to v0.43.0 in the acceptance module, a 9-minor-version jump. The acceptance module uses testcontainers.GenericContainer in three files: acceptance/git/git.go:183, acceptance/registry/registry.go:112, and acceptance/wiremock/wiremock.go:220. If GenericContainer was removed between v0.35.0 and v0.43.0, these call sites will fail to compile.
Suggested fix: Either (a) pin testcontainers-go to the last version supporting GenericContainer, or (b) migrate all three call sites to use the replacement API (e.g., testcontainers.Run) before merging.
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 | ||
| github.com/testcontainers/testcontainers-go/modules/registry v0.43.0 |
[high] version skew
The main module depends on testcontainers-go/modules/registry at v0.34.0 (line 48), but the PR updates the parent testcontainers-go to v0.43.0. The modules/registry sub-module is versioned in lockstep with the parent module. A v0.34.0 sub-module paired with a v0.43.0 parent will likely cause type incompatibilities at compile time.
Suggested fix: Update github.com/testcontainers/testcontainers-go/modules/registry to v0.43.0 (or the corresponding version that matches the parent module) in go.mod.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
[medium] API contract violation
The main module uses a pinned pseudo-version of testcontainers-go with a comment referencing an unreleased fix (PR #2899). The PR updates this to v0.43.0. The stale comment needs cleanup and the fix inclusion should be verified.
Suggested fix: Verify that the fix from PR #2899 is included in v0.43.0, and remove the stale comment about the unreleased version.
🤖 Finished Review · ✅ Success · Started 1:13 PM UTC · Completed 1:20 PM UTC
🤖 Finished Review · ❌ Failure · Started 9:14 PM UTC · Completed 9:26 PM UTC
🤖 Finished Review · ✅ Success · Started 5:24 PM UTC · Completed 5:34 PM UTC
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| oras.land/oras-go/v2 v2.6.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
[low] stale comment
The PR bumps testcontainers-go from a pre-release pseudo-version (v0.34.1-0.20241204123437-72be13940122) to v0.43.0, a proper release. The inline comment '// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899' becomes factually incorrect and should be removed.
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.8 | |||
[low] version inconsistency
The Go toolchain version is bumped from 1.25.8 to 1.26.0 in acceptance/go.mod, go.mod, and tools/kubectl/go.mod, but NOT in tools/go.mod which stays at 1.25.8. This may be intentional (separate module with independent constraints), but could lead to inconsistencies.
Suggested fix: Either bump tools/go.mod to go 1.26.0 for consistency, or confirm this divergence is intentional.
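A check for the two kinds of skew raised in the review comments above (go directive drift between go.mod files, and testcontainers-go/modules/registry out of step with its parent module), as an added example that is not part of this PR or the project's code. The go.mod fragments are constructed from the versions quoted in the comments, and `parse` and `findSkew` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod fragments; the versions are the ones quoted in the review comments.
var sample = [][2]string{
	{"go.mod", "go 1.26.0\nrequire (\n\tgithub.com/testcontainers/testcontainers-go v0.43.0\n" +
		"\tgithub.com/testcontainers/testcontainers-go/modules/registry v0.34.0\n)\n"},
	{"tools/go.mod", "go 1.25.8\n"},
}

// parse maps each two-field line ("go 1.26.0", "<path> <version>") to its value; minimal, example only.
func parse(src string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		line = strings.TrimPrefix(strings.Split(line, "//")[0], "require ")
		if f := strings.Fields(line); len(f) == 2 {
			kv[f[0]] = f[1]
		}
	}
	return kv
}

// findSkew flags go-directive drift across files and <parent>/modules/<x> != <parent>.
func findSkew(files [][2]string) []string {
	out, goVers := []string{}, map[string][]string{}
	for _, f := range files {
		req := parse(f[1])
		goVers[req["go"]] = append(goVers[req["go"]], f[0])
		for path, v := range req {
			parent, _, isSub := strings.Cut(path, "/modules/")
			if pv, ok := req[parent]; isSub && ok && pv != v {
				out = append(out, fmt.Sprintf("%s: %s %s != parent %s", f[0], path, v, pv))
			}
		}
	}
	if len(goVers) > 1 {
		out = append(out, fmt.Sprintf("go directive skew: %v", goVers))
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(findSkew(sample), "\n"))
}
```

The line reader does not tell exclude blocks apart from require blocks; a CI gate built on this idea should parse with golang.org/x/mod/modfile instead.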
🤖 Finished Review · ✅ Success · Started 8:34 PM UTC · Completed 8:43 PM UTC
| golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42 | ||
| golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f | ||
| golang.org/x/net v0.55.0 // indirect | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
[low] stale comment
The comment on the testcontainers-go dependency line reads "// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899" but the version is being changed from a pseudo-version (v0.34.1-0.20241204123437-72be13940122) to a proper release (v0.43.0). The comment is now factually incorrect -- v0.43.0 is not an unreleased version.
Suggested fix: Remove or update the comment. If the fix from PR #2899 is confirmed to be in v0.43.0, the comment should be removed entirely.
This PR contains the following updates:
v0.10.0→v0.11.0, v0.13.7→v0.14.0, v0.29.2→v0.32.4, v2.11.4→v2.12.2, e7eb2ec→dd8c9b1, v1.15.2→v1.18.0, 20ebb0f→4e6772a, v0.10.0→v0.11.0, v3.0.4→v3.1.1, v1.1.4→v1.2.1, v0.26.2→v0.27.1, v0.44.1→v0.45.0, v0.34.0→v0.43.0, v0.34.0→v0.43.0, v1.11.0→v1.16.0, a2b48b6→3558132, 746e56f→c48552f, v1.12.1→v1.13.0, 5883c5e→8f3fa49, v1.34.2→v1.36.2, v0.26.0→v0.32.0, v0.20.1→v0.21.1, v0.20.1→v0.21.1
Release Notes
CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)
v0.11.0
Changelog
Building and Packaging
32221d4: build(deps): bump actions/setup-go from 6.2.0 to 6.4.0 (#261) (@dependabot[bot])
a42a4dd: build(deps): bump gitpod/workspace-go from 08a7c68 to 00059ff (#255) (@dependabot[bot])
9810ab9: build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.1 (#263) (@dependabot[bot])
Others
2cef056: Add comprehensive support for CycloneDX 1.7 specification (#257) (@alistair-mclean)
3ed34da: Added 5 missing fields to match CycloneDX 1.6 spec: (#256) (@alistair-mclean)
daixiang0/gci (github.com/daixiang0/gci)
v0.14.0
AST Support is Coming!
See details in #241
Other Changes
New Contributors
Full Changelog: daixiang0/gci@v0.13.7...v0.14.0
go-openapi/runtime (github.com/go-openapi/runtime)
v0.32.4
0.32.4 - 2026-06-19
Full Changelog: go-openapi/runtime@v0.32.3...v0.32.4
10 commits in this release.
Fixed bugs
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.4)
Miscellaneous tasks
Updates
docs/examples (0.32.4)
Updates
v0.32.3
0.32.3 - 2026-06-02
Full Changelog: go-openapi/runtime@v0.32.2...v0.32.3
6 commits in this release.
Implemented enhancements
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.3)
Miscellaneous tasks
Updates
docs/examples (0.32.3)
Miscellaneous tasks
Updates
v0.32.2
0.32.2 - 2026-05-27
Full Changelog: go-openapi/runtime@v0.32.1...v0.32.2
2 commits in this release.
Fixed bugs
Miscellaneous tasks
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.2)
Miscellaneous tasks
v0.32.1
0.32.1 - 2026-05-25
Full Changelog: go-openapi/runtime@v0.32.0...v0.32.1
3 commits in this release.
Documentation
Code quality
Miscellaneous tasks
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.1)
Miscellaneous tasks
v0.32.0
0.32.0 - 2026-05-25
Full Changelog: go-openapi/runtime@v0.31.0...v0.32.0
8 commits in this release.
Fixed bugs
Documentation
Code quality
Miscellaneous tasks
Updates
Other (technical)
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.0)
Miscellaneous tasks
Updates
docs/examples (0.32.0)
Miscellaneous tasks
Updates
server-middleware (0.32.0)
Updates
v0.31.0
0.31.0 - 2026-05-17
Full Changelog: go-openapi/runtime@v0.30.0...v0.31.0
33 commits in this release.
Implemented enhancements
Fixed bugs
Ed25519 key support by @fredbi in #452 ...
Documentation
Code quality
Testing
Miscellaneous tasks
Security
Updates
Other (technical)
People who contributed to this release
New Contributors
in #451
runtime license terms
Per-module changes
client-middleware/opentracing (0.31.0)
Code quality
Miscellaneous tasks
docs/examples (0.31.0)
Documentation
Code quality
Miscellaneous tasks
Security
server-middleware (0.31.0)
Documentation
Code quality
Security
Other (technical)
v0.30.0
0.30.0 - 2026-05-13
Long awaited fixes and additions
Fixed most long standing issues.
Added standalone middleware module (swagger UI, serve spec).
Improved content negotiation.
Context-aware request submission
Full Changelog: go-openapi/runtime@v0.29.5...v0.30.0
33 commits in this release.
Implemented enhancements
Fixed bugs
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.