Update go modules (main) (minor)#3131
Conversation
ℹ️ Artifact update noticeFile name: acceptance/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/kubectl/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
Bot
force-pushed
the
renovate/main-go-modules
branch
10 times, most recently
from
b7bbfdc to
02074a5
Compare
renovate
Bot
force-pushed
the
renovate/main-go-modules
branch
13 times, most recently
from
ae12a07 to
b6bcb99
Compare
renovate
Bot
force-pushed
the
renovate/main-go-modules
branch
2 times, most recently
from
eb3bd95 to
50d854b
Compare
|
🤖 Finished Review · ✅ Success · Started 10:00 PM UTC · Completed 10:10 PM UTC |
![fullsend-ai-review[bot]](https://avatars.githubusercontent.com/in/3478501?s=60&v=4){kind=small}
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[high] API contract violation
The testcontainers-go update from v0.34.x to v0.42.0 is a major version jump. Source code confirms WithConfigModifier is used in benchmark/offliner/offliner.go (line 87) and benchmark/internal/registry/registry.go (line 154), and WithHostConfigModifier is used in benchmark/offliner/offliner.go (line 90) and benchmark/internal/registry/registry.go (line 131). GenericContainer is used in acceptance/registry/registry.go (line 112), acceptance/wiremock/wiremock.go (line 220), and acceptance/git/git.go (line 183). If these APIs were removed or changed in the v0.35-v0.42 range, compilation will fail.
Suggested fix: Verify that WithConfigModifier, WithHostConfigModifier, and GenericContainer still exist in testcontainers-go v0.42.0. Update or remove the stale 'unreleased version' comment. If these APIs were removed, update the Go source files to use the v0.42.0 replacements.
| require ( | ||
| cuelang.org/go v0.16.0 | ||
| github.com/CycloneDX/cyclonedx-go v0.10.0 | ||
| cuelang.org/go v0.16.1 |
There was a problem hiding this comment.
[low] API contract violation
CycloneDX/cyclonedx-go update from v0.10.0 to v0.11.0. Source code in benchmark/offliner/base_images.go uses cyclonedx.BOM, cyclonedx.NewBOMDecoder, cyclonedx.BOMFileFormatJSON, cyclonedx.ComponentTypeContainer, bom.Formulation, and property Name/Value access. Verify compatibility with v0.11.0.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale reference
The comment on the testcontainers-go line reads 'using unreleased version that contains the fix' but v0.42.0 is a proper release. The comment should be removed.
| sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect | ||
| ) | ||
|
|
||
| // Force moby/go-archive to v0.1.0 for compatibility with docker/docker v28.5.2 |
There was a problem hiding this comment.
[low] stale reference
The replace directive forces moby/go-archive v0.2.0 to v0.1.0 with a comment about compatibility with docker/docker v28.5.2. If docker/docker is removed, this replace directive may be stale.
|
🤖 Finished Review · ✅ Success · Started 10:00 PM UTC · Completed 10:08 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:18 PM UTC · Completed 9:26 PM UTC |
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale comment
The comment on testcontainers-go says 'using unreleased version that contains the fix' but the PR updates the version to v0.42.0, which is a proper release. The comment would be misleading after this update.
Suggested fix: Remove the comment or update it to note which release fixed the issue (e.g., '// fix for #2899 landed in v0.35+').
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.8 | |||
There was a problem hiding this comment.
[low] go version inconsistency
The PR updates the go directive from 1.25.8 to 1.26.0 in acceptance, main, and tools/kubectl modules, but tools/go.mod stays at go 1.25.8. This creates a minor inconsistency across modules.
Suggested fix: Verify that tools/go.mod can remain at go 1.25.8 with its updated dependencies. If k8s.io/kubernetes v1.36.1 requires go 1.26.0, update tools/go.mod accordingly.
|
🤖 Finished Review · ✅ Success · Started 5:19 PM UTC · Completed 5:36 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:11 PM UTC · Completed 9:18 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 6:56 PM UTC · Completed 7:05 PM UTC |
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.8 | |||
There was a problem hiding this comment.
[low] version-skew
tools/go.mod keeps go 1.25.8 while the other three go.mod files are updated to go 1.26.0. While these are separate Go modules and unlikely to cause immediate issues, it is a hygiene concern.
|
🤖 Finished Review · ✅ Success · Started 11:01 PM UTC · Completed 11:10 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 2:41 AM UTC · Completed 2:49 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 12:53 PM UTC · Completed 1:03 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:14 PM UTC · Completed 5:25 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 6:17 AM UTC · Completed 6:28 AM UTC |
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[critical] API contract violation
testcontainers-go updated from v0.34 to v0.43.0. WithConfigModifier and WithHostConfigModifier were removed in v0.37.0. benchmark/offliner/offliner.go (lines 87, 90) and benchmark/internal/registry/registry.go (lines 131, 154) use these functions, causing compilation failures.
Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update the benchmark code to use testcontainers.CustomizeRequest instead of the removed modifier functions.
| github.com/tektoncd/cli v0.45.0 | ||
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 |
There was a problem hiding this comment.
[critical] API contract violation
testcontainers-go in acceptance module updated from v0.34.0 to v0.43.0. GenericContainer and GenericContainerRequest removed in v0.37.0. Used in acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220.
Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update all acceptance test code to use testcontainers.Run() and the new request builder pattern.
| github.com/google/safearchive v0.0.0-20241025131057-f7ce9d7b6f9c | ||
| github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b | ||
| github.com/in-toto/in-toto-golang v0.10.0 | ||
| github.com/in-toto/in-toto-golang v0.11.0 |
There was a problem hiding this comment.
[medium] API contract violation
in-toto-golang updated from v0.10.0 to v0.11.0. For v0.x libraries, minor bumps can contain breaking changes. Codebase directly imports in_toto types across 17+ files including ProvenanceStatementSLSA02, ProvenanceStatementSLSA1, and Statement.
Suggested fix: Review in-toto-golang v0.11.0 changelog. Run go build ./... to confirm compilation succeeds.
|
🤖 Finished Review · ✅ Success · Started 9:59 AM UTC · Completed 10:09 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 8:58 AM UTC · Completed 9:07 AM UTC |
| golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f | ||
| golang.org/x/net v0.53.0 // indirect | ||
| golang.org/x/sync v0.20.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[medium] stale-reference
The comment on the testcontainers-go dependency says using unreleased version but v0.43.0 is a released version, making the comment misleading.
Suggested fix: Remove or update the comment to reflect that v0.43.0 is a released version that includes the fix from PR #2899.
|
|
||
| // Maybe less important in acceptance, but it seems sensible to use the fork here too | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728 | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae |
There was a problem hiding this comment.
[low] api-contract
The go-containerregistry fork replace directive is updated to a new digest. Verify the new digest still carries all patches.
Suggested fix: Verify that the new fork digest still includes all patches from hack/ec-patches.sh.
|
🤖 Finished Review · ✅ Success · Started 2:15 PM UTC · Completed 2:26 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 11:23 AM UTC · Completed 11:33 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 1:49 PM UTC · Completed 1:59 PM UTC |
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 | ||
| github.com/transparency-dev/merkle v0.0.2 |
There was a problem hiding this comment.
[medium] API contract violation
The PR updates testcontainers-go from v0.34.0 to v0.43.0 (9-minor-version jump). Acceptance test code uses GenericContainer and Binds field in ContainerRequest, both deprecated in intermediate versions. While Go libraries typically retain deprecated APIs, compatibility should be verified.
Suggested fix: Verify testcontainers-go v0.43.0 still includes GenericContainer and the Binds field. Consider migrating from deprecated APIs in a follow-up.
| @@ -63,22 +63,22 @@ require ( | |||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae | |||
There was a problem hiding this comment.
[medium] Version consistency
The replace directive for go-containerregistry points to a fork based on v0.20.7, but the required module version is v0.21.6. If the fork lacks APIs added between v0.20.7 and v0.21.6, compile or runtime errors could occur.
Suggested fix: Verify the updated fork commit is compatible with go-containerregistry v0.21.6 APIs used by the codebase.
| sigs.k8s.io/kind v0.26.0 | ||
| sigs.k8s.io/kustomize/api v0.20.1 | ||
| sigs.k8s.io/kustomize/kyaml v0.20.1 | ||
| sigs.k8s.io/kind v0.32.0 |
There was a problem hiding this comment.
[low] Version consistency
sigs.k8s.io/kind updated from v0.26.0 to v0.32.0 -- a large jump. The acceptance tests use versioned v1alpha4 API which is typically stable, but the jump warrants verification.
|
🤖 Finished Review · ✅ Success · Started 5:50 AM UTC · Completed 6:01 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 6:20 AM UTC · Completed 6:30 AM UTC |
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 | ||
| github.com/transparency-dev/merkle v0.0.2 |
There was a problem hiding this comment.
[critical] API contract violation
The PR updates testcontainers-go from v0.34.0 to v0.43.0 in the acceptance module, a 9-minor-version jump. The acceptance module uses testcontainers.GenericContainer in three files: acceptance/git/git.go:183, acceptance/registry/registry.go:112, and acceptance/wiremock/wiremock.go:220. If GenericContainer was removed between v0.35.0 and v0.43.0, these call sites will fail to compile.
Suggested fix: Either (a) pin testcontainers-go to the last version supporting GenericContainer, or (b) migrate all three call sites to use the replacement API (e.g., testcontainers.Run) before merging.
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 | ||
| github.com/testcontainers/testcontainers-go/modules/registry v0.43.0 |
There was a problem hiding this comment.
[high] version skew
The main module depends on testcontainers-go/modules/registry at v0.34.0 (line 48), but the PR updates the parent testcontainers-go to v0.43.0. The modules/registry sub-module is versioned in lockstep with the parent module. A v0.34.0 sub-module paired with a v0.43.0 parent will likely cause type incompatibilities at compile time.
Suggested fix: Update github.com/testcontainers/testcontainers-go/modules/registry to v0.43.0 (or the corresponding version that matches the parent module) in go.mod.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[medium] API contract violation
The main module uses a pinned pseudo-version of testcontainers-go with a comment referencing an unreleased fix (PR #2899). The PR updates this to v0.43.0. The stale comment needs cleanup and the fix inclusion should be verified.
Suggested fix: Verify that the fix from PR #2899 is included in v0.43.0, and remove the stale comment about the unreleased version.
|
🤖 Finished Review · ✅ Success · Started 1:13 PM UTC · Completed 1:20 PM UTC |
This PR contains the following updates:
v0.10.0→v0.11.03459088→b7524796f40a37→b752479v0.13.7→v0.14.0v0.29.2→v0.32.4v2.11.4→v2.12.2e7eb2ec→dd8c9b1v1.15.2→v1.17.120ebb0f→4e6772av0.10.0→v0.11.0v3.0.4→v3.1.1v1.1.4→v1.2.1v0.26.2→v0.27.1v0.44.1→v0.45.0v0.34.0→v0.43.0v0.34.0→v0.43.0v1.11.0→v1.16.0a2b48b6→3558132746e56f→c48552fv0.20.0→v0.21.0v0.36.0→v0.38.0v1.12.1→v1.13.0v0.35.4→v0.36.2v0.35.4→v0.36.2v0.35.4→v0.36.2v0.35.4→v0.36.2v2.130.1→v2.140.0589584f→8f3fa49v1.34.2→v1.36.2v0.26.0→v0.32.0v0.20.1→v0.21.1v5.7.1→v5.8.1v0.20.1→v0.21.1Release Notes
CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)
v0.11.0Compare Source
Changelog
Building and Packaging
32221d4: build(deps): bump actions/setup-go from 6.2.0 to 6.4.0 (#261) (@dependabot[bot])a42a4dd: build(deps): bump gitpod/workspace-go from08a7c68to00059ff(#255) (@dependabot[bot])9810ab9: build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.1 (#263) (@dependabot[bot])Others
2cef056: Add comprehensive support for CycloneDX 1.7 specification (#257) (@alistair-mclean)3ed34da: Added 5 missing fields to match CycloneDX 1.6 spec: (#256) (@alistair-mclean)daixiang0/gci (github.com/daixiang0/gci)
v0.14.0Compare Source
AST Support is Coming!
See details in #241
Other Changes
New Contributors
Full Changelog: daixiang0/gci@v0.13.7...v0.14.0
go-openapi/runtime (github.com/go-openapi/runtime)
v0.32.4Compare Source
0.32.4 - 2026-06-19
Full Changelog: go-openapi/runtime@v0.32.3...v0.32.4
10 commits in this release.
Fixed bugs
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.4)
Miscellaneous tasks
Updates
docs/examples (0.32.4)
Updates
v0.32.3Compare Source
0.32.3 - 2026-06-02
Full Changelog: go-openapi/runtime@v0.32.2...v0.32.3
6 commits in this release.
Implemented enhancements
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.3)
Miscellaneous tasks
Updates
docs/examples (0.32.3)
Miscellaneous tasks
Updates
v0.32.2Compare Source
0.32.2 - 2026-05-27
Full Changelog: go-openapi/runtime@v0.32.1...v0.32.2
2 commits in this release.
Fixed bugs
Miscellaneous tasks
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.2)
Miscellaneous tasks
v0.32.1Compare Source
0.32.1 - 2026-05-25
Full Changelog: go-openapi/runtime@v0.32.0...v0.32.1
3 commits in this release.
Documentation
Code quality
Miscellaneous tasks
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.1)
Miscellaneous tasks
v0.32.0Compare Source
0.32.0 - 2026-05-25
Full Changelog: go-openapi/runtime@v0.31.0...v0.32.0
8 commits in this release.
Fixed bugs
Documentation
Code quality
Miscellaneous tasks
Updates
Other (technical)
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.32.0)
Miscellaneous tasks
Updates
docs/examples (0.32.0)
Miscellaneous tasks
Updates
server-middleware (0.32.0)
Updates
v0.31.0Compare Source
0.31.0 - 2026-05-17
Full Changelog: go-openapi/runtime@v0.30.0...v0.31.0
33 commits in this release.
Implemented enhancements
Fixed bugs
Ed25519key support by @fredbi in #452 ...Documentation
Code quality
Testing
Miscellaneous tasks
Security
Updates
Other (technical)
People who contributed to this release
New Contributors
in #451
runtime license terms
Per-module changes
client-middleware/opentracing (0.31.0)
Code quality
Miscellaneous tasks
docs/examples (0.31.0)
Documentation
<
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.