Update go modules (main) (patch)#3130
Conversation
ℹ️ Artifact update noticeFile name: acceptance/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
Bot
force-pushed
the
renovate/main-patch-go-modules
branch
14 times, most recently
from
2a265d3 to
a650df7
Compare
renovate
Bot
force-pushed
the
renovate/main-patch-go-modules
branch
4 times, most recently
from
5fde2e2 to
0d4d965
Compare
renovate
Bot
force-pushed
the
renovate/main-patch-go-modules
branch
5 times, most recently
from
afe86d8 to
9a0b95c
Compare
![fullsend-ai-review[bot]](https://avatars.githubusercontent.com/in/3478501?s=60&v=4){kind=small}
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| k8s.io/api v0.35.4 | ||
| k8s.io/api v0.35.5 | ||
| k8s.io/apimachinery v0.35.4 |
There was a problem hiding this comment.
[low] version consistency
After this update, k8s.io/api and k8s.io/client-go are bumped to v0.35.5 but k8s.io/apimachinery remains at v0.35.4. The k8s.io packages are designed to be used at consistent versions. Go's MVS resolves this safely, but the inconsistency is worth noting.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[low] API compatibility
github.com/secure-systems-lab/go-securesystemslib is updated from v0.10.0 to v0.11.0, a minor version bump on a v0.x module which does not guarantee backward compatibility per Go semver. Verify CI passes before merging.
| github.com/gkampitakis/go-snaps v0.5.19 | ||
| github.com/gkampitakis/go-snaps v0.5.22 | ||
| github.com/go-git/go-billy/v5 v5.8.0 | ||
| github.com/go-git/go-git/v5 v5.17.1 |
There was a problem hiding this comment.
[low] data-exposure
acceptance/go.mod retains go-git/go-git/v5 v5.17.1 while go.mod bumps to v5.18.0. The go-gather v1.1.5 changelog explicitly tags the v5.18.0 update as a security fix. The acceptance module may run with a version that has known security issues. Mitigated by CI-only usage and separate module scope.
Suggested fix: Consider bumping go-git to v5.18.0 in acceptance/go.mod in a follow-up PR, or verify the security issue does not affect test-time usage patterns.
| github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 | ||
| github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e | ||
| github.com/pkg/errors v0.9.1 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.10.0 |
There was a problem hiding this comment.
[low] version skew
go-securesystemslib remains at v0.10.0 in the acceptance module while the main go.mod updates it to v0.11.0. The acceptance module directly imports the encrypted sub-package for key encryption/decryption. Since the encrypted sub-package is a stable utility, the practical risk is low, but it creates an inconsistency where acceptance tests may not exercise v0.11.0 code paths.
Suggested fix: Consider updating acceptance/go.mod to use go-securesystemslib v0.11.0 for consistency with the main module.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[low] api-contract
The PR updates go-securesystemslib from v0.10.0 to v0.11.0 in go.mod but leaves it at v0.10.0 in acceptance/go.mod. For v0.x Go modules, a minor version bump can include breaking changes per semver. These are separate Go modules without a go.work file, so they resolve independently, but integration testing could surface subtle incompatibilities.
|
🤖 Finished Review · ✅ Success · Started 4:10 PM UTC · Completed 4:16 PM UTC |
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[low] version consistency
The PR updates go-securesystemslib from v0.10.0 to v0.11.0 in go.mod but leaves it at v0.10.0 in acceptance/go.mod. These are separate Go modules so this is technically valid, but since go-securesystemslib is pre-v1, a minor bump may include breaking API changes to the dsse package used extensively in internal/validate/vsa/ and related packages.
| github.com/go-openapi/strfmt v0.26.3 | ||
| github.com/google/go-cmp v0.7.0 | ||
| github.com/google/go-containerregistry v0.21.5 | ||
| github.com/google/go-containerregistry v0.21.6 |
There was a problem hiding this comment.
[info] version consistency
The PR bumps google/go-containerregistry from v0.21.5 to v0.21.6 in the require directive, but the replace directive still pins to conforma/go-containerregistry v0.20.7. The require change has no runtime effect in go.mod (fork is used), but tools/go.mod has no replace directive and will use upstream v0.21.6.
|
🤖 Finished Review · ✅ Success · Started 10:43 PM UTC · Completed 10:49 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 1:41 PM UTC · Completed 1:49 PM UTC |
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| k8s.io/api v0.35.4 | ||
| k8s.io/api v0.35.5 | ||
| k8s.io/apimachinery v0.35.4 |
There was a problem hiding this comment.
[low] version consistency
After this PR, the acceptance module will have k8s.io/api at v0.35.5 and k8s.io/client-go at v0.35.5, but k8s.io/apimachinery remains at v0.35.4. The k8s.io libraries are released in lockstep and are generally expected to be at the same patch version. Go's MVS will resolve the correct minimum version at build time, so this is unlikely to cause a build failure, but the go.mod will be misleading about the actual resolved version.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[info] semantic versioning
go-securesystemslib is bumped from v0.10.0 to v0.11.0, which is a minor (not patch) version increase. Under Go's v0.x convention, minor bumps do not carry backward-compatibility guarantees. CI should verify API compatibility.
|
🤖 Finished Review · ✅ Success · Started 7:08 PM UTC · Completed 7:15 PM UTC |
|
🤖 Finished Review · ❌ Failure · Started 3:04 PM UTC · Completed 3:11 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:16 PM UTC · Completed 9:22 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 3:09 AM UTC · Completed 3:16 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:17 PM UTC · Completed 5:23 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:09 PM UTC · Completed 9:16 PM UTC |
| github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 | ||
| github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e | ||
| github.com/pkg/errors v0.9.1 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.10.0 |
There was a problem hiding this comment.
[low] version-skew
The PR bumps github.com/secure-systems-lab/go-securesystemslib from v0.10.0 to v0.11.0 in the root go.mod, but acceptance/go.mod retains v0.10.0. While the two modules use different sub-packages of this library (reducing immediate risk), keeping a security-sensitive library in sync across modules is good practice.
Suggested fix: Bump acceptance/go.mod to also use go-securesystemslib v0.11.0 and run go mod tidy in the acceptance directory.
|
🤖 Finished Review · ✅ Success · Started 9:19 PM UTC · Completed 9:25 PM UTC |
This PR contains the following updates:
v0.16.0→v0.16.1v0.1.7→v0.1.11v0.15.0→v0.15.1v0.5.19→v0.5.22v0.29.2→v0.29.5v0.26.1→v0.26.3v0.21.5→v0.21.6v0.0.20→v0.0.22v1.14.0→v1.14.1v0.1.3→v0.1.6v3.0.4→v3.0.6v1.5.0→v1.5.2v1.10.5→v1.10.8v0.26.2→v0.26.4v0.34.0→v0.34.1v1.12.1→v1.12.3v0.35.4→v0.35.6v0.35.4→v0.35.6v0.35.4→v0.35.6v0.35.4→v0.35.6v1.34.2→v1.34.9v2.6.0→v2.6.1Release Notes
cue-lang/cue (cuelang.org/go)
v0.16.1Compare Source
Language
The
fallbackkeyword in thealiasv2experiment is replaced byotherwise, which is clearer.cue fmtorcue fixcan be used to rewrite existing code.Evaluator
Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.
Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.
cmd/cueFix a panic which could occur when using non-label expressions in the
--pathflag.Teach
cue loginto give helpful errors when used with OCI registries which don't support the OAuth2 device flow.Go API
Fix a regression where
cue.Context.Encodecould panic on custom marshaler types with pointer receivers.Full list of changes since v0.16.0
6d609d7cedf4c8b4efeeff8138118e47027a5e0ef5c169605d7c882a2613edfe4b05161e464091654f66eae9aaf8e39aec5a55849682c663cucumber/godog (github.com/cucumber/godog)
v0.15.1Compare Source
Added
Changed
::set-output- (681 - nodeg)Fixed
context.Context(679 - tigh-latte)gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)
v0.5.22Compare Source
What's Changed
New Contributors
Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22
v0.5.21Compare Source
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21
v0.5.20Compare Source
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20
go-openapi/runtime (github.com/go-openapi/runtime)
v0.29.5Compare Source
0.29.5 - 2026-05-04
Full Changelog: go-openapi/runtime@v0.29.4...v0.29.5
10 commits in this release.
Implemented enhancements
Fixed bugs
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
New Contributors
in #422
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.5)
Fixed bugs
Miscellaneous tasks
Updates
v0.29.4Compare Source
0.29.4 - 2026-04-18
Security update
Full Changelog: go-openapi/runtime@v0.29.3...v0.29.4
16 commits in this release.
Documentation
Testing
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.4)
Miscellaneous tasks
Updates
v0.29.3Compare Source
0.29.3 - 2026-03-08
Full Changelog: go-openapi/runtime@v0.29.2...v0.29.3
27 commits in this release.
Fixed bugs
Documentation
Code quality
Miscellaneous tasks
Updates
People who contributed to this release
New Contributors
in #373
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.3)
Documentation
Code quality
Miscellaneous tasks
go-openapi/strfmt (github.com/go-openapi/strfmt)
v0.26.3Compare Source
0.26.3 - 2026-05-31
Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3
15 commits in this release.
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
strfmt license terms
Per-module changes
enable/mongodb (0.26.3)
Miscellaneous tasks
Updates
internal/testintegration (0.26.3)
Miscellaneous tasks
Updates
v0.26.2Compare Source
0.26.2 - 2026-04-29
Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2
13 commits in this release.
Documentation
Performance
Miscellaneous tasks
Updates
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.