Update go modules (main) (patch) #3130
ℹ️ Artifact update notice
File name: acceptance/go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| k8s.io/api v0.35.4 | ||
| k8s.io/api v0.35.5 | ||
| k8s.io/apimachinery v0.35.4 |
[low] version consistency
After this PR, the acceptance module will have k8s.io/api at v0.35.5 and k8s.io/client-go at v0.35.5, but k8s.io/apimachinery remains at v0.35.4. The k8s.io libraries are released in lockstep and are generally expected to be at the same patch version. Go's MVS will resolve the correct minimum version at build time, so this is unlikely to cause a build failure, but the go.mod will be misleading about the actual resolved version.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
[info] semantic versioning
go-securesystemslib is bumped from v0.10.0 to v0.11.0, which is a minor (not patch) version increase. Under Go's v0.x convention, minor bumps do not carry backward-compatibility guarantees. CI should verify API compatibility.
| github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 | ||
| github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e | ||
| github.com/pkg/errors v0.9.1 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.10.0 |
[low] version-skew
The PR bumps github.com/secure-systems-lab/go-securesystemslib from v0.10.0 to v0.11.0 in the root go.mod, but acceptance/go.mod retains v0.10.0. While the two modules use different sub-packages of this library (reducing immediate risk), keeping a security-sensitive library in sync across modules is good practice.
Suggested fix: Bump acceptance/go.mod to also use go-securesystemslib v0.11.0 and run go mod tidy in the acceptance directory.
| github.com/go-openapi/strfmt v0.26.3 | ||
| github.com/google/go-cmp v0.7.0 | ||
| github.com/google/go-containerregistry v0.21.5 | ||
| github.com/google/go-containerregistry v0.21.6 |
[low] api-contract
The require for github.com/google/go-containerregistry is bumped from v0.21.5 to v0.21.6, but the replace directive on line 63 pins it to a fork based on v0.20.7. The replace fully overrides the require, so this is cosmetic. Consider aligning the require version with the fork base to reduce confusion.
Suggested fix: Either rebase the fork onto upstream v0.21.6 or freeze the require version to match the fork base (v0.20.7).
| github.com/go-openapi/strfmt v0.26.1 | ||
| github.com/google/go-containerregistry v0.21.5 | ||
| github.com/go-openapi/strfmt v0.26.3 | ||
| github.com/google/go-containerregistry v0.21.6 |
[low] api-contract
The acceptance/go.mod uses a different fork commit (v0.20.7-0.20250703195040-6f40a3734728) than the main module (v0.20.7-0.20251103083939-3459088e4bae) for go-containerregistry. The two modules may use different fork patches.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
[info] api-contract
The secure-systems-lab/go-securesystemslib bump from v0.10.0 to v0.11.0 is a minor version increment for a pre-v1 module. Verify CI passes with the new version.
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
[info] scope mismatch
github.com/secure-systems-lab/go-securesystemslib is bumped from v0.10.0 to v0.11.0, a minor version bump in a v0.x module, in a PR labeled as patch updates. CI/tests should confirm compatibility.
| github.com/open-policy-agent/conftest v0.68.2 | ||
| github.com/open-policy-agent/opa v1.15.2 | ||
| github.com/package-url/packageurl-go v0.1.3 | ||
| github.com/package-url/packageurl-go v0.1.6 |
[info] scope mismatch
github.com/package-url/packageurl-go is bumped from v0.1.3 to v0.1.6, skipping multiple patch versions within the 0.1.x line. This is a direct production dependency used in internal/rego/purl/purl.go.
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| k8s.io/api v0.35.4 | ||
| k8s.io/api v0.35.6 | ||
| k8s.io/apimachinery v0.35.4 |
[low] dependency version consistency
In acceptance/go.mod, k8s.io/apimachinery stays at v0.35.4 while k8s.io/api and k8s.io/client-go bump to v0.35.6. The main go.mod bumps all k8s.io modules consistently to v0.35.6. Patch-level skew within the same minor version is unlikely to cause build failures due to Go's minimum version selection, but it is unusual and may indicate the dependency resolver could not upgrade apimachinery for some reason.
Suggested fix: Bump k8s.io/apimachinery to v0.35.6 in acceptance/go.mod to match k8s.io/api and k8s.io/client-go.
| github.com/tektoncd/cli v0.44.1 | ||
| github.com/tektoncd/pipeline v1.12.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.0 | ||
| github.com/testcontainers/testcontainers-go v0.34.1 |
[info] dependency version consistency
The acceptance/go.mod bumps testcontainers-go from v0.34.0 to v0.34.1, while the main go.mod retains an unreleased commit pin (v0.34.1-0.20241204123437-72be13940122) with a comment explaining it contains a specific fix. This divergence is intentional.
| ) | ||
|
|
||
| // use forked version until we can get the fixes merged see https://github.com/conforma/go-containerregistry/blob/main/hack/ec-patches.sh for a list of patches we carry | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae |
[info] dependency version consistency
The main go.mod has a replace directive pinning google/go-containerregistry to a conforma fork. The PR bumps the require version from v0.21.5 to v0.21.7 but the replace directive overrides this, making the version bump cosmetic with no runtime behavior change.
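The two conditions the review comments above keep flagging, patch-level skew inside the lockstep k8s.io family and a require version that a replace directive overrides, can be checked mechanically. The following is an added example, not code from this PR or the project: `Audit` is a hypothetical helper, the go.mod text is a constructed sample built from lines quoted in the comments, and only single-line replace directives are handled.

```go
package main

import (
	"fmt"
	"strings"
)

const sampleGoMod = `module example.test/sample // constructed sample, not a real go.mod
require (
	github.com/google/go-containerregistry v0.21.7
	k8s.io/api v0.35.6
	k8s.io/apimachinery v0.35.4 // indirect
)
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae
`

// Audit (hypothetical helper) flags lockstep-family skew and requires shadowed by a replace.
func Audit(gomod string, lockstep []string) []string {
	req, repl, inReq := map[string]string{}, [][2]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inReq = f[0] == "require" // only a "require (" line opens a require block
		case len(f) >= 4 && f[0] == "replace" && f[2] == "=>":
			repl = append(repl, [2]string{f[1], strings.Join(f[3:], " ")})
		case len(f) == 3 && f[0] == "require", inReq && len(f) == 2:
			req[f[len(f)-2]] = f[len(f)-1] // module path -> required version
		}
	}
	vers, pins, out := map[string]bool{}, []string{}, []string{}
	for _, m := range lockstep {
		if v, ok := req[m]; ok {
			vers[v], pins = true, append(pins, m+"@"+v)
		}
	}
	if len(vers) > 1 { // more than one distinct version inside the family
		out = append(out, "lockstep skew: "+strings.Join(pins, " "))
	}
	for _, r := range repl {
		if v, ok := req[r[0]]; ok { // the replace target is what the build resolves
			out = append(out, fmt.Sprintf("require %s %s is overridden by replace => %s", r[0], v, r[1]))
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Audit(sampleGoMod, []string{"k8s.io/api", "k8s.io/apimachinery", "k8s.io/client-go"}), "\n"))
}
```

Run per module (root, acceptance, tools), this gives a CI gate the same signal the review comments raise by hand.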
This PR contains the following updates:
v0.16.0 → v0.16.1
v0.1.7 → v0.1.11
v0.15.0 → v0.15.1
v0.5.19 → v0.5.22
v0.29.2 → v0.29.5
v0.26.1 → v0.26.3
v0.21.5 → v0.21.7
v0.0.20 → v0.0.22
v1.14.0 → v1.14.1
v0.1.3 → v0.1.6
v3.0.4 → v3.0.6
v1.5.0 → v1.5.2
v1.10.5 → v1.10.8
v0.26.2 → v0.26.4
v0.44.1 → v0.44.2
v0.34.0 → v0.34.1
v1.12.1 → v1.12.3
v0.35.4 → v0.35.6
v0.35.4 → v0.35.6
v0.35.4 → v0.35.6
v0.35.4 → v0.35.6
v1.34.2 → v1.34.9
v2.6.0 → v2.6.1
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Release Notes
cue-lang/cue (cuelang.org/go)
v0.16.1 (Compare Source)
Language
The `fallback` keyword in the `aliasv2` experiment is replaced by `otherwise`, which is clearer. `cue fmt` or `cue fix` can be used to rewrite existing code.
Evaluator
Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.
Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.
cmd/cue
Fix a panic which could occur when using non-label expressions in the `--path` flag.
Teach `cue login` to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.
Go API
Fix a regression where `cue.Context.Encode` could panic on custom marshaler types with pointer receivers.
Full list of changes since v0.16.0
cucumber/godog (github.com/cucumber/godog)
v0.15.1 (Compare Source)
Added
Changed
::set-output - (681 - nodeg)
Fixed
context.Context (679 - tigh-latte)
gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)
v0.5.22 (Compare Source)
What's Changed
New Contributors
Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22
v0.5.21 (Compare Source)
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21
v0.5.20 (Compare Source)
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20
go-openapi/runtime (github.com/go-openapi/runtime)
v0.29.5 (Compare Source)
0.29.5 - 2026-05-04
Full Changelog: go-openapi/runtime@v0.29.4...v0.29.5
10 commits in this release.
Implemented enhancements
Fixed bugs
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
New Contributors
in #422
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.5)
Fixed bugs
Miscellaneous tasks
Updates
v0.29.4 (Compare Source)
0.29.4 - 2026-04-18
Security update
Full Changelog: go-openapi/runtime@v0.29.3...v0.29.4
16 commits in this release.
Documentation
Testing
Miscellaneous tasks
Updates
People who contributed to this release
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.4)
Miscellaneous tasks
Updates
v0.29.3 (Compare Source)
0.29.3 - 2026-03-08
Full Changelog: go-openapi/runtime@v0.29.2...v0.29.3
27 commits in this release.
Fixed bugs
Documentation
Code quality
Miscellaneous tasks
Updates
People who contributed to this release
New Contributors
in #373
runtime license terms
Per-module changes
client-middleware/opentracing (0.29.3)
Documentation
Code quality
Miscellaneous tasks
go-openapi/strfmt (github.com/go-openapi/strfmt)
v0.26.3 (Compare Source)
0.26.3 - 2026-05-31
Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3
15 commits in this release.
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
strfmt license terms
Per-module changes
enable/mongodb (0.26.3)
Miscellaneous tasks
Updates
internal/testintegration (0.26.3)
Miscellaneous tasks
Updates
v0.26.2 (Compare Source)
0.26.2 - 2026-04-29
Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2
13 commits in this release.
Documentation
Performance
Miscellaneous tasks
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.