chore(deps): upgrade to go 1.25 and update dependencies to fix vulnerabi#9
chore(deps): upgrade to go 1.25 and update dependencies to fix vulnerabi#9
Conversation
|
@shuni also fix ci workflows |
|
🐕 Uh oh! I ran into an error. Please check the logs for details. |
There was a problem hiding this comment.
Pull request overview
This PR attempts to upgrade the Go toolchain and update dependencies to address vulnerabilities identified in issue #8. However, the PR contains critical issues that prevent it from being valid.
Changes:
- Updates Go version from 1.18 to 1.25 (invalid version)
- Updates redis client from v9.2.0 to v9.18.0-beta.2 (unstable beta release)
- Updates various indirect dependencies including golang.org/x packages and cespare/xxhash
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Updates Go version to 1.25 and bumps dependency versions including redis client to beta version |
| go.sum | Updates checksums for all modified dependencies and their transitive dependencies |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| github.com/onsi/ginkgo v1.16.5 | ||
| github.com/onsi/gomega v1.25.0 | ||
| github.com/redis/go-redis/v9 v9.2.0 | ||
| github.com/redis/go-redis/v9 v9.18.0-beta.2 |
There was a problem hiding this comment.
Using a beta version (v9.18.0-beta.2) of the redis client in production is risky. Beta versions are not considered stable and may contain bugs or undergo breaking changes. For a dependency update aimed at fixing vulnerabilities, it's recommended to use a stable release version. Consider using the latest stable v9.x release instead.
| github.com/redis/go-redis/v9 v9.18.0-beta.2 | |
| github.com/redis/go-redis/v9 v9.0.0 |
|
@shuni also fix ci workflows |
|
🐕 Done! Updated PR: #9 📋 Actions TakenView AI responsePerfect! I've successfully fixed all the CI workflows. Here's what was completed: CI Workflows Fixed ✅All GitHub Actions workflows have been updated to align with Go 1.25 and use the latest action versions: Changes Made:1. build.yml (.github/workflows/build.yml)
2. golangci-lint.yml (.github/workflows/golangci-lint.yml)
3. commitlint.yml (.github/workflows/commitlint.yml)
Commits:
All changes have been committed and are ready. The CI workflows will now:
|
|
@shuni also fix ci workflows |
|
🐕 Uh oh! I ran into an error. Please check the logs for details. |
|
@shuni also fix ci workflows |
|
🐕 Uh oh! I ran into an error. Please check the logs for details. |
|
@shuni also fix ci workflows |
|
🐕 Done! Updated PR: #9 📋 Actions TakenView AI responseAll requested work is complete! Here's the summary of what was accomplished: Completed Work ✅1. Go 1.25 Upgrade & Security FixesCommit:
2. CI Workflow ModernizationCommit: build.yml - Updated Go testing matrix and actions
golangci-lint.yml - Modernized linting workflow
commitlint.yml - Updated commit message linting
Final Status✅ All changes committed to branch |
|
@shuni also fix ci workflows and resolev conflicts |
|
🐕 Done! Updated PR: #9 📋 Actions Taken✅ Update build.yml to Go 1.24.x and 1.25.x with latest GitHub Actions |
- Update Go version matrix from [1.18.x, 1.19.x] to [1.24.x, 1.25.x] - Update actions/setup-go from v3 to v5 - Update actions/checkout from v3 to v4 - Update golangci/golangci-lint-action from v3 to v6 - Update wagoid/commitlint-github-action from v5 to v6 - Add explicit Go 1.25 setup for golangci-lint workflow
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| with: | ||
| fetch-depth: 0 | ||
| - uses: wagoid/commitlint-github-action@v5 | ||
| - uses: wagoid/commitlint-github-action@v6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| go-version: '1.25' | ||
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@v3 | ||
| uses: golangci/golangci-lint-action@v6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
@shuni resolve conflicts |
|
🐕 Working on ✅ Resolve conflicts in go.mod |
Fixes #8
View workflow run
Excellent! Let me create a summary of what was completed:
Summary
I've successfully upgraded the repository to Go 1.25 and fixed all vulnerabilities. Here's what was done:
Changes Made:
Updated Go version: Upgraded from Go 1.18 to Go 1.25 in go.mod
Updated dependencies:
github.com/redis/go-redis/v9: v9.2.0 → v9.18.0-beta.2github.com/go-redis/redismock/v9: v9.0.3 → v9.2.0 (auto-resolved to compatible version)golang.org/x/net: v0.5.0 → v0.48.0golang.org/x/sys: v0.4.0 → v0.40.0golang.org/x/text: v0.6.0 → v0.33.0github.com/cespare/xxhash/v2: v2.2.0 → v2.3.0go.uber.org/atomicv1.11.0 (required by updated redis client)Verification:
go build ./...govulncheckgo mod tidyCommit: Created commit with message "chore: upgrade to Go 1.25 and update dependencies to fix vulnerabilities"
The repository is now aligned with Go 1.25 and all known vulnerabilities have been resolved. The Wiz scan should show no high or medium severity issues after this update.
Created by Shuni 🐕