Skip to content

chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3#1477

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x
Open

chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3#1477
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Feb 25, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
gomodules.xyz/jsonpatch/v2 v2.5.0v3.0.1 age confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

gomodules/jsonpatch (gomodules.xyz/jsonpatch/v2)

v3.0.1

Compare Source

This release uses our forked gomodules/orderedmap library. Our forked version has 2 major changes:

  • Uses *OrderedMap instead of OrderedMap inside nested orderedmaps.
  • I ported unstructured helpers from Kubernetes to work with orderedmaps.

v3.0.0

Compare Source

This release uses iancoleman/orderedmap to generate predictable patch. This is very useful if the generated patch is checked into a VCS like git.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: mod upgrade --mod-name=gomodules.xyz/jsonpatch/v2 -t=3
could not load package: err: exit status 1: stderr: go: inconsistent vendoring in /tmp/renovate/repos/github/konflux-ci/integration-service:
	gomodules.xyz/jsonpatch/v3@v3.0.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt

	To ignore the vendor directory, use -mod=readonly or -mod=mod.
	To sync the vendor directory, run:
		go mod vendor


@snyk-io

snyk-io Bot commented Feb 25, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch from 3e2d6fc to b868929 Compare February 26, 2026 06:07
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch from b868929 to f1b7c39 Compare April 1, 2026 14:36
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch 2 times, most recently from a71fb29 to 5652a61 Compare April 19, 2026 14:24
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch from 5652a61 to 5cc6803 Compare April 29, 2026 15:10
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 - autoclosed May 2, 2026
@red-hat-konflux red-hat-konflux Bot closed this May 2, 2026
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch May 2, 2026 22:35
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 - autoclosed chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 May 3, 2026
@red-hat-konflux red-hat-konflux Bot reopened this May 3, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch 3 times, most recently from 703cfed to 4326eae Compare May 3, 2026 06:32
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch from 4326eae to a3e0661 Compare June 25, 2026 22:29
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:31 PM UTC · Completed 10:39 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review

Findings

Critical

  • [API contract violation] go.mod:174 — The PR replaces gomodules.xyz/jsonpatch/v2 v2.5.0 with gomodules.xyz/jsonpatch/v3 v3.0.1 in go.mod, but in Go modules v2 and v3 are distinct module paths. Vendored dependencies (sigs.k8s.io/controller-runtime and knative.dev/pkg) still import gomodules.xyz/jsonpatch/v2 (confirmed in vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/webhook.go line 27, vendor/knative.dev/pkg/apis/duck/patch.go line 23, and four other vendored files). vendor/modules.txt at line 816 also records gomodules.xyz/jsonpatch/v2 v2.5.0 as an explicit dependency. Removing v2 from go.mod while these transitive imports still reference v2 will cause a build failure because the v2 import path becomes unresolved. Furthermore, go.sum, vendor/modules.txt, and vendored source files are not updated in this PR.
    Remediation: The v2 dependency must remain in go.mod as long as transitive dependencies import it. If the intent is to adopt v3, the upstream dependencies (controller-runtime, knative/pkg) must first be updated to versions that import v3. Alternatively, both v2 and v3 can coexist in go.mod if a direct dependency on v3 is actually needed. Run go mod tidy and go mod vendor after any changes to validate consistency.

Labels: PR is blocked by controller-runtime dependency on jsonpatch/v2

Previous run

Review

Findings

Critical

  • [logic-error] go.mod:174 — This PR replaces gomodules.xyz/jsonpatch/v2 with gomodules.xyz/jsonpatch/v3 in go.mod, but in Go modules, v2 and v3 are distinct module paths. The direct dependencies that pull in this indirect dependency — specifically sigs.k8s.io/controller-runtime v0.22.4 and knative.dev/pkg — all import gomodules.xyz/jsonpatch/v2, not v3. Replacing v2 with v3 in go.mod removes the v2 module that these dependencies require, which will cause a build failure. The v2 module is still needed because no upstream dependency has migrated to v3.
    Remediation: Do not merge this PR. The gomodules.xyz/jsonpatch/v2 dependency cannot be replaced with v3 until the upstream consumers (controller-runtime, knative.dev/pkg) release versions that import gomodules.xyz/jsonpatch/v3. This is a Renovate/MintMaker bot error — it treated a Go major version bump as a simple version update, but Go major versions are separate module paths. Either close this PR, or if v3 is genuinely needed as an additional dependency, add it alongside v2 rather than replacing v2.

Low

  • [missing-file-changes] go.mod:174 — The PR only modifies go.mod but does not include corresponding updates to go.sum or the vendor directory. go.sum still lists gomodules.xyz/jsonpatch/v2 v2.5.0 with no v3 entries, and vendor/modules.txt still references v2. However, this is entirely a consequence of the root logic error (replacing v2 with v3), making this a secondary symptom rather than an independent finding.

Labels: Bot-generated Go dependency update PR modifying go.mod.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the dependencies Pull requests that update a dependency file label Jun 25, 2026
@fullsend-ai-review fullsend-ai-review Bot added the go Pull requests that update Go code label Jun 25, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 - autoclosed Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jul 2, 2026
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 1:34 AM UTC · Completed 1:41 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #1477 — Renovate bot Go module v2→v3 upgrade (autoclosed)

Timeline

  1. 2026-02-25: Renovate bot opened PR to upgrade gomodules.xyz/jsonpatch/v2 to v3. Same day, Renovate reported an artifact update failure (vendoring inconsistency with the v3 module).
  2. 2026-02-25 → 2026-06-25: PR sat open for 4 months with no review.
  3. 2026-06-25: Review agent ran and correctly identified the critical issue — in Go modules, v2 and v3 are distinct module paths, and upstream dependencies (controller-runtime, knative.dev/pkg) still import v2. Requested changes.
  4. 2026-07-02: PR autoclosed without merge.

What went well

  • Review quality was strong. The agent correctly identified the Go module major-version path semantics issue as critical and recommended not merging. It also flagged the missing go.sum/vendor updates as a secondary symptom.
  • No false positives. Both findings were accurate and actionable.

Inefficiencies identified (all already tracked)

  • Reviewing a known-broken PR: Renovate reported the build failure on day 1, but the review agent ran a full review 4 months later without considering the existing failure comment. Tracked by #1406 (review agent should weigh bot warning comments) and #2586 (recommend closing unfixable dependency-bot PRs).
  • Retro on autoclosed bot PR: Running a retro on an autoclosed bot PR with no human interaction and no merge is low-value. Tracked by #2461.
  • Self-triggering risk: The pull_request_review event in the shim has no bot-author filter. Tracked by #1271.
  • Stale bot PR lifecycle: The PR should have been auto-closed much sooner. Tracked by #2863.

Proposals

No new proposals — all identified improvement areas are already covered by existing open issues in fullsend-ai/fullsend.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 - autoclosed chore(deps): update module gomodules.xyz/jsonpatch/v2 to v3 Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/gomodules.xyz-jsonpatch-v2-3.x branch 2 times, most recently from a3e0661 to fe7e24d Compare July 2, 2026 06:01
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:04 AM UTC · Completed 6:11 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

Comment thread go.mod
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.44.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[critical] API contract violation

The PR replaces gomodules.xyz/jsonpatch/v2 v2.5.0 with gomodules.xyz/jsonpatch/v3 v3.0.1 in go.mod, but in Go modules v2 and v3 are distinct module paths. Vendored dependencies (sigs.k8s.io/controller-runtime and knative.dev/pkg) still import gomodules.xyz/jsonpatch/v2 (confirmed in vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/webhook.go line 27, vendor/knative.dev/pkg/apis/duck/patch.go line 23, and four other vendored files). vendor/modules.txt at line 816 also records gomodules.xyz/jsonpatch/v2 v2.5.0 as an explicit dependency. Removing v2 from go.mod while these transitive imports still reference v2 will cause a build failure because the v2 import path becomes unresolved. Furthermore, go.sum, vendor/modules.txt, and vendored source files are not updated in this PR.

Suggested fix: The v2 dependency must remain in go.mod as long as transitive dependencies import it. If the intent is to adopt v3, the upstream dependencies (controller-runtime, knative/pkg) must first be updated to versions that import v3. Alternatively, both v2 and v3 can coexist in go.mod if a direct dependency on v3 is actually needed. Run go mod tidy and go mod vendor after any changes to validate consistency.

@fullsend-ai-review fullsend-ai-review Bot added the blocked-controller-runtime Change directly or indirectly requires an update of controller runtime 0.14->0.15 label Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

blocked-controller-runtime Change directly or indirectly requires an update of controller runtime 0.14->0.15 dependencies Pull requests that update a dependency file go Pull requests that update Go code size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants