2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -171,7 +171,7 @@ require (
golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.44.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect

[critical] logic-error

This PR replaces gomodules.xyz/jsonpatch/v2 with gomodules.xyz/jsonpatch/v3 in go.mod, but in Go modules, v2 and v3 are distinct module paths. The direct dependencies that pull in this indirect dependency -- specifically sigs.k8s.io/controller-runtime v0.22.4 and knative.dev/pkg -- all import gomodules.xyz/jsonpatch/v2, not v3. Replacing v2 with v3 in go.mod removes the v2 module that these dependencies require, which will cause a build failure.

Suggested fix: Do not merge this PR. The gomodules.xyz/jsonpatch/v2 dependency cannot be replaced with v3 until the upstream consumers (controller-runtime, knative.dev/pkg) release versions that import gomodules.xyz/jsonpatch/v3. This is a Renovate/MintMaker bot error. Either close this PR, or if v3 is genuinely needed as an additional dependency, add it alongside v2 rather than replacing v2.

[low] missing-file-changes

The PR only modifies go.mod but does not include corresponding updates to go.sum or the vendor directory. This is a secondary symptom of the root logic error rather than an independent finding.

[critical] API contract violation

The PR replaces gomodules.xyz/jsonpatch/v2 v2.5.0 with gomodules.xyz/jsonpatch/v3 v3.0.1 in go.mod, but in Go modules v2 and v3 are distinct module paths. Vendored dependencies (sigs.k8s.io/controller-runtime and knative.dev/pkg) still import gomodules.xyz/jsonpatch/v2 (confirmed in vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/webhook.go line 27, vendor/knative.dev/pkg/apis/duck/patch.go line 23, and four other vendored files). vendor/modules.txt at line 816 also records gomodules.xyz/jsonpatch/v2 v2.5.0 as an explicit dependency. Removing v2 from go.mod while these transitive imports still reference v2 will cause a build failure because the v2 import path becomes unresolved. Furthermore, go.sum, vendor/modules.txt, and vendored source files are not updated in this PR.

Suggested fix: The v2 dependency must remain in go.mod as long as transitive dependencies import it. If the intent is to adopt v3, the upstream dependencies (controller-runtime, knative/pkg) must first be updated to versions that import v3. Alternatively, both v2 and v3 can coexist in go.mod if a direct dependency on v3 is actually needed. Run go mod tidy and go mod vendor after any changes to validate consistency.
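
The path-matching rule behind the comment above, as an added example (not code from this PR, the review bot, or the Go toolchain): a simplified resolver that reports which import paths a go.mod's `require` list cannot provide. The function names and the constructed go.mod fragments are assumptions for illustration; `replace` directives and the standard library are ignored.

```go
package main

import (
	"fmt"
	"strings"
)

// requiredModules lists the module paths in a go.mod's require directives.
func requiredModules(gomod string) (mods []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			mods = append(mods, f[1])
		case inBlock && len(f) == 2:
			mods = append(mods, f[0])
		}
	}
	return mods
}

// unresolved returns imports that no required module provides. A module path
// must equal the import or be a prefix ending at "/", so /v3 never provides /v2.
func unresolved(gomod string, imports []string) (missing []string) {
next:
	for _, imp := range imports {
		for _, m := range requiredModules(gomod) {
			if imp == m || strings.HasPrefix(imp, m+"/") {
				continue next
			}
		}
		missing = append(missing, imp)
	}
	return missing
}

// Constructed go.mod fragments (require lines from the hunk) for the demo.
const before = "require (\n\tgomodules.xyz/jsonpatch/v2 v2.5.0 // indirect\n)\n"
const after = "require (\n\tgomodules.xyz/jsonpatch/v3 v3.0.1 // indirect\n)\n"

func main() {
	imps := []string{"gomodules.xyz/jsonpatch/v2"}
	fmt.Println(unresolved(before, imps), unresolved(after, imps))
}
```
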

google.golang.org/api v0.264.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
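
Review bot: In the `require (` block, dropping the `gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect` line in favour of `gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect` is not a version bump: under Go's semantic import versioning `/v2` and `/v3` are different module paths, so the v3 requirement cannot stand in for packages that import v2. Both entries are marked `// indirect`, meaning the requirement comes from a dependency rather than from this module's own imports, so the swap is only valid if that dependency has itself moved to v3. Suggest keeping the v2 line, adding v3 only if something in the build actually imports it, and regenerating the file with `go mod tidy` (and `go mod vendor` where the repository vendors) instead of rewriting the line in place.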