chore(deps): update module github.com/oklog/ulid to v2 #1492
red-hat-konflux[bot] wants to merge 1 commit into
✅ Snyk checks have passed. No issues have been found so far.
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
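Review bot: on the last line, github.com/oklog/ulid/v2 is a different module path from github.com/oklog/ulid on the line above it, so this is a module swap and not a version bump, and an '// indirect' requirement only makes sense if something in the module graph needs that path. Run 'go mod why -m github.com/oklog/ulid' and 'go mod why -m github.com/oklog/ulid/v2' to see which path is actually needed, and let 'go mod tidy' write the require line instead of rewriting it directly.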
[critical] build-breakage
The PR replaces github.com/oklog/ulid v1.3.1 with github.com/oklog/ulid/v2 v2.1.1, but the vendored consumer go-openapi/strfmt (vendor/github.com/go-openapi/strfmt/ulid.go line 14 and mongo.go line 12) imports the v1 path 'github.com/oklog/ulid' (without /v2). In Go modules, v1 and v2 are distinct module paths. This PR removes the v1 module that strfmt actually depends on, which will cause build failures.
Suggested fix: Either update go-openapi/strfmt to a version that imports github.com/oklog/ulid/v2, then run 'go mod tidy && go mod vendor', or revert this change and configure Renovate to skip this upgrade until the upstream dependency migrates to ulid v2.
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
[critical] incomplete-change
go.sum contains no entries for github.com/oklog/ulid/v2 and vendor/modules.txt still references github.com/oklog/ulid v1.3.1. The PR only modifies go.mod without running 'go mod tidy' and 'go mod vendor', leaving go.mod, go.sum, and vendor/ mutually inconsistent.
Suggested fix: Run 'go mod tidy && go mod vendor' and include the resulting changes to go.sum, vendor/modules.txt, and vendor/ in the PR.
🤖 Finished Retro · ✅ Success · Started 2:46 PM UTC · Completed 2:53 PM UTC

Retro: PR #1492 (Renovate dependency bump, closed without merge)

What happened

Renovate ( On June 5, when Renovate reopened the PR, the fullsend review agent correctly identified two critical issues: (1) the v1→v2 module path incompatibility with vendored On June 21, the PR was closed for the final time. This triggered multiple concurrent workflow runs: 2 review dispatches and 5 retro dispatches, all burning tokens on a PR that was already closed and never mergeable.

Assessment

Review quality: Good. The review agent's findings were accurate and well-reasoned. However, reviewing a PR that Renovate itself already flagged as broken adds limited value.

Token cost: Poor. The Renovate close/reopen cycle triggered review agents on each reopen (with unchanged diffs). The final close triggered 5 concurrent retro runs and 2 review runs on an already-closed PR.

Existing coverage

All improvement opportunities identified are already covered by open issues in

No new proposals are needed. Implementing the existing issues above (particularly #2461, #1870, #2401, and #1356) would have prevented most of the wasted compute on this PR.
🤖 Finished Review · ✅ Success · Started 10:32 PM UTC · Completed 10:40 PM UTC
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
[critical] api-contract
The PR replaces github.com/oklog/ulid v1.3.1 with github.com/oklog/ulid/v2 v2.1.1, but in Go modules these are distinct modules with distinct import paths. The actual consumer -- go-openapi/strfmt v0.25.0 -- imports the v1 path in vendor/github.com/go-openapi/strfmt/ulid.go and mongo.go. Removing v1 without updating strfmt will break the module graph. Additionally, go.sum only contains v1 checksums, vendor/modules.txt references only v1, and the vendor directory contains only v1 code.
Suggested fix: Do not replace v1 with v2 unless go-openapi/strfmt is simultaneously bumped to a version that imports github.com/oklog/ulid/v2. Options: (1) close this PR since v1 is required transitively by strfmt v0.25.0; (2) bump strfmt to a version using ulid/v2, then run go mod tidy && go mod vendor; or (3) add v2 alongside v1 rather than replacing v1.
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
[medium] dependency-management-consistency
The dependency github.com/oklog/ulid is an indirect transitive dependency not directly used by this project. Renovatebot is attempting to upgrade it to an incompatible major version, but the actual direct consumer (github.com/go-openapi/strfmt v0.25.0) still requires v1. Indirect dependency versions should be determined by direct dependencies' requirements.
Suggested fix: Wait for the upstream dependency (github.com/go-openapi/strfmt) to migrate to ulid v2 before upgrading.
🤖 Finished Retro · ✅ Success · Started 5:44 AM UTC · Completed 5:48 AM UTC

Retro: PR #1492 — Renovate bot dependency bump (oklog/ulid v1→v2)

This was a Renovate-generated PR that was never mergeable (Go major version path incompatibility). Over 108 days, it was closed 11 times and reopened 10 times by the bot, with no human interaction. The review agent ran twice on an identical, fundamentally broken diff, and the retro agent ran at least twice (including a prior retro on June 21 that reached the same conclusions).

Key waste

No new proposals

All improvement opportunities identified are already covered by existing open issues in

This is the second retro run on this same PR (the first completed June 21 with identical conclusions), which itself exemplifies the deduplication gap tracked in #2401.
🤖 Finished Review · ✅ Success · Started 1:29 PM UTC · Completed 1:34 PM UTC
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
[critical] logic-error
go.mod changes github.com/oklog/ulid v1.3.1 to github.com/oklog/ulid/v2 v2.1.1, but the only consumer of this dependency (go-openapi/strfmt v0.25.0) imports the v1 path github.com/oklog/ulid (confirmed in vendor/github.com/go-openapi/strfmt/ulid.go line 14 and vendor/github.com/go-openapi/strfmt/mongo.go line 12). In Go modules v1 and v2 are distinct module paths. The vendored source (vendor/github.com/oklog/ulid/) is v1 code, vendor/modules.txt lists github.com/oklog/ulid v1.3.1, go.sum only has v1.3.1 hashes, and no vendor/github.com/oklog/ulid/v2/ directory exists. This change will break go mod tidy, go mod verify, and vendored builds because the declared v2 requirement has no corresponding import or vendored code.
Suggested fix: Revert go.mod to github.com/oklog/ulid v1.3.1. The v2 bump is only valid once go-openapi/strfmt itself is updated to a version that imports the v2 module path. Alternatively, update go-openapi/strfmt first, then run go mod tidy && go mod vendor.
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
🤖 Finished Review · ✅ Success · Started 10:32 PM UTC · Completed 10:40 PM UTC
| github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/oklog/ulid/v2 v2.1.1 // indirect |
[critical] API contract violation
The PR replaces github.com/oklog/ulid v1.3.1 with github.com/oklog/ulid/v2 v2.1.1 in go.mod, but the vendored consumer go-openapi/strfmt v0.25.0 imports the v1 module path (github.com/oklog/ulid) in both vendor/github.com/go-openapi/strfmt/ulid.go (line 14) and vendor/github.com/go-openapi/strfmt/mongo.go (line 12). The vendored source tree under vendor/github.com/oklog/ulid/ contains v1 code, vendor/modules.txt references github.com/oklog/ulid v1.3.1 (line 423), and go.sum only contains v1 checksums. Changing go.mod alone without updating these files makes the module graph inconsistent and will cause a build failure.
Suggested fix: Either (1) upgrade go-openapi/strfmt to a version that imports github.com/oklog/ulid/v2 before removing the v1 dependency, or (2) keep the v1 dependency since it is what the current strfmt v0.25.0 requires. After any go.mod change, run go mod tidy and go mod vendor to synchronize go.sum, vendor/modules.txt, and the vendored sources.
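The path-resolution point these review findings rest on, as an added example that is not part of the PR or of any project's code: a simplified checker that maps each import to a required module by longest path prefix. The go.mod texts, the import list and the names check, requiredModules, beforePR, afterPR and buildImports are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed inputs: go.mod before/after the bump; per the review, strfmt imports the v1 path.
const beforePR = "require (\n\tgithub.com/go-openapi/strfmt v0.25.0\n\tgithub.com/oklog/ulid v1.3.1 // indirect\n)"
const afterPR = "require (\n\tgithub.com/go-openapi/strfmt v0.25.0\n\tgithub.com/oklog/ulid/v2 v2.1.1 // indirect\n)"
var buildImports = []string{"github.com/go-openapi/strfmt", "github.com/oklog/ulid"}

// requiredModules lists module paths from require lines (simplified go.mod parsing, require only).
func requiredModules(gomod string) (mods []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && strings.HasPrefix(f[1], "v") {
			mods = append(mods, f[0])
		}
	}
	return mods
}

// check maps each import to the longest-prefix required module (the go command also checks directories).
func check(gomod string, imports []string) (missing, unused []string) {
	mods, used := requiredModules(gomod), map[string]bool{}
	for _, imp := range imports {
		best := ""
		for _, m := range mods {
			if (imp == m || strings.HasPrefix(imp, m+"/")) && len(m) > len(best) {
				best = m
			}
		}
		if used[best] = true; best == "" {
			missing = append(missing, imp) // no required module provides this import
		}
	}
	for _, m := range mods {
		if !used[m] {
			unused = append(unused, m) // required, but nothing imports it
		}
	}
	return missing, unused
}

func main() {
	fmt.Println(check(afterPR, buildImports))
}
```

With the v2-only go.mod the v1 import has no provider and the v2 requirement has no importer; with the v1 go.mod both lists are empty.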
This PR contains the following updates:
v1.3.1 → v2.1.1
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Release Notes
oklog/ulid (github.com/oklog/ulid)
v2.1.1
What's Changed
ulid.Nil and .IsZero() method by @tonyhb in #112
New Contributors
Full Changelog: oklog/ulid@v2.1.0...v2.1.1
v2.1.0
Full release of v2.1.0, thanks to our testers.
What's Changed
alizain/ulid by @kachick in #67
New Contributors
Full Changelog: oklog/ulid@v2.0.2...v2.1.0
v2.0.2
Identical to v2.0.1, except uses the proper /v2 suffix on the ulid import in ulid_test.go. Without this change, anyone who imported oklog/ulid at e.g. v2.0.1 into their project would also get oklog/ulid at v0-something due to the inadvertent transitive dependency.
v2.0.1
Identical to v2.0.0, but fixes a bug in the go.mod module path.
v2.0.0
A new major version to go with support for Go modules. Also, improved support for safe monotonic readers.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.