Skip to content

fix(deps): update golang.org/x/exp digest to c48552f#172

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/golang.org-x-exp-digest
Open

fix(deps): update golang.org/x/exp digest to c48552f#172
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/golang.org-x-exp-digest

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Nov 6, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
golang.org/x/exp require digest 9212866c48552f

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux

red-hat-konflux Bot commented Nov 6, 2025

Copy link
Copy Markdown
Contributor Author

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.21 -> 1.25.0
golang.org/x/tools v0.21.0 -> v0.43.0
golang.org/x/crypto v0.23.0 -> v0.49.0
golang.org/x/mod v0.17.0 -> v0.34.0
golang.org/x/net v0.25.0 -> v0.52.0
golang.org/x/sync v0.7.0 -> v0.20.0
golang.org/x/sys v0.29.0 -> v0.42.0
golang.org/x/term v0.20.0 -> v0.41.0
golang.org/x/text v0.15.0 -> v0.35.0

@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to a4bb9ff fix(deps): update golang.org/x/exp digest to a4bb9ff - autoclosed Nov 6, 2025
@red-hat-konflux red-hat-konflux Bot closed this Nov 6, 2025
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main/golang.org-x-exp-digest branch November 6, 2025 20:46
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to a4bb9ff - autoclosed fix(deps): update golang.org/x/exp digest to a4bb9ff Nov 7, 2025
@red-hat-konflux red-hat-konflux Bot reopened this Nov 7, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 59e5aad to 57aedad Compare November 7, 2025 00:26
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to a4bb9ff fix(deps): update golang.org/x/exp digest to a4bb9ff - autoclosed Nov 12, 2025
@red-hat-konflux red-hat-konflux Bot closed this Nov 12, 2025
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to a4bb9ff - autoclosed fix(deps): update golang.org/x/exp digest to a4bb9ff Nov 13, 2025
@red-hat-konflux red-hat-konflux Bot reopened this Nov 13, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 20548b2 to 57aedad Compare November 13, 2025 00:56
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to a4bb9ff fix(deps): update golang.org/x/exp digest to e25ba8c Nov 13, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 57aedad to 7a1f4ed Compare November 13, 2025 21:05
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 7a1f4ed to 8d1d03d Compare November 25, 2025 21:04
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to e25ba8c fix(deps): update golang.org/x/exp digest to 87e1e73 Nov 25, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 8d1d03d to 1182193 Compare November 26, 2025 17:18
@snyk-io

snyk-io Bot commented Nov 26, 2025

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 87e1e73 fix(deps): update golang.org/x/exp digest to 87e1e73 - autoclosed Dec 9, 2025
@red-hat-konflux red-hat-konflux Bot closed this Dec 9, 2025
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 87e1e73 - autoclosed fix(deps): update golang.org/x/exp digest to 87e1e73 Dec 9, 2025
@red-hat-konflux red-hat-konflux Bot reopened this Dec 9, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 28c779b to 1182193 Compare December 9, 2025 05:03
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 87e1e73 fix(deps): update golang.org/x/exp digest to 8475f28 Dec 9, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 1182193 to d4fe56e Compare December 9, 2025 17:03
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 8475f28 fix(deps): update golang.org/x/exp digest to 944ab1f Dec 20, 2025
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from d4fe56e to d4cf75c Compare December 20, 2025 01:03
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 944ab1f fix(deps): update golang.org/x/exp digest to 944ab1f - autoclosed Dec 21, 2025
@red-hat-konflux red-hat-konflux Bot closed this Dec 21, 2025
@red-hat-konflux red-hat-konflux Bot closed this Jan 4, 2026
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 944ab1f - autoclosed fix(deps): update golang.org/x/exp digest to 944ab1f Jan 4, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jan 4, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 33dc139 to d4cf75c Compare January 4, 2026 17:10
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 944ab1f fix(deps): update golang.org/x/exp digest to 944ab1f - autoclosed Jan 5, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jan 5, 2026
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 944ab1f - autoclosed fix(deps): update golang.org/x/exp digest to 944ab1f Jan 5, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jan 5, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 9b816e5 to d4cf75c Compare January 5, 2026 13:04
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 944ab1f fix(deps): update golang.org/x/exp digest to 716be56 Jan 13, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from d4cf75c to 40ad7e5 Compare January 13, 2026 01:35
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 716be56 fix(deps): update golang.org/x/exp digest to 716be56 - autoclosed Jan 31, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jan 31, 2026
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 716be56 - autoclosed fix(deps): update golang.org/x/exp digest to 716be56 Jan 31, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jan 31, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch 2 times, most recently from 40ad7e5 to cbbd296 Compare January 31, 2026 21:10
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from cbbd296 to d57d195 Compare February 10, 2026 01:06
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 716be56 fix(deps): update golang.org/x/exp digest to 2842357 Feb 10, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from d57d195 to 0164536 Compare February 11, 2026 21:20
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 2842357 fix(deps): update golang.org/x/exp digest to 2735e65 Feb 11, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/golang.org-x-exp-digest branch from 0164536 to 458096c Compare February 12, 2026 21:06
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update golang.org/x/exp digest to 2735e65 fix(deps): update golang.org/x/exp digest to 81e46e3 Feb 12, 2026
@red-hat-konflux

red-hat-konflux Bot commented Apr 2, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.0 -> 1.25.0
golang.org/x/tools v0.30.0 -> v0.46.0
golang.org/x/crypto v0.33.0 -> v0.53.0
golang.org/x/mod v0.23.0 -> v0.37.0
golang.org/x/net v0.35.0 -> v0.56.0
golang.org/x/sync v0.11.0 -> v0.21.0
golang.org/x/sys v0.30.0 -> v0.46.0
golang.org/x/term v0.29.0 -> v0.44.0
golang.org/x/text v0.22.0 -> v0.38.0

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:50 PM UTC · Completed 9:59 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review

Findings

High

  • [API contract violation] go.mod:3 — The go directive is bumped from 1.23.0 to 1.25.0. Multiple CI workflows specify incompatible Go versions: slack-message.yml uses Go 1.22, lint.yml uses Go 1.23, pre-commit.yml uses Go 1.23, and test.yml uses Go 1.23.x. Modules with a go 1.25 directive require Go 1.25+ to build, so this will cause immediate CI failures.
    Remediation: Either keep the go directive at 1.23.0 if the dependency updates do not require Go 1.25, or update all CI workflow files to use Go >= 1.25.

  • [API contract violation] go.mod:26honnef.co/go/tools v0.4.7 (staticcheck) is a direct dependency with tight internal coupling to golang.org/x/tools via go/analysis. Bumping golang.org/x/tools from v0.30.0 to v0.46.0 (16 minor versions) risks binary incompatibility — Go's MVS will select v0.46.0, which may break staticcheck's compilation. The pinned golang.org/x/exp/typeparams at its old version adds further mismatch risk.
    Remediation: Either bump honnef.co/go/tools to a version compatible with golang.org/x/tools v0.46.0 (e.g., v0.6.x+), or verify the full build and linter suite passes with go build ./... before merging.

Previous run

Review

Findings

Critical

  • [API contract violation] go.mod:3 — The PR bumps the go directive from 1.22.0 to 1.25.0. Starting with Go 1.21, the go directive acts as a minimum required Go version: any toolchain older than 1.25.0 will refuse to build the module. All four CI workflows (test.yml, lint.yml, pre-commit.yml, slack-message.yml) pin Go 1.22.x, and the Dockerfile uses ubi9/go-toolset:9.8 which ships Go 1.22. After this PR merges, every CI job and the container build will fail. Additionally, Go 1.25 has not been released yet, so this version cannot be installed anywhere.
    Remediation: Either (a) keep the go directive at 1.22.0 and only update the dependency digests, or (b) if a newer Go version is truly desired, bump the Go version in all CI workflows and the Dockerfile base image to match, and ensure the chosen Go version actually exists.

  • [unauthorized-change] go.mod:3 — Go toolchain version updated from 1.22.0 to 1.25.0 without authorization. The PR title claims to update only golang.org/x/exp digest, but this change upgrades the entire Go language version to a version that does not exist. CLAUDE.md documents "Go version mismatch" as a known pitfall.
    Remediation: Revert go.mod line 3 to go 1.22.0. Go toolchain upgrades require a separate, authorized PR that updates go.mod, CI workflows, and validates compatibility.

Medium

  • [API contract violation] go.mod:149 — The golang.org/x/exp/typeparams dependency remains pinned at a 2024-02-13 snapshot while the main golang.org/x/exp is bumped to a 2026-06-11 snapshot. Having a stale typeparams version alongside a much newer x/exp version may cause compilation errors or interface mismatches at build time.
    Remediation: Run go mod tidy with the target Go version to resolve consistent versions, or remove the typeparams dependency if no longer needed.

  • [scope-creep] go.mod:23 — PR title claims "update golang.org/x/exp digest" but the diff includes 10+ additional dependency updates: golang.org/x/tools (v0.30.0 → v0.46.0), golang.org/x/crypto, golang.org/x/mod, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text, and adds new dependency golang.org/x/telemetry.

  • [architecture-misalignment] go.mod:156 — Introduces new indirect dependency golang.org/x/telemetry without documentation or justification. This is the Go team's opt-in crash/usage reporting system — its introduction may have privacy or compliance implications for a QE pipeline tool running in CI environments.
    Remediation: Investigate why golang.org/x/telemetry was introduced (likely transitive from golang.org/x/tools v0.46.0). Document telemetry policy if acceptable, or pin golang.org/x/tools to a version that does not pull in telemetry.

Low

  • [API contract violation] go.mod:25 — Bumping golang.org/x/tools from v0.30.0 to v0.46.0 is a very large jump. Linter dependencies (go-critic, revive, gosec, honnef.co/go/tools) may fail to compile against this version.
    Remediation: Verify that all linter dependencies compile successfully against x/tools v0.46.0.

Labels: PR modifies go.mod and go.sum for dependency updates.

fullsend-ai-review[bot]

This comment was marked as outdated.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:48 AM UTC · Completed 10:56 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

Comment thread go.mod
module github.com/konflux-ci/qe-tools

go 1.23.0
go 1.25.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] API contract violation

The go directive is bumped from 1.23.0 to 1.25.0. Multiple CI workflows specify incompatible Go versions: slack-message.yml uses Go 1.22, lint.yml uses Go 1.23, pre-commit.yml uses Go 1.23, and test.yml uses Go 1.23.x. Modules with a go 1.25 directive require Go 1.25+ to build, so this will cause immediate CI failures.

Suggested fix: Either keep the go directive at 1.23.0 if the dependency updates do not require Go 1.25, or update all CI workflow files to use Go >= 1.25.

Comment thread go.mod
golang.org/x/tools v0.30.0
golang.org/x/tools v0.46.0
google.golang.org/api v0.164.0
honnef.co/go/tools v0.4.7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] API contract violation

honnef.co/go/tools v0.4.7 (staticcheck) is a direct dependency with tight internal coupling to golang.org/x/tools via go/analysis. Bumping golang.org/x/tools from v0.30.0 to v0.46.0 (16 minor versions) risks binary incompatibility. Go MVS will select v0.46.0, which may break staticcheck compilation. The pinned golang.org/x/exp/typeparams at its old version adds further mismatch risk.

Suggested fix: Either bump honnef.co/go/tools to a version compatible with golang.org/x/tools v0.46.0 (e.g., v0.6.x+), or verify the full build and linter suite passes with go build ./... before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants