fix(deps): update golang.org/x/exp digest to c48552f #172
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| module github.com/konflux-ci/qe-tools | ||
|
|
||
| go 1.23.0 | ||
| go 1.25.0 | ||
|
[critical] unauthorized-change
Go toolchain version updated from 1.22.0 to 1.25.0 without authorization. The PR title claims to update only golang.org/x/exp digest, but this change upgrades the entire Go language version to a nonexistent version. CLAUDE.md documents Go version mismatch as a known pitfall.
Suggested fix: Revert go.mod line 3 to go 1.22.0. Go toolchain upgrades require a separate, authorized PR.

[high] API contract violation
The go directive is bumped from 1.23.0 to 1.25.0. Multiple CI workflows specify incompatible Go versions: slack-message.yml uses Go 1.22, lint.yml uses Go 1.23, pre-commit.yml uses Go 1.23, and test.yml uses Go 1.23.x. Modules with a go 1.25 directive require Go 1.25+ to build, so this will cause immediate CI failures.
Suggested fix: Either keep the go directive at 1.23.0 if the dependency updates do not require Go 1.25, or update all CI workflow files to use Go >= 1.25.
||
|
|
||
| require ( | ||
| cloud.google.com/go/storage v1.38.0 | ||
|
|
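Review bot: The go directive change at the top of go.mod (`go 1.23.0` to `go 1.25.0`) is outside what the PR title describes and needs its own justification on the PR. Since Go 1.21 the go directive is a minimum required version, so a Go 1.21 or later toolchain older than 1.25 will either refuse to build this module or try to download a newer toolchain, depending on the GOTOOLCHAIN setting. Please state in the PR description which dependency forced the bump and update the Go version used by CI and build images in the same change, or hold the directive at 1.23.0 and pick dependency versions that still support it.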
@@ -19,9 +19,9 @@ require ( | |
| github.com/spf13/cobra v1.8.0 | ||
| github.com/spf13/viper v1.18.2 | ||
| github.com/sqs/goreturns v0.0.0-20231030191505-16fc3d8edd91 | ||
| golang.org/x/exp v0.0.0-20230905200255-921286631fa9 | ||
| golang.org/x/exp v0.0.0-20260611194520-c48552f49976 | ||
|
[medium] scope-creep
PR title claims update golang.org/x/exp digest but the diff includes 10+ additional dependency updates including golang.org/x/tools (v0.30.0 to v0.46.0) and adds new dependency golang.org/x/telemetry.
||
| golang.org/x/lint v0.0.0-20241112194109-818c5a804067 | ||
| golang.org/x/tools v0.30.0 | ||
| golang.org/x/tools v0.46.0 | ||
|
[low] API contract violation
Bumping golang.org/x/tools from v0.30.0 to v0.46.0 is a very large jump. Linter dependencies may fail to compile against this version.
Suggested fix: Verify all linter dependencies compile against x/tools v0.46.0.
||
| google.golang.org/api v0.164.0 | ||
| honnef.co/go/tools v0.4.7 | ||
|
[high] API contract violation
honnef.co/go/tools v0.4.7 (staticcheck) is a direct dependency with tight internal coupling to golang.org/x/tools via go/analysis. Bumping golang.org/x/tools from v0.30.0 to v0.46.0 (16 minor versions) risks binary incompatibility. Go MVS will select v0.46.0, which may break staticcheck compilation. The pinned golang.org/x/exp/typeparams at its old version adds further mismatch risk.
Suggested fix: Either bump honnef.co/go/tools to a version compatible with golang.org/x/tools v0.46.0 (e.g., v0.6.x+), or verify the full build and linter suite passes with go build ./... before merging.
||
| k8s.io/api v0.27.4 | ||
|
|
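Review bot: The golang.org/x/exp change in the direct require block needs a recorded compile check, because it jumps from a 2023-09-05 pseudo-version to a 2026-06-11 one in a module that makes no compatibility promise. Packages in golang.org/x/exp can change incompatibly or be removed between snapshots, so please confirm that every x/exp package this module imports still exists and builds with `go build ./...` and `go vet ./...` on the target toolchain. It would also help to attach the output of `go mod why -m golang.org/x/tools` so the record shows why x/tools had to move from v0.30.0 to v0.46.0 in the same PR while honnef.co/go/tools v0.4.7 and golang.org/x/lint stay unchanged.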
@@ -143,15 +143,16 @@ require ( | |
| go.uber.org/multierr v1.9.0 // indirect | ||
| go.uber.org/zap v1.24.0 // indirect | ||
| go4.org v0.0.0-20201209231011-d4a079459e60 // indirect | ||
| golang.org/x/crypto v0.33.0 // indirect | ||
| golang.org/x/crypto v0.53.0 // indirect | ||
| golang.org/x/exp/typeparams v0.0.0-20240213143201-ec583247a57a // indirect | ||
|
[medium] API contract violation
golang.org/x/exp/typeparams remains pinned at a 2024-02-13 snapshot while golang.org/x/exp is bumped to a 2026-06-11 snapshot. The ~2-year version skew may cause compilation errors or interface mismatches.
Suggested fix: Run go mod tidy with the target Go version to resolve consistent versions, or remove typeparams if no longer needed.
||
| golang.org/x/mod v0.23.0 // indirect | ||
| golang.org/x/net v0.35.0 // indirect | ||
| golang.org/x/mod v0.37.0 // indirect | ||
| golang.org/x/net v0.56.0 // indirect | ||
| golang.org/x/oauth2 v0.17.0 // indirect | ||
| golang.org/x/sync v0.11.0 // indirect | ||
| golang.org/x/sys v0.30.0 // indirect | ||
| golang.org/x/term v0.29.0 // indirect | ||
| golang.org/x/text v0.22.0 // indirect | ||
| golang.org/x/sync v0.21.0 // indirect | ||
| golang.org/x/sys v0.46.0 // indirect | ||
| golang.org/x/telemetry v0.0.0-20260610154732-fb80ec83bdd9 // indirect | ||
| golang.org/x/term v0.44.0 // indirect | ||
|
[medium] architecture-misalignment
Introduces new indirect dependency golang.org/x/telemetry (Go team opt-in crash/usage reporting) without documentation. May have privacy or compliance implications for a QE pipeline tool.
Suggested fix: Investigate why golang.org/x/telemetry was introduced and document telemetry policy, or pin golang.org/x/tools to a version without it.
||
| golang.org/x/text v0.38.0 // indirect | ||
| golang.org/x/time v0.5.0 // indirect | ||
| gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect | ||
| google.golang.org/appengine v1.6.8 // indirect | ||
|
|
||
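Review bot: The golang.org/x/crypto (v0.33.0 to v0.53.0) and golang.org/x/net (v0.35.0 to v0.56.0) bumps in the indirect block should be called out in the PR description, since they change security-sensitive code and the title mentions only golang.org/x/exp. Please review the matching go.sum changes and run `go mod verify` and `govulncheck ./...` before merging so the record shows the new versions were checked. golang.org/x/oauth2 v0.17.0 and golang.org/x/time v0.5.0 stay untouched while their sibling modules move, so also confirm that `go mod tidy` on the target toolchain leaves go.mod unchanged.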
[critical] API contract violation
The PR bumps the go directive from 1.22.0 to 1.25.0. Starting with Go 1.21, the go directive acts as a minimum required Go version. All CI workflows pin Go 1.22.x and the Dockerfile uses ubi9/go-toolset:9.8 which ships Go 1.22. After this PR merges, every CI job and container build will fail. Go 1.25 has not been released yet.
Suggested fix: Keep the go directive at 1.22.0 and only update the dependency digests, or bump Go version in all CI workflows and Dockerfile to match an existing Go release.