fix(deps): update module go.yaml.in/yaml/v2 to v3 #1462
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,7 +14,7 @@ require ( | |
| github.com/onsi/gomega v1.42.1 | ||
| github.com/operator-framework/operator-lib v0.19.0 | ||
| github.com/tektoncd/pipeline v1.13.1 | ||
| go.yaml.in/yaml/v2 v2.4.4 | ||
| go.yaml.in/yaml/v3 v3.0.4 | ||
|
[low] missing-authorization This PR upgrades go.yaml.in/yaml from v2 to v3, a major version change. The PR is authored by red-hat-konflux[bot], an automated dependency management bot. While major version upgrades can introduce behavioral differences, the yaml library is used in exactly one location (e2e test error logging via yaml.Marshal), and the yaml.Marshal API is compatible between v2 and v3 for this use case. Suggested fix: Verify that the yaml.Marshal call at final_pipeline_finalizer_removed.go:237 produces acceptable output with v3. |
||
| k8s.io/api v0.35.6 | ||
| k8s.io/apimachinery v0.36.2 | ||
| k8s.io/client-go v11.0.0+incompatible | ||
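Review bot: no import-path change is visible alongside the go.yaml.in/yaml/v3 v3.0.4 line in the direct require block, and in Go a new major version is a separate import path. Confirm that the file calling yaml.Marshal now imports go.yaml.in/yaml/v3; if it still imports go.yaml.in/yaml/v2, the code keeps building against v2 and go mod tidy would undo this edit. v3's Marshal also indents with four spaces by default where v2 used two, so anything that compares or greps the marshalled text should be rechecked.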
|
|
@@ -101,7 +101,7 @@ require ( | |
| go.opentelemetry.io/otel/sdk/metric v1.44.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.44.0 // indirect | ||
| go.opentelemetry.io/proto/otlp v1.10.0 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| go.yaml.in/yaml/v2 v2.4.4 // indirect | ||
|
[low] architectural-alignment After the upgrade, both yaml/v2 (indirect) and yaml/v3 (direct) will coexist in the dependency tree. This dual-version state suggests a transitive dependency still requires v2. The upgrade path appears intentional: the project is migrating its direct usage to v3 while accommodating dependencies that have not yet migrated from v2. Suggested fix: Verify via `go mod why go.yaml.in/yaml/v2` which dependency requires v2, and track whether that dependency has a v3-compatible version available for future cleanup. |
||
| golang.org/x/crypto v0.53.0 // indirect | ||
| golang.org/x/exp v0.0.0-20260611194520-c48552f49976 // indirect | ||
| golang.org/x/mod v0.37.0 // indirect | ||
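Review bot: the go.yaml.in/yaml/v2 v2.4.4 // indirect line means v2 stays in the module graph, so this bump does not take the old major version out of the build; it only changes which version the project imports directly. Name the module that still requires v2 in the PR description (go mod why -m go.yaml.in/yaml/v2 will show it), keep v2.4.4 in scope for vulnerability scanning alongside v3.0.4, and confirm the line was produced by go mod tidy rather than edited by hand so that go.sum stays consistent with both entries.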
|
|
||
[low] Dependency Management & API Consistency
The upgrade from go.yaml.in/yaml/v2 to v3 is a major version change. The yaml package is used only once in the codebase (line 237, debug output in a failure handler). While yaml.Marshal has the same function signature in both v2 and v3, this is the sole consumer of the yaml dependency.
Suggested fix: If desired, replace yaml.Marshal with json.Marshal to eliminate the yaml dependency entirely from this test file. However, the current change is functionally safe since yaml.Marshal has an identical signature in v3 and is only used for non-functional debug output.