Skip to content

chore(deps): update module github.com/cenkalti/backoff/v5 to v6 - autoclosed#1710

Closed
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x
Closed

chore(deps): update module github.com/cenkalti/backoff/v5 to v6 - autoclosed#1710
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/cenkalti/backoff/v5 v5.0.3v6.0.1 age confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v5)

v6.0.1

Compare Source

v6.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 19, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:34 PM UTC · Completed 10:40 PM UTC
Commit: 218f229 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review

Findings

Medium

  • [dependency update completeness] go.mod:34 — The PR changes only go.mod but does not include a corresponding go.sum update. The major version bump from cenkalti/backoff/v5 to v6 changes the Go module path, so go.sum must be regenerated. The current go.sum contains only v5 entries. Without the updated go.sum, builds and go mod verify will fail.
    Remediation: Run go mod tidy and include the updated go.sum in the PR.
Previous run

Review

Findings

Medium

  • [Incomplete dependency update] go.mod:34 — The PR bumps cenkalti/backoff from v5 to v6 in go.mod but does not include corresponding go.sum updates. Since go.sum currently only contains entries for backoff/v5, the module graph will be incomplete until go mod tidy is run. No Go source files in this repo import cenkalti/backoff directly (it is purely indirect), so there is no risk of broken import paths in application code. The build will fail at dependency resolution (not compilation), and CI will catch this immediately.
    Remediation: Run go mod tidy and include the resulting go.sum changes in the PR.
Previous run (2)

Review

Findings

Low

  • [api-contract] go.mod:34 — The PR only modifies go.mod (changing cenkalti/backoff/v5 to v6) but go.sum is not updated in this PR. In Go modules, v5 and v6 are distinct module paths requiring different checksums. If go.sum is not regenerated, the build will fail. Verify by running go mod tidy.

  • [api-contract] go.mod:34 — This is a major version bump of an indirect dependency. The transitive consumer (likely go-github or ghinstallation) must itself require backoff/v6 for this change to be valid. If no dependency in the module graph imports v6, go mod tidy would revert back to v5.

Previous run (3)

Looks good to me

Low

  • [incomplete dependency update] go.mod:34 — The diff updates cenkalti/backoff from v5 to v6 in go.mod, but go.sum does not include v6 entries. Since v5 and v6 are distinct Go module paths (major version change), both go.mod and go.sum must be updated together.
    Remediation: Run go mod tidy to synchronize go.mod and go.sum. If the change reverts, no transitive dependency requires v6 yet.
Previous run (4)

Review

Findings

High

  • [build breakage] go.mod:34 — The PR changes the module path from cenkalti/backoff/v5 to cenkalti/backoff/v6 in go.mod but does not update go.sum. In Go modules, v5 and v6 are entirely different module paths. The go.sum file only contains checksums for cenkalti/backoff/v5, so any build or go mod verify will fail because go.sum has no entry for cenkalti/backoff/v6 v6.0.1. Additionally, go mod why reports the main module does not need this package at all and go mod graph shows no dependency chain leading to it — the dependency is orphaned.
    Remediation: Run go mod tidy to regenerate both go.mod and go.sum. Since go mod why reports the main module does not need this package, go mod tidy will likely remove the dependency entirely rather than upgrading it.
Previous run (5)

Review

Findings

High

  • [api-contract] go.mod:34 — The PR updates go.mod to require github.com/cenkalti/backoff/v6 v6.0.1 (replacing v5) but go.sum is not included in the changed files and still contains only v5 checksum entries. This go.mod/go.sum mismatch will cause build failures (go build, go mod verify). Since cenkalti/backoff is an indirect dependency (no Go source files in this repo import it directly), the correctness of this major-version bump also depends on whether the direct dependency that transitively requires backoff has itself migrated to the v6 module path.
    Remediation: Run go mod tidy so that go.sum is regenerated with v6 checksums. Verify the transitive dependency graph is consistent by running go mod graph | grep backoff.
Previous run (6)

Review

Findings

Medium

  • [API contract violation] go.mod:34 — The PR changes the indirect dependency from cenkalti/backoff/v5 to cenkalti/backoff/v6. In Go modules, v5 and v6 are distinct module paths, so the transitive dependency that pulls in backoff must itself have migrated to v6 for this change to be valid. Since backoff is purely indirect (no .go files in this repo import it), the change depends entirely on upstream dependencies having adopted v6. The go.sum file is also not updated, which means the PR as-is will fail go mod verify.
    Remediation: Run go mod tidy and include the updated go.sum. If go mod tidy reintroduces backoff/v5, the upstream dependencies have not migrated and this PR is premature.
Previous run (7)

Review

Findings

Medium

  • [Build configuration] go.mod:34 — The PR updates cenkalti/backoff from v5 to v6 in go.mod but does not include a corresponding go.sum update. In Go modules, a major version bump changes the module import path, and go.sum must contain the new module's checksum. Without the go.sum update, the build will fail deterministically.
    Remediation: Run go mod tidy to resolve the dependency graph and update go.sum. Include the updated go.sum in the PR.

Labels: Go dependency update in go.mod

Previous run (8)

Review

Findings

Critical

  • [build breakage] go.mod:34 — The PR changes go.mod to reference cenkalti/backoff/v6 v6.0.1 but go.sum is not included in the changed files. go.sum still only contains entries for cenkalti/backoff/v5 v5.0.3 and has no entries for backoff/v6. Without the corresponding go.sum entries, builds and go mod verify will fail. The stale v5 entries in go.sum also need to be removed. This indicates go mod tidy was not run after modifying go.mod.
    Remediation: Run go mod tidy after changing go.mod so that go.sum is updated with the correct hashes for cenkalti/backoff/v6 v6.0.1 and the stale cenkalti/backoff/v5 entries are removed. Include the updated go.sum in the PR.

Medium

  • [dependency validity] go.mod:34 — In Go modules, cenkalti/backoff/v5 and cenkalti/backoff/v6 are different module paths due to major-version-suffix convention. Since backoff is an indirect dependency, the change is only valid if a transitive dependency has actually migrated to importing backoff/v6. If no dependency in the graph requires v6, go mod tidy would revert this change, suggesting the PR may be invalid.
    Remediation: Run go mod tidy to let Go resolve the actual transitive dependency graph. If the result retains v6, the update is valid; if it reverts to v5, the PR should be closed.
Previous run (9)

Review

Findings

Low

  • [error handling gaps] go.mod:34 — The PR diff only modifies go.mod (changing cenkalti/backoff from v5 to v6) without an accompanying go.sum update. The current go.sum contains only v5 checksums. If go.sum is truly missing from the PR, builds will fail until it is regenerated.
    Remediation: Run go mod tidy to regenerate go.sum with v6 checksums.

Labels: PR updates a Go indirect dependency

Previous run (10)

Review

Findings

High

  • [incomplete dependency update] go.mod:34 — The PR updates go.mod to reference github.com/cenkalti/backoff/v6 v6.0.1 but does not include the corresponding go.sum update. go.sum currently only contains hash entries for backoff/v5 and has no entries for v6. In Go, v5 and v6 are distinct module paths under semantic import versioning, so the build and go mod verify will fail because the checksum for the new module version is missing from go.sum.
    Remediation: Run go mod tidy to regenerate go.sum with the correct v6 checksum entries and remove the now-unused v5 entries. Include the updated go.sum in this PR.
Previous run (11)

Review

Findings

Low

  • [API contract / module compatibility] go.mod:34 — Major version bump of indirect dependency cenkalti/backoff from v5 to v6. Since no .go files in this repository directly import this package, the risk is limited to transitive compatibility. The go.sum file must also be updated to reflect the new module path. This is a Renovate bot PR, which typically runs go mod tidy and includes go.sum changes automatically; CI will immediately catch any mismatch.
    Remediation: Verify CI passes (go build / go mod tidy). If go.sum was not updated, run go mod tidy to regenerate it.
Previous run (12)

Review

Findings

High

  • [API contract violation] go.mod:34 — go.mod changes cenkalti/backoff from v5 to v6 (a major-version bump with a new Go module path github.com/cenkalti/backoff/v6), but go.sum is not updated in this PR. The go.sum file currently contains only checksums for backoff/v5 and has no entries for backoff/v6. Without the corresponding go.sum update, go mod verify and go build will fail due to a missing checksum. Additionally, since this is an indirect dependency (no .go files in this repo import backoff directly), some transitive dependency must have been updated to require v6; however, no other dependency version changes appear in this diff, raising a question about whether go mod tidy would actually retain this v6 entry.
    Remediation: Run go mod tidy followed by go mod verify to regenerate go.mod and go.sum consistently. Include the updated go.sum in the PR. If go mod tidy reverts the backoff/v6 line back to v5 (or removes it entirely), that indicates no transitive dependency actually requires v6 yet and this change is premature.
Previous run (13)

Review

Findings

Low

  • [incomplete dependency update] go.mod:34 — The PR updates cenkalti/backoff from v5 to v6 in go.mod. Since this is a major version bump of an indirect dependency, go.sum must also be updated with the new v6 checksums. The provided diff only shows go.mod. This is likely a Renovate bot PR where go.sum changes are present but omitted from the summary. If go.sum is truly missing, CI will catch it — the build will not compile.
    Remediation: Verify that go.sum is included in the actual PR commits. If missing, run go mod tidy.

  • [transitive dependency compatibility] go.mod:34 — This is a major version bump of an indirect dependency (backoff v5 → v6). No Go source files in this repository directly import cenkalti/backoff, so there is no direct code impact. However, whichever direct dependency transitively pulls in backoff must itself be compatible with v6. If the transitive graph still expects v5, go mod tidy would revert this change.

Previous run (14)

Review

Findings

Critical

  • [broken module graph] go.mod:34go.mod is updated to require github.com/cenkalti/backoff/v6 v6.0.1, but go.sum is not included in this PR. go.sum currently contains only checksums for github.com/cenkalti/backoff/v5 v5.0.3. In Go modules, v5 and v6 are entirely different module paths, so go.sum must contain the v6 checksums for the module to resolve. Without an updated go.sum, go build, go test, and go mod verify will all fail.
    Remediation: Run go mod tidy to regenerate go.sum with the correct checksums for backoff/v6 (and remove the stale v5 entries), then include the updated go.sum in this PR. Alternatively, verify that an upstream direct dependency actually requires backoff/v6 — if none does, the go.mod change itself may be incorrect and go mod tidy will revert it back to v5.

Low

  • [indirect dependency compatibility] go.mod:34 — This is a major version bump (v5 → v6) on an indirect dependency. No Go source files in this repository directly import cenkalti/backoff, so the transitive dependency that pulls it in must itself have been updated to import backoff/v6. None of the direct dependencies in go.mod appear to have been updated in this PR.
    Remediation: Run go mod graph | grep backoff to verify which direct dependency transitively requires backoff/v6.
Previous run (15)

Review

Findings

High

  • [api-contract] go.mod:34 — The PR changes backoff/v5 to backoff/v6 in go.mod without updating go.sum. In Go modules, v5 and v6 are distinct module paths. Since backoff is an indirect dependency, its version is dictated by whichever direct dependency transitively requires it. Without evidence that the upstream dependency has migrated to backoff/v6, this change will likely cause build failures or be reverted by go mod tidy.
    Remediation: Run go mod tidy to verify whether backoff/v6 is actually required by the dependency graph. If go mod tidy reverts to v5, do not merge this PR. If v6 is valid, include the regenerated go.sum.

  • [missing-artifact] go.mod:34 — The PR modifies go.mod but does not update go.sum. The go.sum file contains checksums only for backoff/v5 and has no entries for backoff/v6. Without matching go.sum updates, the build will fail with checksum verification errors.
    Remediation: Run go mod tidy to regenerate go.sum and include the updated go.sum in the PR.

Low

  • [major-version-upgrade] go.mod:34 — This is a major version upgrade (v5 → v6) of an indirect dependency. While major version changes can introduce breaking API changes, this package is not directly imported by this codebase, so the risk is limited to transitive compatibility. Verify that all direct dependencies that transitively depend on backoff are compatible with v6.

fullsend-ai-review[bot]

This comment was marked as outdated.

@seanconroy2021

Copy link
Copy Markdown
Member

Go Test on Pull Requests / Check docker build (pull_request)
Go Test on Pull Requests / Check docker build (pull_request)Failing after 29s
Required
Go Test on Pull Requests / Check sources (pull_request)
Go Test on Pull Requests / Check sources (pull_request)Failing after 52s

@seanconroy2021 seanconroy2021 marked this pull request as draft June 22, 2026 08:35
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from 4352403 to 911ef53 Compare June 22, 2026 10:35
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:37 AM UTC · Completed 10:42 AM UTC
Commit: 218f229 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from 911ef53 to 6af51fe Compare June 22, 2026 14:46
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:48 PM UTC · Completed 2:54 PM UTC
Commit: 7acff03 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 22, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from 6af51fe to 81ea797 Compare June 22, 2026 20:08
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:11 PM UTC · Completed 8:17 PM UTC
Commit: 0d0162a · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot removed the ready-for-merge All reviewers approved — ready to merge label Jun 22, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from 81ea797 to dd63db6 Compare June 23, 2026 13:18
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:20 PM UTC · Completed 1:26 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 23, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from dd63db6 to c65ae6c Compare June 23, 2026 21:00
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:02 PM UTC · Completed 9:07 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot removed the ready-for-merge All reviewers approved — ready to merge label Jun 23, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from c65ae6c to 1ded175 Compare June 24, 2026 20:31
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 24, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:34 PM UTC · Completed 8:40 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 24, 2026
@fullsend-ai-review fullsend-ai-review Bot dismissed stale reviews from themself July 1, 2026 14:42

Superseded by updated review

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/cenkalti/backoff/v5 to v6 chore(deps): update module github.com/cenkalti/backoff/v5 to v6 - autoclosed Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jul 2, 2026
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 1:39 AM UTC · Completed 1:44 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #1710 (second run) — Renovate dependency bump (autoclosed)

This is the second retro on this PR. The first retro ran on Jun 28 when the PR was first autoclosed, and correctly identified all improvement opportunities. The PR was then reopened by MintMaker on Jun 29, reviewed 7 more times (bringing the total to 15 reviews), and closed again on Jul 2 — triggering this duplicate retro.

What happened

PR #1710 was a MintMaker bot PR bumping cenkalti/backoff from v5 to v6 in go.mod without updating go.sum, making it broken from the start. Over 13 days, the review agent reviewed it 15 times, oscillating between APPROVED and CHANGES_REQUESTED on the same unchanged commit. The ready-for-merge label was toggled 4 times. No human ever fixed the PR. It was autoclosed, reopened, then closed again.

No new proposals

Every pattern observed here is covered by existing open issues in fullsend-ai/fullsend:

  • This duplicate retro run: #2401 (deduplicate retro runs on same PR), #2461 (skip retro on autoclosed bot PRs)
  • Verdict oscillation on unchanged code: #947, #1389
  • Redundant re-reviews on rebased bot PRs: #1355, #1356, #1013
  • No per-PR review budget/cap: #2599, #2587
  • Should recommend closing unfixable bot PRs: #2586
  • Lightweight review path for bot dep bumps: #1358, #2639

Resolving the existing issues — particularly #2587/#2599 (review caps), #2401 (retro dedup), and #2461 (skip retro on autoclosed bot PRs) — would have prevented the compounding waste observed here.

@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/cenkalti/backoff/v5 to v6 - autoclosed chore(deps): update module github.com/cenkalti/backoff/v5 to v6 Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch 2 times, most recently from e96348a to 4c62751 Compare July 2, 2026 06:05
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:08 AM UTC · Completed 6:15 AM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed ready-for-merge All reviewers approved — ready to merge labels Jul 2, 2026
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x branch from 4c62751 to b8d3cc3 Compare July 2, 2026 14:41
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:43 PM UTC · Completed 2:50 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/cenkalti/backoff/v5 to v6 chore(deps): update module github.com/cenkalti/backoff/v5 to v6 - autoclosed Jul 3, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jul 3, 2026
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 5:36 PM UTC · Completed 5:42 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #1710 — Bot dependency bump with 17 reviews and 71 workflow runs

This PR was a 1-line go.mod change by MintMaker/Renovate bumping cenkalti/backoff from v5 to v6. It was fundamentally broken from creationgo.sum was never updated, so CI failed all 19 times. Despite this, the review agent reviewed it 17 times over 14 days, oscillating between APPROVE (5×) and DISMISS/COMMENT (12×) on identical code. The ready-for-merge label was toggled at least 8 times. The bot kept force-pushing rebases and reopening after autoclosures, each triggering new review cycles. Only one human ever looked at it. Three retro runs were also triggered (one per close event).

Total waste: 71 workflow runs, 17 reviews, 3 retros — all for a PR that was never buildable.

All issues are already tracked

Both prior retro runs (#1 on Jun 28, #2 on Jul 2) thoroughly identified the problems and confirmed they map to existing open issues in fullsend-ai/fullsend:

Problem Existing Issues
Verdict oscillation on unchanged code #1389
Review agent approves without checking CI #369, #2667, #1424
Review agent should attempt Go compilation #1345
No per-PR review budget/cap #2599, #2992
Stale bot PR auto-close #2863
Redundant retro runs on same PR #2401
Skip retro for autoclosed bot PRs #2461
Cheaper model for trivial bot PRs #2842

This PR is a high-severity instance of known problems. Fixing #2992 (circuit breaker) and #369 (CI-aware reviews) alone would have prevented ~90% of the waste. No new proposals needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code requires-manual-review Review requires human judgment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants