Closed
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -31,7 +31,7 @@ require (
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/bradleyfalzon/ghinstallation/v2 v2.19.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cenkalti/backoff/v6 v6.0.1 // indirect

[high] api-contract

The PR changes backoff/v5 to backoff/v6 in go.mod without updating go.sum. In Go modules, v5 and v6 are distinct module paths. Since backoff is an indirect dependency, its version is dictated by whichever direct dependency transitively requires it. Without evidence that the upstream dependency has migrated to backoff/v6, this change will likely cause build failures or be reverted by go mod tidy.

Suggested fix: Run go mod tidy to verify whether backoff/v6 is actually required by the dependency graph. If go mod tidy reverts to v5, do not merge this PR. If v6 is valid, include the regenerated go.sum.

[high] missing-artifact

The PR modifies go.mod but does not update go.sum. The go.sum file contains checksums only for backoff/v5 and has no entries for backoff/v6. Without matching go.sum updates, the build will fail with checksum verification errors.

Suggested fix: Run go mod tidy to regenerate go.sum and include the updated go.sum in the PR.

[low] major-version-upgrade

This is a major version upgrade (v5 -> v6) of an indirect dependency. While major version changes can introduce breaking API changes, this package is not directly imported by this codebase, so the risk is limited to transitive compatibility.

[critical] broken module graph

go.mod is updated to require github.com/cenkalti/backoff/v6 v6.0.1, but go.sum is not included in this PR. go.sum currently contains only checksums for github.com/cenkalti/backoff/v5 v5.0.3. In Go modules, v5 and v6 are entirely different module paths, so go.sum must contain the v6 checksums for the module to resolve. Without an updated go.sum, go build, go test, and go mod verify will all fail.

Suggested fix: Run go mod tidy to regenerate go.sum with the correct checksums for backoff/v6 (and remove the stale v5 entries), then include the updated go.sum in this PR. Alternatively, verify that an upstream direct dependency actually requires backoff/v6 -- if none does, the go.mod change itself may be incorrect and go mod tidy will revert it back to v5.
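The go.mod/go.sum mismatch described in the comment above, as an added example that is not part of the PR, the repository, or any reviewer's comment: a simplified stand-in for one part of the go command's own check, reporting every module required by go.mod that has no `/go.mod` hash line in go.sum. The function name, the sample file contents and the `PLACEHOLDER` hashes are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: go.mod requires backoff/v6, go.sum still lists only v5 (placeholder hashes).
const sampleMod = "require (\n\tgithub.com/blang/semver/v4 v4.0.0 // indirect\n" +
	"\tgithub.com/cenkalti/backoff/v6 v6.0.1 // indirect\n)\n"
const sampleSum = "github.com/blang/semver/v4 v4.0.0/go.mod h1:PLACEHOLDER=\n" +
	"github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:PLACEHOLDER=\n"

// missingChecksums returns each "path@version" required by go.mod that has no
// "/go.mod" hash line in go.sum.
func missingChecksums(goMod, goSum string) []string {
	have := map[string]bool{}
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && strings.HasSuffix(f[1], "/go.mod") {
			have[f[0]+"@"+strings.TrimSuffix(f[1], "/go.mod")] = true
		}
	}
	var missing []string
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments such as "// indirect"
		}
		f := strings.Fields(line)
		key := ""
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			key = f[0] + "@" + f[1] // line inside a require ( ... ) block
		case len(f) == 3 && f[0] == "require":
			key = f[1] + "@" + f[2] // single-line require directive
		}
		if key != "" && !have[key] {
			missing = append(missing, key)
		}
	}
	return missing
}

func main() { fmt.Println(missingChecksums(sampleMod, sampleSum)) }
```

Because v5 and v6 are different module paths, the v5 line in go.sum does nothing for the v6 requirement; only an entry under the `/v6` path clears the report.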

[low] indirect dependency compatibility

Major version bump (v5 to v6) on an indirect dependency. No Go source files in this repository directly import cenkalti/backoff, so the transitive dependency that pulls it in must itself have been updated to import backoff/v6. None of the direct dependencies in go.mod appear to have been updated in this PR.

Suggested fix: Run go mod graph | grep backoff to verify which direct dependency transitively requires backoff/v6.

[low] incomplete dependency update

The PR updates cenkalti/backoff from v5 to v6 in go.mod. Since this is a major version bump of an indirect dependency, go.sum must also be updated with the new v6 checksums. The provided diff only shows go.mod. If go.sum is truly missing from the PR, the build will fail at CI.

Suggested fix: Verify that go.sum is included in the actual PR commits. If missing, run go mod tidy.

[low] transitive dependency compatibility

This is a major version bump of an indirect dependency (backoff v5 -> v6). No Go source files in this repository directly import cenkalti/backoff, so there is no direct code impact. However, whichever direct dependency transitively pulls in backoff must itself be compatible with v6. If the transitive graph still expects v5, go mod tidy would revert this change.

[high] API contract violation

go.mod changes cenkalti/backoff from v5 to v6 (a major-version bump with a new Go module path github.com/cenkalti/backoff/v6), but go.sum is not updated in this PR. The go.sum file currently contains only checksums for backoff/v5 and has no entries for backoff/v6. Without the corresponding go.sum update, go mod verify and go build will fail due to a missing checksum. Additionally, since this is an indirect dependency (no .go files in this repo import backoff directly), some transitive dependency must have been updated to require v6; however, no other dependency version changes appear in this diff, raising a question about whether go mod tidy would actually retain this v6 entry.

Suggested fix: Run go mod tidy followed by go mod verify to regenerate go.mod and go.sum consistently. Include the updated go.sum in the PR. If go mod tidy reverts the backoff/v6 line back to v5 (or removes it entirely), that indicates no transitive dependency actually requires v6 yet and this change is premature.

[low] API contract / module compatibility

Major version bump of indirect dependency cenkalti/backoff from v5 to v6. Since no .go files in this repository directly import this package, the risk is limited to transitive compatibility. The go.sum file must also be updated to reflect the new module path. This is a Renovate bot PR, which typically runs go mod tidy and includes go.sum changes automatically; CI will immediately catch any mismatch.

Suggested fix: Verify CI passes (go build / go mod tidy). If go.sum was not updated, run go mod tidy to regenerate it.

[high] incomplete dependency update

The PR updates go.mod to reference github.com/cenkalti/backoff/v6 v6.0.1 but does not include the corresponding go.sum update. go.sum currently only contains hash entries for backoff/v5 and has no entries for v6. A build or go mod verify will fail because the checksum for the new module version is missing from go.sum.

Suggested fix: Run go mod tidy to regenerate go.sum with the correct v6 checksum entries and remove the now-unused v5 entries. Include the updated go.sum in this PR.

[low] error handling gaps

The PR diff only modifies go.mod (changing cenkalti/backoff from v5 to v6) without an accompanying go.sum update. The current go.sum contains only v5 checksums. If go.sum is truly missing from the PR, builds will fail until it is regenerated.

Suggested fix: Run go mod tidy to regenerate go.sum with v6 checksums.

[critical] build breakage

The PR changes go.mod to reference cenkalti/backoff/v6 v6.0.1 but go.sum is not included in the changed files. go.sum still only contains entries for cenkalti/backoff/v5 v5.0.3 and has no entries for backoff/v6. Without the corresponding go.sum entries, builds and go mod verify will fail. The stale v5 entries in go.sum also need to be removed. This indicates go mod tidy was not run after modifying go.mod.

Suggested fix: Run go mod tidy after changing go.mod so that go.sum is updated with the correct hashes for cenkalti/backoff/v6 v6.0.1 and the stale cenkalti/backoff/v5 entries are removed. Include the updated go.sum in the PR.

[medium] dependency validity

In Go modules, cenkalti/backoff/v5 and cenkalti/backoff/v6 are different module paths due to major-version-suffix convention. Since backoff is an indirect dependency, the change is only valid if a transitive dependency has actually migrated to importing backoff/v6. If no dependency in the graph requires v6, go mod tidy would revert this change, suggesting the PR may be invalid.

Suggested fix: Run go mod tidy to let Go resolve the actual transitive dependency graph. If the result retains v6, the update is valid; if it reverts to v5, the PR should be closed.

[medium] API contract violation

The PR changes the indirect dependency from cenkalti/backoff/v5 to cenkalti/backoff/v6. In Go modules, v5 and v6 are distinct module paths, so the transitive dependency that pulls in backoff must itself have migrated to v6 for this change to be valid. Since backoff is purely indirect (no .go files in this repo import it), the change depends entirely on upstream dependencies having adopted v6. The go.sum file is also not updated, which means the PR as-is will fail go mod verify.

Suggested fix: Run go mod tidy and include the updated go.sum. If go mod tidy reintroduces backoff/v5, the upstream dependencies have not migrated and this PR is premature.

[high] api-contract

The PR updates go.mod to require github.com/cenkalti/backoff/v6 v6.0.1 (replacing v5) but go.sum is not included in the changed files and still contains only v5 checksum entries. This go.mod/go.sum mismatch will cause build failures (go build, go mod verify). Since cenkalti/backoff is an indirect dependency (no Go source files in this repo import it directly), the correctness of this major-version bump also depends on whether the direct dependency that transitively requires backoff has itself migrated to the v6 module path.

Suggested fix: Run go mod tidy so that go.sum is regenerated with v6 checksums. Verify the transitive dependency graph is consistent by running go mod graph | grep backoff.

[high] build breakage

The PR changes the module path from cenkalti/backoff/v5 to cenkalti/backoff/v6 in go.mod but does not update go.sum. In Go modules, v5 and v6 are entirely different module paths. The go.sum file only contains checksums for cenkalti/backoff/v5, so any build or go mod verify will fail because go.sum has no entry for cenkalti/backoff/v6 v6.0.1. Additionally, go mod why reports the main module does not need this package at all and go mod graph shows no dependency chain leading to it — the dependency is orphaned.

Suggested fix: Run go mod tidy to regenerate both go.mod and go.sum. Since go mod why reports the main module does not need this package, go mod tidy will likely remove the dependency entirely rather than upgrading it.

[low] incomplete dependency update

The diff updates cenkalti/backoff from v5 to v6 in go.mod, but go.sum does not include v6 entries. Since v5 and v6 are distinct Go module paths (major version change), both go.mod and go.sum must be updated together.

Suggested fix: Run go mod tidy to synchronize go.mod and go.sum. If the change reverts, no transitive dependency requires v6 yet.

[low] api-contract

The PR only modifies go.mod (changing cenkalti/backoff/v5 to v6) but go.sum is not updated in this PR. In Go modules, v5 and v6 are distinct module paths requiring different checksums. If go.sum is not regenerated, the build will fail.

Suggested fix: Run go mod tidy to update both go.mod and go.sum consistently, then commit the updated go.sum.

[low] api-contract

This is a major version bump (v5 -> v6) of an indirect dependency. The transitive consumer must itself require backoff/v6 for this change to be valid. If no dependency in the module graph imports v6, go mod tidy would revert back to v5.

Suggested fix: Run go mod tidy and verify the result. If go mod tidy reverts the change back to v5, it means no direct dependency in the module graph actually requires v6.

[medium] Incomplete dependency update

The PR bumps cenkalti/backoff from v5 to v6 in go.mod but does not include corresponding go.sum updates. Since go.sum currently only contains entries for backoff/v5, the module graph will be incomplete until go mod tidy is run. No Go source files in this repo import cenkalti/backoff directly (it is purely indirect), so there is no risk of broken import paths in application code. The build will fail at dependency resolution (not compilation), and CI will catch this immediately.

Suggested fix: Run go mod tidy and include the resulting go.sum changes in the PR.

github.com/cloudflare/circl v1.6.4 // indirect
github.com/cyphar/filepath-securejoin v0.7.0 // indirect
github.com/emicklei/go-restful/v3 v3.13.0 // indirect
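
Review bot: go.sum is missing from this change: the diff shown covers only go.mod (1 addition, 1 deletion), yet the replaced line in the require block switches to a different module path, github.com/cenkalti/backoff/v6 v6.0.1 in place of github.com/cenkalti/backoff/v5 v5.0.3. Both lines are marked // indirect and none of the neighbouring require lines change, so nothing visible here shows which dependency asks for the v6 path. Regenerate with go mod tidy and commit go.mod and go.sum together; if tidy restores the v5 line, drop the change.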