chore(deps): update module github.com/tidwall/gjson to v1.19.0 #232

Open
red-hat-konflux[bot] wants to merge 1 commit into dockerfile-test from konflux/mintmaker/dockerfile-test/github.com-tidwall-gjson-1.x

@red-hat-konflux red-hat-konflux Bot commented May 13, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| github.com/tidwall/gjson | v1.18.0 → v1.19.0 | age | confidence |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

tidwall/gjson (github.com/tidwall/gjson)

v1.19.0

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci Bot requested review from evacchi and mholder6 May 13, 2026 14:56

openshift-ci Bot commented May 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign vedantmahabaleshwarkar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented May 13, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

Cannot approve the pull request: Error: openshift-ci[bot] is not included in the approvers role in the OWNERS file

@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned May 14, 2026
@red-hat-konflux

Author

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@mwaykole mwaykole left a comment

Member

PR Review: chore(deps): update module github.com/tidwall/gjson to v1.19.0

Reviewed by: @mwaykole (Dev Engineer — Autonomous RHOAI Agent)
Risk Level: 🟡 LOW-MEDIUM (safe change with two process-level observations)


📋 Summary

This is an automated MintMaker (Renovate) dependency update bumping github.com/tidwall/gjson from v1.18.0 → v1.19.0 on the dockerfile-test branch. The changes are limited to go.mod and go.sum. I've performed a full diff review, security scan, cross-repo impact analysis, and dependency chain trace. Here's the detailed breakdown.


✅ What's Changing

| File | Change |
| --- | --- |
| go.mod | github.com/tidwall/gjson v1.18.0 → v1.19.0 (indirect) |
| go.sum | Hash entries updated for v1.19.0 |

gjson v1.19.0 adds (per commit log + source diff):

  • Result.All() → iter.Seq2[Result, Result] — range-loop iterator over JSON objects
  • Result.Keys() → iter.Seq[Result] — iterate only keys
  • Result.Values() → iter.Seq[Result] — iterate only values
  • These are purely additive — no existing API was modified or removed
  • The new iter package import in gjson requires Go ≥ 1.23 at build time (met: this repo uses go 1.25.7)

🔍 Dependency Chain Analysis

gjson is a purely transitive dependency in this repo — it is not directly imported by any .go source file. The chain is:

llm-d-inference-scheduler
  └── github.com/tidwall/sjson v1.2.5 (// indirect)
        └── github.com/tidwall/gjson v1.14.2 (sjson's go.mod)
              → resolved to v1.18.0 → now v1.19.0 by MVS

sjson itself is pulled in transitively via k8s.io/kube-openapi. Neither gjson nor sjson is called directly from application code in this scheduler. The runtime behavior of the scheduler is not affected.


🔐 Security Assessment

  • CVE scan (OSV database): No known vulnerabilities affect gjson >= 1.6.6. The historical CVE (CVE-2020-36067, GHSA panic via crafted GET call) was fixed in v1.6.6 — both v1.18.0 and v1.19.0 are fully clear.
  • New iter package: Uses Go standard library iter (Go 1.23+), no third-party additions.
  • go.sum hash integrity: Verified against sum.golang.org:
    github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
    github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
    
    ✅ Both hashes in go.sum match the sum.golang.org transparent log exactly.
  • No hardcoded secrets, no RBAC changes, no webhook modifications. Risk surface is zero for the scheduler itself.

🏗️ Architecture & Cross-Repo Impact

  • Scope is isolated to dockerfile-test branch — the default main branch also pins gjson v1.18.0 and is currently 755 commits ahead of dockerfile-test. This branch is a Konflux build-testing fork focused on Dockerfile.Konflux and .tekton PAC pipeline configuration.
  • No cross-repo API contract changes. gjson is not a CRD type, controller-runtime extension, or shared API type consumed by other repositories.
  • No pod template mutation, no env var injection, no reconciliation logic change. Zero upgrade impact.

⚠️ Observations (Non-Blocking)

1. Target Branch Staleness

The PR targets dockerfile-test, which is 755 commits behind main. This means:

  • This dependency update will not flow to main unless the branch is rebased or main is also updated.
  • MintMaker is generating separate PRs for dockerfile-test and konflux-poc-1 branches, which creates duplicated churn without a clear merge path.

💡 Suggestion: Consider whether dockerfile-test should be rebased on main or whether MintMaker should be configured to only target main (or a designated integration branch) to avoid drift accumulation. The renovate.json / MintMaker config does not appear to be present in this repo — you may want to add one to constrain target branches.

2. Related tidwall/match Update (PR #235)

There is a companion MintMaker PR #235 updating github.com/tidwall/match to v1.2.0 (also targeting dockerfile-test). gjson depends on tidwall/match. These two updates should ideally be evaluated and merged together to avoid a transitive version mismatch window, even though both are indirect dependencies and MVS handles this correctly at build time.

💡 Suggestion: Consider batching the tidwall/* family updates (gjson, match, pretty, sjson) into a single PR to reduce noise and make the dependency graph consistent atomically.


🧪 Test Coverage

  • CI status on PR branch: typos and Red Hat Konflux / llm-d-scheduler-odh-test-on-pull-request both passed.
  • No new source code was changed — no new tests required.
  • Since gjson is not directly called, existing test suite adequately covers this change.

✅ Verdict

Safe to merge. The change is purely additive, hash-verified, security-clean, and has no runtime impact on the scheduler. The two observations above are process improvements, not blockers.

/lgtm


Review generated by the Autonomous RHOAI Dev Engineer Agent | mwaykole
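
How a go.sum `h1:` line like the two quoted in the review above is computed and checked, as an added example (not code from this PR, gjson, or the Go toolchain). It reimplements the h1 directory hash with the standard library and runs it on a constructed module `example.com/m`; `hashH1` and `verify` are illustrative names.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1: SHA-256 over sorted "<sha256 hex of file>  <path>\n" lines, base64.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify checks files against the go.sum line "<module> <version>[/go.mod] <hash>".
func verify(goSum, key string, files map[string][]byte) error {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0]+" "+f[1] != key {
			continue
		}
		if got := hashH1(files); got != f[2] {
			return fmt.Errorf("%s: got %s, go.sum has %s", key, got, f[2])
		}
		return nil
	}
	return fmt.Errorf("%s: no go.sum entry", key)
}

func main() {
	// Constructed module, not gjson: zip paths carry the module@version prefix.
	files := map[string][]byte{"example.com/m@v1.0.0/m.go": []byte("package m\n")}
	goSum := "example.com/m v1.0.0 " + hashH1(files) + "\n"
	fmt.Println("clean:", verify(goSum, "example.com/m v1.0.0", files))
	files["example.com/m@v1.0.0/m.go"] = []byte("package m // changed\n")
	fmt.Println("tampered:", verify(goSum, "example.com/m v1.0.0", files))
}
```

The `/go.mod` line in go.sum uses the same hash over a single file named `go.mod`, which is why each module version normally has two entries.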

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned chore(deps): update module github.com/tidwall/gjson to v1.19.0 May 14, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/dockerfile-test/github.com-tidwall-gjson-1.x branch from 44da62f to 8e3c082 Compare May 14, 2026 06:01
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned May 18, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned chore(deps): update module github.com/tidwall/gjson to v1.19.0 May 18, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned Jun 1, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update module github.com/tidwall/gjson to v1.19.0 - abandoned chore(deps): update module github.com/tidwall/gjson to v1.19.0 Jun 1, 2026
@github-actions

This PR is marked as stale after 21d of inactivity. After an additional 14d of inactivity (7d to become rotten, then 7d more), it will be closed. To prevent this PR from being closed, add a comment or remove the lifecycle/stale label.
