🚨 Update go modules (main) (major) #3133
@@ -35,7 +35,7 @@ require ( | |
| github.com/yudai/gojsondiff v1.0.0 | ||
| golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f | ||
| golang.org/x/sync v0.21.0 | ||
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| gopkg.in/go-jose/go-jose.v4 v4.1.4 | ||
[high] incomplete-security-fix
The go-jose upgrade from v2 to v4 addresses GHSA-78h2-9frx-2jm8 and GHSA-c6gw-w398-hv78, but acceptance/image/image.go still imports v2. Security fixes in v4 will not apply to code importing the v2 module path.
Suggested fix: Update the import in acceptance/image/image.go to the v4 module path, adapt to API changes, and run go mod tidy to remove v2 from the dependency graph.
| k8s.io/api v0.36.0 | ||
| k8s.io/apimachinery v0.36.0 | ||
| k8s.io/client-go v0.36.0 | ||
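Review bot: the go-jose line in this hunk swaps the `gopkg.in/go-jose/go-jose.v2` require for `gopkg.in/go-jose/go-jose.v4 v4.1.4`, and under Go's major-version rules those are two unrelated module paths, so this go.mod edit on its own moves no code onto v4: any file still importing a `.v2` path keeps resolving against the v2 module, and with v2 now dropped from go.mod that import no longer has a providing module and the build fails. Before merging, run `go build ./...` and `go vet ./...` in this module and confirm `go mod tidy` leaves only the v4 require; if some import cannot be migrated yet, keep both requires rather than replacing one line with the other.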
@@ -5,7 +5,7 @@ go 1.26.3 | |
| require ( | ||
| cuelang.org/go v0.16.0 | ||
| github.com/CycloneDX/cyclonedx-go v0.10.0 | ||
| github.com/MakeNowJust/heredoc v1.0.0 | ||
| github.com/MakeNowJust/heredoc/v2 v2.0.1 | ||
[medium] logic-error
github.com/MakeNowJust/heredoc/v2 v2.0.1 is added as a direct dependency but no source file imports the v2 path. All 19 files import v1. The v2 dependency is unused.
Suggested fix: Either update all 19 source files to import heredoc/v2 or remove the v2 entry from go.mod.
| github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a | ||
| github.com/conforma/crds/api v0.1.7 | ||
| github.com/conforma/go-gather v1.2.0 | ||
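Review bot: `github.com/MakeNowJust/heredoc/v2 v2.0.1` replaces the v1 require in this hunk, but a `/v2` suffix is a distinct import path, so the bump only takes effect once the source imports are rewritten to `github.com/MakeNowJust/heredoc/v2`. The `@@ -63,8 +63,10 @@` hunk in this same file re-adds `github.com/MakeNowJust/heredoc v1.0.0` in the second require block, which is what `go mod tidy` produces when the v1 path is still imported, so as it stands the v2 require is dead weight. Either migrate the imports in the same PR or leave the v1 line alone.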
@@ -29,7 +29,7 @@ require ( | |
| github.com/open-policy-agent/opa v1.15.2 | ||
| github.com/package-url/packageurl-go v0.1.3 | ||
| github.com/qri-io/jsonpointer v0.1.1 | ||
| github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 | ||
| github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 | ||
[medium] logic-error
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is added as a direct dependency but no source file imports v6. All 3 files import v5. The v6 dependency is unused.
Suggested fix: Either update the 3 source files to import jsonschema/v6 and adapt to the new API, or remove the v6 entry from go.mod.
| github.com/secure-systems-lab/go-securesystemslib v0.10.0 | ||
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.0 | ||
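Review bot: the same problem as the heredoc bump applies to `github.com/santhosh-tekuri/jsonschema/v6 v6.0.2` here: `/v6` is a new import path, and the `@@ -63,8 +63,10 @@` hunk below re-adds `github.com/santhosh-tekuri/jsonschema/v5 v5.3.1` to the second require block, showing v5 is still what the code imports. A jsonschema major bump is an API change rather than a drop-in, so migrating the v5 import sites needs a compile-and-test pass, not a go.mod edit alone; if that is out of scope for an automated module update, drop the v6 line instead of carrying two majors.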
@@ -63,8 +63,10 @@ require ( | |
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.21.8-0.20260626175242-ae5f0ae7a0b0 | ||
| require ( | ||
| github.com/MakeNowJust/heredoc v1.0.0 | ||
| github.com/go-openapi/runtime v0.29.2 | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 | ||
| github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 | ||
| golang.org/x/text v0.38.0 | ||
| gopkg.in/yaml.v3 v3.0.1 | ||
| k8s.io/api v0.36.0 | ||
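Review bot: the two additions in this hunk, `github.com/MakeNowJust/heredoc v1.0.0` and `github.com/santhosh-tekuri/jsonschema/v5 v5.3.1`, are exactly the requires removed from the first require block earlier in this file, now reinstated in the second block; that is the signature of `go mod tidy` keeping a module because source still imports its old major-version path. After this PR the graph therefore carries both v1 and v2 of heredoc and both v5 and v6 of jsonschema, with the new majors unused. Resolve this before merge: migrate the imports and re-run `go mod tidy`, which would then drop these two lines again, or revert the major bumps in the first block.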
[critical] api-contract
The PR replaces gopkg.in/go-jose/go-jose.v2 with v4 in acceptance/go.mod, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. The acceptance module will not compile.
Suggested fix: Update the import in acceptance/image/image.go to the v4 equivalent (github.com/go-jose/go-jose/v4), or keep v2 alongside v4.