2 changes: 1 addition & 1 deletion acceptance/go.mod
@@ -35,7 +35,7 @@ require (
github.com/yudai/gojsondiff v1.0.0
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/sync v0.21.0
gopkg.in/go-jose/go-jose.v2 v2.6.3
gopkg.in/go-jose/go-jose.v4 v4.1.4

[critical] api-contract

The PR replaces gopkg.in/go-jose/go-jose.v2 with v4 in acceptance/go.mod, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. The acceptance module will not compile.

Suggested fix: Update the import in acceptance/image/image.go to the v4 equivalent (github.com/go-jose/go-jose/v4), or keep v2 alongside v4.

[high] incomplete-security-fix

The go-jose upgrade from v2 to v4 addresses GHSA-78h2-9frx-2jm8 and GHSA-c6gw-w398-hv78, but acceptance/image/image.go still imports v2. Security fixes in v4 will not apply to code importing the v2 module path.

Suggested fix: Update the import in acceptance/image/image.go to the v4 module path, adapt to API changes, and run go mod tidy to remove v2 from the dependency graph.

k8s.io/api v0.36.0
k8s.io/apimachinery v0.36.0
k8s.io/client-go v0.36.0
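Review bot: the new require line uses the path gopkg.in/go-jose/go-jose.v4, while the comments above give the v4 import path as github.com/go-jose/go-jose/v4; those are two different module paths, and a gopkg.in path only resolves if the module declares it, so confirm with `go mod tidy` in acceptance/ that this line resolves at all before fixing the import in acceptance/image/image.go. No acceptance/go.sum hunk appears in this diff either, so the checksum for v4.1.4 is not recorded here; a major bump that is not paired with an import change and a go.sum entry leaves the new module neither built nor verified.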
6 changes: 4 additions & 2 deletions go.mod
@@ -5,7 +5,7 @@ go 1.26.3
require (
cuelang.org/go v0.16.0
github.com/CycloneDX/cyclonedx-go v0.10.0
github.com/MakeNowJust/heredoc v1.0.0
github.com/MakeNowJust/heredoc/v2 v2.0.1

[medium] logic-error

github.com/MakeNowJust/heredoc/v2 v2.0.1 is added as a direct dependency but no source file imports the v2 path. All 19 files import v1. The v2 dependency is unused.

Suggested fix: Either update all 19 source files to import heredoc/v2 or remove the v2 entry from go.mod.

github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a
github.com/conforma/crds/api v0.1.7
github.com/conforma/go-gather v1.2.0
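Review bot: the v1 line is dropped from this require block although the comment above says 19 files still import github.com/MakeNowJust/heredoc, so v1 stays a direct dependency regardless of what go.mod claims; the hunk at -63,8 re-adds it to the second require block. Either migrate the importers to heredoc/v2 in this PR and let `go mod tidy` rewrite both blocks, or leave v1 here and drop the v2 line; a major version that nothing imports adds a module to the graph (and to any SBOM generated from go.mod) without changing what is built.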
@@ -29,7 +29,7 @@ require (
github.com/open-policy-agent/opa v1.15.2
github.com/package-url/packageurl-go v0.1.3
github.com/qri-io/jsonpointer v0.1.1
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2

[medium] logic-error

github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is added as a direct dependency but no source file imports v6. All 3 files import v5. The v6 dependency is unused.

Suggested fix: Either update the 3 source files to import jsonschema/v6 and adapt to the new API, or remove the v6 entry from go.mod.

github.com/secure-systems-lab/go-securesystemslib v0.10.0
github.com/sigstore/cosign/v3 v3.0.4
github.com/sigstore/rekor v1.5.0
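Review bot: same shape as the heredoc change: jsonschema/v6 v6.0.2 replaces v5 in the direct block while the 3 importers still use v5, and v5 is re-added in the next hunk. Because v6 is a different module path, the validator actually compiled into the binary is unchanged by this line; migrating the three files is the part of the change that needs review, and schema validation results should be covered by tests before and after, since a major bump of a validator can change which inputs are accepted.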
@@ -63,8 +63,10 @@ require (
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.21.8-0.20260626175242-ae5f0ae7a0b0

require (
github.com/MakeNowJust/heredoc v1.0.0
github.com/go-openapi/runtime v0.29.2
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
golang.org/x/text v0.38.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.36.0
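Review bot: the two lines added here (heredoc v1.0.0 and jsonschema/v5 v5.3.1) are the same requirements removed from the first block, now placed in the second `require` block that `go mod tidy` conventionally uses for modules needed only indirectly. Since the comments above say both are still imported directly, tidy will move them back; commit the output of `go mod tidy` and `go build ./...` rather than hand-editing the blocks, so go.mod reflects the real dependency graph.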
2 changes: 2 additions & 0 deletions go.sum
@@ -133,6 +133,7 @@ github.com/KeisukeYamashita/go-vcl v0.4.0 h1:dFxZq2yVeaCWBJAT7Oh9Z+Pp8y32i7b11QH
github.com/KeisukeYamashita/go-vcl v0.4.0/go.mod h1:af2qGlXbsHDQN5abN7hyGNKtGhcFSaDdbLl4sfud+AU=
github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM=
github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a h1:U//wWgvWVegUHd9m3aL6K+W9WUrXdaM/aVNxHuOmRw4=
github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a/go.mod h1:mUDfRDWWpXdfuyUtpCgApCxsgqKppYtPi35Q222DRB8=
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
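Review bot: the new go.sum line for heredoc/v2 v2.0.1 is a `/go.mod` hash only; there is no `h1:` line for the module contents, unlike the v1 entry two lines above, which has both. Go records the content hash only when a package from the module is actually built, so this confirms the comment that nothing imports v2. After the importers are migrated, re-run `go mod tidy` so the content hash is recorded and verified on download.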
@@ -1028,6 +1029,7 @@ github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDc
github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=
github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=
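Review bot: as with heredoc/v2 above, jsonschema/v6 v6.0.2 gets only a `/go.mod` hash here and the v5 `h1:` lines stay, which is consistent with v5 still being the version compiled in; expect `go mod tidy` after the import migration to add the v6 content hash and, once v5 has no importers left, drop the v5 lines.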