
Update module github.com/cenkalti/backoff/v4 to v6 #259

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/mintmaker/main/github.com-cenkalti-backoff-v4-6.x

red-hat-konflux-kflux-prd-rh02 Bot commented Jun 29, 2026

Contributor

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/cenkalti/backoff/v4 | v4.3.0 → v6.0.1 | age | confidence |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v4)

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/onsi/gomega v1.42.0
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading github.com/prometheus/client_golang v1.16.0
go: downloading github.com/prometheus/client_model v0.3.0
go: downloading gorm.io/gorm v1.31.1
go: downloading github.com/testcontainers/testcontainers-go v0.42.0
go: downloading github.com/testcontainers/testcontainers-go/modules/postgres v0.42.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
go: downloading github.com/getkin/kin-openapi v0.133.0
go: downloading github.com/bxcodec/faker/v3 v3.2.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/prometheus/common v0.42.0
go: downloading golang.org/x/sys v0.45.0
go: downloading github.com/prometheus/procfs v0.10.1
go: downloading github.com/golang/protobuf v1.5.4
go: downloading gorm.io/driver/mysql v1.5.6
go: downloading golang.org/x/crypto v0.52.0
go: downloading golang.org/x/text v0.37.0
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.4.0
go: downloading github.com/sagikazarmark/locafero v0.11.0
go: downloading github.com/moby/moby/api v1.54.1
go: downloading github.com/moby/moby/client v0.4.0
go: downloading github.com/jackc/pgx/v5 v5.6.0
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/aws v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/ot v1.43.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9
go: downloading google.golang.org/grpc v1.80.0
go: downloading golang.org/x/net v0.54.0
go: downloading github.com/go-openapi/jsonpointer v0.21.0
go: downloading github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
go: downloading github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037
go: downloading github.com/perimeterx/marshmallow v1.1.5
go: downloading github.com/woodsbury/decimal128 v1.3.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.4
go: downloading github.com/go-sql-driver/mysql v1.8.1
go: downloading github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading github.com/moby/sys/sequential v0.6.0
go: downloading github.com/moby/sys/user v0.4.0
go: downloading github.com/docker/go-connections v0.6.0
go: downloading github.com/shirou/gopsutil/v4 v4.26.3
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0
go: downloading github.com/go-openapi/swag v0.23.0
go: downloading github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading filippo.io/edwards25519 v1.1.0
go: downloading github.com/klauspost/compress v1.18.5
go: downloading github.com/tklauser/go-sysconf v0.3.16
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/josharian/intern v1.0.0
go: downloading golang.org/x/sync v0.20.0
go: downloading github.com/ebitengine/purego v0.10.0
go: downloading github.com/tklauser/numcpus v0.11.0
go: downloading github.com/go-ole/go-ole v1.2.6
go: github.com/openshift-hyperfleet/hyperfleet-api/pkg/api imports
	github.com/openshift-hyperfleet/hyperfleet-api/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-api/pkg/api/openapi
go: module github.com/bxcodec/faker/v3 is deprecated: use github.com/go-faker/faker/v4 instead.

@openshift-ci openshift-ci Bot requested review from rh-amarin and sherine-k June 29, 2026 04:04
openshift-ci Bot commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mliptak0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 29, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 29, 2026

Walkthrough

go.mod updates the indirect dependency github.com/cenkalti/backoff from major version 4 (v4.3.0) to major version 6 (v6.0.1). No exported or public entities are altered.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain surface (CWE-1357, CWE-506): Major version jump (v4→v6) on an indirect dependency. Verify:

  1. go.sum entry for github.com/cenkalti/backoff/v6 v6.0.1 is present and its hash matches the upstream module proxy checksum.
  2. No intermediate versions (v5) exist that were skipped — skipped majors can indicate a module path hijack or abandoned module republished under a new path.
  3. Confirm which direct dependency pulled this in (go mod why github.com/cenkalti/backoff/v6) — an unexpected introducer is a supply chain red flag.
  4. Review the v4→v6 changelog for removed/changed retry semantics that could silently affect Sentinel or Adapter retry loops even as an indirect dep.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly identifies the dependency version bump, which matches the change set. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | PASS: Only go.mod changed (backoff v4→v6); no log statements added, so no CWE-532 secret leakage surface. |
| No Hardcoded Secrets | ✅ Passed | No hardcoded credentials found (CWE-798/CWE-321); the PR only bumps a Go module version and adds no secret-like literals. |
| No Weak Cryptography | ✅ Passed | No CWE-327/CWE-916 issue: the PR only bumps backoff in go.mod, and repo search found no md5/des/rc4/sha1, ECB, or non-constant-time secret compares. |
| No Injection Vectors | ✅ Passed | No CWE-89/78/79/502 sink on untrusted input; only trusted enum/UUID/hardcoded SQL fragments remain. |
| No Privileged Containers | ✅ Passed | Only go.mod changed in this PR; no manifests, Helm templates, or Dockerfiles were touched, so no privileged-container settings were introduced. |
| No Pii Or Sensitive Data In Logs | ✅ Passed | Only go.mod changed; no slog/log/zap/fmt logging code was touched, so no CWE-532 log-PII exposure risk in this PR. |
| Description check | ✅ Passed | The description matches the changeset: it documents the backoff Go module version bump reflected in go.mod. |

Comment @coderabbitai help to get the list of available commands.
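
An added example (not part of the CodeRabbit comment or the repository's code) of the first check in the list above, done offline: it confirms that go.sum pins both lines for a module version and recomputes the `h1:` value of the `/go.mod` line from the go.mod bytes. The function names and the `example.test/m/v6` module are constructed for illustration, and the comparison against the upstream checksum database is not performed here.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 reproduces the "h1:" value go.sum stores on a "/go.mod" line:
// base64(SHA-256("<hex SHA-256 of go.mod>  go.mod\n")).
func goModH1(goMod []byte) string {
	manifest := fmt.Sprintf("%x  go.mod\n", sha256.Sum256(goMod))
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// sumEntries returns the hashes go.sum pins for module@version, keyed by the
// version column: "vX.Y.Z" (module tree) and "vX.Y.Z/go.mod" (go.mod alone).
func sumEntries(goSum, module, version string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && strings.TrimSuffix(f[1], "/go.mod") == version {
			out[f[1]] = f[2]
		}
	}
	return out
}

// checkGoMod fails if either go.sum line is absent or if the supplied
// go.mod bytes do not hash to the pinned "/go.mod" value.
func checkGoMod(goSum, module, version string, goMod []byte) error {
	e := sumEntries(goSum, module, version)
	pinned := e[version+"/go.mod"]
	if e[version] == "" || pinned == "" {
		return fmt.Errorf("%s %s: go.sum entry missing", module, version)
	}
	if got := goModH1(goMod); got != pinned {
		return fmt.Errorf("%s %s: go.mod hash %s != pinned %s", module, version, got, pinned)
	}
	return nil
}

func main() {
	mod := []byte("module example.test/m/v6\n") // constructed sample, not a real module
	goSum := "example.test/m/v6 v6.0.1 h1:constructed=\nexample.test/m/v6 v6.0.1/go.mod " + goModH1(mod) + "\n"
	fmt.Println(checkGoMod(goSum, "example.test/m/v6", "v6.0.1", mod))
}
```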
