Update go modules (release-v0.7) (minor)#3157
Conversation
ℹ️ Artifact update noticeFile name: acceptance/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/kubectl/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
f2bee15 to
c044cf2
Compare
d0b5daa to
d7e1ae6
Compare
edc3061 to
0e0416e
Compare
|
🤖 Finished Review · ✅ Success · Started 2:44 AM UTC · Completed 2:53 AM UTC |
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale-comment
The PR bumps testcontainers-go from a pseudo-version to v0.42.0 and aligns modules/registry to v0.42.0, but retains the comment about using unreleased version which is now misleading since v0.42.0 is a released version.
Suggested fix: Remove the stale comment from the testcontainers-go dependency line.
|
🤖 Finished Review · ✅ Success · Started 12:56 PM UTC · Completed 1:07 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:17 PM UTC · Completed 5:28 PM UTC |
| // Force moby/go-archive to v0.1.0 for compatibility with docker/docker v28.5.2 | ||
| // v0.2.0 removed archive.Compression type which docker still uses | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.1.0 | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.2.0 |
There was a problem hiding this comment.
[critical] api-contract
The moby/go-archive replace directive was changed from pinning to v0.1.0 to pinning to v0.2.0, directly contradicting the comment on lines 65-66 which states that v0.2.0 removed archive.Compression type which docker/docker v28.5.2 still uses. docker/docker v28.5.2+incompatible remains a direct dependency. Additionally, acceptance/go.mod still correctly pins to v0.1.0, creating an inconsistency between modules.
Suggested fix: Either revert the replace to point to v0.1.0, or verify that docker/docker v28.5.2 no longer needs archive.Compression and update/remove the stale comment.
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.9 | |||
There was a problem hiding this comment.
[medium] version-inconsistency
tools/go.mod Go version stays at 1.25.9 while go.mod, acceptance/go.mod, and tools/kubectl/go.mod are all bumped to 1.26.0. A Go version mismatch across modules in a monorepo can cause subtle build issues.
Suggested fix: Bump tools/go.mod to go 1.26.0 consistently with the other modules, or document why it must remain on an older version.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale-reference
The comment on testcontainers-go says using unreleased version but the version is now v0.43.0, which is a released version. The comment is stale and misleading.
Suggested fix: Remove the trailing comment or update it to note which released version first included the fix.
|
🤖 Finished Review · ✅ Success · Started 6:19 AM UTC · Completed 6:28 AM UTC |
| @@ -3,17 +3,17 @@ module github.com/conforma/cli/tools | |||
| go 1.25.9 | |||
There was a problem hiding this comment.
[low] version inconsistency
The PR bumps the Go directive to 1.26.0 in go.mod, acceptance/go.mod, and tools/kubectl/go.mod, but tools/go.mod stays at 1.25.9. The inconsistency suggests Renovate did not process all go.mod files uniformly, though tools/go.mod is an independent module and may function correctly at the older version.
Suggested fix: Verify whether tools/go.mod should also be bumped to go 1.26.0 for consistency. If it must stay at an older version, document why.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale comment
The PR updates testcontainers-go from the pre-release pseudo-version v0.34.1-0.20241204123437-72be13940122 to the released version v0.43.0, but the inline comment still reads using unreleased version that contains the fix in testcontainers/testcontainers-go#2899. Since v0.43.0 is an official release well past v0.34, this comment is now misleading.
Suggested fix: Remove or update the comment to reflect that v0.43.0 is a released version.
|
🤖 Finished Review · ✅ Success · Started 9:01 AM UTC · Completed 9:09 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 2:18 PM UTC · Completed 2:28 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 3:37 PM UTC · Completed 3:47 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 8:10 PM UTC · Completed 8:21 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:52 AM UTC · Completed 6:09 AM UTC |
| github.com/conforma/go-gather v1.0.2 | ||
| github.com/conforma/go-gather v1.2.0 | ||
| github.com/docker/docker v28.5.2+incompatible | ||
| github.com/enterprise-contract/enterprise-contract-controller/api v0.1.257 |
There was a problem hiding this comment.
[medium] api-contract
Inconsistency between root go.mod and acceptance/go.mod: acceptance removes docker/docker in favor of moby/moby packages, but the root module retains docker/docker alongside the new moby packages. This partial migration is fragile for future updates.
|
🤖 Finished Review · ✅ Success · Started 6:22 AM UTC · Completed 6:32 AM UTC |
| gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect | ||
| gopkg.in/inf.v0 v0.9.1 // indirect | ||
| gopkg.in/ini.v1 v1.67.1 // indirect | ||
| gopkg.in/ini.v1 v1.67.2 // indirect |
There was a problem hiding this comment.
[medium] pre-release-dependency
google.golang.org/protobuf changes from stable v1.36.11 to pre-release pseudo-version v1.36.12-0.20260120151049-f2248ac996af. Pseudo-versions reduce build reproducibility for this foundational library.
Suggested fix: Pin to the latest stable release of google.golang.org/protobuf. If a specific unreleased fix is needed, document the reason.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale-reference
The testcontainers-go comment says using unreleased version but v0.43.0 is a released version. The comment becomes misleading.
Suggested fix: Remove or update the comment to reflect that v0.43.0 is released.
|
🤖 Finished Review · ✅ Success · Started 1:15 PM UTC · Completed 1:35 PM UTC |
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[high] API contract violation
The PR updates testcontainers-go from a pseudo-version based on v0.34.1 to v0.43.0, a jump of ~9 minor versions. The codebase uses testcontainers.GenericContainer in three files (acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220) and testcontainers.GenericContainerRequest. Between v0.34 and v0.43, testcontainers-go deprecated and may have removed GenericContainer. If the code is not updated, it may fail to compile.
Suggested fix: Either confirm the testcontainers-go v0.43.0 API is still compatible (GenericContainer was not yet removed), or include Go source code changes to adapt to the new testcontainers-go API.
| // Force moby/go-archive to v0.1.0 for compatibility with docker/docker v28.5.2 | ||
| // v0.2.0 removed archive.Compression type which docker still uses | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.1.0 | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.2.0 |
There was a problem hiding this comment.
[medium] stale-reference
The moby/go-archive replace directive is being changed from v0.1.0 to v0.2.0, but the comments explicitly state: Force moby/go-archive to v0.1.0 for compatibility with docker/docker v28.5.2 and v0.2.0 removed archive.Compression type which docker still uses. docker/docker v28.5.2 remains a direct dependency. The replace directive now points to the exact version the comment warns against.
Suggested fix: Either revert the replace directive to keep v0.1.0, or verify that docker/docker v28.5.2 no longer uses archive.Compression in the code paths exercised by this project, and update the comment accordingly.
| k8s.io/client-go v0.35.4 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] Edge case
The root go.mod updates testcontainers-go to v0.43.0 (a released version) but retains the stale comment: using unreleased version that contains the fix. v0.43.0 is a released version.
Suggested fix: Remove or update the stale comment.
| sigs.k8s.io/kind v0.32.0 | ||
| sigs.k8s.io/kustomize/api v0.21.1 | ||
| sigs.k8s.io/kustomize/kyaml v0.21.1 | ||
| sigs.k8s.io/yaml v1.6.0 |
There was a problem hiding this comment.
[low] API contract violation
sigs.k8s.io/kind is being updated from v0.26.0 to v0.32.0, a jump of 6 minor versions. The acceptance tests use kind programmatically (acceptance/kubernetes/kind/kind.go). This is a significant version jump that warrants verification.
Suggested fix: Verify that the kind Go API usage in acceptance tests is compatible with v0.32.0.
|
🤖 Finished Review · ❌ Failure · Started 9:16 PM UTC · Completed 9:27 PM UTC |
|
🤖 Review · |
|
🤖 Finished Review · ✅ Success · Started 1:52 AM UTC · Completed 2:02 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:29 PM UTC · Completed 5:40 PM UTC |
|
|
||
| // use forked version until we can get the fixes merged see https://github.com/conforma/go-containerregistry/blob/main/hack/ec-patches.sh for a list of patches we carry | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728 | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.21.7 |
There was a problem hiding this comment.
[low] API contract violation
The conforma go-containerregistry fork changes from a v0.20.x pseudo-version to v0.21.7. 49 Go files import go-containerregistry packages. While the team controls the fork, the major version change should be verified.
Suggested fix: Verify the PR compiles and passes tests with the updated fork version.
|
🤖 Finished Review · ✅ Success · Started 11:06 AM UTC · Completed 11:15 AM UTC |
|
🤖 Finished Review · ❌ Failure · Started 11:20 AM UTC · Completed 11:31 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 3:44 PM UTC · Completed 3:54 PM UTC |
| // v0.2.0 removed archive.Compression type which docker still uses | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.1.0 | ||
| replace github.com/moby/go-archive => github.com/moby/go-archive v0.2.0 | ||
|
|
There was a problem hiding this comment.
[critical] logic-error
The replace directive for moby/go-archive changed from pinning to v0.1.0 to pointing at v0.2.0. The comment directly above explicitly warns that v0.2.0 removed archive.Compression type which docker/docker v28.5.2 still uses. docker/docker remains at v28.5.2+incompatible. acceptance/go.mod still correctly pins to v0.1.0, making the two modules inconsistent. This is likely a Renovate bot oversight.
Suggested fix: Revert the right-hand side of the replace directive back to v0.1.0: replace github.com/moby/go-archive => github.com/moby/go-archive v0.1.0. If docker/docker no longer needs archive.Compression, update or remove the comment and the acceptance/go.mod pin as well.
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| oras.land/oras-go/v2 v2.6.0 | ||
| github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 |
There was a problem hiding this comment.
[low] stale-reference
The inline comment on testcontainers-go says 'using unreleased version' but v0.43.0 is a released version (previously it was a pre-release pseudo-version). The comment is now factually incorrect.
Suggested fix: Remove or update the inline comment to reflect that the fix is included in the released v0.43.0.
This PR contains the following updates:
v0.16.0→v0.17.0v0.15.1→v0.17.0v0.10.0→v0.11.0v0.20.7-0.20250703195040-6f40a3734728→v0.21.7v1.0.2→v1.2.0v0.13.7→v0.14.0v5.8.0→v5.9.0v5.17.1→v5.19.1v0.25.0→v0.26.3e7eb2ec→dd8c9b1v0.1.0→v0.2.0v0.66.0→v0.68.2v1.15.2→v1.18.120ebb0f→4e6772av0.10.0→v0.11.0v2.4.1→v2.6.3v0.26.2→v0.27.1v0.44.1→v0.45.0v0.44.0→v0.45.0v0.34.1→v0.43.0v0.34.0→v0.43.0v1.11.0→v1.16.0a2b48b6→35581327ab1446→c48552fv0.53.0→v0.56.0v0.20.0→v0.21.0v1.12.3→v1.13.0v3.20.2→v3.21.2v0.35.4→v0.36.2v0.35.4→v0.36.2v0.35.4→v0.36.2v0.35.4→v0.36.2v2.130.1→v2.140.0589584f→8f3fa49v1.34.3→v1.36.2v0.26.0→v0.32.0v0.20.1→v0.21.1v5.7.1→v5.8.1v0.20.1→v0.21.1Release Notes
cue-lang/cue (cuelang.org/go)
v0.17.0Compare Source
Changes which may break some users are marked below with:⚠️
Language
The active
tryexperiment renames the newfallbackkeyword, used withforcomprehensions, tootherwise.fallbackcontinues to be accepted for now, but is rewritten to the new form.The active
aliasv2experiment now allows~(X)as an alternative to~Xfor the single postfix alias form.~Xis also rewritten as~(X)for the sake of consistency and clarity.Language versions
v0.17.0and later allow omitting commas in multi-line lists. Just like a newline after a struct field implies a comma, a newline after a list element now implies a comma as well.Language versions
v0.17.0and later allow a newline or a comma before the closing bracket of an index expression, matching how lists and func arguments allow omitting trailing commas.The language spec is tweaked to make
$a valid identifier, which was already allowed by the parser and evaluator.div,mod,quo, andremoperators has been removed. Since late 2020, these infix forms have been undocumented and rewritten bycue fixto the new function calls.The new
shortcircuitexperimentThis release introduces the
shortcircuitexperiment, which changes the&&and||operators to not evaluate the right operand if the left operand alone determines the result.This matches the behavior already documented in the CUE spec and is consistent with most mainstream languages, but for the sake of a smooth transition for end users, we are rolling out this change via an experiment.
You can try this experiment via the
@experiment(shortcircuit)file attribute. To mimic the old behavior with the experiment, you can use a hidden field:Evaluator
Comprehensions
The comprehension algorithm now waits to run a comprehension's body until the fields it reads have a concrete value, rather than trying to produce its fields up front. This resolves a number of long-standing bugs, most notably the last known regressions from
evalv2, where a comprehension that should have resolved instead failed as an incomplete value or a cycle.This design also greatly simplifies upcoming evaluator work, such as introducing new builtins to replace comparing values to bottom, as well as the design of
evalv4.Other changes
The evaluator no longer deduplicates errors just by position, which was causing some useful errors from disjunctions or standard library calls to be dropped incorrectly.
Several long-standing cycle-detection bugs have been fixed, such as self-referential uses of
matchNandmatchIf, self-feeding disjunctions, and comprehensions that read aletbinding which refers back to the comprehension's own fields.Fixed a bug where the same package imported via different qualified import paths (e.g.
foo.com/bar@v0orfoo.com/bar:baz) did not share the same hidden field namespace.Resolving an unversioned import from a dependency module now respects that module's own default major version, instead of always using the main module's default.
Fix a number of issues where
cue defcould produce invalid CUE output, such as due to name conflicts.Fix an evaluator regression where embedded disjunctions across packages may not correctly apply closedness.
Fix an evaluator bug where
cue.Context.BuildExprofclose({})did not actually result in a closed struct.Fix a bug where some calls to standard library functions or validators did not include the "error in call to pkg.Func" error context, or included it twice.
A few changes to the evaluator should reduce allocated objects by up to 16%, reducing GC overhead and memory usage.
To ease the transition into the new formatter we plan to release with v0.18,
CUE_EXPERIMENT=formatv2=0is now allowed as a no-op.A number of other bugs, panics, and hangs have been resolved as well.
cmd/cueModule replaces
CUE now supports substituting a module dependency with a local directory or a different remote module during development - for example while testing a fix to a dependency before it is published, or to replace a dependency with a fork including improvements.
This configuration lives in
cue.mod/local-module.cue, which is excluded when publishing to registries.cue mod editandcue mod tidygain support for maintaining this file.We have also published a how-to guide on replacing a dependency with a local module.
Read the full design doc in the proposal, or read the
cue.mod/local-module.cuereference docs.Other changes
The new global
-Cor--chdirflag runscuefrom the given working directory.Command input parsing is improved so that CUE packages can come after data files, such as
cue vet -c data.yaml ./schema.cue import --with-contextnow ensures thatdatarepresents the original raw input data, and not its interpretation like JSON Schema.cue import --pathnow skips over null values in an input stream, such as empty documents in a YAML file.Fix a bug where the flag
cue export --pathwas ignored when the inputs were pure CUE.The new
cue exp gengotypes --outfileflag controls the output file path when generating a single package.cue vet -d/--schemanow supports hidden fields, and correctly reports an error when the command inputs are CUE only.cue fixandcue trimno longer change file modification times when no changes are necessary.A
$CUE_CACHE_DIRdirectory is no longer required when loading CUE without external dependencies.The "filetypes" lookup tables now use a more compact encoding, saving about 150KiB in binary size for
cmd/cueas well as Go API users.LSP server
Add an initial version of organize-imports, which sorts the existing imports and removes unneeded imports. It is not yet capable of suggesting missing imports.
Wait for a short period of inactivity before sending diagnostics to the editor. This "debounce" means that a user typing incomplete CUE syntax will not be distracted with syntax errors as much.
The
aliasv2experiment is now fully supported.The
renamefunction is fixed to distinguish between field names and aliases.Improve field name analysis in general so that fields with multiple aliases (e.g.
v=[k=string]: _) are properly supported.Improve attribute handling for file-level embedded attributes, and to attach attributes within expressions to the correct struct.
Treat conjunctions (
&) and disjunctions (|) the same way for goto-definition. With the cursor on a path, it returns all results that the path MAY resolve to. With the cursor on a field declaration name, it returns all results that the path constructed from the field's name, and its field's name (and so on) MAY resolve to.Special-case
closefunction calls so that paths can resolve through fields within the argument toclose.Encodings
#character, shortening names and ensuring compatibility with the wider JSON Schema ecosystem. This required deprecatingencoding/jsonschema.GenerateConfig.NameFuncin favor ofNamesFunc.The JSON Schema encoder is improved to support
list.UniqueItemsand standalone validators, to usemaxItemsandminItemsinstead ofmaxLengthandminLengthfor lists with prefix elements, and to generatedescriptionkeywords for doc comments.Several closedness bugs in the JSON Schema encoder have been fixed, ensuring that the generated JSON Schema behaves the same way as the original CUE definition.
The JSON Schema decoder is improved to better handle the
prefixItemskeyword.The ProtoBuf decoder now resolves relative references following the usual scoping rules, instead of always resolving them against the top-level scope.
Standard library
Add
time.ToUnixandtime.ToUnixNano, which convert anRFC3339Nanotime value into seconds or nanoseconds since the Unix epoch, complementing the existingUnixbuiltin.strconv.FormatFloatnow accepts a string format parameter, likeFormatFloat(3.14, "e", 4, 64).list.MatchNnow shows what expected value it's matching against when it fails.The
netIP APIs now consistently return an error on invalid input types.Go API
Using
cue.Values concurrently is now fully supported, which required deprecatingcue.Value.Context. If you encounter any races or bugs, please report them via the issue tracker.cue/loadnow supports loading from anio/fs.FS, as outlined in proposal #4285. Loading file embeds throughConfig.OverlayandConfig.FSis supported now as well.cue/ast/astutildeprecatesSanitizein favor of the newSanitizeFilesAPI, given thatSanitizeon a single file cannot know if another file in the same package shadows builtin names likeself.Add
Path.CompareandSelector.Compare, providing allocation-free total ordering suitable forslices.SortFunc.Clarify that
cue/formatindents with a tab width of 4 by default.A new fuzzer has been introduced in the
cuepackage, checking that the parser doesn't crash and that its results are consistent with the rest of the Go APIs likecue/literal. So far, it has already resulted in seventeen bug fixes.The
cue.Interpreteroption API has been deprecated in favor ofcue.WithInjection, which is a better name going forward.cue/ast.File.Imports, deprecated in mid 2025 in favor ofcue/ast.File.ImportSpecs, is now removed.cue.InstancemethodsLookup,LookupDef,LookupField, andFillare now removed.modconfig.Registryinterface is changed to report default major versions, which is required for resolving unversioned imports against each dependency module's own defaults. Clients that implement or wrap the interface will need to update. The new interface is future-proofed for upcoming modules changes.Full list of changes since v0.16.0
0fc639be73658dc3f08a160e1bb73f7aafee2eb7f50fa6c091e07f1671908428d2db9dac083b5bc31ef80f15eed4bec06b9916719376a328b32aca761bcbc901907a9906c3e97d77fe74d73286a4372d35a0f4f7772d1d3b7d162569bf7d7dd80111ed3622b489b24991a3f185b8ba6eeb8ac73092c281a361a5b9984dae5adf7f512ecd2774d78c1b159ed139d5c4e71c13d28507be6d5a3fb70abb86e14d7d4d40ad26fb24b39c7392c8e72ff12bb0a41258b9f8be9bb021f44f24f1445c76df33b9deb682521fa683ed32244d103748aaafa5272684e35486eb4f1230bbbb964c01232e6da5139794b8c8c47cf7a59daf6d7894c60ba8143d216fe7d512100df6ebec1313cd1a65400b61fdfa0353335cf0e587c6d8ae7935fe8c2a8155223cfa7ef3e0eed47493840961bb9a6d76d0adb8dd6aa4a115651def1a0c02c81f9d1b5310062ffb2fbde9f02ca774942dConfiguration
📅 Schedule: (UTC)
* 0-3 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.