Update go module minor/patch updates #193
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
ℹ️ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.
I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with
Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
📝 Summary by CodeRabbit
Walkthrough
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Supply chain surface — verify each pin (CWE-829, CWE-1395):
🚥 Pre-merge checks: ✅ 11 passed (11 checks)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Around line 176-177: The protobuf dependency at line 177 is pinned to a
prerelease version (v1.36.12-0.20260120151049-...) while the pinned
hyperfleet-broker v1.1.1 depends on stable v1.36.11, creating version skew at
the adapter↔broker RPC boundary where the adapter serializes with prerelease
protobuf and the broker deserializes with stable protobuf, risking silent
message corruption. Replace the prerelease protobuf version with stable v1.36.11
to match the broker's current dependency, ensuring wire format compatibility
across the service boundary. If a stable v1.36.12 is available and preferred,
coordinate with the broker team to also update broker's go.mod accordingly. The
gRPC v1.81.1 upgrade at line 176 requires no change as it contains only security
fixes.
- Around line 23-28: The OpenTelemetry version at lines 23-28 (v1.44.0)
conflicts with the transitive v1.41.0 version pulled from hyperfleet-broker
v1.1.1 (line 12). This version mismatch can cause runtime incompatibility due to
API changes between v1.41 and v1.44. Either coordinate updating
hyperfleet-broker to a version that pins OTel v1.44.0 before merging, or add
replace directives in go.mod to force all OTel modules to v1.44.0 and align
transitive dependencies. The replace approach should map all
go.opentelemetry.io/otel modules and related exporters to their v1.44.0 versions
to ensure a consistent dependency graph across both the adapter and broker.
⛔ Files ignored due to path filters (1): go.sum is excluded by !**/*.sum, !**/go.sum
📒 Files selected for processing (1): go.mod
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews: openshift-hyperfleet/architecture (manual), openshift-hyperfleet/hyperfleet-api (manual), openshift-hyperfleet/hyperfleet-sentinel (manual), openshift-hyperfleet/hyperfleet-adapter (manual), openshift-hyperfleet/hyperfleet-broker (manual)
| go.opentelemetry.io/otel v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 | ||
| go.opentelemetry.io/otel/trace v1.44.0 |
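Review bot: all six go.opentelemetry.io/otel lines in this hunk move together to v1.44.0, which is the right shape for an OTel bump (the sdk, trace and exporter modules in lines 2 to 6 are released in lockstep with the core module on line 1), so the pre-merge check here is compilation, not coexistence: Go's minimal version selection picks exactly one version per module path for the whole build, so the pinned hyperfleet-broker code is compiled against v1.44.0 rather than its own v1.41.0 requirement, and a replace directive forcing v1.44.0 would change nothing the selection has not already done. Run `go build ./... && go vet ./... && go mod tidy && git diff --exit-code go.mod go.sum` on this branch; a compile error in the broker packages or a non-empty tidy diff is the real signal of an incompatible API change between v1.41 and v1.44.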
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify hyperfleet-broker's current otel version requirement
cd /tmp && git clone --depth 1 https://github.com/openshift-hyperfleet/hyperfleet-broker.git && cd hyperfleet-broker && grep 'go.opentelemetry.io/otel' go.mod | head -5
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 350
🏁 Script executed:
#!/bin/bash
# Check hyperfleet-adapter's go.mod for broker version and any replace directives
head -40 go.mod
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 1548
🏁 Script executed:
#!/bin/bash
# Check if broker's version is being updated in this PR or if there are replace directives
grep -E 'hyperfleet-broker|replace|retract' go.mod
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 141
🏁 Script executed:
#!/bin/bash
# Check hyperfleet-broker's current go.mod to see if OTel is being updated
grep 'go.opentelemetry.io/otel' go.mod | head -10
Repository: openshift-hyperfleet/hyperfleet-broker
Length of output: 233
🏁 Script executed:
#!/bin/bash
# Check K8s and controller-runtime versions in this PR's go.mod
grep -E 'k8s.io|sigs.k8s.io/controller-runtime' go.mod
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 564
🏁 Script executed:
#!/bin/bash
# Check gRPC and protobuf versions
grep -E 'google.golang.org/grpc|google.golang.org/protobuf' go.mod
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 303
🏁 Script executed:
#!/bin/bash
# Check git history to find the previous K8s and controller-runtime versions
git log --oneline -10
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 128
🏁 Script executed:
#!/bin/bash
# Look at the diff to see what versions changed FROM and TO
git show HEAD:go.mod 2>/dev/null | grep -E 'k8s.io|sigs.k8s.io/controller-runtime' || echo "No previous version in HEAD"
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 564
🏁 Script executed:
#!/bin/bash
# Find previous go.mod state in git
git diff HEAD -- go.mod | grep -E 'k8s.io|sigs.k8s.io/controller-runtime' | head -20
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 65
🌐 Web query:
Kubernetes v0.36 breaking changes client-go apimachinery API stability
💡 Result:
In Kubernetes v1.36, the Go module versions for client-go, apimachinery, and related components were released as v0.36.0 [1][2][3]. While Kubernetes continues to maintain strict API stability guarantees for its external REST APIs, it has also introduced improved formal tracking for Go-level breaking changes in these libraries starting with this release [4]. Key points regarding Go API stability and breaking changes in v0.36: 1. Mandatory Go API Change Tracking: As of v1.36, the Kubernetes project has implemented mandatory tracking of breaking Go API changes for client-go and apimachinery [4]. These changes are now documented in Go-API/CHANGELOG.md files located within their respective repositories, providing developers with a clearer record of incompatible changes and required adaptations [4]. 2. General Stability Policy: Kubernetes maintains a strong backward compatibility policy for its stable REST APIs [5]. However, for Go library consumers (client-go, apimachinery), developers are advised that alpha APIs and internal structures may still evolve or change between releases [3]. The new tracking mechanism specifically addresses the challenge of identifying and managing breaking Go-level changes that previously required manual discovery through source code diffs or non-blocking CI jobs [4]. 3. Release Context: The v1.36 release (codenamed "Haru") included several significant deprecations and removals, such as the removal of the gitRepo volume driver and the deprecation of Service.spec.externalIPs [5]. While these are cluster-level changes, consumers of client-go should review their implementation to ensure compatibility with updated API schemas [5][3]. For specific technical migration requirements, you should consult the Go-API/CHANGELOG.md file within the k8s.io/client-go and k8s.io/apimachinery repositories on GitHub, which now serve as the primary authoritative source for identifying breaking Go API changes introduced in v0.36 [4].
Citations:
- 1: https://pkg.go.dev/k8s.io/apimachinery@v0.36.0
- 2: https://pkg.go.dev/k8s.io/api@v0.36.0
- 3: https://pkg.go.dev/k8s.io/client-go@v0.36.0
- 4: optional tracking and documentation of breaking Go API changes in client-go kubernetes/kubernetes#138351
- 5: https://kubernetes.io/blog/2026/04/22/kubernetes-v1-36-release/
🌐 Web query:
gRPC v1.81.0 breaking changes API
💡 Result:
gRPC v1.81.0 includes several breaking changes across its various language implementations. Below are the key breaking changes identified for this release: Go (grpc-go) - The minimum supported Go version has been increased to 1.25 [1][2]. Java (grpc-java) - Support for Android API levels 21 and 22 (Lollipop) has been dropped, requiring a minimum of API level 23 (Android 6.0 Marshmallow) [3][4]. - The method LoadBalancer.handleResolvedAddresses has been deprecated [3]. Developers are required to transition to LoadBalancer.acceptResolvedAddresses, which returns a Status object to allow explicit success reporting or rejection of updates [3]. Python (grpcio) - Support for Python 3.9 has been dropped [5][6][7]. - Python 2 backward compatibility syntax, specifically inheritance from (object), has been removed [5][6][7]. Ruby - Support for Ruby 3.1 has been dropped [5][6][7]. In addition to these breaking changes, the v1.81.0 release includes various refinements, bug fixes, and new features across gRPC Core and other language-specific stacks, such as improved metrics emission in Go [1][2] and new observability support for AsyncIO in Python [5][6]. Users are encouraged to review the full release notes for their specific language stack to ensure a smooth upgrade [3][6].
Citations:
- 1: https://github.com/grpc/grpc-go/releases/tag/v1.81.0
- 2: 🌱 Bump google.golang.org/grpc from 1.80.0 to 1.81.0 operator-framework/operator-lifecycle-manager#3822
- 3: https://github.com/grpc/grpc-java/releases/tag/v1.81.0
- 4: grpc/grpc-java@v1.80.0...v1.81.0
- 5: https://newreleases.io/project/github/grpc/grpc/release/v1.81.0
- 6: https://github.com/grpc/grpc/releases/tag/v1.81.0
- 7: https://newreleases.io/project/pypi/grpcio/release/1.81.0
🏁 Script executed:
#!/bin/bash
# Show the previous commit's go.mod to see the actual version jump
git show HEAD~1:go.mod 2>/dev/null | grep -E 'k8s.io|sigs.k8s.io/controller-runtime|go.opentelemetry.io/otel v' | head -20
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 65
🏁 Script executed:
#!/bin/bash
# Check what Go version requirement gRPC v1.81.1 has
# Also verify adapter's current Go version compatibility
head -3 go.mod
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 152
🏁 Script executed:
#!/bin/bash
# Check broker's gRPC and protobuf versions to assess compatibility with adapter
grep -E 'google.golang.org/grpc|google.golang.org/protobuf' go.mod
Repository: openshift-hyperfleet/hyperfleet-broker
Length of output: 248
OpenTelemetry version mismatch with transitive dependency from hyperfleet-broker creates runtime incompatibility.
Lines 23–28 update OTel core to v1.44.0. However, hyperfleet-broker v1.1.1 (line 12) currently pins v1.41.0 (confirmed in broker's go.mod). When this adapter imports broker, it will pull OTel v1.41.0 transitively while also depending on v1.44.0 directly. This creates a version conflict across the service stack:
- Adapter: otel v1.44.0 (this PR)
- Broker: otel v1.41.0 (transitive, not yet updated)
OTel trace/context propagation APIs changed between v1.41 and v1.44. Conflicting versions can cause trace initialization failures or context loss at runtime (CWE-1104: use of unmaintained/incompatible dependency). Broker's go.mod must be updated to OTel v1.44.0 before merging, or this PR must include a replace directive to align versions.
| google.golang.org/grpc v1.81.1 // indirect | ||
| google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect |
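Review bot: both lines in this hunk are marked `// indirect`, so the protobuf pseudo-version on line 2 is not a pin Renovate chose but the version minimal version selection settled on because some requirement in the graph asks for a commit past v1.36.11; editing the line down to v1.36.11 by hand is undone by the next `go mod tidy` unless that requirer is found (`go mod graph | grep 'google.golang.org/protobuf@'`) and itself lowered or replaced. Since a pseudo-version carries no tag and no release notes, the 'verify each pin' item for this line is the commit itself, f2248ac996af in the protobuf-go repository, together with the go.sum entry the adapter records for it; the gRPC bump on line 1 is a tagged patch release and needs only the normal build.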
🧩 Analysis chain
🌐 Web query:
Is google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af a stable or prerelease version? What are the breaking changes in google.golang.org/grpc v1.81.1?
💡 Result:
The version google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af is a prerelease version [1][2][3]. In the Go module system, versions following the vX.Y.Z-yyyymmddhhmmss-abcdefabcdef format are considered pseudo-versions, which are typically used for development or testing builds and are treated as prereleases compared to tagged, stable releases [3][4]. Regarding google.golang.org/grpc v1.81.1, this is a patch release focused on security and bug fixes [5][6]. It does not introduce breaking changes; instead, it includes the following updates: 1. Security Fix: Resolved a potential authorization bypass in xds/rbac where URI/DNS SANs could incorrectly fall through to the Subject Distinguished Name (DN) when matching authenticated principal names [5][6]. The fix ensures only the first non-empty identity source is used [5][6]. 2. Bug Fix: Fixed an issue in otel (OpenTelemetry) where client and server RPC information were incorrectly mixed, potentially causing one to overwrite the other [5][6]. Breaking changes were not a component of the v1.81.1 release [5][7]. Users should be aware that significant changes, such as increasing the minimum supported Go version to 1.25, were introduced in the preceding v1.81.0 release [8].
Citations:
- 1: https://pkg.go.dev/google.golang.org/protobuf@v1.36.12-0.20260120151049-f2248ac996af
- 2: https://deps.dev/go/google.golang.org%2Fprotobuf/v0.0.0-20200206185827-4eefd7788631/versions
- 3: https://pkg.go.dev/google.golang.org/protobuf@v0.0.0-20260120151049-f2248ac996af
- 4: https://github.com/protocolbuffers/protobuf-go/
- 5: https://github.com/grpc/grpc-go/releases/tag/v1.81.1
- 6: https://newreleases.io/project/github/grpc/grpc-go/release/v1.81.1
- 7: grpc/grpc-go@v1.81.0...v1.81.1
- 8: https://github.com/grpc/grpc-go/releases/tag/v1.81.0
🏁 Script executed:
#!/bin/bash
# Check if broker's go.mod is being modified in this PR, and compare gRPC/protobuf versions
echo "=== Adapter's go.mod (lines 176-177) ==="
sed -n '175,178p' go.mod
echo -e "\n=== Searching for any broker version updates ==="
grep "hyperfleet-broker" go.mod
echo -e "\n=== Checking git diff for go.mod changes (if available) ==="
if git diff HEAD^ HEAD -- go.mod 2>/dev/null | grep -E "(grpc|protobuf|broker)" | head -20; then
echo "Found changes"
else
echo "No git history available"
fi
Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 572
🏁 Script executed:
#!/bin/bash
# Check broker's current gRPC and protobuf versions
echo "=== Broker's gRPC and protobuf versions ==="
grep -E "(grpc|protobuf)" go.mod | grep -v "^//" || echo "Not found in broker's go.mod"
Repository: openshift-hyperfleet/hyperfleet-broker
Length of output: 292
Prerelease protobuf poses supply chain and compatibility risk across adapter↔broker boundary.
Lines 176–177 update to gRPC v1.81.1 and protobuf v1.36.12-0.20260120151049-... (prerelease). The pinned hyperfleet-broker v1.1.1 currently depends on gRPC v1.79.3 and protobuf v1.36.11 (stable releases).
Risks:
- CWE-829 (Untrusted Input): Prerelease protobuf version uses a pseudo-version timestamp, not a tagged stable release. While Google-official, this version bypasses semantic versioning guarantees and introduces supply chain uncertainty in production code.
- Version Skew at RPC Boundary: Adapter serializes protobuf messages with v1.36.12-prerelease; broker deserializes with v1.36.11-stable. Wire format changes in prerelease builds can silently break RPC communication (missing fields, incompatible encoding, etc.).
- No Corresponding Broker Update: Broker's go.mod is not updated in this PR. Broker will receive messages from adapter that may use prerelease protobuf encoding assumptions.
gRPC v1.81.1 itself introduces no breaking changes (only security fixes including xds/rbac authorization fix and otel bug fix), but prerelease protobuf across the service boundary is unacceptable.
Action: Replace prerelease protobuf with stable v1.36.11 or update broker's go.mod to also use v1.36.12 (stable) if available.
This PR contains the following updates:
v0.25.1→v0.25.2, v0.18.2→v0.20.0, v2.5.1→v2.6.0, v3.4.0→v3.5.0, v1.5.1→v1.5.2, v3.0.2→v3.1.0, v2.0.0→v2.0.1, v4.13.0→v4.13.1, v0.6.0→v0.7.0, v0.10.0→v0.10.1, v1.0.4→v1.1.0, v1.9.0→v1.10.1, v2.9.0→v2.9.2, v1.4.12→v1.4.13, v0.20.0→v0.46.2, v0.21.1→v0.23.1, v0.21.0→v0.21.6, v0.25.4→v0.26.1 (×12), v10.30.1→v10.30.3, v0.26.1→v0.28.1, v0.7.0→v0.7.1, v0.3.14→v0.3.16, v2.21.0→v2.22.0, v2.28.0→v2.29.0, v1.18.5→v1.18.6, v1.54.1→v1.54.2, v0.4.0→v0.4.1, v0.6.0→v0.7.0, v1.1.0→v1.1.1, v0.1.493→v0.1.503, v2.2.4→v2.3.1, v0.67.4→v0.68.1, v0.19.2→v0.20.1, v1.10.0→v1.11.0, v4.26.3→v4.26.5, v0.3.16→v0.4.0, v0.11.0→v0.12.0, v0.65.0→v0.69.0, v0.65.0→v0.69.0, v0.68.0→v0.69.0, v1.43.0→v1.44.0 (×12), v1.27.1→v1.28.0, v2.4.3→v2.4.4, v0.49.0→v0.53.0, v0.52.0→v0.56.0, v0.20.0→v0.21.0, v0.42.0→v0.46.0, v0.41.0→v0.44.0, v0.35.0→v0.38.0, v0.274.0→v0.284.0, v1.80.0→v1.81.1, v4.12.0→v4.13.0, v0.34.3→v0.36.2 (×3), v1.2.0→v1.3.0 (×2), v0.22.4→v0.24.1, v6.3.2→v6.4.0
Release Notes
google/cel-spec (cel.dev/expr)
v0.25.2 (Compare Source)
What's Changed
New Contributors
Full Changelog: google/cel-spec@v0.25.1...v0.25.2
googleapis/google-cloud-go (cloud.google.com/go/auth)
v0.20.0 (Compare Source)
bigquery: Support SchemaUpdateOptions for load jobs.
bigtable:
datastore: Add OpenCensus tracing.
firestore:
logging: Add a WriteTimeout option.
spanner: Support Batch API.
storage: Add OpenCensus tracing.
v0.19.0
bigquery:
bigtable:
datastore:
firestore:
logging:
profiler:
pubsub:
callback returns).
storage:
Masterminds/semver (github.com/Masterminds/semver/v3)
v3.5.0 (Compare Source)
What's Changed
New Contributors
Full Changelog: Masterminds/semver@v3.4.0...v3.5.0
ThreeDotsLabs/watermill (github.com/ThreeDotsLabs/watermill)
v1.5.2 (Compare Source)
What's Changed
New Contributors
Full Changelog: ThreeDotsLabs/watermill@v1.5.1...v1.5.2
ThreeDotsLabs/watermill-amqp (github.com/ThreeDotsLabs/watermill-amqp/v3)
v3.1.0 (Compare Source)
What's Changed
New Contributors
Full Changelog: ThreeDotsLabs/watermill-amqp@v3.0.2...v3.1.0
ThreeDotsLabs/watermill-googlecloud (github.com/ThreeDotsLabs/watermill-googlecloud/v2)
v2.0.1 (Compare Source)
What's Changed
Full Changelog: ThreeDotsLabs/watermill-googlecloud@v2.0.0...v2.0.1
antlr4-go/antlr (github.com/antlr4-go/antlr/v4)
v4.13.1: Release 4.13.1 (Compare Source)
The 4.13.1 release has:
using mutexes, when the user knows they will not use it with multiple
go routines. (Note, somewhat experimental)
Note that I did not remove the sort.Slices calls. They will not be experimental for long
and are implemented efficently. Please make a fork if you must use it without this
dependency. Maybe review whether you need to do so for the sake of one call.
docker/go-connections (github.com/docker/go-connections)
v0.7.0 (Compare Source)
ebitengine/purego (github.com/ebitengine/purego)
v0.10.1 (Compare Source)
felixge/httpsnoop (github.com/felixge/httpsnoop)
v1.1.0 (Compare Source)
fsnotify/fsnotify (github.com/fsnotify/fsnotify)
v1.10.1 (Compare Source)
Changes and fixes
inotify: don't remove sibling watches sharing a path prefix (#754)
inotify, windows: don't rename sibling watches sharing a path prefix
(#755)
v1.10.0 (Compare Source)
This version of fsnotify needs Go 1.23.
Changes and fixes
inotify: improve initialization error message (#731)
inotify: send Rename event if recursive watch is renamed (#696)
inotify: avoid copying event buffers when reading names (#741)
kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a bad entry no longer aborts Watcher.Add for the whole directory (#748)
kqueue: drop watches directly in Close() to fix a file descriptor leak when recycling watchers (#740)
windows: fix nil pointer dereference in remWatch (#736)
windows: lock watch field updates against concurrent WatchList to fix a race introduced in v1.9.0 (#709, #749)
fxamacker/cbor (github.com/fxamacker/cbor/v2)
v2.9.2 (Compare Source)
This release refactors and hardens the streaming encoder by adding stricter checks for encoding CBOR indefinite-length data. Other changes include minor bugfixes, defensive checks, and more tests.
Projects that don't use CBOR indefinite-length data may also want to upgrade (summary of prior releases).
The stricter checks in the encoder prevent improper use of the library and bad inputs from producing malformed CBOR indefinite-length data that would be rejected by the decoder.
This release passed fuzz tests (billions of execs) and it is production quality.
What's Changed
CI / GitHub Actions and Docs
🔎 Details...
Full Changelog: fxamacker/cbor@v2.9.1...v2.9.2
v2.9.1 (Compare Source)
This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.
🐞 Bug fixes related to the keyasint feature
These changes only affect Go struct fields tagged with keyasint:
- math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #757)
- keyasint tag values (PR #757)
🐞 Other bug fixes and defensive checks
Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).
NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).
- RawMessage from RawMessage.MarshalCBOR (PR #753)
- U+FFFD replacement character (PR #753)
What's Changed
- TimeRFC3339NanoUTC by @fxamacker in #688
CI / GitHub Actions and Docs
🔎 Details...
Configuration
📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.