[TT-13741] [release-5.7] exp/modcheck: Update go.mod dependencies

[buger]

User description

TT-13741

Summary	CVE checks for 5.3.9 and 5.7.1
Type	Task
Status	In Dev
Points	N/A
Labels	-

---

Triggered by: titpetric
JIRA: https://tyktech.atlassian.net/browse/TT-13741

IMPORT	VERSION	LATEST	WARNINGS	CVES
getkin/kin-openapi	v0.115.0	v0.128.0	Held back from upgrade
pires/go-proxyproto	v0.7.0	v0.8.0		0 of 1
robertkrimen/otto	v0.4.0	v0.5.1
stretchr/testify	v1.9.0	v1.10.0
valyala/fasthttp	v1.55.0	v1.58.0		0 of 1
golang.org/x/crypto	v0.29.0	v0.31.0		0 of 11
golang.org/x/net	v0.31.0	v0.33.0		0 of 17
golang.org/x/sync	v0.9.0	v0.10.0
google.golang.org/grpc	v1.67.1	v1.69.2		0 of 2
google.golang.org/protobuf	v1.35.1	v1.36.0		0 of 2
redis/go-redis/v9	v9.6.1	v9.7.0
IBM/sarama	v1.43.1	v1.43.3
goccy/go-json	v0.10.3	v0.10.4
nats-io/nats.go	v1.37.0	v1.38.0
newrelic/go-agent	v2.13.0 +incompatible	v3.35.1+incompatible	Held back from upgrade
testcontainers/testcontainers-go	v0.33.0	v0.34.0
testcontainers/testcontainers-go/modules/kafka	v0.33.0	v0.34.0
testcontainers/testcontainers-go/modules/nats	v0.33.0	v0.34.0
go.opentelemetry.io/otel	v1.32.0	v1.33.0	Held back from upgrade
go.opentelemetry.io/otel/trace	v1.32.0	v1.33.0	Held back from upgrade
go.uber.org/mock	v0.4.0	v0.5.0
golang.org/x/oauth2	v0.23.0	v0.24.0

Steps performed

+ go get github.com/pires/[email protected]
go: upgraded github.com/pires/go-proxyproto v0.7.0 => v0.8.0
+ go get github.com/robertkrimen/[email protected]
go: upgraded github.com/robertkrimen/otto v0.4.0 => v0.5.1
+ go get github.com/stretchr/[email protected]
go: upgraded github.com/stretchr/testify v1.9.0 => v1.10.0
+ go get github.com/valyala/[email protected]
go: upgraded github.com/valyala/fasthttp v1.55.0 => v1.58.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/crypto v0.29.0 => v0.31.0
go: upgraded golang.org/x/sync v0.9.0 => v0.10.0
go: upgraded golang.org/x/sys v0.27.0 => v0.28.0
go: upgraded golang.org/x/text v0.20.0 => v0.21.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/net v0.31.0 => v0.33.0
+ go get golang.org/x/[email protected]
+ go get google.golang.org/[email protected]
go: upgraded google.golang.org/grpc v1.67.1 => v1.69.2
+ go get google.golang.org/[email protected]
go: upgraded google.golang.org/protobuf v1.35.1 => v1.36.0
+ go get github.com/redis/go-redis/[email protected]
go: upgraded github.com/redis/go-redis/v9 v9.6.1 => v9.7.0
+ go get github.com/IBM/[email protected]
go: upgraded github.com/IBM/sarama v1.43.1 => v1.43.3
go: upgraded github.com/eapache/go-resiliency v1.6.0 => v1.7.0
+ go get github.com/goccy/[email protected]
go: upgraded github.com/goccy/go-json v0.10.3 => v0.10.4
+ go get github.com/nats-io/[email protected]
go: upgraded github.com/nats-io/nats.go v1.37.0 => v1.38.0
go: upgraded github.com/nats-io/nkeys v0.4.7 => v0.4.9
+ go get github.com/testcontainers/[email protected]
go: upgraded github.com/cpuguy83/dockercfg v0.3.1 => v0.3.2
go: upgraded github.com/testcontainers/testcontainers-go v0.33.0 => v0.34.0
+ go get github.com/testcontainers/testcontainers-go/modules/[email protected]
go: module github.com/testcontainers/[email protected] found, but does not contain package github.com/testcontainers/testcontainers-go/modules/kafka
+ go get github.com/testcontainers/testcontainers-go/modules/[email protected]
go: module github.com/testcontainers/[email protected] found, but does not contain package github.com/testcontainers/testcontainers-go/modules/nats
+ go get go.uber.org/[email protected]
go: upgraded go.uber.org/mock v0.4.0 => v0.5.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/oauth2 v0.23.0 => v0.24.0

go mod tidy output

---

PR Type

dependencies

---

Description

• Updated go.mod to upgrade multiple dependencies to their latest versions, improving compatibility, security, and functionality.
• Updated go.sum to reflect the checksum changes corresponding to the updated dependencies in go.mod.
• Key dependency upgrades include:
  • github.com/pires/go-proxyproto from v0.7.0 to v0.8.0.
  • github.com/robertkrimen/otto from v0.4.0 to v0.5.1.
  • github.com/stretchr/testify from v1.9.0 to v1.10.0.
  • golang.org/x/crypto from v0.29.0 to v0.31.0.
  • google.golang.org/grpc from v1.67.1 to v1.69.2.
  • golang.org/x/net from v0.31.0 to v0.33.0.
  • golang.org/x/sync from v0.9.0 to v0.10.0.
  • golang.org/x/text from v0.20.0 to v0.21.0.

---

Changes walkthrough 📝

Relevant files

Dependencies

go.mod Update dependencies in go.mod to latest versions                  go.mod Updated multiple dependencies to newer versions. Improved compatibility and security by upgrading libraries. Adjusted indirect dependencies to align with direct dependency updates. +21/-21  go.sum Update go.sum checksums for dependency updates                      go.sum Updated checksums for dependencies in line with go.mod changes. Ensured integrity and consistency of dependency versions. +46/-44

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[buger]

Knock Knock! 🔍

Just thought I'd let you know that your PR title and story title look quite different. PR titles that closely resemble the story title make it easier for reviewers to understand the context of the PR.

An easy-to-understand PR title a day makes the reviewer review away! 😛⚡️

Story Title	CVE checks for 5.3.9 and 5.7.1
PR Title	[TT-13741] [release-5.7] exp/modcheck: Update go.mod dependencies

Check out this guide to learn more about PR best-practices.

[github-actions]

API Changes

no api changes detected

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Dependency Updates Several dependencies have been updated to newer versions. Ensure that these updates do not introduce breaking changes or incompatibilities with the existing codebase. Dependency Integrity Verify the integrity and compatibility of the updated dependencies listed in go.sum to ensure they align with the changes in go.mod.

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
General	Verify compatibility of updated dependencies with the existing codebase to prevent runtime issues Ensure that all updated dependencies are compatible with the existing codebase and do not introduce breaking changes, especially for critical libraries like golang.org/x/crypto, google.golang.org/grpc, and github.com/stretchr/testify. go.mod [67-72] ++ golang.org/x/crypto v0.31.0 ++ google.golang.org/grpc v1.69.2 ++ github.com/stretchr/testify v1.10.0 // test - Suggestion importance[1-10]: 6 Why: The suggestion to verify compatibility of updated dependencies is valid and important to prevent runtime issues. However, it is not actionable as it does not provide specific steps or insights into potential compatibility concerns.	6
	Test for regressions or unexpected behavior due to dependency updates Test the application thoroughly to ensure that updates to dependencies like github.com/nats-io/nkeys and golang.org/x/sys do not introduce regressions or unexpected behavior. go.mod [230-290] ++ github.com/nats-io/nkeys v0.4.9 // indirect ++ golang.org/x/sys v0.28.0 // indirect - Suggestion importance[1-10]: 6 Why: Testing for regressions or unexpected behavior is a valid and necessary step after updating dependencies. However, the suggestion lacks specificity and does not provide actionable steps for testing.	6
	Ensure updated dependencies do not introduce breaking changes or deprecations Review the changes to ensure that the updated versions of dependencies like github.com/pires/go-proxyproto and github.com/robertkrimen/otto do not introduce breaking API changes or deprecations. go.mod [56-58] ++ github.com/pires/go-proxyproto v0.8.0 ++ github.com/robertkrimen/otto v0.5.1 - Suggestion importance[1-10]: 6 Why: The suggestion to review updated dependencies for breaking changes or deprecations is valid and important. However, it is not actionable and does not provide specific details or methods for performing the review.	6
Security	Validate the necessity and security of newly added indirect dependencies Confirm that the new indirect dependencies, such as github.com/cpuguy83/dockercfg and github.com/eapache/go-resiliency, are necessary and do not introduce unnecessary bloat or security vulnerabilities. go.mod [136-145] ++ github.com/cpuguy83/dockercfg v0.3.2 // indirect ++ github.com/eapache/go-resiliency v1.7.0 // indirect - Suggestion importance[1-10]: 5 Why: While the suggestion to confirm the necessity and security of new indirect dependencies is relevant, it is not actionable and does not provide specific guidance on how to validate these aspects.	5

[sonarqubecloud]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

[titpetric]

/release to release-5.7.1

[tykbot]

Working on it! Note that it can take a few minutes.

[tykbot]

@titpetric Seems like there is conflict and it require manual merge.