
Merging to release-5.7.1: [TT-13741] [release-5.7] exp/modcheck: Update go.mod dependencies (#6796) #6800

Conversation

@buger (Member) commented Dec 20, 2024

User description

TT-13741 [release-5.7] exp/modcheck: Update go.mod dependencies (#6796)

TT-13741
  • Summary: CVE checks for 5.3.9 and 5.7.1
  • Type: Task
  • Status: In Dev
  • Points: N/A
  • Labels: -

Triggered by: titpetric
JIRA: https://tyktech.atlassian.net/browse/TT-13741

| IMPORT | VERSION | LATEST | WARNINGS | CVES |
|:---|:---|:---|:---|:---|
| getkin/kin-openapi | v0.115.0 | v0.128.0 | Held back from upgrade | |
| pires/go-proxyproto | v0.7.0 | v0.8.0 | | 0 of 1 |
| robertkrimen/otto | v0.4.0 | v0.5.1 | | |
| stretchr/testify | v1.9.0 | v1.10.0 | | |
| valyala/fasthttp | v1.55.0 | v1.58.0 | | 0 of 1 |
| golang.org/x/crypto | v0.29.0 | v0.31.0 | | 0 of 11 |
| golang.org/x/net | v0.31.0 | v0.33.0 | | 0 of 17 |
| golang.org/x/sync | v0.9.0 | v0.10.0 | | |
| google.golang.org/grpc | v1.67.1 | v1.69.2 | | 0 of 2 |
| google.golang.org/protobuf | v1.35.1 | v1.36.0 | | 0 of 2 |
| redis/go-redis/v9 | v9.6.1 | v9.7.0 | | |
| IBM/sarama | v1.43.1 | v1.43.3 | | |
| goccy/go-json | v0.10.3 | v0.10.4 | | |
| nats-io/nats.go | v1.37.0 | v1.38.0 | | |
| newrelic/go-agent | v2.13.0+incompatible | v3.35.1+incompatible | Held back from upgrade | |
| testcontainers/testcontainers-go | v0.33.0 | v0.34.0 | | |
| testcontainers/testcontainers-go/modules/kafka | v0.33.0 | v0.34.0 | | |
| testcontainers/testcontainers-go/modules/nats | v0.33.0 | v0.34.0 | | |
| go.opentelemetry.io/otel | v1.32.0 | v1.33.0 | Held back from upgrade | |
| go.opentelemetry.io/otel/trace | v1.32.0 | v1.33.0 | Held back from upgrade | |
| go.uber.org/mock | v0.4.0 | v0.5.0 | | |
| golang.org/x/oauth2 | v0.23.0 | v0.24.0 | | |

Steps performed

~~~
+ go get github.com/pires/[email protected]
go: upgraded github.com/pires/go-proxyproto v0.7.0 => v0.8.0
+ go get github.com/robertkrimen/[email protected]
go: upgraded github.com/robertkrimen/otto v0.4.0 => v0.5.1
+ go get github.com/stretchr/[email protected]
go: upgraded github.com/stretchr/testify v1.9.0 => v1.10.0
+ go get github.com/valyala/[email protected]
go: upgraded github.com/valyala/fasthttp v1.55.0 => v1.58.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/crypto v0.29.0 => v0.31.0
go: upgraded golang.org/x/sync v0.9.0 => v0.10.0
go: upgraded golang.org/x/sys v0.27.0 => v0.28.0
go: upgraded golang.org/x/text v0.20.0 => v0.21.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/net v0.31.0 => v0.33.0
+ go get golang.org/x/[email protected]
+ go get google.golang.org/[email protected]
go: upgraded google.golang.org/grpc v1.67.1 => v1.69.2
+ go get google.golang.org/[email protected]
go: upgraded google.golang.org/protobuf v1.35.1 => v1.36.0
+ go get github.com/redis/go-redis/[email protected]
go: upgraded github.com/redis/go-redis/v9 v9.6.1 => v9.7.0
+ go get github.com/IBM/[email protected]
go: upgraded github.com/IBM/sarama v1.43.1 => v1.43.3
go: upgraded github.com/eapache/go-resiliency v1.6.0 => v1.7.0
+ go get github.com/goccy/[email protected]
go: upgraded github.com/goccy/go-json v0.10.3 => v0.10.4
+ go get github.com/nats-io/[email protected]
go: upgraded github.com/nats-io/nats.go v1.37.0 => v1.38.0
go: upgraded github.com/nats-io/nkeys v0.4.7 => v0.4.9
+ go get github.com/testcontainers/[email protected]
go: upgraded github.com/cpuguy83/dockercfg v0.3.1 => v0.3.2
go: upgraded github.com/testcontainers/testcontainers-go v0.33.0 => v0.34.0
+ go get github.com/testcontainers/testcontainers-go/modules/[email protected]
go: module github.com/testcontainers/[email protected] found, but does not contain package github.com/testcontainers/testcontainers-go/modules/kafka
+ go get github.com/testcontainers/testcontainers-go/modules/[email protected]
go: module github.com/testcontainers/[email protected] found, but does not contain package github.com/testcontainers/testcontainers-go/modules/nats
+ go get go.uber.org/[email protected]
go: upgraded go.uber.org/mock v0.4.0 => v0.5.0
+ go get golang.org/x/[email protected]
go: upgraded golang.org/x/oauth2 v0.23.0 => v0.24.0
~~~

go mod tidy output: (empty)


PR Type

dependencies


Description

  • Updated go.mod to upgrade multiple dependencies to their latest
    versions, improving compatibility, security, and functionality.
  • Updated go.sum to reflect the checksum changes corresponding to the
    updated dependencies in go.mod.
  • Key dependency upgrades include:
    • github.com/pires/go-proxyproto from v0.7.0 to v0.8.0.
    • github.com/robertkrimen/otto from v0.4.0 to v0.5.1.
    • github.com/stretchr/testify from v1.9.0 to v1.10.0.
    • golang.org/x/crypto from v0.29.0 to v0.31.0.
    • google.golang.org/grpc from v1.67.1 to v1.69.2.
    • golang.org/x/net from v0.31.0 to v0.33.0.
    • golang.org/x/sync from v0.9.0 to v0.10.0.
    • golang.org/x/text from v0.20.0 to v0.21.0.

Changes walkthrough 📝

Relevant files

Dependencies

  • go.mod (+21/-21, https://github.com/TykTechnologies/tyk/pull/6796/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6): Update dependencies in go.mod to latest versions
    • Updated multiple dependencies to newer versions.
    • Improved compatibility and security by upgrading libraries.
    • Adjusted indirect dependencies to align with direct dependency updates.
  • go.sum (+46/-44, https://github.com/TykTechnologies/tyk/pull/6796/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63): Update go.sum checksums for dependency updates
    • Updated checksums for dependencies in line with go.mod changes.
    • Ensured integrity and consistency of dependency versions.

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

Co-authored-by: titpetric [email protected]


(cherry picked from commit 178b853)
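The "Steps performed" transcript above is the evidence that each upgrade actually took effect, and two of its lines (`go: module ... found, but does not contain package ...`) report lookups that produced no upgrade at all. The Go program below is an added example, not part of this PR and not Tyk's exp/modcheck tool: it reads such a transcript, rejoins lines that a viewer wrapped, and lists every module requested with `go get` for which no `go: upgraded` line appears anywhere in the log, which is the set a reviewer should confirm by hand in go.mod. The embedded sample transcript is constructed from a few lines of this PR's log; the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Upgrade records one "go: upgraded MODULE OLD => NEW" line.
type Upgrade struct {
	Module, From, To string
}

// Audit is what the transcript proves about the upgrade run.
type Audit struct {
	Requested  []string           // module paths named in "+ go get PATH@VERSION" lines
	Upgrades   map[string]Upgrade // module path -> the upgrade go reported for it
	NotApplied []string           // requested paths with no "go: upgraded" line anywhere in the log
	Errors     []string           // "go: module ... found, but does not contain package ..." lines
}

var (
	reGet      = regexp.MustCompile(`^\+ go get (\S+)`)
	reUpgraded = regexp.MustCompile(`^go: upgraded (\S+) (\S+) => (\S+)$`)
)

// joinWrapped rejoins transcript lines that a viewer or mailer wrapped: anything
// that does not start a new command ("+ ") or a new go message ("go:") is glued
// onto the previous line.
func joinWrapped(log string) []string {
	var out []string
	for _, raw := range strings.Split(log, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		if len(out) == 0 || strings.HasPrefix(line, "+ ") || strings.HasPrefix(line, "go:") {
			out = append(out, line)
			continue
		}
		out[len(out)-1] += " " + line
	}
	return out
}

// AuditGoGetLog parses a "set -x" style go get transcript. A requested module
// lands in NotApplied when no upgrade line mentions it: either it was already at
// the requested version (pulled in by an earlier step) or the command failed,
// and go.mod must be checked either way.
func AuditGoGetLog(log string) Audit {
	a := Audit{Upgrades: map[string]Upgrade{}}
	for _, line := range joinWrapped(log) {
		if m := reGet.FindStringSubmatch(line); m != nil {
			a.Requested = append(a.Requested, strings.SplitN(m[1], "@", 2)[0])
			continue
		}
		if m := reUpgraded.FindStringSubmatch(line); m != nil {
			a.Upgrades[m[1]] = Upgrade{Module: m[1], From: m[2], To: m[3]}
			continue
		}
		if strings.HasPrefix(line, "go: module ") && strings.Contains(line, "does not contain package") {
			a.Errors = append(a.Errors, line)
		}
	}
	for _, p := range a.Requested {
		if _, ok := a.Upgrades[p]; !ok {
			a.NotApplied = append(a.NotApplied, p)
		}
	}
	sort.Strings(a.NotApplied)
	return a
}

// sampleLog is constructed from a few lines of this PR's transcript, wrapped the
// way the PR page shows them (this is sample input, not the full log).
const sampleLog = `+ go get github.com/pires/go-proxyproto@v0.8.0
go: upgraded github.com/pires/go-proxyproto v0.7.0 => v0.8.0
+ go get golang.org/x/crypto@v0.31.0
go: upgraded golang.org/x/crypto v0.29.0 => v0.31.0
go: upgraded golang.org/x/sys v0.27.0 => v0.28.0
+ go get golang.org/x/sys@v0.28.0
+ go get github.com/testcontainers/testcontainers-go@v0.34.0
go: upgraded github.com/testcontainers/testcontainers-go v0.33.0 =>
v0.34.0
+ go get
github.com/testcontainers/testcontainers-go/modules/kafka@v0.34.0
go: module github.com/testcontainers/testcontainers-go@v0.34.0 found,
but does not contain package
github.com/testcontainers/testcontainers-go/modules/kafka
`

func main() {
	a := AuditGoGetLog(sampleLog)
	fmt.Printf("requested %d modules, %d upgrade lines\n", len(a.Requested), len(a.Upgrades))
	for _, p := range a.NotApplied {
		fmt.Println("no upgrade recorded for:", p)
	}
	for _, e := range a.Errors {
		fmt.Println("error:", e)
	}
}
```

On the sample, `golang.org/x/sys` is not flagged even though its own `go get` printed nothing, because the x/crypto step had already raised it to v0.28.0; the testcontainers kafka module is flagged, because the only line about it is the "does not contain package" error.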
Contributor

API Changes

no api changes detected

Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

6796 - Partially compliant

Fully compliant requirements:

• Update go.mod dependencies to their latest versions.
• Update go.sum to reflect checksum changes for updated dependencies.

Not compliant requirements:

• Ensure compatibility, security, and functionality improvements through dependency upgrades.

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review

Dependency Compatibility
Verify that the updated dependencies in go.mod are compatible with the existing codebase and do not introduce breaking changes.

Dependency Integrity
Ensure that the updated checksums in go.sum accurately reflect the changes in go.mod and maintain dependency integrity.
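The "Dependency Integrity" item above asks the reviewer to confirm that go.sum matches go.mod. What go.sum stores is deterministic and can be recomputed: each `h1:` value is the dirhash Hash1 digest that `go mod verify` uses, which is SHA-256 over the line `"<sha256 hex of file>  <file name>\n"` for every file in sorted name order, base64-encoded. The Go program below is an added example, not code from Tyk or from the Go toolchain: it reimplements that digest with the standard library, parses go.sum lines, and checks a module's go.mod against the recorded `<module> <version>/go.mod h1:...` entry, reporting a mismatch when the file has been altered. The module `example.com/dep`, its version and its contents are constructed; all function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 reproduces the "h1:" digest recorded in go.sum (the dirhash.Hash1
// algorithm): for each file in sorted name order, append "<sha256 hex>  <name>\n"
// to a running SHA-256, then base64-encode the final digest.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// GoModHash is the digest behind a "<module> <version>/go.mod h1:..." line:
// Hash1 over the single file named "go.mod".
func GoModHash(goMod []byte) string {
	return Hash1(map[string][]byte{"go.mod": goMod})
}

// ZipHash is the digest behind a "<module> <version> h1:..." line: Hash1 over the
// module zip's entries, whose names carry the "<module>@<version>/" prefix.
func ZipHash(module, version string, files map[string][]byte) string {
	prefixed := make(map[string][]byte, len(files))
	for n, data := range files {
		prefixed[module+"@"+version+"/"+n] = data
	}
	return Hash1(prefixed)
}

// ParseGoSum maps "<module> <version>" or "<module> <version>/go.mod" to its hash.
func ParseGoSum(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // blank line or something that is not a go.sum entry
		}
		out[f[0]+" "+f[1]] = f[2]
	}
	return out
}

// VerifyGoMod recomputes the go.mod digest for module@version and compares it
// with the go.sum entry, returning ok plus a human-readable reason.
func VerifyGoMod(goSum map[string]string, module, version string, goMod []byte) (bool, string) {
	key := module + " " + version + "/go.mod"
	want, ok := goSum[key]
	if !ok {
		return false, "no go.sum entry for " + key
	}
	got := GoModHash(goMod)
	if got != want {
		return false, fmt.Sprintf("mismatch for %s: go.sum has %s, computed %s", key, want, got)
	}
	return true, "ok"
}

func main() {
	// Constructed module and go.sum; the hash is computed, not copied from any real project.
	goMod := []byte("module example.com/dep\n\ngo 1.22\n")
	goSum := ParseGoSum("example.com/dep v0.2.0/go.mod " + GoModHash(goMod) + "\n")

	ok, why := VerifyGoMod(goSum, "example.com/dep", "v0.2.0", goMod)
	fmt.Println(ok, why)

	// One changed byte in go.mod (go 1.22 -> go 1.23) must be caught.
	ok, why = VerifyGoMod(goSum, "example.com/dep", "v0.2.0", []byte("module example.com/dep\n\ngo 1.23\n"))
	fmt.Println(ok, why)
}
```

Because the digest depends only on file names and contents, a go.sum line changes exactly when the module version (and so its content) changes; for a PR like this one, the expected go.sum diff is therefore one pair of new `h1:` lines per upgraded module, and `go mod verify` checks the cached module contents against them.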

Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General

Suggestion: Ensure compatibility of the updated go-proxyproto dependency with the current codebase to avoid potential breaking changes

Verify compatibility of the updated github.com/pires/go-proxyproto dependency (v0.8.0) with the existing codebase, as breaking changes might have been introduced since v0.7.0.

go.mod [56]

    -github.com/pires/go-proxyproto v0.8.0
    +github.com/pires/go-proxyproto v0.7.0
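Review bot: the `+` line here pins go-proxyproto back to v0.7.0, which reverses the upgrade this PR exists to make (TT-13741 is the CVE check for 5.3.9 and 5.7.1, and the table in the description lists CVE information for this module); the Why text below already calls the revert non-actionable, so the concrete review step is to run the repository's test suite and `go vet ./...` against v0.8.0, not to apply this diff.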
Suggestion importance [1-10]: 8

Why: The suggestion to verify compatibility of the updated github.com/pires/go-proxyproto dependency is valid and important, as breaking changes could impact the functionality of the codebase. However, the improved code suggests reverting to the older version, which is not actionable without further context or testing.

Suggestion: Check the updated nkeys dependency for compatibility and stability with existing integrations

Test the integration of the updated github.com/nats-io/nkeys dependency (v0.4.9) to ensure it does not introduce unexpected behavior compared to v0.4.7.

go.mod [230]

    -github.com/nats-io/nkeys v0.4.9 // indirect
    +github.com/nats-io/nkeys v0.4.7 // indirect
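Review bot: this `+` line hand-edits an `// indirect` requirement downward, which does not stick: the steps log shows nkeys was raised from v0.4.7 to v0.4.9 as a side effect of upgrading nats.go to v1.38.0, so that nats.go version requires at least v0.4.9 and minimal version selection keeps v0.4.9 regardless of this line, and `go mod tidy` would rewrite it. The compatibility question is answered by running the NATS-related tests against v0.4.9, not by editing go.mod.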
Suggestion importance [1-10]: 8

Why: The suggestion to test the integration of the updated github.com/nats-io/nkeys dependency is valid and crucial for ensuring stability, as dependency updates can introduce unexpected behavior. The improved code suggests reverting to the older version, which is not directly actionable without further testing.

Suggestion: Verify the updated x/sys dependency for compatibility with system-level operations

Ensure that the updated golang.org/x/sys dependency (v0.28.0) does not introduce breaking changes or deprecations that could affect system-level functionality.

go.mod [290]

    -golang.org/x/sys v0.28.0 // indirect
    +golang.org/x/sys v0.27.0 // indirect
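Review bot: x/sys is `// indirect` here and, per the steps log, was already moved to v0.28.0 by the x/crypto upgrade (the later explicit `go get` for x/sys printed nothing because it was already there), so pinning v0.27.0 in go.mod would be overridden by the x/crypto v0.31.0 requirement the moment `go mod tidy` runs. Since x/sys changes are platform-specific, the useful check is `go build ./...` and `go test ./...` on every OS/arch the gateway is released for, rather than this revert.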
Suggestion importance [1-10]: 8

Why: The suggestion to ensure compatibility of the updated golang.org/x/sys dependency is important, as system-level functionality could be affected by breaking changes or deprecations. However, the improved code suggests reverting to the older version, which is not actionable without further analysis or testing.

Suggestion: Validate the updated testify dependency to ensure it does not impact test outcomes

Confirm that the updated github.com/stretchr/testify dependency (v1.10.0) does not introduce changes that could affect test behavior or results.

go.mod [62]

    -github.com/stretchr/testify v1.10.0 // test
    +github.com/stretchr/testify v1.9.0 // test
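Review bot: testify is marked `// test` in this go.mod, so its version cannot change the shipped binary; the only meaningful check for the v1.10.0 bump is that `go test ./...` still passes, which the CI checks on this PR (37 of 39 passed per the merge record below) already exercise. A revert to v1.9.0 adds nothing and should not be applied.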
Suggestion importance [1-10]: 7

Why: The suggestion to confirm the updated github.com/stretchr/testify dependency's impact on test behavior is reasonable, as changes in testing libraries can affect test results. However, the improved code suggests reverting to the older version, which is not directly actionable.

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@titpetric titpetric merged commit 4dc625c into release-5.7.1 Dec 20, 2024
37 of 39 checks passed
@titpetric titpetric deleted the merge/release-5.7.1/178b853603778e89666b6f054e2b3b02192d4d38 branch December 20, 2024 09:42