update module mod #457

Merged
merged 3 commits into from
Nov 20, 2024
wangjiulian (Collaborator) commented Nov 19, 2024

Summary by CodeRabbit

  • New Features

    • Updated dependencies across multiple modules to ensure compatibility and security.
  • Bug Fixes

    • Addressed vulnerabilities by updating github.com/gin-gonic/gin to version v1.9.0.
  • Chores

    • Removed local path references in module dependencies for better organization and clarity.

coderabbitai bot commented Nov 19, 2024

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (3)
  • modules/nft/go.sum is excluded by !**/*.sum
  • modules/random/go.sum is excluded by !**/*.sum
  • modules/record/go.sum is excluded by !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The pull request includes updates to the go.mod files across several modules, specifically nft, random, record, and service. The primary focus of these updates is on changing dependency versions to more recent commits, ensuring compatibility and security. The replace directives have also been modified to remove local path references, indicating a shift towards using specific module versions rather than local development paths.

Changes

| File Path | Change Summary |
| --- | --- |
| modules/nft/go.mod | Updated dependencies: mods.irisnet.org/api, mods.irisnet.org/simapp, github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt/v4, github.com/gin-gonic/gin. |
| modules/random/go.mod | Updated dependencies: mods.irisnet.org/modules/service, mods.irisnet.org/simapp. Updated paths in replace block. |
| modules/record/go.mod | Updated dependencies: mods.irisnet.org/api, mods.irisnet.org/simapp. Removed local path references in replace block. |
| modules/service/go.mod | Updated dependencies: mods.irisnet.org/api, mods.irisnet.org/simapp. Modified replace directives. |

Suggested reviewers

  • dreamer-zq
  • mitch1024

Poem

🐇 In the meadow where dependencies play,
Versions updated, hip-hip-hooray!
Paths now clearer, no more local strife,
With each little change, we enhance our life.
So hop along, let’s celebrate this cheer,
For a brighter code future is surely near! 🌼


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)
modules/record/go.mod (1)

Line range hint 185-196: Track security-related TODO items in replace directives

There are two security-related TODOs that should be tracked:

  1. Replacement of deprecated jwt-go package (Remove dgrijalva/jwt-go go-mod replace cosmos/cosmos-sdk#13134)
  2. Fix for GHSA-h395-qcrw-5vmq vulnerability in gin-gonic/gin (Remove go.mod replace line for gin-gonic/gin cosmos/cosmos-sdk#10409)

These temporary fixes should be properly addressed in future updates.

Would you like me to create GitHub issues to track these security-related TODOs?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 3452658 and 1371286.

⛔ Files ignored due to path filters (4)
  • modules/nft/go.sum is excluded by !**/*.sum
  • modules/random/go.sum is excluded by !**/*.sum
  • modules/record/go.sum is excluded by !**/*.sum
  • modules/service/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • modules/nft/go.mod (1 hunks)
  • modules/random/go.mod (1 hunks)
  • modules/record/go.mod (1 hunks)
  • modules/service/go.mod (1 hunks)
🔇 Additional comments (5)
modules/record/go.mod (1)

27-28: Verify compatibility with updated mods.irisnet.org dependencies

The update to newer commits (June 2024 → November 2024) for both api and simapp modules may introduce breaking changes.

✅ Verification successful

Let me try another approach to verify the dependency changes.


Let me analyze the imports more deeply to understand the dependency usage patterns.


Based on the analysis of the codebase and dependency usage, I can now provide a final response:

Dependencies update appears safe to proceed

The version update for mods.irisnet.org dependencies (api and simapp) shows:

  1. The modules are used primarily for dependency injection (depinject.go files) and testing
  2. No breaking changes or compatibility issues were found in the codebase
  3. The record module's consensus version remains at 1, indicating no breaking protocol changes
  4. The update moves both dependencies in sync to the same version (20241118093307-345265846e1d)
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential breaking changes in the updated dependencies

# Check git logs for breaking changes between the versions
for repo in api simapp; do
  echo "Checking $repo for breaking changes..."
  gh api repos/irisnet/mods.irisnet.org/commits \
    --jq '.[] | select(.sha | startswith("345265846e1d") or startswith("4cb043e0238a")) | {sha: .sha, message: .commit.message}' \
    | grep -iE "break|deprecat|remov|chang|upgrad"
done

# Check if there are any incompatible API changes
rg -l "mods\.irisnet\.org/(api|simapp)" | xargs rg "deprecated|breaking"

Length of output: 1898


Script:

#!/bin/bash
# Check for API usage patterns and potential breaking changes

# Find all Go files that import these modules
echo "Files importing mods.irisnet.org/api:"
rg -l "mods\.irisnet\.org/api" --type go

echo -e "\nFiles importing mods.irisnet.org/simapp:"
rg -l "mods\.irisnet\.org/simapp" --type go

# Check the actual import statements and usage
echo -e "\nImport patterns for api module:"
rg "import.*mods\.irisnet\.org/api" --type go -A 3

echo -e "\nImport patterns for simapp module:"
rg "import.*mods\.irisnet\.org/simapp" --type go -A 3

# Look for any test files that might indicate version compatibility
echo -e "\nChecking test files for version-specific tests:"
fd -e go -E "vendor" --exec grep -l "TestVersion|CompatibilityTest|Breaking" {} \;

Length of output: 2817


Script:

#!/bin/bash
# Analyze the actual usage of the dependencies

# Check the specific imports from api module
echo "API imports and usage patterns:"
rg -A 5 "\"mods\.irisnet\.org/api" --type go

# Check the specific imports from simapp module
echo -e "\nSimapp imports and usage patterns:"
rg -A 5 "\"mods\.irisnet\.org/simapp" --type go

# Check for any version-specific code or constants
echo -e "\nVersion-specific code or constants:"
rg -i "version|v\d+\.\d+\.\d+" modules/record/

# Check for any migration code that might be affected
echo -e "\nMigration related code:"
fd -t f "migrate" modules/record/

Length of output: 244262

modules/nft/go.mod (2)

28-29: Verify compatibility with updated dependency versions

Both mods.irisnet.org/api and mods.irisnet.org/simapp are being updated to more recent commits. Let's verify these changes.

#!/bin/bash
# Description: Verify the stability and compatibility of the updated dependencies

# Check if the new versions exist and are accessible
echo "Checking accessibility of new versions..."
go list -m mods.irisnet.org/api@v0.0.0-20241118093307-345265846e1d
go list -m mods.irisnet.org/simapp@v0.0.0-20241118093307-345265846e1d

# Look for any breaking changes in the commit history
echo "Checking for potential breaking changes..."
for module in "api" "simapp"; do
  gh api repos/irisnet/modules/commits \
    --jq ".[] | select(.sha | contains(\"345265846e1d\")) | .commit.message" || true
done

Line range hint 190-203: Security fixes and TODOs are properly documented

The replace directives address important security and stability concerns:

  1. Replacing deprecated jwt-go with golang-jwt/jwt/v4
  2. Fixing vulnerability in gin-gonic/gin
  3. Downgrading goleveldb to avoid simulation failures

Each fix has a corresponding TODO comment with issue references for tracking future updates.

✅ Verification successful

Let me verify the replace directives in the go.mod file to ensure they are still necessary.


Replace directives are still necessary and properly documented

The verification confirms that all three security and stability-related replace directives are still necessary:

  • jwt-go replacement is required as the package is used across multiple modules (found in all go.mod files)
  • gin-gonic/gin vulnerability fix is needed as the package is widely used throughout the codebase
  • goleveldb downgrade is justified as the package is extensively used across modules

While the referenced issues (#13134 and #10409) are closed, the replace directives should be maintained until the dependencies are properly updated in the upstream packages.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify if the referenced issues are still open and relevant

echo "Checking status of referenced issues..."
# Check cosmos-sdk issues
gh api repos/cosmos/cosmos-sdk/issues/13134 --jq '.state' || true  # jwt-go replacement
gh api repos/cosmos/cosmos-sdk/issues/10409 --jq '.state' || true  # gin vulnerability fix

Length of output: 955


Script:

#!/bin/bash
# Check the current replace directives in go.mod
echo "Checking replace directives in go.mod..."
cat modules/nft/go.mod | grep -A 10 "^replace" || true

# Check if jwt-go is still being used
echo -e "\nChecking for jwt-go usage..."
rg "jwt-go" -l || true

# Check for gin-gonic/gin usage
echo -e "\nChecking for gin-gonic/gin usage..."
rg "gin-gonic/gin" -l || true

# Check for goleveldb usage
echo -e "\nChecking for goleveldb usage..."
rg "goleveldb" -l || true

Length of output: 2296

modules/random/go.mod (2)

30-31: Verify compatibility with updated dependencies

Both dependencies have been updated to the same commit hash (3452658), which is good for consistency. However, since these are pseudo-versions (v0.0.0-*), please ensure:

  1. The changes are backward compatible
  2. The integration tests pass with these versions

#!/bin/bash
# Description: Check for any breaking changes in the updated dependencies

# Check git logs for breaking changes
echo "Checking service module changes..."
gh api repos/irisnet/modules/commits/345265846e1d --jq '.commit.message' || true

# Look for any failing tests or compatibility issues in recent commits
echo "Checking for test failures..."
gh api search/issues \
  -X GET \
  -f q="repo:irisnet/modules is:issue is:open label:bug mentions:345265846e1d" \
  --jq '.items[].title' || true

Line range hint 1-1: Confirm removal of local replace directives

The AI summary indicates that local path references (../service and ../../simapp) were removed from the replace directives. This is a good practice for production code as it ensures reproducible builds. However, please verify that all necessary changes are properly published to the module repository.

✅ Verification successful

Let me check the go.mod file to understand the module dependencies better.


Let me check the replace directives in the service and simapp modules to verify if they have proper version references.


Local replace directives have been properly removed and modules are using versioned dependencies

Based on the verification:

  1. The random module's go.mod shows proper versioned dependencies for both service and simapp modules:
    • mods.irisnet.org/modules/service v0.0.0-20241118093307-345265846e1d
    • mods.irisnet.org/simapp v0.0.0-20241118093307-345265846e1d
  2. The remaining replace directives in all modules are only for common security fixes and recommended replacements (keyring, jwt-go, gin, leveldb).
  3. No local path references (../service, ../../simapp) exist in any of the go.mod files.
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the modules are properly published

# Check if the modules are available in the proxy
echo "Checking service module availability..."
GOPROXY=https://proxy.golang.org go list -m mods.irisnet.org/modules/service@v0.0.0-20241118093307-345265846e1d 2>/dev/null || echo "Module not found in proxy"

echo "Checking simapp module availability..."
GOPROXY=https://proxy.golang.org go list -m mods.irisnet.org/simapp@v0.0.0-20241118093307-345265846e1d 2>/dev/null || echo "Module not found in proxy"

Length of output: 520


Script:

#!/bin/bash
# Check the content of go.mod file
cat modules/random/go.mod

# Check if there are any replace directives in other go.mod files
echo -e "\nChecking other go.mod files for replace directives:"
fd go.mod --exec grep -l "replace" {}

Length of output: 11008


Script:

#!/bin/bash
# Check replace directives in service and simapp modules
echo "Content of service/go.mod:"
cat modules/service/go.mod | grep -A 5 "^replace"

echo -e "\nContent of simapp/go.mod:"
cat simapp/go.mod | grep -A 5 "^replace"

Length of output: 862

Comment on lines +31 to +32
mods.irisnet.org/api v0.0.0-20241118093307-345265846e1d
mods.irisnet.org/simapp v0.0.0-20241118093307-345265846e1d
💡 Codebase verification

Version inconsistency detected in random module

The random module is using an older version of mods.irisnet.org/api (v0.0.0-20240628054110-4cb043e0238a) while all other modules are using the newer version (v0.0.0-20241118093307-345265846e1d). This inconsistency should be addressed:

  • modules/random/go.mod: Update mods.irisnet.org/api to v0.0.0-20241118093307-345265846e1d to match other modules
🔗 Analysis chain

Verify version consistency across dependent modules

Both dependencies are updated to use the same commit hash (345265846e1d), which is good for consistency. However, let's verify this update across all related modules.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check version consistency across modules
# Expected: All modules should use the same version for these dependencies

echo "Checking version consistency across modules..."
for module in nft random record service; do
  echo "\nChecking modules/$module/go.mod:"
  rg "mods\.irisnet\.org/(api|simapp)" "modules/$module/go.mod"
done

Length of output: 1284
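
The two checks this review runs with rg (dependency versions that differ between modules, and replace directives that point at local paths) can be made a repeatable gate. The following Go sketch is an added example, not code from this pull request or from CodeRabbit; `audit`, `Finding` and `sample` are hypothetical names, the go.mod excerpts are constructed from the versions and paths quoted in the thread, and the parser is a simplified one that only understands require and replace directives.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one issue found while auditing a set of go.mod files.
type Finding struct{ Kind, Subject, Detail string }

// Constructed go.mod excerpts; versions and paths mirror those quoted in the thread.
var sample = map[string]string{
	"modules/nft/go.mod":    "require (\n\tmods.irisnet.org/api v0.0.0-20241118093307-345265846e1d\n)\n",
	"modules/random/go.mod": "require mods.irisnet.org/api v0.0.0-20240628054110-4cb043e0238a // indirect\nreplace (\n\tmods.irisnet.org/simapp => ../../simapp\n)\n",
}

// audit flags local-path replace targets and dependencies required at differing versions.
func audit(files map[string]string) (out []Finding) {
	seen, vers := map[string]bool{}, map[string][]string{} // dep+version pairs; dep -> versions
	for path, body := range files {
		block := "" // "require" or "replace" while inside a parenthesised block
		for _, line := range strings.Split(body, "\n") {
			line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
			f := strings.Fields(line)
			if len(f) == 0 {
				continue
			}
			if f[0] == ")" || (len(f) == 2 && f[1] == "(") {
				block = strings.Trim(f[0], ")") // ")" closes a block, "keyword (" opens one
				continue
			}
			if block != "" { // inside a block the keyword is implied
				f = append([]string{block}, f...)
			}
			if n := len(f); f[0] == "require" && n == 3 && !seen[f[1]+" "+f[2]] {
				seen[f[1]+" "+f[2]] = true
				vers[f[1]] = append(vers[f[1]], f[2])
			} else if f[0] == "replace" && n >= 4 && f[n-2] == "=>" && strings.ContainsAny(f[n-1][:1], "./") {
				out = append(out, Finding{"local-replace", path, f[1] + " => " + f[n-1]}) // no version, path target
			}
		}
	}
	for dep, vs := range vers {
		if sort.Strings(vs); len(vs) > 1 {
			out = append(out, Finding{"version-drift", dep, strings.Join(vs, " vs ")})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind+out[i].Subject < out[j].Kind+out[j].Subject })
	return out
}

func main() { fmt.Printf("%+v\n", audit(sample)) }
```

Fed the real go.mod files of a multi-module repository, a non-empty result can fail CI before a stale pseudo-version or a developer-only path reaches main.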

@mitch1024 mitch1024 merged commit d6f1186 into main Nov 20, 2024
6 checks passed
@mitch1024 mitch1024 deleted the feature/update_modules branch November 20, 2024 07:17
This was referenced Nov 28, 2024