Update go modules (main) (minor) #3131

Open
renovate[bot] wants to merge 1 commit into main from renovate/main-go-modules
@renovate renovate Bot commented Feb 27, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Type Update
github.com/CycloneDX/cyclonedx-go v0.10.0 -> v0.11.0 require minor
github.com/conforma/go-containerregistry 6f40a37 -> 3459088 replace digest
github.com/daixiang0/gci v0.13.7 -> v0.14.0 require minor
github.com/go-openapi/runtime v0.29.2 -> v0.32.3 require minor
github.com/golangci/golangci-lint/v2 v2.11.4 -> v2.12.2 require minor
github.com/konflux-ci/application-api e7eb2ec -> dd8c9b1 require digest
github.com/open-policy-agent/opa v1.15.2 -> v1.17.0 require minor
github.com/pkg/diff 20ebb0f -> 4e6772a require digest
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0 require minor
github.com/sigstore/sigstore-go v1.1.4 -> v1.2.0 require minor
github.com/tektoncd/chains v0.26.2 -> v0.27.0 require minor
github.com/tektoncd/cli v0.44.1 -> v0.45.0 require minor
github.com/testcontainers/testcontainers-go v0.34.0 -> v0.42.0 require minor
github.com/testcontainers/testcontainers-go/modules/registry v0.34.0 -> v0.42.0 require minor
github.com/wiremock/go-wiremock v1.11.0 -> v1.16.0 require minor
golang.org/x/benchmarks a2b48b6 -> 063a89b require digest
golang.org/x/exp df92998 -> c761662 require digest
golang.org/x/text v0.36.0 -> v0.37.0 require minor
gotest.tools/gotestsum v1.12.1 -> v1.13.0 require minor
k8s.io/api v0.35.4 -> v0.36.1 require minor
k8s.io/apiextensions-apiserver v0.35.4 -> v0.36.1 require minor
k8s.io/apimachinery v0.35.4 -> v0.36.1 require minor
k8s.io/client-go v0.35.4 -> v0.36.1 require minor
k8s.io/klog/v2 v2.130.1 -> v2.140.0 require minor
k8s.io/kube-openapi 589584f -> aa012df require digest
k8s.io/kubernetes v1.34.2 -> v1.36.1 require minor
sigs.k8s.io/kind v0.26.0 -> v0.32.0 require minor
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1 require minor
sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 -> v5.8.1 require minor
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1 require minor

Release Notes

CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)

v0.11.0

Compare Source

Changelog

Building and Packaging
Others
daixiang0/gci (github.com/daixiang0/gci)

v0.14.0

Compare Source

AST Support is Coming!

See details in #​241

Other Changes

New Contributors

Full Changelog: daixiang0/gci@v0.13.7...v0.14.0

go-openapi/runtime (github.com/go-openapi/runtime)

v0.32.3

Compare Source

0.32.3 - 2026-06-02

Full Changelog: go-openapi/runtime@v0.32.2...v0.32.3

6 commits in this release.


Implemented enhancements
  • feat(ci): added shared workflow for bot-pr monitoring by @​fredbi ...
Documentation
Miscellaneous tasks
Updates

People who contributed to this release

runtime license terms

License

Per-module changes


client-middleware/opentracing (0.32.3)

Miscellaneous tasks
Updates

docs/examples (0.32.3)

Miscellaneous tasks
Updates

v0.32.2

Compare Source

0.32.2 - 2026-05-27

Full Changelog: go-openapi/runtime@v0.32.1...v0.32.2

2 commits in this release.


Fixed bugs
Miscellaneous tasks

People who contributed to this release

runtime license terms

License

Per-module changes


client-middleware/opentracing (0.32.2)

Miscellaneous tasks

v0.32.1

Compare Source

0.32.1 - 2026-05-25

Full Changelog: go-openapi/runtime@v0.32.0...v0.32.1

3 commits in this release.


Documentation
Code quality
Miscellaneous tasks

People who contributed to this release

runtime license terms

License

Per-module changes


client-middleware/opentracing (0.32.1)

Miscellaneous tasks

v0.32.0

Compare Source

0.32.0 - 2026-05-25

Full Changelog: go-openapi/runtime@v0.31.0...v0.32.0

8 commits in this release.


Fixed bugs
  • refactor(client/otel): pivot OpenTelemetry transport to SubmitContext by @​fredbi ...
  • fix(middleware): bind formData file params from urlencoded bodies by @​fredbi ...
Documentation
Code quality
  • ci: add unsafe-skipauth tagged-build workflow with coverage by @​fredbi ...
  • feat(middleware): build-tag-gated SetSkipAuth for dev-mode auth bypass by @​fredbi ...
Miscellaneous tasks
Updates
Other (technical)

People who contributed to this release

runtime license terms

License

Per-module changes

client-middleware/opentracing (0.32.0)
Miscellaneous tasks
Updates

docs/examples (0.32.0)
Miscellaneous tasks
Updates

server-middleware (0.32.0)
Updates

v0.31.0

Compare Source

0.31.0 - 2026-05-17

Full Changelog: go-openapi/runtime@v0.30.0...v0.31.0

33 commits in this release.


Implemented enhancements
  • feat(client): TLS diagnostic mode for Runtime.Trace by @​fredbi ...
  • feat(client): add Runtime.Trace for connection-level diagnostics by @​fredbi ...
Fixed bugs
Documentation
Code quality
Testing
Miscellaneous tasks
Security
  • test(security): fuzz targets for BindForm parse + filename cap by @​fredbi ...
  • test(security): fuzz targets for header-parsing surface by @​fredbi ...
  • fix(negotiate/header): reject q-values greater than 1 by @​fredbi ...
  • docs(security): document constant-time-comparison contract for auth callbacks by @​fredbi in #​457 ...
  • feat(runtime): BindForm helper for multipart/urlencoded body binding by @​fredbi in #​446 ...
Updates
Other (technical)

People who contributed to this release

New Contributors

runtime license terms

License

Per-module changes


client-middleware/opentracing (0.31.0)

Code quality
Miscellaneous tasks

docs/examples (0.31.0)

Documentation
Code quality
Miscellaneous tasks
Security
  • docs(security): document constant-time-comparison contract for auth callbacks by @​fredbi in #​457 ...

server-middleware (0.31.0)

Documentation
Code quality
Security
  • test(security): fuzz targets for header-parsing surface by @​fredbi ...
  • fix(negotiate/header): reject q-values greater than 1 by @​fredbi ...
Other (technical)

v0.30.0

Compare Source

0.30.0 - 2026-05-13

Long awaited fixes and additions

  • Fixed most long standing issues.

  • Added standalone middleware module (swagger UI, serve spec).

  • Improved content negotiation.

  • Context-aware request submission

Full Changelog: go-openapi/runtime@v0.29.5...v0.30.0

33 commits in this release.


Implemented enhancements
  • feat(client): honor context cancellation in multipart upload goroutine by @​fredbi ...
  • feat(client): introduce SubmitContext by @​fredbi ...
  • feat: extract media type match validation to separate package by @​fredbi ...
  • feat(mediatype): typed media-type and symmetric Accept negotiation by @​fredbi ...
Fixed bugs
  • fix(client): preserve trailing slash on bare-root path pattern by @​fredbi in #​441 ...
  • fix(client): close streaming body on buildHTTP error paths by @​fredbi ...
  • fix(client): fix content type selection in the runtime client. by @​fredbi in #​435 ...
  • fix: validateContentType distinguishes 400 vs 415 by @​fredbi ...
Refactor
  • refactor(mediatype): extract findByCanonical from Lookup by @​fredbi in #​443 ...
  • Fix/140 json dialects by @​fredbi in #​442 ...
  • refactor(client)!: pivot to context-only request building by @​fredbi ...
  • refactor(client): thread context through BuildHTTP and SubmitContext by @​fredbi ...
  • refactor(client): moved request to its own internal package. by @​fredbi ...
  • refactor(client): split buildHTTP into two end-to-end flows (2) by @​fredbi ...
  • refactor(negotiate): extract negotiate package to server-middleware by @​fredbi ...
  • refactor(middleware): extract docui handlers to a stdlib-only module by @​fredbi ...
Documentation

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented Feb 27, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/cyphar/filepath-securejoin v0.6.0 -> v0.6.1
github.com/docker/go-connections v0.5.0 -> v0.6.0
github.com/lufia/plan9stats v0.0.0-20240819163618-b1d8f4d146e7 -> v0.0.0-20251013123823-9fd1530e3ec3
github.com/tklauser/go-sysconf v0.3.14 -> v0.3.16
github.com/tklauser/numcpus v0.8.0 -> v0.11.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/mod v0.33.0 -> v0.36.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2
File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 35 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
golang.org/x/net v0.52.0 -> v0.54.1-0.20260508232935-23ee2efe81a3
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 -> v4.4.1
github.com/docker/go-connections v0.5.0 -> v0.6.0
github.com/goccy/go-json v0.10.5 -> v0.10.6
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 -> v2.28.0
github.com/huandu/go-sqlbuilder v1.39.1 -> v1.40.2
github.com/lestrrat-go/dsig v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3 v3.0.2 -> v3.0.5
github.com/lestrrat-go/jwx/v3 v3.0.13 -> v3.1.0
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c -> v0.0.0-20240221224432-82ca36839d55
github.com/prometheus/common v0.67.4 -> v0.67.5
github.com/prometheus/procfs v0.17.0 -> v0.20.1
github.com/stretchr/objx v0.5.2 -> v0.5.3
github.com/tklauser/go-sysconf v0.3.12 -> v0.3.16
github.com/tklauser/numcpus v0.6.1 -> v0.11.0
github.com/valyala/fastjson v1.6.7 -> v1.6.10
github.com/yusufpapurcu/wmi v1.2.3 -> v1.2.4
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.65.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 -> v0.68.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 -> v1.43.0
go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
golang.org/x/crypto v0.49.0 -> v0.51.0
golang.org/x/mod v0.33.0 -> v0.36.0
golang.org/x/sys v0.42.0 -> v0.44.0
golang.org/x/term v0.41.0 -> v0.43.0
golang.org/x/tools v0.42.0 -> v0.45.0
google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.79.3 -> v1.80.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2
File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 48 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/Masterminds/semver/v3 v3.4.0 -> v3.5.0
github.com/alecthomas/chroma/v2 v2.23.1 -> v2.24.1
github.com/ashanbrown/forbidigo/v2 v2.3.0 -> v2.3.1
github.com/ashanbrown/makezero/v2 v2.1.0 -> v2.2.1
github.com/bombsimon/wsl/v5 v5.6.0 -> v5.8.0
github.com/butuzov/ireturn v0.4.0 -> v0.4.1
github.com/charmbracelet/colorprofile v0.3.1 -> v0.4.3
github.com/charmbracelet/x/ansi v0.10.1 -> v0.11.7
github.com/charmbracelet/x/term v0.2.1 -> v0.2.2
github.com/clipperhouse/displaywidth v0.6.0 -> v0.11.0
github.com/clipperhouse/uax29/v2 v2.3.0 -> v2.7.0
github.com/cyphar/filepath-securejoin v0.6.0 -> v0.6.1
github.com/dlclark/regexp2 v1.11.5 -> v1.12.0
github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 -> v0.0.0-20260401084720-c99c5cf5c202
github.com/hashicorp/go-version v1.8.0 -> v1.9.0
github.com/jgautheron/goconst v1.8.2 -> v1.10.0
github.com/lib/pq v1.11.2 -> v1.12.3
github.com/lucasb-eyer/go-colorful v1.3.0 -> v1.4.0
github.com/manuelarte/funcorder v0.5.0 -> v0.6.0
github.com/mattn/go-runewidth v0.0.19 -> v0.0.23
github.com/moby/spdystream v0.5.0 -> v0.5.1
github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.1
github.com/prometheus/procfs v0.17.0 -> v0.19.2
github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08 -> v2.26.1
github.com/sourcegraph/go-diff v0.7.0 -> v0.8.0
github.com/tetafro/godot v1.5.4 -> v1.5.6
github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 -> v0.0.0-20260129054331-73d1f95b84b4
github.com/uudashr/iface v1.4.1 -> v1.4.2
go-simpler.org/sloglint v0.11.1 -> v0.12.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.65.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/exp v0.0.0-20250911091902-df9299821621 -> v0.0.0-20251219203646-944ab1f22d93
golang.org/x/mod v0.34.0 -> v0.35.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
golang.org/x/tools v0.43.0 -> v0.44.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4 v4.12.0 -> v4.13.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/cmd/config v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2
File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 21 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/moby/spdystream v0.5.0 -> v0.5.1
github.com/prometheus/common v0.66.1 -> v0.67.5
github.com/prometheus/procfs v0.16.1 -> v0.19.2
github.com/spf13/cobra v1.9.1 -> v1.10.2
github.com/spf13/pflag v1.0.6 -> v1.0.9
go.yaml.in/yaml/v2 v2.4.2 -> v2.4.3
golang.org/x/net v0.43.0 -> v0.49.0
golang.org/x/oauth2 v0.30.0 -> v0.34.0
golang.org/x/sync v0.17.0 -> v0.19.0
golang.org/x/term v0.34.0 -> v0.39.0
golang.org/x/text v0.28.0 -> v0.33.0
google.golang.org/protobuf v1.36.10 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4 v4.12.0 -> v4.13.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 -> v5.8.1
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

@renovate renovate Bot added the main label Feb 27, 2026
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 10 times, most recently from b7bbfdc to 02074a5 Compare March 6, 2026 09:52
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 13 times, most recently from ae12a07 to b6bcb99 Compare March 12, 2026 19:21
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 2 times, most recently from eb3bd95 to 50d854b Compare March 15, 2026 12:52
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 6 times, most recently from 676093d to d25d458 Compare April 3, 2026 18:05
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 15 times, most recently from eeb2d9c to 9c9a612 Compare April 13, 2026 13:21
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 3 times, most recently from 9f4d6ea to 6a3d6d6 Compare April 15, 2026 10:34
renovate Bot commented May 12, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: tools/go.sum
Command failed: go get -t ./...
go: module github.com/tektoncd/chains@v0.27.0 requires go >= 1.26.1; switching to go1.26.4
go: github.com/tektoncd/hub@v1.24.0: reading github.com/tektoncd/hub/go.mod at revision v1.24.0: unknown revision v1.24.0

fullsend-ai-review Bot commented Jun 3, 2026

Review

Findings

Medium

  • [api-contract] go.mod — The testcontainers-go jump from v0.34 to v0.42 spans 8 minor versions and is a notably large leap. The codebase extensively uses testcontainers.GenericContainer, testcontainers.ContainerRequest, and testcontainers.GenericContainerRequest in acceptance tests (acceptance/git/git.go, acceptance/registry/registry.go, acceptance/wiremock/wiremock.go, acceptance/testenv/testenv.go) and benchmarks (benchmark/offliner/offliner.go, benchmark/internal/registry/registry.go). These APIs were deprecated in later testcontainers-go releases in favor of testcontainers.Run / testcontainers.Request. While they may still compile (deprecated ≠ removed), verify that CI builds and all acceptance/benchmark tests pass before merging. The transitive removal of docker/docker from acceptance/go.mod (replaced by moby/moby/api + moby/moby/client) is safe since no acceptance Go files directly import docker/docker.

Low

  • [pattern-inconsistency] go.mod:47 — The inline comment // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 is now stale. The dependency was updated from a pseudo-version (v0.34.1-0.20241204123437-72be13940122) to the released v0.42.0. The comment should be removed since v0.42.0 is a proper tagged release, not an unreleased version.
  • [pattern-inconsistency] tools/go.mod — The go directive remains at 1.25.8 while go.mod, acceptance/go.mod, and tools/kubectl/go.mod were all updated to 1.26.0. This may be intentional (Renovate may manage these separately), but the inconsistency is worth noting.
Previous run

Review

Findings

Low

  • [pattern-inconsistency] go.mod:47 — The testcontainers-go dependency is updated to v0.42.0 (a released version), but the inline comment still reads // using unreleased version that contains the fix in .... The comment is now stale and misleading.
    Remediation: Remove or update the comment to reflect that v0.42.0 is a released version.

  • [pattern-inconsistency] tools/go.mod:3 — The Go version directive stays at go 1.25.8 while the other three go.mod files (go.mod, acceptance/go.mod, tools/kubectl/go.mod) are bumped to go 1.26.0. This breaks the codebase's convention of keeping all modules at the same Go version.
    Remediation: Bump tools/go.mod to go 1.26.0 for consistency, or add a comment explaining why it must stay at the older version.

  • [api-contract] go.mod — google.golang.org/protobuf is updated to a pre-release pseudo-version (v1.36.12-0.20260120151049-f2248ac996af) rather than a tagged release. Pre-release versions bypass normal release processes and may be superseded by a tagged version with different behavior.
    Remediation: Confirm this is the only resolvable version; prefer a tagged release when available.

Info

  • [api-contract] go.mod — Several dependencies have large version jumps: testcontainers-go spans 8 minor versions (v0.34→v0.42), go-openapi/runtime spans 3 minor versions (v0.29→v0.32). Verify CI passes to confirm API compatibility.

  • [api-contract] go.mod — Transitive dependencies include major version changes: gopsutil/v3 → gopsutil/v4, wasmtime-go/v39 → wasmtime-go/v44. These are indirect and lower risk but should be validated by CI.

Previous run (2)

Review

Findings

Low

  • [pattern-inconsistency] go.mod:47 — The testcontainers-go dependency is updated from a pseudo-version to v0.42.0 (a released version), but the inline comment // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899 is preserved. This comment is now misleading since v0.42.0 is a proper release that includes the referenced fix.
    Remediation: Remove or update the stale comment to reflect that v0.42.0 is a released version.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. Manual style review was performed by the orchestrator; the only style finding (stale comment) is captured above.
  • [supply-chain] go.mod — The docker/docker → moby/moby migration (api + client sub-modules) is a legitimate upstream restructuring. No supply chain concern.
  • [dependency-integrity] go.mod — google.golang.org/protobuf updated to a pre-release version (v1.36.12-0.20260120151049-f2248ac996af). Go's checksum database provides integrity verification; risk is limited to potential bugs, not supply chain compromise.
Previous run (3)

Review

Findings

Low

  • [api-contract] go.mod:47 — testcontainers-go jumps from v0.34 (pseudo-version) to v0.42.0 — a large leap for a pre-1.0 library. The codebase uses GenericContainer, GenericContainerRequest, and AutoRemove in acceptance tests (acceptance/git/git.go, acceptance/registry/registry.go, acceptance/wiremock/wiremock.go, acceptance/testenv/testenv.go), all of which were deprecated in testcontainers-go v0.36+. These deprecated APIs may still compile in v0.42.0 but are at risk of removal. CI build and acceptance test results are the key verification gate.

  • [pattern-inconsistency] go.mod:47 — The inline comment on testcontainers-go still reads // using unreleased version that contains the fix in ... but v0.42.0 is a standard released version. The comment is now misleading. Other version-pinning comments in the same file (e.g., the moby/go-archive force comment at line 421) accurately describe their rationale. This comment should be removed or updated.

  • [api-contract] go.mod:29 — OPA bumps from v1.15.2 to v1.17.0. The codebase uses some less-stable OPA internals (v1/ast/json.SetOptions, v1/ast/json.Options, json.MarshalOptions) in internal/opa/inspect.go. These are stable within OPA v1 but worth verifying via CI.

Info

  • [api-contract] go.mod:66 — go-openapi/runtime jumps from v0.29.2 to v0.32.3. Usage is limited to the stable runtime.ClientTransport interface in test mocks. No risk identified.

  • [api-contract] go.mod:6 — CycloneDX/cyclonedx-go bumps from v0.10.0 to v0.11.0. Usage is limited to core decoder/BOM types. No risk identified.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20250911091902-df9299821621
golang.org/x/net v0.53.0 // indirect
github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] api-contract

testcontainers-go jumps from v0.34 (pseudo-version) to v0.42.0. The codebase uses deprecated patterns (GenericContainer, AutoRemove) in acceptance tests that were deprecated in v0.36+. CI verification is essential.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20250911091902-df9299821621
golang.org/x/net v0.53.0 // indirect
github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] pattern-inconsistency

The inline comment on testcontainers-go still says "using unreleased version" but v0.42.0 is a standard release. The comment should be removed or updated.

Comment thread go.mod
github.com/mitchellh/go-wordwrap v1.0.1
github.com/open-policy-agent/conftest v0.68.2
github.com/open-policy-agent/opa v1.15.2
github.com/open-policy-agent/opa v1.17.0
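
Review bot: github.com/open-policy-agent/conftest stays at v0.68.2 in the context line directly above the opa change from v1.15.2 to v1.17.0, and conftest is built on OPA, so the pairing needs checking. Confirm that conftest v0.68.2 builds and that the policy tests pass against opa v1.17.0, or bump conftest in the same PR.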

[low] api-contract

OPA bumps from v1.15.2 to v1.17.0. The codebase uses some less-stable OPA internals (v1/ast/json) in internal/opa/inspect.go. Worth verifying via CI.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20250911091902-df9299821621
golang.org/x/net v0.53.0 // indirect
github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] pattern-inconsistency

The testcontainers-go dependency is updated from a pseudo-version to v0.42.0 (a released version), but the inline comment "// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899" is preserved. This comment is now misleading since v0.42.0 is a proper release that includes the referenced fix.

Suggested fix: Remove or update the stale comment to reflect that v0.42.0 is a released version.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20250911091902-df9299821621
golang.org/x/net v0.53.0 // indirect
github.com/testcontainers/testcontainers-go v0.42.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] pattern-inconsistency

The testcontainers-go dependency is updated to v0.42.0 (a released version), but the inline comment still reads '// using unreleased version that contains the fix in ...'. The comment is now stale and misleading.

Suggested fix: Remove or update the comment to reflect that v0.42.0 is a released version.

Comment thread tools/go.mod
@@ -3,17 +3,17 @@ module github.com/conforma/cli/tools
go 1.25.8

[low] pattern-inconsistency

The Go version directive stays at go 1.25.8 while the other three go.mod files are bumped to go 1.26.0, breaking the codebase convention of keeping all modules at the same Go version.

Suggested fix: Bump tools/go.mod to go 1.26.0 for consistency, or add a comment explaining why it must stay at the older version.
