Skip to content

Update module github.com/cenkalti/backoff/v3 to v7#226

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/github.com-cenkalti-backoff-v3-7.x
Open

Update module github.com/cenkalti/backoff/v3 to v7#226
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/github.com-cenkalti-backoff-v3-7.x

Conversation

@red-hat-konflux-kflux-prd-rh02

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/cenkalti/backoff/v3 v3.2.2v7.0.0 age confidence

Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v3)

v7.0.0

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.3.0

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.3

Compare Source

v4.1.2

Compare Source

v4.1.1

Compare Source

v4.1.0

Compare Source

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci Bot requested review from Mischulee and crizzo71 July 6, 2026 04:08
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sherine-k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Supply chain finding: indirect dependency github.com/cenkalti/backoff bumped from major v3.2.2 to v7.0.0 in go.mod. Major version jump (v3→v7) implies module path change (semantic import versioning), not a simple patch/minor bump — full transitive dependency tree, license, and provenance must be re-verified. No source review possible from this diff alone; verify go.sum hash integrity and upstream module signing before merge.

Estimated code review effort: 2 (Simple) | ~10 minutes

Related Issues: None referenced.

Related PRs: None referenced.

Suggested labels: dependencies, go.mod, supply-chain-review

Suggested reviewers: Assign whoever owns dependency/supply-chain review for this Go-only K8s platform (API, Sentinel, Adapter, Broker) given the module major-version bump.

Security notes:

  • CWE-1104 (Use of Unmaintained Third-Party Components) — verify v7.0.0 is actively maintained and this isn't a yanked/malicious release.
  • CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) — confirm module provenance via go.sum checksum and GOPROXY/GONOSUMCHECK settings; check for typosquat risk on module path change (v3 → v7).
  • No CVEs currently known against cenkalti/backoff; still, major version bumps altering API surface should be diffed against changelog for behavioral/security-relevant changes (e.g., retry/backoff timing used in auth or rate-limit paths).
  • go.sum diff not included in this summary — flag as incomplete review artifact; require go.sum hash verification before approval.
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No non-test/example log calls include token/password/credential/secret; only config/error text in maestroclient, so no CWE-532 issue found.
No Hardcoded Secrets ✅ Passed Only a backoff module version bump in go.mod; no hardcoded secrets, embedded creds, or secret-like literals in the changed hunk (CWE-798/CWE-321).
No Weak Cryptography ✅ Passed PASS: Diff only swaps go.mod backoff version; no Go sources reference banned primitives, ECB, custom crypto, or secret comparisons (CWE-327/328).
No Injection Vectors ✅ Passed PASS: PR only changes go.mod to bump backoff v3→v7; no code paths, query strings, exec.Command, template.HTML, or yaml.Unmarshal added (CWE-89/78/79/502).
No Privileged Containers ✅ Passed PASS: PR diff only updates go.mod; no Kubernetes/OpenShift manifests, Helm templates, or Dockerfiles changed, so no privileged container settings to assess (CWE-250).
No Pii Or Sensitive Data In Logs ✅ Passed PASS: the commit only changes go.mod dependency version; no logging code or data paths were touched, so no CWE-532 exposure is present.
Title check ✅ Passed The title clearly states the dependency upgrade from backoff v3 to v7.
Description check ✅ Passed The description directly documents the same backoff module version update and release notes.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/github.com-cenkalti-backoff-v3-7.x
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/github.com-cenkalti-backoff-v3-7.x

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 56: The module graph is missing the go.sum checksum for
github.com/cenkalti/backoff/v7 at v7.0.0, so update the dependency checksums in
go.sum to include that version. Regenerate the sums by running go mod download
or go mod tidy against github.com/cenkalti/backoff/v7@v7.0.0, and make sure the
resulting go.sum entry is committed so go list -m all works on a clean checkout.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5d33d128-c006-4c64-8431-0f911bc9833c

📥 Commits

Reviewing files that changed from the base of the PR and between a32ec8a and 344d1cb.

📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread go.mod
github.com/beorn7/perks v1.0.1 // indirect
github.com/bwmarrin/snowflake v0.3.0 // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
github.com/cenkalti/backoff/v7 v7.0.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

go mod verify
go list -m all | rg 'github.com/cenkalti/backoff'
go mod graph | rg 'github.com/cenkalti/backoff'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 338


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '45,70p'

printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true

printf '\n== repository references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .

printf '\n== module graph subset ==\n'
go list -m -json all 2>/tmp/go-list.err | python3 - <<'PY'
import json, sys
mods=[]
for line in sys.stdin:
    if line.strip():
        mods.append(json.loads(line))
for m in mods:
    if 'cenkalti/backoff' in m.get('Path',''):
        print(json.dumps(m, indent=2))
PY
status=$?
printf '\n== go list stderr ==\n'
cat /tmp/go-list.err || true
exit 0

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 239


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '45,70p'

printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true

printf '\n== repository references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .

printf '\n== module graph subset ==\n'
go list -m -json all 2>/tmp/go-list.err | python3 - <<'PY'
import json, sys
mods=[]
for raw in sys.stdin:
    raw = raw.strip()
    if raw:
        mods.append(json.loads(raw))
for m in mods:
    if 'cenkalti/backoff' in m.get('Path',''):
        print(json.dumps(m, indent=2))
PY
printf '\n== go list stderr ==\n'
cat /tmp/go-list.err || true

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 239


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== go.mod excerpt ==\n'
awk 'NR>=45 && NR<=70 { printf "%4d  %s\n", NR, $0 }' go.mod

printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true

printf '\n== repo references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .

printf '\n== module download metadata ==\n'
go mod download -json github.com/cenkalti/backoff/v7@v7.0.0 2>/tmp/backoff-download.err || true
cat /tmp/backoff-download.err || true

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 3898


Add the missing go.sum entry for github.com/cenkalti/backoff/v7 (CWE-829). go.mod requires v7.0.0, but go.sum has no v7 checksum, so go list -m all fails on a clean module graph. Regenerate the sums (go mod download github.com/cenkalti/backoff/v7@v7.0.0 or go mod tidy) before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 56, The module graph is missing the go.sum checksum for
github.com/cenkalti/backoff/v7 at v7.0.0, so update the dependency checksums in
go.sum to include that version. Regenerate the sums by running go mod download
or go mod tidy against github.com/cenkalti/backoff/v7@v7.0.0, and make sure the
resulting go.sum entry is committed so go list -m all works on a clean checkout.

Sources: Path instructions, Linked repositories

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@hyperfleet-ci-bot

Copy link
Copy Markdown

Risk Score: 0 — risk/low

Signal Detail Points
PR size 2 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

Closing — backoff v7 is a major version bump with breaking API changes (lint fails). Needs a dedicated ticket with code changes.

@rafabene rafabene closed this Jul 6, 2026
@rafabene rafabene reopened this Jul 6, 2026
@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/github.com-cenkalti-backoff-v3-7.x branch from 344d1cb to d75d5cf Compare July 6, 2026 20:08
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

@red-hat-konflux-kflux-prd-rh02[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/lint d75d5cf link true /test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant