Update module github.com/cenkalti/backoff/v3 to v7#226
Update module github.com/cenkalti/backoff/v3 to v7#226red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR. I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
📝 WalkthroughWalkthroughSupply chain finding: indirect dependency github.com/cenkalti/backoff bumped from major v3.2.2 to v7.0.0 in go.mod. Major version jump (v3→v7) implies module path change (semantic import versioning), not a simple patch/minor bump — full transitive dependency tree, license, and provenance must be re-verified. No source review possible from this diff alone; verify go.sum hash integrity and upstream module signing before merge. Estimated code review effort: 2 (Simple) | ~10 minutes Related Issues: None referenced. Related PRs: None referenced. Suggested labels: dependencies, go.mod, supply-chain-review Suggested reviewers: Assign whoever owns dependency/supply-chain review for this Go-only K8s platform (API, Sentinel, Adapter, Broker) given the module major-version bump. Security notes:
🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 56: The module graph is missing the go.sum checksum for
github.com/cenkalti/backoff/v7 at v7.0.0, so update the dependency checksums in
go.sum to include that version. Regenerate the sums by running go mod download
or go mod tidy against github.com/cenkalti/backoff/v7@v7.0.0, and make sure the
resulting go.sum entry is committed so go list -m all works on a clean checkout.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 5d33d128-c006-4c64-8431-0f911bc9833c
📒 Files selected for processing (1)
go.mod
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
openshift-hyperfleet/architecture(manual)openshift-hyperfleet/hyperfleet-api(manual)openshift-hyperfleet/hyperfleet-sentinel(manual)openshift-hyperfleet/hyperfleet-adapter(manual)openshift-hyperfleet/hyperfleet-broker(manual)
| github.com/beorn7/perks v1.0.1 // indirect | ||
| github.com/bwmarrin/snowflake v0.3.0 // indirect | ||
| github.com/cenkalti/backoff/v3 v3.2.2 // indirect | ||
| github.com/cenkalti/backoff/v7 v7.0.0 // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
go mod verify
go list -m all | rg 'github.com/cenkalti/backoff'
go mod graph | rg 'github.com/cenkalti/backoff'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 338
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '45,70p'
printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true
printf '\n== repository references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .
printf '\n== module graph subset ==\n'
go list -m -json all 2>/tmp/go-list.err | python3 - <<'PY'
import json, sys
mods=[]
for line in sys.stdin:
if line.strip():
mods.append(json.loads(line))
for m in mods:
if 'cenkalti/backoff' in m.get('Path',''):
print(json.dumps(m, indent=2))
PY
status=$?
printf '\n== go list stderr ==\n'
cat /tmp/go-list.err || true
exit 0Repository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 239
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '45,70p'
printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true
printf '\n== repository references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .
printf '\n== module graph subset ==\n'
go list -m -json all 2>/tmp/go-list.err | python3 - <<'PY'
import json, sys
mods=[]
for raw in sys.stdin:
raw = raw.strip()
if raw:
mods.append(json.loads(raw))
for m in mods:
if 'cenkalti/backoff' in m.get('Path',''):
print(json.dumps(m, indent=2))
PY
printf '\n== go list stderr ==\n'
cat /tmp/go-list.err || trueRepository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 239
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== go.mod excerpt ==\n'
awk 'NR>=45 && NR<=70 { printf "%4d %s\n", NR, $0 }' go.mod
printf '\n== go.sum backoff entries ==\n'
rg -n '^github.com/cenkalti/backoff/' go.sum || true
printf '\n== repo references ==\n'
rg -n 'github.com/cenkalti/backoff(/v[0-9]+)?' .
printf '\n== module download metadata ==\n'
go mod download -json github.com/cenkalti/backoff/v7@v7.0.0 2>/tmp/backoff-download.err || true
cat /tmp/backoff-download.err || trueRepository: openshift-hyperfleet/hyperfleet-adapter
Length of output: 3898
Add the missing go.sum entry for github.com/cenkalti/backoff/v7 (CWE-829). go.mod requires v7.0.0, but go.sum has no v7 checksum, so go list -m all fails on a clean module graph. Regenerate the sums (go mod download github.com/cenkalti/backoff/v7@v7.0.0 or go mod tidy) before merging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 56, The module graph is missing the go.sum checksum for
github.com/cenkalti/backoff/v7 at v7.0.0, so update the dependency checksums in
go.sum to include that version. Regenerate the sums by running go mod download
or go mod tidy against github.com/cenkalti/backoff/v7@v7.0.0, and make sure the
resulting go.sum entry is committed so go list -m all works on a clean checkout.
Sources: Path instructions, Linked repositories
|
/ok-to-test |
Risk Score: 0 —
|
| Signal | Detail | Points |
|---|---|---|
| PR size | 2 lines | +0 |
| Sensitive paths | none | +0 |
Computed by hyperfleet-risk-scorer
|
Closing — backoff v7 is a major version bump with breaking API changes (lint fails). Needs a dedicated ticket with code changes. |
|
/ok-to-test |
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
344d1cb to
d75d5cf
Compare
|
@red-hat-konflux-kflux-prd-rh02[bot]: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR contains the following updates:
v3.2.2→v7.0.0Release Notes
cenkalti/backoff (github.com/cenkalti/backoff/v3)
v7.0.0Compare Source
v6.0.1Compare Source
v6.0.0Compare Source
v5.0.3Compare Source
v5.0.2Compare Source
v5.0.1Compare Source
v5.0.0Compare Source
v4.3.0Compare Source
v4.2.1Compare Source
v4.2.0Compare Source
v4.1.3Compare Source
v4.1.2Compare Source
v4.1.1Compare Source
v4.1.0Compare Source
v4.0.2Compare Source
v4.0.1Compare Source
v4.0.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.