build(deps): consolidate all dependabot dependency updates #2571
Draft
Merges all open dependabot PRs (#2555, #2556, #2563, #2566, #2568, #2569) into a single update:

Go modules:
- ariga.io/atlas 0.38.0 → 1.1.0
- entgo.io/ent 0.14.5 → 0.14.6
- github.com/DataDog/dd-trace-go/v2 2.5.0 → 2.7.0
- github.com/fatih/color 1.18.0 → 1.19.0
- github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 (security)
- github.com/go-jose/go-jose/v4 4.1.3 → 4.1.4 (security)
- github.com/go-resty/resty/v2 2.17.1 → 2.17.2
- github.com/keboola/go-utils 1.4.0 → 1.4.1
- github.com/klauspost/compress 1.18.4 → 1.18.5
- github.com/mattn/go-sqlite3 1.14.33 → 1.14.38
- github.com/rs/zerolog 1.34.0 → 1.35.0
- github.com/schollz/progressbar/v3 3.18.0 → 3.19.0
- github.com/valyala/fastjson 1.6.7 → 1.6.10
- github.com/xtaci/kcp-go/v5 5.6.67 → 5.6.72
- go.etcd.io/etcd/{api,client,tests}/v3 3.6.7 → 3.6.9
- go.opentelemetry.io/contrib/instrumentation/grpc/otelgrpc 0.65.0 → 0.67.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.65.0 → 0.67.0
- go.opentelemetry.io/contrib/propagators/b3 1.40.0 → 1.42.0
- go.opentelemetry.io/otel/* 1.40.0 → 1.42.0
- goa.design/plugins/v3 3.24.3 → 3.25.3 (also pulls goa.design/goa/v3)
- golang.org/x/{crypto,image,mod,net,sync,term,text,tools} various → latest
- google.golang.org/grpc 1.78.0 → 1.79.3 (security: auth bypass fix)
- k8s.io/client-go 0.33.3 → 0.35.3

GitHub Actions:
- actions/upload-artifact v6 → v7
- actions/download-artifact v7 → v8
- docker/setup-buildx-action v3 → v4
- docker/login-action v3 → v4
- docker/build-push-action v6 → v7
- hashicorp/setup-terraform v3 → v4
- microsoft/setup-msbuild v2.0.0 → v3.0.0
- lycheeverse/lychee-action v2.7.0 → v2.8.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude review
v1.4.1 causes build failures; reverting to the last known-good version. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The dependabot consolidation upgraded tablewriter from v0.0.5 to v1.1.3, which is a breaking API change. The etcdctl v3.6.9 package uses the removed v0.0.5 API (SetHeader, SetAlignment, ALIGN_RIGHT) in printer_table.go, causing golangci-lint typecheck to fail when importing go.etcd.io/etcd/tests/v3. Since ent v0.14.6 requires tablewriter v1.1.3, we cannot downgrade. Instead, a local fork of etcdctl is added to third_party/ with printer_table.go migrated to the v1.1.3 API, and a go.mod replace directive points to it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The third_party/etcd-etcdctl/ fork contains etcd's own README files with relative file links (../api/etcdserverpb/rpc.proto, ../LICENSE) pointing to siblings in the etcd monorepo that don't exist here, and a stale 404 link in etcd's docs. These are upstream issues unrelated to our code. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Release Notes
- google.golang.org/grpc from 1.78.0 to 1.79.3 — security fix: authorization bypass in path-based deny rules (#8981)
- github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 and /v4 4.1.3 → 4.1.4 — security patch releases
- docker/*, actions/upload-artifact, actions/download-artifact, hashicorp/setup-terraform, microsoft/setup-msbuild, lycheeverse/lychee-action to latest major versions
Plans for customer communication
None.
Impact analysis
- go.mod/go.sum: dependency version bumps only — no API or behaviour changes in this repo's code
- cel.dev/expr, google.golang.org/genproto, various DataDog agent packages
Change type
Chore — Consolidate 6 open dependabot PRs (#2555, #2556, #2563, #2566, #2568, #2569) into one
Justification
Six separate dependabot PRs were open simultaneously. Merging them individually creates CI overhead and review noise. This PR consolidates all of them — including two security fixes (grpc auth bypass, go-jose patches) — into a single reviewable change. Closes #2555, #2556, #2563, #2566, #2568, #2569.
Deployment
Merge & automatic deploy.
Rollback plan
Revert of this PR.
Post release support plan
None.
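
An added example, not code from this PR or its repository: a small Go check a reviewer could run over go.mod for the two things this change touches, requirements that sit below the security-fix versions named in the description, and replace directives that point at a local fork such as third_party/etcd-etcdctl, which later Dependabot bumps of the upstream module no longer change. The sample go.mod, the module name example.com/service and the exact replace line are constructed assumptions; auditGoMod and ver are hypothetical helpers.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod; the replace line is an assumption about how the fork is wired in.
const sampleGoMod = `module example.com/service
require (
	google.golang.org/grpc v1.78.0
	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
)
replace go.etcd.io/etcd/etcdctl/v3 => ./third_party/etcd-etcdctl`

// ver packs major.minor.patch of "v1.79.3" into one int; suffixes like "-rc1" are ignored.
func ver(v string) int {
	var p [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p[0]<<40 | p[1]<<20 | p[2]
}

// auditGoMod returns requirements below their floor and replace targets that are local paths.
func auditGoMod(src string, floors map[string]string) (below, local []string) {
	block := ""
	for _, line := range strings.Split(src, "\n") {
		lhs, rhs, _ := strings.Cut(strings.SplitN(line, "//", 2)[0], "=>") // comment stripped first
		f, target := strings.Fields(block+" "+lhs), strings.TrimSpace(rhs)
		if len(f) < 2 {
			continue
		} else if f[1] == "(" {
			block = f[0] // "require (" opens a block; its lines get the directive prefixed
		} else if f[1] == ")" {
			block = ""
		}
		if floor := floors[f[1]]; f[0] == "require" && len(f) > 2 && floor != "" && ver(f[2]) < ver(floor) {
			below = append(below, f[1]+"@"+f[2])
		}
		if f[0] == "replace" && target != "" && strings.ContainsAny(target[:1], "./") {
			local = append(local, f[1]+" => "+target)
		}
	}
	return below, local
}

func main() {
	// Minimums are versions the PR description marks as security fixes.
	floors := map[string]string{"google.golang.org/grpc": "v1.79.3", "github.com/go-jose/go-jose/v4": "v4.1.4"}
	fmt.Println(auditGoMod(sampleGoMod, floors))
}
```

Each local replace it reports is code that has to be reviewed and patched by hand from then on, so the list is worth tracking alongside the fork.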