TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

[TT-12234] exp/modcheck: Update go.mod dependencies #6382

Closed buger closed 1 month ago

buger commented 1 month ago

User description

Triggered by: jeffy-mathew

| IMPORT | VERSION | LATEST | WARNINGS | CVES |
|---|---|---|---|---|
| cenkalti/backoff/v4 | v4.2.1 | v4.3.0 | | |
| getkin/kin-openapi | v0.115.0 | v0.125.0 | Held back from upgrade | |
| golang/protobuf | v1.5.3 | v1.5.4 | | |
| gorilla/websocket | v1.5.1 | v1.5.3 | | 0 of 1 |
| hashicorp/consul/api | v1.26.1 | v1.29.1 | | |
| hashicorp/go-version | v1.6.0 | v1.7.0 | | |
| hashicorp/vault/api | v1.12.1 | v1.14.0 | | |
| miekg/dns | v1.1.57 | v1.1.61 | | 0 of 3 |
| openzipkin/zipkin-go | v0.4.2 | v0.4.3 | | |
| oschwald/maxminddb-golang | v1.12.0 | v1.13.1 | | |
| robertkrimen/otto | v0.3.0 | v0.4.0 | | |
| rs/cors | v1.10.1 | v1.11.0 | | 0 of 1 |
| stretchr/testify | v1.8.4 | v1.9.0 | | |
| valyala/fasthttp | v1.51.0 | v1.55.0 | | 0 of 1 |
| golang.org/x/crypto | v0.21.0 | v0.24.0 | | 0 of 9 |
| golang.org/x/net | v0.21.0 | v0.26.0 | | 0 of 16 |
| golang.org/x/sync | v0.6.0 | v0.7.0 | | |
| google.golang.org/grpc | v1.62.1 | v1.64.0 | | 0 of 1 |
| google.golang.org/protobuf | v1.33.0 | v1.34.2 | | 0 of 2 |
| go-redsync/redsync/v4 | v4.11.0 | v4.13.0 | Held back from upgrade | |
| redis/go-redis/v9 | v9.4.0 | v9.5.3 | | |
| newrelic/go-agent | v2.13.0+incompatible | v3.33.0+incompatible | Held back from upgrade | |
| go.opentelemetry.io/otel | v1.19.0 | v1.27.0 | Held back from upgrade | |
| go.opentelemetry.io/otel/trace | v1.19.0 | v1.27.0 | Held back from upgrade | |
Steps performed

~~~
+ go get github.com/cenkalti/backoff/v4@v4.3.0
go: downloading github.com/cenkalti/backoff/v4 v4.3.0
go: upgraded github.com/cenkalti/backoff/v4 v4.2.1 => v4.3.0
+ go get github.com/golang/protobuf@v1.5.4
go: downloading github.com/golang/protobuf v1.5.4
go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
go: upgraded github.com/golang/protobuf v1.5.3 => v1.5.4
+ go get github.com/gorilla/websocket@v1.5.3
go: downloading github.com/gorilla/websocket v1.5.3
go: upgraded github.com/gorilla/websocket v1.5.1 => v1.5.3
+ go get github.com/hashicorp/consul/api@v1.29.1
go: downloading github.com/hashicorp/consul/api v1.29.1
go: downloading golang.org/x/sys v0.19.0
go: downloading github.com/hashicorp/consul/sdk v0.16.1
go: downloading golang.org/x/crypto v0.22.0
go: downloading golang.org/x/net v0.24.0
go: upgraded github.com/hashicorp/consul/api v1.26.1 => v1.29.1
go: upgraded golang.org/x/crypto v0.21.0 => v0.22.0
go: upgraded golang.org/x/net v0.21.0 => v0.24.0
go: upgraded golang.org/x/sys v0.18.0 => v0.19.0
+ go get github.com/hashicorp/go-version@v1.7.0
go: downloading github.com/hashicorp/go-version v1.7.0
go: upgraded github.com/hashicorp/go-version v1.6.0 => v1.7.0
+ go get github.com/hashicorp/vault/api@v1.14.0
go: downloading github.com/hashicorp/vault/api v1.14.0
go: downloading github.com/hashicorp/vault v1.14.0
go: downloading github.com/go-jose/go-jose/v4 v4.0.1
go: downloading github.com/hashicorp/go-retryablehttp v0.7.6
go: downloading golang.org/x/net v0.25.0
go: downloading golang.org/x/crypto v0.23.0
go: downloading golang.org/x/text v0.15.0
go: downloading github.com/hashicorp/go-hclog v1.6.3
go: downloading golang.org/x/sys v0.20.0
go: added github.com/go-jose/go-jose/v4 v4.0.1
go: upgraded github.com/hashicorp/go-hclog v1.5.0 => v1.6.3
go: upgraded github.com/hashicorp/go-retryablehttp v0.6.6 => v0.7.6
go: upgraded github.com/hashicorp/vault/api v1.12.1 => v1.14.0
go: upgraded golang.org/x/crypto v0.22.0 => v0.23.0
go: upgraded golang.org/x/net v0.24.0 => v0.25.0
go: upgraded golang.org/x/sys v0.19.0 => v0.20.0
go: upgraded golang.org/x/text v0.14.0 => v0.15.0
+ go get github.com/miekg/dns@v1.1.61
go: downloading github.com/miekg/dns v1.1.61
go: downloading golang.org/x/net v0.26.0
go: downloading golang.org/x/sys v0.21.0
go: downloading golang.org/x/tools v0.22.0
go: downloading golang.org/x/sync v0.7.0
go: downloading golang.org/x/mod v0.18.0
go: downloading golang.org/x/crypto v0.24.0
go: downloading golang.org/x/text v0.16.0
go: upgraded github.com/miekg/dns v1.1.57 => v1.1.61
go: upgraded golang.org/x/crypto v0.23.0 => v0.24.0
go: upgraded golang.org/x/mod v0.14.0 => v0.18.0
go: upgraded golang.org/x/net v0.25.0 => v0.26.0
go: upgraded golang.org/x/sync v0.6.0 => v0.7.0
go: upgraded golang.org/x/sys v0.20.0 => v0.21.0
go: upgraded golang.org/x/text v0.15.0 => v0.16.0
go: upgraded golang.org/x/tools v0.17.0 => v0.22.0
+ go get github.com/openzipkin/zipkin-go@v0.4.3
go: downloading github.com/openzipkin/zipkin-go v0.4.3
go: downloading github.com/IBM/sarama v1.43.1
go: downloading github.com/eapache/go-resiliency v1.6.0
go: downloading github.com/klauspost/compress v1.17.8
go: downloading github.com/pierrec/lz4/v4 v4.1.21
go: downloading github.com/stretchr/objx v0.5.2
go: downloading github.com/stretchr/testify v1.9.0
go: downloading google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be
go: downloading google.golang.org/grpc v1.63.2
go: upgraded github.com/IBM/sarama v1.42.1 => v1.43.1
go: upgraded github.com/eapache/go-resiliency v1.4.0 => v1.6.0
go: upgraded github.com/klauspost/compress v1.17.0 => v1.17.8
go: upgraded github.com/openzipkin/zipkin-go v0.4.2 => v0.4.3
go: upgraded github.com/pierrec/lz4/v4 v4.1.18 => v4.1.21
go: upgraded github.com/stretchr/objx v0.5.0 => v0.5.2
go: upgraded github.com/stretchr/testify v1.8.4 => v1.9.0
go: upgraded google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 => v0.0.0-20240227224415-6ceb2ff114de
go: upgraded google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 => v0.0.0-20240415180920-8c6c420018be
go: upgraded google.golang.org/grpc v1.62.1 => v1.63.2
+ go get github.com/oschwald/maxminddb-golang@v1.13.1
go: downloading github.com/oschwald/maxminddb-golang v1.13.1
go: upgraded github.com/oschwald/maxminddb-golang v1.12.0 => v1.13.1
+ go get github.com/robertkrimen/otto@v0.4.0
go: downloading github.com/robertkrimen/otto v0.4.0
go: upgraded github.com/robertkrimen/otto v0.3.0 => v0.4.0
+ go get github.com/rs/cors@v1.11.0
go: downloading github.com/rs/cors v1.11.0
go: upgraded github.com/rs/cors v1.10.1 => v1.11.0
+ go get github.com/stretchr/testify@v1.9.0
+ go get github.com/valyala/fasthttp@v1.55.0
go: downloading github.com/valyala/fasthttp v1.55.0
go: downloading github.com/klauspost/compress v1.17.9
go: upgraded github.com/klauspost/compress v1.17.8 => v1.17.9
go: upgraded github.com/valyala/fasthttp v1.51.0 => v1.55.0
+ go get golang.org/x/crypto@v0.24.0
+ go get golang.org/x/net@v0.26.0
+ go get golang.org/x/sync@v0.7.0
+ go get google.golang.org/grpc@v1.64.0
go: downloading google.golang.org/grpc v1.64.0
go: downloading google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237
go: upgraded google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de => v0.0.0-20240318140521-94a12d6c2237
go: upgraded google.golang.org/grpc v1.63.2 => v1.64.0
+ go get google.golang.org/protobuf@v1.34.2
go: downloading google.golang.org/protobuf v1.34.2
go: upgraded google.golang.org/protobuf v1.33.0 => v1.34.2
+ go get github.com/redis/go-redis/v9@v9.5.3
go: downloading github.com/redis/go-redis/v9 v9.5.3
go: upgraded github.com/redis/go-redis/v9 v9.4.0 => v9.5.3
~~~
go mod tidy output

```
go: downloading github.com/ory/dockertest/v3 v3.10.0
go: downloading github.com/sebdah/goldie v0.0.0-20180424091453-8784dd1ab561
go: downloading github.com/jensneuse/diffview v1.0.0
go: downloading github.com/evanphx/json-patch/v5 v5.1.0
go: downloading github.com/golang/mock v1.6.0
go: downloading github.com/onsi/gomega v1.27.10
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/bsm/ginkgo/v2 v2.12.0
go: downloading github.com/bsm/gomega v1.27.10
go: downloading github.com/hashicorp/consul/proto-public v0.6.1
go: downloading github.com/go-test/deep v1.0.8
go: downloading github.com/99designs/gqlgen v0.17.22
go: downloading github.com/vektah/gqlparser/v2 v2.5.1
go: downloading go.uber.org/goleak v1.2.1
go: downloading github.com/fortytw2/leaktest v1.3.0
go: downloading github.com/ugorji/go/codec v1.2.7
go: downloading github.com/Microsoft/go-winio v0.6.0
go: downloading github.com/docker/go-units v0.4.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/go-redis/redis v6.15.9+incompatible
go: downloading github.com/ugorji/go v1.2.7
go: downloading github.com/go-redis/redis/v7 v7.4.0
go: downloading github.com/gomodule/redigo v1.8.9
go: downloading github.com/redis/rueidis v1.0.19
go: downloading github.com/stvp/tempredis v0.0.0-20181119212430-b82af8480203
go: downloading github.com/hashicorp/go-msgpack v0.5.5
go: downloading github.com/hashicorp/memberlist v0.5.0
go: downloading github.com/frankban/quicktest v1.14.6
go: downloading github.com/sebdah/goldie/v2 v2.5.3
go: downloading github.com/benbjohnson/clock v1.1.0
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading github.com/logrusorgru/aurora/v3 v3.0.0
go: downloading github.com/docker/cli v20.10.17+incompatible
go: downloading github.com/opencontainers/runc v1.1.5
go: downloading github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5
go: downloading github.com/moby/term v0.0.0-20201216013528-df9cb8a40635
go: downloading github.com/opencontainers/image-spec v1.0.2
go: downloading github.com/nxadm/tail v1.4.8
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.11.0
go: downloading github.com/pascaldekloe/goe v0.1.0
go: downloading github.com/google/btree v1.0.1
go: downloading github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading github.com/agnivade/levenshtein v1.1.1
go: downloading github.com/docker/go-connections v0.4.0
go: downloading github.com/containerd/continuity v0.3.0
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161
go: downloading github.com/golang/glog v1.2.0
go: downloading github.com/docker/docker v20.10.7+incompatible
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/gogo/protobuf v1.3.2
```

JIRA: https://tyktech.atlassian.net/browse/TT-12234


PR Type

Enhancement


Description

This PR updates the dependencies in the go.mod and go.sum files to their latest versions. Key changes include:


Changes walkthrough 📝

Relevant files

Dependencies

• go.mod: Update dependencies in `go.mod` to latest versions (+33/-32)
  • Updated multiple dependencies to their latest versions.
  • Notable updates include github.com/cenkalti/backoff/v4, github.com/golang/protobuf, github.com/hashicorp/consul/api, and google.golang.org/grpc.
• go.sum: Update dependency checksums in `go.sum` (+70/-68)
  • Updated checksums for dependencies in go.sum.
  • Reflects the changes made in go.mod for dependency updates.

💡 PR-Agent usage: Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions
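The modcheck table above lists VERSION and LATEST side by side but leaves it to the reader to judge how big each step is. As an added example (not part of this PR, of Tyk, or of the modcheck tool), the stdlib-only Go program below classifies every VERSION -> LATEST pair as a patch, minor or major bump, handling the `+incompatible` suffix of newrelic/go-agent and the `v0.0.0-<timestamp>-<commit>` pseudo-versions seen in the `go get` output, so a reviewer can read the few real major bumps before the patch-level ones. The `Bump` type, `parseSemver` and `Classify` are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Bump is how far a pinned module version lags behind the latest release.
type Bump string
const (
	BumpNone   Bump = "up to date"
	BumpMajor  Bump = "major"
	BumpMinor  Bump = "minor"
	BumpPatch  Bump = "patch"
	BumpPseudo Bump = "pseudo-version" // vX.Y.Z-<14-digit UTC time>-<12-hex commit>: not semver
)
// Go pseudo-versions end in a 14-digit timestamp and a 12-character commit prefix.
var pseudoRe = regexp.MustCompile(`[.-]\d{14}-[0-9a-f]{12}$`)

// parseSemver strips "v", "+incompatible" and any pre-release tag; ok is false for pseudo-versions.
func parseSemver(v string) (nums [3]int, ok bool) {
	v = strings.TrimSuffix(strings.TrimPrefix(v, "v"), "+incompatible")
	if pseudoRe.MatchString(v) {
		return nums, false
	}
	core, _, _ := strings.Cut(v, "-") // drop any pre-release tag such as -rc1
	n, err := fmt.Sscanf(core, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, err == nil && n == 3
}

// Classify compares pinned and latest versions of one module path. A v2+ major bump of a module
// with a go.mod also changes the import path (/v4 -> /v5), so "major" here means v0 -> v1 or +incompatible.
func Classify(current, latest string) Bump {
	c, okC := parseSemver(current)
	l, okL := parseSemver(latest)
	switch {
	case current == latest:
		return BumpNone
	case !okC || !okL:
		return BumpPseudo
	case l[0] != c[0]:
		return BumpMajor
	case l[1] != c[1]:
		return BumpMinor
	default:
		return BumpPatch
	}
}

func main() {
	// IMPORT / VERSION / LATEST triples copied from the modcheck table in the PR description.
	for _, r := range [][3]string{
		{"cenkalti/backoff/v4", "v4.2.1", "v4.3.0"},
		{"golang.org/x/crypto", "v0.21.0", "v0.24.0"},
		{"newrelic/go-agent", "v2.13.0+incompatible", "v3.33.0+incompatible"},
	} {
		fmt.Printf("%-22s %-21s -> %-21s %s\n", r[0], r[1], r[2], Classify(r[1], r[2]))
	}
}
```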

github-actions[bot] commented 1 month ago

API Changes

no api changes detected
github-actions[bot] commented 1 month ago

PR Reviewer Guide 🔍

⏱️ Estimated effort to review [1-5]: 3
🧪 Relevant tests: No
🔒 Security concerns: No
⚡ Key issues to review:
Dependency Updates: The PR includes multiple updates to dependencies in the go.mod file. It's crucial to ensure that these updates do not introduce breaking changes or compatibility issues with the existing codebase.
Version Pinning: Some dependencies have been updated to newer versions. It's important to verify that these versions are stable and do not introduce any new bugs or vulnerabilities.
github-actions[bot] commented 1 month ago

PR Code Suggestions ✨

Possible issue

**Verify compatibility of major version updates to prevent breaking changes**

Consider verifying the compatibility of the updated dependency github.com/cenkalti/backoff/v4 v4.3.0 with your project. Major version updates can introduce breaking changes that might affect existing functionality. [go.mod [27]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R27-R27)

```diff
-github.com/cenkalti/backoff/v4 v4.3.0
+github.com/cenkalti/backoff/v4 v4.3.0 // Verify compatibility
```

Suggestion importance[1-10]: 9
Why: Major version updates can introduce breaking changes, and verifying compatibility is crucial to ensure existing functionality is not affected.
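Review bot: the suggested hunk is a no-op and its premise does not match the change: the `-` and `+` lines both pin `github.com/cenkalti/backoff/v4 v4.3.0` and differ only in a `// Verify compatibility` comment appended in go.mod, which alters nothing that is built, while the table in the description shows v4.2.1 => v4.3.0, a minor bump inside the /v4 module path rather than a major version update (a Go major bump past v1 shows up as a new path suffix such as /v5, not as a version-only line). The same holds for the comment-only go.mod hunks for vault/api and x/sys that follow; compatibility is established by the CI run on this PR, so these suggestions can be dropped.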
**Ensure thorough testing of updated critical infrastructure libraries**

Ensure that the new version github.com/hashicorp/vault/api v1.14.0 is tested thoroughly, especially if it interacts with critical infrastructure, as updates in such libraries can lead to unexpected issues. [go.mod [44]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R44-R44)

```diff
-github.com/hashicorp/vault/api v1.14.0
+github.com/hashicorp/vault/api v1.14.0 // Ensure thorough testing
```

Suggestion importance[1-10]: 8
Why: Testing updates to critical infrastructure libraries is important to prevent unexpected issues, especially if they interact with essential parts of the system.

**Check for platform-specific issues after updating system-level libraries**

Given the update to golang.org/x/sys v0.21.0, ensure that there are no platform-specific issues introduced by this update, particularly if your application targets multiple operating systems. [go.mod [210]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R210-R210)

```diff
-golang.org/x/sys v0.21.0
+golang.org/x/sys v0.21.0 // Check for platform-specific issues
```

Suggestion importance[1-10]: 8
Why: System-level libraries can introduce platform-specific issues, and ensuring there are no such issues is important for applications targeting multiple operating systems.

**Verify compatibility of the new library version to prevent potential integration issues**

Consider verifying the compatibility and stability of the newly added version v1.43.1 of github.com/IBM/sarama. Major version updates can introduce breaking changes or require additional adjustments in your codebase. [go.sum [13-14]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63R13-R14)

```diff
+github.com/IBM/sarama v1.43.1 h1:Z5uz65Px7f4DhI/jQqEm/tV9t8aU+JUdTyW/K/fCXpA=
+github.com/IBM/sarama v1.43.1/go.mod h1:GG5q1RURtDNPz8xxJs3mgX6Ytak8Z9eLhAkJPObe2xE=
-
```

Suggestion importance[1-10]: 8
Why: The suggestion is valid as major version updates can introduce breaking changes. Verifying compatibility is crucial to ensure stability and prevent potential integration issues.

**Verify compatibility and stability of the updated library version**

Confirm that the update to github.com/hashicorp/consul/api v1.29.1 is compatible with the current system configuration and other integrated services, as major updates can lead to unexpected behavior changes. [go.sum [306-307]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63R306-R307)

```diff
+github.com/hashicorp/consul/api v1.29.1 h1:UEwOjYJrd3lG1x5w7HxDRMGiAUPrb3f103EoeKuuEcc=
+github.com/hashicorp/consul/api v1.29.1/go.mod h1:lumfRkY/coLuqMICkI7Fh3ylMG31mQSRZyef2c5YvJI=
-
```

Suggestion importance[1-10]: 8
Why: The suggestion is valid and highlights the need to verify compatibility with the current system configuration and other integrated services, which is crucial for preventing unexpected behavior changes.

**Test updates thoroughly to ensure no adverse effects on application behavior**

Ensure that the update to github.com/cenkalti/backoff/v4 v4.3.0 is tested thoroughly, especially if it's used in critical sections of the code, as minor version updates might introduce subtle changes that could affect application behavior. [go.sum [116-117]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63R116-R117)

```diff
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-
```

Suggestion importance[1-10]: 7
Why: The suggestion is correct and emphasizes the importance of thorough testing for minor version updates, which can introduce subtle changes affecting application behavior.

**Ensure the updated version of the library does not introduce conflicts or instability**

Review the necessity of updating github.com/golang/protobuf to v1.5.4 as frequent updates may introduce instability. Ensure that this version does not conflict with other dependencies. [go.sum [266-267]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63R266-R267)

```diff
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-
```

Suggestion importance[1-10]: 7
Why: The suggestion is appropriate as frequent updates can introduce instability. Ensuring no conflicts with other dependencies is important for maintaining system stability.

Maintainability

**Review and potentially remove unnecessary indirect dependencies**

Review the necessity of adding github.com/IBM/sarama v1.43.1 as an indirect dependency. If it's not essential, consider removing it to keep the dependency tree minimal. [go.mod [103]](https://github.com/TykTechnologies/tyk/pull/6382/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R103-R103)

```diff
-github.com/IBM/sarama v1.43.1 // indirect
+// Consider if necessary
```

Suggestion importance[1-10]: 7
Why: Keeping the dependency tree minimal improves maintainability and reduces potential security risks. Reviewing the necessity of indirect dependencies is a good practice.
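Review bot: deleting `github.com/IBM/sarama v1.43.1 // indirect` from go.mod by hand, as this hunk proposes, would not remove the dependency and would be reverted by the next `go mod tidy`: the steps in the description show sarama being upgraded from v1.42.1 (it was already required, not newly added) as a transitive requirement pulled in by `go get github.com/openzipkin/zipkin-go@v0.4.3`, and `go mod tidy` was run afterwards, which is what keeps the `// indirect` line in place. An indirect requirement goes away only when the direct dependency that needs it is dropped or stops requiring it; the useful review question is whether that zipkin-go reporter path is actually built, not whether the go.mod line should be edited.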
github-actions[bot] commented 1 month ago

:boom: CI tests failed :see_no_evil:

git-state

all ok

Please look at the run or in the Checks tab.