checkpoint-restore / checkpointctl

A tool for in-depth analysis of container checkpoints
Apache License 2.0

chore: update dependencies #57

Closed snprajwal closed 1 year ago

snprajwal commented 1 year ago

Just bumps up a bunch of deps to the newer versions.

codecov-commenter commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (f2a5886) 78.20% compared to head (75b10f0) 78.20%.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main      #57   +/-   ##
=======================================
  Coverage   78.20%   78.20%
=======================================
  Files           3        3
  Lines         312      312
=======================================
  Hits          244      244
  Misses         53       53
  Partials       15       15
```


github-actions[bot] commented 1 year ago

Test Results

19 tests ±0, 19 ✔️ ±0, 0s ⏱️ ±0s
1 suites ±0, 0 💤 ±0
1 files ±0, 0 ❌ ±0

Results for commit 75b10f0f. ± Comparison against base commit f2a58864.

adrianreber commented 1 year ago

How did you change those version dependencies?

Don't we have Dependabot to do these changes?

Should we really change indirect dependencies?

adrianreber commented 1 year ago

Do we have something like `make vendor` to verify that the dependencies are correct during CI?

snprajwal commented 1 year ago

I updated the dependencies by running `go get -u`, and then vendored it with `go mod tidy` + `go mod vendor`. I don't think Dependabot tracks indirect dependencies.

snprajwal commented 1 year ago

> Do we have something like `make vendor` to verify that the dependencies are correct during CI?

Doesn't look like it, let me add it. Would you want it in this PR itself, or a different PR?

adrianreber commented 1 year ago

> I updated the dependencies by running `go get -u`, and then vendored it with `go mod tidy` + `go mod vendor`. I don't think Dependabot tracks indirect dependencies.

Should we really change indirect dependencies? I am not yet convinced. We have those because other projects pull them in and I am not sure it is correct to update those if the vendored in projects use something else.

adrianreber commented 1 year ago

> > Do we have something like `make vendor` to verify that the dependencies are correct during CI?
>
> Doesn't look like it, let me add it. Would you want it in this PR itself, or a different PR?

Separate PR sounds good.

Something like go mod tidy vendor verify and then maybe a git diff to verify nothing changed.

Please have a look at other Go projects how they verify stable dependencies in CI.

snprajwal commented 1 year ago

> We have those because other projects pull them in and I am not sure it is correct to update those if the vendored in projects use something else.

AFAIK, doing `go get -u` updates the indirect dependencies to the version that the direct dependencies themselves use. So they are changed only if one of our direct deps has bumped them up in the respective `go.mod`.

rst0git commented 1 year ago

Should we configure Dependabot with `dependency-type: "all"`?

```yaml
allow:
  # Allow both direct and indirect updates for all packages
  - dependency-type: "all"
```

adrianreber commented 1 year ago

I am still skeptical about updating indirect dependencies. That sounds unnecessary.

rst0git commented 1 year ago

> > We have those because other projects pull them in and I am not sure it is correct to update those if the vendored in projects use something else.
>
> AFAIK, doing `go get -u` updates the indirect dependencies to the version that the direct dependencies themselves use. So they are changed only if one of our direct deps has bumped them up in the respective `go.mod`.

From the documentation it looks like `go get -u` attempts to upgrade all direct and indirect (transitive) dependencies^1, and indirect dependencies can be updated beyond what is required by the direct dependencies.

adrianreber commented 1 year ago

@rst0git so, are you in favour of upgrading indirect dependencies or not? 😉

rst0git commented 1 year ago

> so, are you in favour of upgrading indirect dependencies or not?

I also think it may be unnecessary to upgrade the indirect dependencies unless we have a specific reason to do so.

snprajwal commented 1 year ago

Alright, in that case we can close this.
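
For the question debated in this thread (did a `go get -u` bump change indirect dependencies?), a reviewer can compare the `go.mod` before and after the update. The Go sketch below is an added example, not part of this PR or of checkpointctl; it hand-parses only `require` directives and the `// indirect` marker, and its module paths and versions are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod files (hypothetical module paths and versions).
const oldGoMod = "module example.com/app\n\ngo 1.20\n\nrequire example.com/cli v1.2.0\n\nrequire (\n\texample.com/sys v0.5.0 // indirect\n\texample.com/yaml v0.3.0 // indirect\n)\n"
const newGoMod = "module example.com/app\n\ngo 1.20\n\nrequire example.com/cli v1.3.0\n\nrequire (\n\texample.com/sys v0.9.0 // indirect\n\texample.com/text v0.8.0 // indirect\n\texample.com/yaml v0.3.0 // indirect\n)\n"

type req struct {
	version  string
	indirect bool
}

// parseReqs reads single-line and block "require" directives from go.mod text.
func parseReqs(gomod string) map[string]req {
	reqs, inBlock := map[string]req{}, false
	for _, line := range strings.Split(gomod, "\n") {
		code, comment, _ := strings.Cut(line, "//")
		f, ind := strings.Fields(code), strings.TrimSpace(comment) == "indirect"
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = req{f[2], ind}
		case inBlock && len(f) == 2:
			reqs[f[0]] = req{f[1], ind}
		}
	}
	return reqs
}

// changedReqs reports added or re-versioned requirements, flagging indirect ones.
func changedReqs(oldMod, newMod string) []string {
	before, out := parseReqs(oldMod), []string{}
	for path, n := range parseReqs(newMod) {
		if o := before[path]; o.version != n.version { // o.version is "" when newly added
			out = append(out, fmt.Sprintf("%s %q -> %q (indirect=%t)", path, o.version, n.version, n.indirect))
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(strings.Join(changedReqs(oldGoMod, newGoMod), "\n")) }
```

Lines reported with `indirect=true` are the bumps a reviewer would then trace back to a direct dependency's own `go.mod` before accepting them.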