
chore(deps): bump GoCodeAlone/modular to latest + docker CVE risk-acceptance #793

Merged: intel352 merged 3 commits into main from chore/bump-modular-v1.13.4-20260529 on May 29, 2026
@intel352

Updates all GoCodeAlone/modular dependencies to the freshly-released versions:

| module | from | to |
| --- | --- | --- |
| modular | v1.13.0 | v1.13.4 |
| modules/auth | v1.15.0 | v1.17.0 |
| modules/cache | v1.15.0 | v1.17.0 |
| modules/eventbus/v2 | v2.8.0 | v2.10.0 (incl. #112 timer-drain + observability fix) |
| modules/jsonschema | v1.15.0 | v1.17.0 |
| modules/reverseproxy/v2 | v2.8.0 | v2.10.0 |

(fsnotify v1.9.0→v1.10.1 transitive.) go build ./... passes; broad test suite passes locally (only env-dependent wfctl CLI/CI tooling tests fail locally, unrelated to this bump — CI is the arbiter).

Also records ADR 0015 accepting the 29 github.com/docker/docker Dependabot alerts as tolerable_risk: v28.5.2 is the latest go-importable version (the 29.3.1 fix is not published as a Go module) and all five advisories are moby daemon-side CVEs not reachable through this project's client-only usage. The alerts have been dismissed.

Updates all modular dependencies to the freshly-released versions:
  modular                     v1.13.0 -> v1.13.4
  modules/auth                v1.15.0 -> v1.17.0
  modules/cache               v1.15.0 -> v1.17.0
  modules/eventbus/v2         v2.8.0  -> v2.10.0  (includes #112 eventbus
                              timer-drain + observability fix)
  modules/jsonschema          v1.15.0 -> v1.17.0
  modules/reverseproxy/v2     v2.8.0  -> v2.10.0
(fsnotify v1.9.0 -> v1.10.1 pulled transitively.)

Also records ADR 0015 accepting the 29 github.com/docker/docker Dependabot
alerts as tolerable_risk: v28.5.2 is the latest go-importable version (the
29.3.1 fix is not published as a Go module), and all five advisories are moby
daemon-side CVEs not reachable through this project's client-only usage. The
alerts have been dismissed; the ADR documents the reasoning and follow-up.

go build ./... passes; the broad test suite passes (the only local failures are
the environment-dependent wfctl CLI/CI tooling tests, unrelated to this bump).
@github-actions

github-actions Bot commented May 29, 2026

⏱ Benchmark Results

No significant performance regressions detected.

benchstat comparison (baseline → PR)
## benchstat: baseline → PR
baseline-bench.txt:298: parsing iteration count: invalid syntax
baseline-bench.txt:358211: parsing iteration count: invalid syntax
baseline-bench.txt:622758: parsing iteration count: invalid syntax
baseline-bench.txt:915577: parsing iteration count: invalid syntax
baseline-bench.txt:1205843: parsing iteration count: invalid syntax
baseline-bench.txt:1485411: parsing iteration count: invalid syntax
benchmark-results.txt:298: parsing iteration count: invalid syntax
benchmark-results.txt:320351: parsing iteration count: invalid syntax
benchmark-results.txt:648201: parsing iteration count: invalid syntax
benchmark-results.txt:981025: parsing iteration count: invalid syntax
benchmark-results.txt:1311977: parsing iteration count: invalid syntax
benchmark-results.txt:1653447: parsing iteration count: invalid syntax
goos: linux
goarch: amd64
pkg: github.com/GoCodeAlone/workflow/dynamic
cpu: AMD EPYC 9V74 80-Core Processor                
                            │ baseline-bench.txt │       benchmark-results.txt        │
                            │       sec/op       │    sec/op     vs base              │
InterpreterCreation-4               9.424m ± 67%   9.507m ± 65%       ~ (p=0.937 n=6)
ComponentLoad-4                     3.484m ± 13%   3.486m ±  1%       ~ (p=0.937 n=6)
ComponentExecute-4                  1.814µ ±  3%   1.818µ ±  1%       ~ (p=0.524 n=6)
PoolContention/workers-1-4          1.004µ ±  7%   1.015µ ±  3%       ~ (p=0.325 n=6)
PoolContention/workers-2-4          1.034µ ±  1%   1.014µ ±  5%       ~ (p=0.093 n=6)
PoolContention/workers-4-4          1.026µ ±  2%   1.013µ ±  3%       ~ (p=0.368 n=6)
PoolContention/workers-8-4          1.003µ ±  6%   1.013µ ±  1%       ~ (p=0.067 n=6)
PoolContention/workers-16-4         1.018µ ±  4%   1.022µ ±  5%       ~ (p=0.816 n=6)
ComponentLifecycle-4                3.524m ±  2%   3.592m ±  1%  +1.91% (p=0.004 n=6)
SourceValidation-4                  2.097µ ±  0%   2.190µ ±  1%  +4.39% (p=0.002 n=6)
RegistryConcurrent-4                739.4n ±  3%   803.4n ±  4%  +8.65% (p=0.002 n=6)
LoaderLoadFromString-4              3.542m ±  1%   3.677m ±  8%  +3.80% (p=0.002 n=6)
geomean                             18.12µ         18.40µ        +1.55%

                            │ baseline-bench.txt │        benchmark-results.txt         │
                            │        B/op        │     B/op      vs base                │
InterpreterCreation-4               2.027Mi ± 0%   2.027Mi ± 0%       ~ (p=0.974 n=6)
ComponentLoad-4                     2.180Mi ± 0%   2.180Mi ± 0%       ~ (p=0.818 n=6)
ComponentExecute-4                  1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4         1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                2.183Mi ± 0%   2.183Mi ± 0%       ~ (p=0.857 n=6)
SourceValidation-4                  1.984Ki ± 0%   1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                1.133Ki ± 0%   1.133Ki ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4              2.182Mi ± 0%   2.182Mi ± 0%       ~ (p=0.859 n=6)
geomean                             15.25Ki        15.25Ki       -0.00%
¹ all samples are equal

                            │ baseline-bench.txt │        benchmark-results.txt        │
                            │     allocs/op      │  allocs/op   vs base                │
InterpreterCreation-4                15.68k ± 0%   15.68k ± 0%       ~ (p=1.000 n=6)
ComponentLoad-4                      18.02k ± 0%   18.02k ± 0%       ~ (p=1.000 n=6)
ComponentExecute-4                    25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4           25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                 18.07k ± 0%   18.07k ± 0%       ~ (p=1.000 n=6) ¹
SourceValidation-4                    32.00 ± 0%    32.00 ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                  2.000 ± 0%    2.000 ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4               18.06k ± 0%   18.06k ± 0%       ~ (p=1.000 n=6) ¹
geomean                               183.3         183.3       +0.00%
¹ all samples are equal

pkg: github.com/GoCodeAlone/workflow/middleware
                                  │ baseline-bench.txt │       benchmark-results.txt       │
                                  │       sec/op       │   sec/op     vs base              │
CircuitBreakerDetection-4                  296.8n ± 5%   298.0n ± 5%       ~ (p=0.333 n=6)
CircuitBreakerExecution_Success-4          22.66n ± 0%   22.68n ± 0%       ~ (p=0.197 n=6)
CircuitBreakerExecution_Failure-4          70.95n ± 0%   71.02n ± 0%       ~ (p=0.177 n=6)
geomean                                    78.14n        78.31n       +0.22%

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │        B/op        │    B/op     vs base                │
CircuitBreakerDetection-4                 144.0 ± 0%     144.0 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │     allocs/op      │ allocs/op   vs base                │
CircuitBreakerDetection-4                 1.000 ± 0%     1.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/module
                                 │ baseline-bench.txt │       benchmark-results.txt        │
                                 │       sec/op       │    sec/op     vs base              │
IaCStateBackend_InProcess-4              291.3n ± 29%   295.2n ± 27%       ~ (p=0.240 n=6)
IaCStateBackend_GRPC-4                   10.47m ± 11%   10.20m ± 11%       ~ (p=0.699 n=6)
JQTransform_Simple-4                     665.4n ± 37%   654.6n ± 25%       ~ (p=0.699 n=6)
JQTransform_ObjectConstruction-4         1.502µ ±  1%   1.378µ ±  3%  -8.23% (p=0.002 n=6)
JQTransform_ArraySelect-4                3.605µ ±  2%   3.375µ ±  1%  -6.37% (p=0.002 n=6)
JQTransform_Complex-4                    43.34µ ±  1%   41.46µ ±  2%  -4.34% (p=0.002 n=6)
JQTransform_Throughput-4                 1.827µ ±  1%   1.721µ ±  2%  -5.83% (p=0.002 n=6)
SSEPublishDelivery-4                     65.14n ±  1%   65.29n ±  1%       ~ (p=0.461 n=6)
geomean                                  3.928µ         3.791µ        -3.47%

                                 │ baseline-bench.txt │        benchmark-results.txt         │
                                 │        B/op        │     B/op      vs base                │
IaCStateBackend_InProcess-4              416.0 ± 0%       416.0 ± 0%       ~ (p=1.000 n=6) ¹
IaCStateBackend_GRPC-4                 5.885Mi ± 9%     5.773Mi ± 4%       ~ (p=0.699 n=6)
JQTransform_Simple-4                   1.273Ki ± 0%     1.273Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4       1.773Ki ± 0%     1.773Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4              2.625Ki ± 0%     2.625Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                  16.31Ki ± 0%     16.31Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4               1.984Ki ± 0%     1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                     0.000 ± 0%       0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²                 -0.24%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                 │ baseline-bench.txt │        benchmark-results.txt        │
                                 │     allocs/op      │  allocs/op   vs base                │
IaCStateBackend_InProcess-4              2.000 ± 0%      2.000 ± 0%       ~ (p=1.000 n=6) ¹
IaCStateBackend_GRPC-4                  6.851k ± 0%     6.859k ± 0%       ~ (p=0.119 n=6)
JQTransform_Simple-4                     10.00 ± 0%      10.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4         15.00 ± 0%      15.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4                30.00 ± 0%      30.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                    328.0 ± 0%      328.0 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4                 17.00 ± 0%      17.00 ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                     0.000 ± 0%      0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²                +0.02%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/schema
                                    │ baseline-bench.txt │       benchmark-results.txt       │
                                    │       sec/op       │   sec/op     vs base              │
SchemaValidation_Simple-4                    1.107µ ± 3%   1.062µ ± 4%  -4.11% (p=0.004 n=6)
SchemaValidation_AllFields-4                 1.625µ ± 1%   1.627µ ± 4%       ~ (p=1.000 n=6)
SchemaValidation_FormatValidation-4          1.587µ ± 1%   1.561µ ± 3%       ~ (p=0.087 n=6)
SchemaValidation_ManySchemas-4               1.588µ ± 2%   1.596µ ± 2%       ~ (p=0.732 n=6)
geomean                                      1.459µ        1.440µ       -1.30%

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │        B/op        │    B/op     vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │     allocs/op      │ allocs/op   vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/store
                                   │ baseline-bench.txt │        benchmark-results.txt        │
                                   │       sec/op       │    sec/op     vs base               │
EventStoreAppend_InMemory-4                1.095µ ± 15%   1.038µ ±  8%        ~ (p=0.485 n=6)
EventStoreAppend_SQLite-4                  1.080m ±  6%   1.074m ± 11%        ~ (p=0.818 n=6)
GetTimeline_InMemory/events-10-4           12.84µ ±  4%   12.84µ ±  3%        ~ (p=0.818 n=6)
GetTimeline_InMemory/events-50-4           64.09µ ± 16%   72.86µ ±  4%        ~ (p=0.132 n=6)
GetTimeline_InMemory/events-100-4          111.4µ ±  1%   144.2µ ±  2%  +29.48% (p=0.002 n=6)
GetTimeline_InMemory/events-500-4          566.7µ ±  1%   562.4µ ± 26%        ~ (p=0.065 n=6)
GetTimeline_InMemory/events-1000-4         1.147m ±  1%   1.146m ±  5%        ~ (p=0.937 n=6)
GetTimeline_SQLite/events-10-4             83.37µ ±  4%   85.90µ ±  1%        ~ (p=0.065 n=6)
GetTimeline_SQLite/events-50-4             219.9µ ±  1%   224.3µ ±  1%   +2.03% (p=0.004 n=6)
GetTimeline_SQLite/events-100-4            384.4µ ±  3%   393.8µ ±  2%   +2.43% (p=0.041 n=6)
GetTimeline_SQLite/events-500-4            1.683m ±  2%   1.715m ±  0%   +1.92% (p=0.041 n=6)
GetTimeline_SQLite/events-1000-4           3.266m ±  7%   3.327m ±  1%        ~ (p=0.093 n=6)
geomean                                    193.3µ         200.4µ         +3.66%

                                   │ baseline-bench.txt │        benchmark-results.txt         │
                                   │        B/op        │     B/op      vs base                │
EventStoreAppend_InMemory-4                  756.0 ± 5%     747.5 ± 4%       ~ (p=0.327 n=6)
EventStoreAppend_SQLite-4                  1.985Ki ± 1%   1.984Ki ± 1%       ~ (p=0.706 n=6)
GetTimeline_InMemory/events-10-4           7.953Ki ± 0%   7.953Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4           46.62Ki ± 0%   46.62Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4          94.48Ki ± 0%   94.48Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4          472.8Ki ± 0%   472.8Ki ± 0%       ~ (p=1.000 n=6)
GetTimeline_InMemory/events-1000-4         944.3Ki ± 0%   944.3Ki ± 0%       ~ (p=1.000 n=6)
GetTimeline_SQLite/events-10-4             16.74Ki ± 0%   16.74Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4             87.14Ki ± 0%   87.14Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4            175.4Ki ± 0%   175.4Ki ± 0%       ~ (p=1.000 n=6)
GetTimeline_SQLite/events-500-4            846.1Ki ± 0%   846.1Ki ± 0%       ~ (p=0.545 n=6)
GetTimeline_SQLite/events-1000-4           1.639Mi ± 0%   1.639Mi ± 0%       ~ (p=0.113 n=6)
geomean                                    67.10Ki        67.03Ki       -0.10%
¹ all samples are equal

                                   │ baseline-bench.txt │        benchmark-results.txt        │
                                   │     allocs/op      │  allocs/op   vs base                │
EventStoreAppend_InMemory-4                  7.000 ± 0%    7.000 ± 0%       ~ (p=1.000 n=6) ¹
EventStoreAppend_SQLite-4                    53.00 ± 0%    53.00 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-10-4             125.0 ± 0%    125.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4             653.0 ± 0%    653.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4           1.306k ± 0%   1.306k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4           6.514k ± 0%   6.514k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-1000-4          13.02k ± 0%   13.02k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-10-4               382.0 ± 0%    382.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4              1.852k ± 0%   1.852k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4             3.681k ± 0%   3.681k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-500-4             18.54k ± 0%   18.54k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-1000-4            37.29k ± 0%   37.29k ± 0%       ~ (p=1.000 n=6) ¹
geomean                                     1.162k        1.162k       +0.00%
¹ all samples are equal

Benchmarks run with go test -bench=. -benchmem -count=6.
Regressions ≥ 20% are flagged. Results compared via benchstat.

The CI go-mod-tidy job runs 'go mod tidy' in example/ (which uses
replace github.com/GoCodeAlone/workflow => ../) and fails on any diff.
After bumping the root module's modular deps, example/go.mod must be
re-tidied to v1.13.4 + the matching module versions.
@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


The verify_capabilities/* and conformance/* testdata plugin fixtures use
'replace github.com/GoCodeAlone/workflow => ../../../../..', so bumping the
root module's modular deps to v1.13.4 made their go.mod/go.sum inconsistent.
Under the test's 'go build -mod=readonly' this surfaced as
'updates to go.mod needed' and failed TestVerifyCapabilities_*/TestFallbackRuns.
go mod tidy across all 10 fixtures realigns them to v1.13.4; cmd/wfctl tests
pass locally (ok, 56s).
@intel352 intel352 merged commit 417cc0c into main May 29, 2026
28 checks passed
@intel352 intel352 deleted the chore/bump-modular-v1.13.4-20260529 branch May 29, 2026 12:57
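
The fixture breakage described in the last commit message (nested modules that `replace` the root module with a local path go stale when the root's requirements are bumped) can be caught before `go build -mod=readonly` fails. The following is an added example, not code from this PR or the project: the go.mod contents, the `example.test/fixture` module path, the full `github.com/GoCodeAlone/modular` path and the helper names `parse` and `staleRequires` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod contents (not copied from the repository; modular's full path is assumed).
const rootMod = `module github.com/GoCodeAlone/workflow
require (
	github.com/GoCodeAlone/modular v1.13.4
	github.com/fsnotify/fsnotify v1.10.1 // indirect
)`
const fixtureMod = `module example.test/fixture
require github.com/GoCodeAlone/modular v1.13.0
require github.com/fsnotify/fsnotify v1.10.1 // indirect
replace github.com/GoCodeAlone/workflow => ../../../../..`

// parse returns a go.mod's require map and whether rootPath is replaced by a local directory.
func parse(gomod, rootPath string) (map[string]string, bool) {
	reqs, local, inReq := map[string]string{}, false, false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch n := len(f); {
		case n == 2 && f[0] == "require" && f[1] == "(":
			inReq = true
		case n == 1 && f[0] == ")":
			inReq = false
		case inReq && n == 2: // entry inside a require ( ... ) block
			reqs[f[0]] = f[1]
		case n == 3 && f[0] == "require": // single-line require
			reqs[f[1]] = f[2]
		case n >= 3 && f[n-2] == "=>" && strings.HasPrefix(f[n-1], "."):
			local = local || f[0] == rootPath || f[1] == rootPath
		}
	}
	return reqs, local
}

// staleRequires lists nested requirements below the locally replaced root's (numeric x.y.z only).
func staleRequires(root, nested, rootPath string) []string {
	rootReqs, _ := parse(root, rootPath)
	nestedReqs, local := parse(nested, rootPath)
	var out []string
	for mod, want := range rootReqs {
		var h, w [3]int
		fmt.Sscanf(nestedReqs[mod], "v%d.%d.%d", &h[0], &h[1], &h[2])
		fmt.Sscanf(want, "v%d.%d.%d", &w[0], &w[1], &w[2])
		older := h[0] < w[0] || h[0] == w[0] && (h[1] < w[1] || h[1] == w[1] && h[2] < w[2])
		if _, ok := nestedReqs[mod]; ok && local && older {
			out = append(out, fmt.Sprintf("%s %s < %s", mod, nestedReqs[mod], want))
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(staleRequires(rootMod, fixtureMod, "github.com/GoCodeAlone/workflow")) }
```

A non-empty result marks a nested module that needs `go mod tidy`; the Go toolchain remains the authority, since this check ignores pre-release and pseudo-version suffixes.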