
fix(deps): update go-dependencies #1297

Merged: emoskito merged 13 commits into main from renovate/go-dependencies on Apr 17, 2026

Conversation


renovate Bot (Contributor) commented Jan 22, 2026

This PR updates Go dependencies, aligning critical runtime deps with Zarf v0.75.0 and keeping build-tooling libraries at their latest versions.

Alignment Report — uds-cli deps vs Zarf v0.75.0

| Dependency | Before | After | Zarf v0.75.0 | Zarf-aligned? | Status |
| --- | --- | --- | --- | --- | --- |
| github.com/zarf-dev/zarf | v0.74.2 | v0.75.0 | v0.75.0 | ✅ Yes | Aligned |
| helm.sh/helm/v4 | v4.1.3 | v4.1.4 | v4.1.4 | ✅ Yes | Aligned |
| k8s.io/api | v0.35.3 | v0.35.3 | v0.35.3 | ✅ Yes | Aligned |
| k8s.io/apimachinery | v0.35.3 | v0.35.3 | v0.35.3 | ✅ Yes | Aligned |
| k8s.io/client-go | v0.35.3 | v0.35.3 | v0.35.3 | ✅ Yes | Aligned |
| github.com/docker/cli (indirect) | v29.3.1 | v29.4.0 | v29.4.0 | ✅ Yes | Aligned |
| github.com/fluxcd/source-controller/api (indirect) | v1.8.1 | v1.8.2 | v1.8.2 | ✅ Yes | Aligned |
| golang.org/x/exp | 20251219-944ab1f2 | 20260410-746e56fc | 20251023-a4bb9ffd | ❌ No | Ahead — kept at latest |
| golang.org/x/mod | v0.35.0 | v0.35.0 | v0.34.0 | ❌ No | Ahead — kept at latest |
| golang.org/x/tools (indirect) | v0.44.0 | v0.44.0 | v0.43.0 | ❌ No | Ahead — kept at latest |

7 of 10 dependencies are fully aligned with Zarf v0.75.0. The remaining 3 (golang.org/x/exp, golang.org/x/mod, golang.org/x/tools) are intentionally ahead at their latest versions. All three are build-tooling/utility libraries with no runtime behavior divergence risk.

Breaking changes addressed

  • zoci.AssembleLayers — removed isSkeleton parameter and zoci.AllLayers constant; updated call site in boci/oci.go
  • layout.PackageLayoutOptions.PublicKeyPath — deprecated in favor of VerifyBlobOptions; migrated all 5 call sites and 2 consumers in utils/utils.go

Security fix

| CVE | Package | Before | After | Severity |
| --- | --- | --- | --- | --- |
| CVE-2026-33816 | github.com/jackc/pgx/v5 (indirect) | v5.8.0 | v5.9.0 | Critical |

Transitive dep via sigstore/cosign → Zarf. Bumped directly to unblock the grype-scan CI gate (fail-on-severity: critical).


Note

This PR was originally opened by Renovate for golang.org/x/*, Helm, and k8s patches. It has since been extended to include the Zarf v0.75.0 upgrade with full dependency alignment.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate.

renovate Bot requested a review from a team as a code owner, January 22, 2026 17:36
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from d54fcfd to eda2f1d, January 27, 2026 23:04
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from 335a38e to bd6f42c, February 6, 2026 19:02
renovate Bot force-pushed the renovate/go-dependencies branch 4 times, most recently from 9806877 to 73520ce, February 12, 2026 22:49
renovate Bot force-pushed the renovate/go-dependencies branch 4 times, most recently from bdeba76 to 287eb14, February 24, 2026 17:03
renovate Bot force-pushed the renovate/go-dependencies branch 4 times, most recently from 5e8460e to 6d563bb, March 4, 2026 13:57
renovate Bot force-pushed the renovate/go-dependencies branch 4 times, most recently from 78c978c to 4e8df71, March 12, 2026 02:36
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from 1d98b78 to ecbd452, March 19, 2026 10:56
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from 9d46005 to 6673844, March 20, 2026 22:21
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from 59a478a to c3e693e, April 2, 2026 18:35
renovate Bot changed the title from "fix(deps): update go-dependencies" to "fix(deps): update go dependencies to 7ab1446", Apr 3, 2026
renovate Bot force-pushed the renovate/go-dependencies branch 2 times, most recently from 7e1622a to e95e01f, April 3, 2026 16:25
Align go.mod dependencies to match Zarf v0.74.2 versions.

renovate Bot commented Apr 16, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Downgrade golang.org/x/tools v0.44.0 → v0.43.0 and golang.org/x/mod v0.35.0 → v0.34.0 to match Zarf v0.74.2.

Upgrade golang.org/x/tools to latest (v0.44.0), which transitively pulls golang.org/x/mod from v0.34.0 to v0.35.0.

slaskawi commented Apr 16, 2026

After having a chat in Slack, I aligned critical deps to Zarf and left the less related ones set to the latest.

Alignment Report — uds-cli deps vs Zarf v0.74.2

| Dependency | Before | After | Zarf v0.74.2 | Status |
| --- | --- | --- | --- | --- |
| golang.org/x/exp | 20251219-944ab1f2 | 20260410-746e56fc | 20251023-a4bb9ffd | Ahead — bumped to latest |
| golang.org/x/mod | v0.35.0 | v0.35.0 | v0.34.0 | Ahead — pulled up by x/tools@v0.44.0 |
| golang.org/x/tools (indirect) | v0.44.0 | v0.44.0 | v0.43.0 | Ahead — bumped to latest |
| helm.sh/helm/v4 | v4.1.4 | v4.1.3 | v4.1.3 | Aligned |
| k8s.io/api | v0.35.4 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/apimachinery | v0.35.4 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/client-go | v0.35.4 | v0.35.3 | v0.35.3 | Aligned |

4 of 7 dependencies are fully aligned with Zarf v0.74.2. The remaining 3 (golang.org/x/exp, golang.org/x/mod, golang.org/x/tools) are intentionally ahead at their latest versions. All three are build-tooling/utility libraries with no runtime behavior divergence risk.


slaskawi commented Apr 17, 2026

Updated Zarf to v0.75.0 and addressed the following breaking API changes:

  • src/pkg/utils/boci/oci.go - zoci.AssembleLayers removed isSkeleton param and zoci.AllLayers; updated to new variadic signature
  • src/pkg/utils/utils.go - Migrated from deprecated PublicKeyPath to VerifyBlobOptions
  • Updated 5 callers (fetcher/remote.go, fetcher/local.go, sources/tarball.go, sources/remote.go, bundle/inspect.go) to use VerifyBlobOptions

Below is the full report of the upgrades:

| Dependency | Before | After | Zarf v0.75.0 | Status |
| --- | --- | --- | --- | --- |
| github.com/zarf-dev/zarf | v0.74.2 | v0.75.0 | v0.75.0 | Aligned |
| helm.sh/helm/v4 | v4.1.3 | v4.1.4 | v4.1.4 | Aligned |
| k8s.io/api | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/apimachinery | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/client-go | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| github.com/docker/cli (indirect) | v29.3.1 | v29.4.0 | v29.4.0 | Aligned |
| github.com/fluxcd/source-controller/api (indirect) | v1.8.1 | v1.8.2 | v1.8.2 | Aligned |
| golang.org/x/exp | 20251219-944ab1f2 | 20260410-746e56fc | 20251023-a4bb9ffd | Ahead — kept at latest |
| golang.org/x/mod | v0.35.0 | v0.35.0 | v0.34.0 | Ahead — kept at latest |
| golang.org/x/tools (indirect) | v0.44.0 | v0.44.0 | v0.43.0 | Ahead — kept at latest |

7 of 10 dependencies are fully aligned with Zarf v0.75.0. The remaining 3 (golang.org/x/exp, golang.org/x/mod, golang.org/x/tools) are intentionally ahead at their latest versions. All three are build-tooling/utility libraries with no runtime behavior divergence risk.

slaskawi mentioned this pull request Apr 17, 2026

slaskawi commented Apr 17, 2026

The final dependency upgrade report:

Alignment Report — uds-cli deps vs Zarf v0.75.0

| Dependency | Before | After | Zarf v0.75.0 | Status |
| --- | --- | --- | --- | --- |
| github.com/zarf-dev/zarf | v0.74.2 | v0.75.0 | v0.75.0 | Aligned |
| helm.sh/helm/v4 | v4.1.3 | v4.1.4 | v4.1.4 | Aligned |
| k8s.io/api | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/apimachinery | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| k8s.io/client-go | v0.35.3 | v0.35.3 | v0.35.3 | Aligned |
| github.com/docker/cli (indirect) | v29.3.1 | v29.4.0 | v29.4.0 | Aligned |
| github.com/fluxcd/source-controller/api (indirect) | v1.8.1 | v1.8.2 | v1.8.2 | Aligned |
| golang.org/x/exp | 20251219-944ab1f2 | 20260410-746e56fc | 20251023-a4bb9ffd | Ahead — kept at latest |
| golang.org/x/mod | v0.35.0 | v0.35.0 | v0.34.0 | Ahead — kept at latest |
| golang.org/x/tools (indirect) | v0.44.0 | v0.44.0 | v0.43.0 | Ahead — kept at latest |

7 of 10 dependencies are fully aligned with Zarf v0.75.0. The remaining 3 (golang.org/x/exp, golang.org/x/mod, golang.org/x/tools) are intentionally ahead at their latest versions. All three are build-tooling/utility libraries with no runtime behavior divergence risk.

Breaking changes addressed

  • zoci.AssembleLayers — removed isSkeleton parameter and zoci.AllLayers constant; updated call site in boci/oci.go
  • layout.PackageLayoutOptions.PublicKeyPath — deprecated in favor of VerifyBlobOptions; migrated all 5 call sites and 2 consumers in utils/utils.go

Security fix

| CVE | Package | Before | After | Severity |
| --- | --- | --- | --- | --- |
| CVE-2026-33816 | github.com/jackc/pgx/v5 (indirect) | v5.8.0 | v5.9.0 | Critical |

Transitive dep via sigstore/cosign → Zarf. Bumped directly to unblock the grype-scan CI gate (fail-on-severity: critical).
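The alignment reports in this thread (the PR description and slaskawi's comments above) all answer the same question: for each module uds-cli requires, does it resolve to the version Zarf v0.75.0 itself was built and tested against, so that runtime-critical libraries such as Helm, k8s.io and the Zarf SDK behave identically in both binaries, while build-tooling modules like golang.org/x/tools are allowed to run ahead? The program below is an added example, not uds-cli's or Zarf's own code, showing how such a report can be derived mechanically from two go.mod files instead of by hand. It parses the require blocks, orders versions including `+incompatible` tags and `v0.0.0-<timestamp>-<hash>` pseudo-versions (the golang.org/x/exp case), and classifies each dependency as Aligned, Ahead, Behind, or not required by Zarf at all. The embedded go.mod excerpts are constructed for the example: the module paths are real, but the pseudo-version timestamps and hashes are invented, and only the require block is read (replace, exclude and retract directives are ignored).

```go
package main

import (
	"cmp"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpts (real module paths; invented pseudo-version stamps).
const udsGoMod = `module github.com/defenseunicorns/uds-cli
require (
	github.com/zarf-dev/zarf v0.75.0
	github.com/docker/cli v29.3.1+incompatible // indirect
	github.com/jackc/pgx/v5 v5.9.0 // indirect
	golang.org/x/exp v0.0.0-20260410120000-746e56fc0000
	helm.sh/helm/v4 v4.1.4
)`
const zarfGoMod = `module github.com/zarf-dev/zarf
require (
	github.com/docker/cli v29.4.0+incompatible // indirect
	github.com/jackc/pgx/v5 v5.8.0 // indirect
	golang.org/x/exp v0.0.0-20251023120000-a4bb9ffd0000
	helm.sh/helm/v4 v4.1.4
)`

// ParseGoMod maps each path in the require block to its version. Trailing
// comments such as "// indirect" are dropped; other directives are ignored.
func ParseGoMod(src string) map[string]string {
	req := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			req[f[0]] = f[1]
		}
	}
	return req
}

// splitVersion returns the numeric major.minor.patch core (ignoring "+incompatible")
// and the first "-" suffix segment (a pseudo-version's UTC stamp); a plain release
// gets "~", which sorts after every digit and letter, i.e. after any pre-release.
func splitVersion(v string) (nums [3]int, suffix string) {
	core, rest, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+")
	for i, p := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	if suffix, _, _ = strings.Cut(rest, "-"); suffix == "" {
		suffix = "~"
	}
	return nums, suffix
}

// CompareVersions orders two module versions (-1, 0, 1): numeric core, then suffix.
func CompareVersions(a, b string) int {
	ca, sa := splitVersion(a)
	cb, sb := splitVersion(b)
	for i := range ca {
		if c := cmp.Compare(ca[i], cb[i]); c != 0 {
			return c
		}
	}
	return strings.Compare(sa, sb)
}

// AlignmentStatus classifies one uds-cli requirement against Zarf's go.mod. Zarf's
// own module is the reference and always counts as aligned; anything Zarf does not
// require at all is flagged for manual review rather than silently passed.
func AlignmentStatus(path, udsVersion, zarfModule string, zarfReq map[string]string) string {
	zv, ok := zarfReq[path]
	switch c := CompareVersions(udsVersion, zv); {
	case path == zarfModule:
		return "Aligned (Zarf itself)"
	case !ok:
		return "Not required by Zarf"
	case c == 0:
		return "Aligned"
	case c > 0:
		return "Ahead"
	default:
		return "Behind"
	}
}

func main() {
	zarfReq := ParseGoMod(zarfGoMod)
	for path, v := range ParseGoMod(udsGoMod) {
		status := AlignmentStatus(path, v, "github.com/zarf-dev/zarf", zarfReq)
		fmt.Printf("%-28s %-36s %-36s %s\n", path, v, zarfReq[path], status)
	}
}
```

In the constructed data docker/cli comes out Behind (the pre-alignment state in the table above), pgx and x/exp come out Ahead, and Helm is Aligned. For a real CI gate the Zarf side would be the go.mod of the pinned SDK tag (`go mod download -json github.com/zarf-dev/zarf@v0.75.0` prints the path of the cached copy), and the policy would fail on Behind or Ahead for a named set of runtime-critical modules while tolerating Ahead for build tooling and for CVE-driven bumps such as the pgx one in this PR.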

emoskito requested a review from brandtkeller, April 17, 2026 10:23

Copilot AI left a comment


Pull request overview

Updates Go module dependencies (notably Zarf and Helm) to align uds-cli with Zarf v0.75.0, and adjusts uds-cli code to account for Zarf SDK API changes around OCI layer assembly and package signature verification options.

Changes:

  • Bump core/runtime deps (e.g., github.com/zarf-dev/zarf to v0.75.0, helm.sh/helm/v4 to v4.1.4) and refresh transitive modules (including a pgx CVE-related bump).
  • Migrate signature verification configuration from deprecated PublicKeyPath to VerifyBlobOptions across load/layout call sites.
  • Update OCI layer selection logic to match the new zoci.AssembleLayers API and handle skeleton packages by excluding image layers.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/test/bundles/14-optional-components/uds-bundle.yaml | Updates referenced Zarf init package version to v0.75.0 for tests. |
| src/test/bundles/04-init/uds-bundle.yaml | Updates referenced Zarf init package version to v0.75.0 for tests. |
| src/pkg/utils/utils.go | Introduces helpers for VerifyBlobOptions and updates package signature verification path. |
| src/pkg/utils/boci/oci.go | Updates layer assembly call to new Zarf OCI API; excludes image layers for skeleton packages. |
| src/pkg/sources/tarball.go | Switches layout options to use VerifyBlobOptions derived from the public key path. |
| src/pkg/sources/remote.go | Switches layout options to use VerifyBlobOptions derived from the public key path. |
| src/pkg/bundler/fetcher/remote.go | Switches package load options to use VerifyBlobOptions derived from the public key path. |
| src/pkg/bundler/fetcher/local.go | Switches package load options to use VerifyBlobOptions derived from the public key path. |
| src/pkg/bundle/inspect.go | Switches package load options to use VerifyBlobOptions derived from the public key path. |
| hack/generate-schema.sh | Updates Zarf schema download URL to v0.75.0. |
| go.mod | Bumps direct/indirect dependencies (Zarf, Helm, x/*, pgx pin, etc.). |
| go.sum | Updates checksums for bumped dependencies. |


mjnagel previously approved these changes Apr 17, 2026

mjnagel left a comment


LGTM overall.

joelmccoy previously approved these changes Apr 17, 2026

joelmccoy left a comment


Generally LGTM - but would recommend adding some very basic unit tests for the util function we added. See this copilot comment.

emoskito dismissed stale reviews from joelmccoy and mjnagel via 5227a8b, April 17, 2026 19:30
joelmccoy previously approved these changes Apr 17, 2026
emoskito merged commit 9e0eac9 into main Apr 17, 2026
20 checks passed
emoskito deleted the renovate/go-dependencies branch April 17, 2026 20:09
6 participants