Batch dependabot updates #186

Merged: wesm merged 9 commits into main from batch-dep-updates-20260309 on Mar 9, 2026

@wesm commented Mar 9, 2026

Summary

Test plan

  • CI passes (lint, test, govulncheck)
  • Docker build succeeds with updated action versions and Go image

🤖 Generated with Claude Code

dependabot bot and others added 7 commits March 9, 2026 15:56
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.10.0 to 6.0.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@c299e40...030e881)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@c7c5346...ce36039)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@10e90e3...d08e5c3)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps the minor-and-patch group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/mark3labs/mcp-go](https://github.com/mark3labs/mcp-go) | `0.44.1` | `0.45.0` |
| [github.com/mattn/go-runewidth](https://github.com/mattn/go-runewidth) | `0.0.20` | `0.0.21` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.35.0` | `0.36.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.19.0` | `0.20.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.41.0` | `0.42.0` |
| [golang.org/x/time](https://github.com/golang/time) | `0.14.0` | `0.15.0` |


Updates `github.com/mark3labs/mcp-go` from 0.44.1 to 0.45.0
- [Release notes](https://github.com/mark3labs/mcp-go/releases)
- [Commits](mark3labs/mcp-go@v0.44.1...v0.45.0)

Updates `github.com/mattn/go-runewidth` from 0.0.20 to 0.0.21
- [Commits](mattn/go-runewidth@v0.0.20...v0.0.21)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](golang/sync@v0.19.0...v0.20.0)

Updates `golang.org/x/sys` from 0.41.0 to 0.42.0
- [Commits](golang/sys@v0.41.0...v0.42.0)

Updates `golang.org/x/time` from 0.14.0 to 0.15.0
- [Commits](golang/time@v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: github.com/mark3labs/mcp-go
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/mattn/go-runewidth
  dependency-version: 0.0.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/sync
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/sys
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/time
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Fixes GO-2026-4602 (os.ReadDir FileInfo escape from Root) and
GO-2026-4601 (incorrect IPv6 host literal parsing in net/url).
Updates Dockerfile builder image digest to match.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

roborev-ci bot commented Mar 9, 2026

roborev: Combined Review (69c93fc)

Verdict: All reviewers agree the code is clean and these dependency/CI updates introduce no direct security or functional issues.

No issues found.

Residual Risk Note: As these are major-version GitHub Action updates and toolchain/dependency bumps, ensure CI (specifically the Docker build/push job) and a clean-module-cache `go test ./...` pass to confirm no unexpected upstream behavior changes.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

Sets vendorHash to a placeholder so CI reports the correct hash.
Will be updated in a follow-up commit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

roborev-ci bot commented Mar 9, 2026

roborev: Combined Review (48c364e)

Summary Verdict: This PR consists of routine dependency and toolchain updates, but introduces a build-breaking issue in the Nix configuration.

High

  • Fake vendorHash will break Nix builds
    • Location: flake.nix:32
    • Description: The vendorHash is set to a placeholder hash (sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=). This causes deterministic hash mismatch failures, breaking the Nix build when attempting to fetch the updated Go modules.
    • Suggested Fix: Replace the placeholder with the actual computed vendorHash for the updated go.mod/go.sum (run a Nix build once to obtain the expected hash from the failure output, then commit that value).

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)
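
The fix suggested in the review above (take the expected hash from the Nix failure output and commit it), together with a guard that catches a placeholder before merge, as an added shell example that is not part of this pull request or the repository's tooling. The sample error text, the hash beginning `C0nstructed` and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All inputs below are constructed, not taken from the repository.

# Succeeds if the flake text on stdin still has a placeholder vendorHash:
# an all-"A" SRI hash (as quoted in the review) or nixpkgs' lib.fakeHash.
has_placeholder_vendor_hash() {
    grep -Eq 'vendorHash[[:space:]]*=[[:space:]]*("sha256-A+="|(pkgs\.)?lib\.fakeHash)'
}

# Prints the first "got:" hash from a Nix hash-mismatch error on stdin.
extract_got_hash() {
    sed -n 's|^[[:space:]]*got:[[:space:]]*\(sha256-[A-Za-z0-9+/]*=*\)[[:space:]]*$|\1|p' |
        head -n 1
}

# Reads flake text on stdin and prints it with vendorHash set to $1.
# Refuses values that are not a 32-byte SRI sha256 or are themselves a placeholder.
pin_vendor_hash() {
    printf '%s\n' "$1" | grep -Eq '^sha256-[A-Za-z0-9+/]{43}=$' || return 1
    printf '%s\n' "$1" | grep -Eq '^sha256-A+=$' && return 1
    sed "s|\(vendorHash[[:space:]]*=[[:space:]]*\)\"[^\"]*\"|\1\"$1\"|"
}

# Constructed flake line carrying the placeholder quoted in the review.
SAMPLE_FLAKE='  vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";'

# Constructed failure output in the shape Nix prints for a hash mismatch.
sample_nix_error() {
cat <<'EOF'
error: hash mismatch in fixed-output derivation (constructed sample)
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-C0nstructedSampleHashForIllustrationOnly000=
EOF
}

# Demo: detect the placeholder, recover the expected hash, emit the fixed line.
if printf '%s\n' "$SAMPLE_FLAKE" | has_placeholder_vendor_hash; then
    got=$(sample_nix_error | extract_got_hash)
    printf '%s\n' "$SAMPLE_FLAKE" | pin_vendor_hash "$got"
fi
```

Running `has_placeholder_vendor_hash` against the flake as a required CI step keeps a placeholder commit from reaching the default branch even when the Nix build itself is not part of the merge gate.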

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

roborev-ci bot commented Mar 9, 2026

roborev: Combined Review (6d4b705)

Verdict: All reviewers agree this PR is clean and contains no medium, high, or critical issues.

This commit range consists of routine infrastructure and toolchain updates, including bumping Go to 1.25.8, updating GitHub Actions, and refreshing Nix and Docker configurations.
No security or functional issues were identified.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@wesm wesm merged commit 21d4633 into main Mar 9, 2026
4 checks passed