chore(deps): update security updates - autoclosed #131
📝 Walkthrough: Updates Go module dependencies in …
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (inconclusive)
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
go.mod (1)
Lines 3-5: ⚠️ Potential issue | 🔴 Critical: Go version floor is incompatible with updated OTel instrumentation.
go 1.24.4 (line 3) and toolchain go1.24.11 (line 5) conflict with go.opentelemetry.io/contrib/instrumentation/host v0.67.0 (line 150), which requires Go >= 1.25. This blocks module resolution and CI builds.
Suggested fix:
-go 1.24.4
+go 1.25.0
-toolchain go1.24.11
+toolchain go1.25.8
(Alternative: pin go.opentelemetry.io/contrib/instrumentation/host and related contrib packages to a Go-1.24-compatible release.)
Also applies to: lines 150-151
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 3 - 5, The module's Go version floor is too low for the updated OpenTelemetry contrib package; update the go directive and the toolchain directive to at least Go 1.25 (e.g., set the go directive and toolchain to 1.25 or newer) so that go.opentelemetry.io/contrib/instrumentation/host v0.67.0 can be resolved, or alternatively pin the contrib packages (e.g., go.opentelemetry.io/contrib/instrumentation/host and related contrib modules) to a release compatible with Go 1.24 to avoid raising the toolchain requirement.
| github.com/opencontainers/runc v1.4.1 // indirect | ||
| github.com/ory/dockertest/v3 v3.12.0 // indirect |
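Review bot: the two indirect pins shown here (runc v1.4.1 and dockertest/v3 v3.12.0) need a go.sum that agrees with them, and the review above found go.sum still resolving runc v1.2.8. Run `go mod tidy` and commit the updated go.sum together with this go.mod change, so the runc version the build selects is the one go.mod declares and the removed libcontainer/user package is never referenced; if tidy cannot reconcile dockertest v3.12.0 with runc v1.4.1, the runc entry should be kept at the version go.sum already records instead of bumped blindly.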
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Find who imports the failing package path and where runc/dockertest are pinned.
rg -n 'github.com/opencontainers/runc/libcontainer/user'
rg -n 'github.com/opencontainers/runc|github.com/ory/dockertest/v3' go.mod go.sum
Repository: formancehq/auth
Length of output: 581
🏁 Script executed:
# Find all Go files and search for runc or dockertest imports
fd -e go -type f | head -20
rg -n 'import.*runc|import.*dockertest' --type go
rg -n 'from.*runc|from.*dockertest' --type go
Repository: formancehq/auth
Length of output: 229
🏁 Script executed:
# Search for runc and dockertest imports in Go files
rg 'opencontainers/runc|ory/dockertest' -g '*.go'
rg 'libcontainer' -g '*.go'
# Also list the Go files in the repository
fd -e go -type f
Repository: formancehq/auth
Length of output: 229
🏁 Script executed:
# Search for runc and dockertest imports in Go files
rg 'opencontainers/runc|ory/dockertest' -g '*.go'
rg 'libcontainer' -g '*.go'
# Check what Go files exist
find . -name '*.go' -type f | head -20
Repository: formancehq/auth
Length of output: 461
🏁 Script executed:
# Search for any runc or dockertest imports more broadly
rg 'runc|dockertest' -g '*.go'
# Check the full go.mod to understand dependencies
cat go.mod | grep -A 5 -B 5 'runc\|dockertest'
Repository: formancehq/auth
Length of output: 699
🏁 Script executed:
# Search specifically in test files for dockertest
rg 'dockertest' -g '*_test.go'
# Check if there's a setup or integration test file
find . -name '*integration*' -o -name '*docker*' | grep -E '\.go$'
# Look for TestMain or Docker setup in test files
rg 'TestMain|docker|Docker' -g '*_test.go' | head -20
Repository: formancehq/auth
Length of output: 988
🏁 Script executed:
# Check what version of go-libs is being used
rg 'formancehq/go-libs' go.mod
# Check the full go.sum for all runc and dockertest entries
rg '^github.com/(opencontainers/runc|ory/dockertest)' go.sum
Repository: formancehq/auth
Length of output: 455
🌐 Web query:
runc v1.4.1 libcontainer/user package availability
💡 Result:
No, the libcontainer/user package is not available in runc v1.4.1. It was deprecated in runc v1.2.0 (PR #4017) and removed in the v1.4.0 release series (prior to v1.4.1), with users directed to use github.com/moby/sys/user instead. The v1.4.0-rc.1 release notes explicitly state: "The deprecated libcontainer/user package has been removed; use github.com/moby/sys/user instead. (#3999, #4617)". runc v1.4.1, as a patch release on the 1.4.z branch, inherits this removal. pkg.go.dev for v1.4.1 confirms dependency on github.com/moby/sys/user v0.4.0, and main branch libcontainer directory listing shows a 'user' directory that is an alias, not the original package.
Citations:
- 1: https://github.com/opencontainers/runc/blob/main/CHANGELOG.md
- 2: https://github.com/opencontainers/runc/releases
- 3: https://cos.googlesource.com/third_party/runc/+/refs/tags/v1.4.0-rc.1
- 4: https://pkg.go.dev/github.com/opencontainers/runc/libcontainer
- 5: Deprecate libcontainer/user, and migrate to github.com/moby/sys/user opencontainers/runc#4017
- 6: https://pkg.go.dev/github.com/opencontainers/runc
- 7: https://github.com/opencontainers/runc/tree/main/libcontainer
🌐 Web query:
dockertest v3.12.0 runc compatibility requirements
💡 Result:
Dockertest v3.12.0 is a Go library (github.com/ory/dockertest/v3) for running Docker containers in integration tests. It does not impose specific runc compatibility requirements itself, as it interacts with the host's Docker daemon via the Docker API. runc compatibility is determined by the underlying Docker Engine version installed on the test host:
- Default runtime: runc (io.containerd.runc.v2)
- Docker Engine bundles a compatible runc version (e.g., recent releases like v29.x bundle runc v1.3.x or later; v28 bundles v1.3.0+).
- No explicit minimum runc version stated for dockertest; it relies on Docker's OCI runtime support.
To ensure compatibility:
- Use a recent Docker Engine (v27+ recommended, as per dockertest updates).
- Dockertest v3.12.0 supports Docker up to v27.x (from changelog).
- runc must match Docker's bundled version or be configured via daemon config (--default-runtime or runtimes section).
Sources confirm dockertest depends on github.com/opencontainers/runc in go.mod (older versions like v3.9 bumped to runc 1.1.12-1.1.13), but runtime execution uses host Docker's runc.
Citations:
- 1: https://pkg.go.dev/github.com/ory/dockertest/v3
- 2: https://github.com/ory/dockertest/releases
- 3: https://github.com/ory/dockertest/tags
- 4: https://docs.docker.com/engine/reference/commandline/dockerd/
- 5: http://docs.docker.com/engine/release-notes
- 6: https://github.com/opencontainers/runc/releases
- 7: https://docs.docker.com/engine/release-notes/28
🏁 Script executed:
# Check if there are any build errors or test failures documented
find . -name '*.md' -o -name 'README*' | xargs grep -l 'error\|fail\|libcontainer' 2>/dev/null
# Check git status or recent commits that might indicate the issue
git log --oneline -10 2>/dev/null || echo "Git not available"
# Verify if something in the dependency tree imports libcontainer/user
# by checking if there's a go.mod mismatch that would cause issues
cat go.mod | head -50
Repository: formancehq/auth
Length of output: 1952
Resolve go.mod/go.sum version mismatch: runc v1.4.1 removed the libcontainer/user package.
The libcontainer/user package was removed in runc v1.4.0-rc.1 and is not present in v1.4.1. However, go.mod specifies github.com/opencontainers/runc v1.4.1 while go.sum is locked to v1.2.8 (which still contains the package). This mismatch will cause build failures on a clean build or go mod tidy.
Either run go mod tidy to resolve to compatible versions, or manually downgrade runc in go.mod to v1.2.8 (matching go.sum) or upgrade to a dockertest version compatible with runc v1.4.1.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` around lines 127 - 128, go.mod and go.sum disagree on the runc
version: go.mod pins github.com/opencontainers/runc v1.4.1 but go.sum (and the
build) expects v1.2.8 which still contains libcontainer/user; fix by making
module versions consistent—either run `go mod tidy` to update go.sum and resolve
compatible transitive versions, or explicitly change the runc entry in go.mod to
github.com/opencontainers/runc v1.2.8 (or upgrade dockertest to a version
compatible with v1.4.1) so the runc version in go.mod matches go.sum and the
removed libcontainer/user package is not referenced.
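Both findings in this review, the go.mod/go.sum disagreement on runc and the Go version floor required by the OTel contrib package, can be checked locally before a dependency bump is pushed. The shell script below is an added example and is not code from the PR, from CodeRabbit or from the formancehq/auth repository. The go.mod and go.sum contents it embeds are constructed to reproduce the mismatch (the hashes are placeholders, not real checksums), and the helper names gomod_requires, gosum_mismatches and go_floor_ok are this example's own.

```shell
#!/bin/sh
# Added example (not code from the PR or the formancehq/auth repository).
# 1) List go.mod require entries that have no matching go.sum line: the
#    runc v1.4.1 (go.mod) vs v1.2.8 (go.sum) situation from the review.
# 2) Check whether the go directive satisfies a minimum a dependency needs
#    (the Go >= 1.25 floor flagged for the OTel contrib package).
# The go.mod / go.sum contents are constructed; hashes are placeholders.

GOMOD_FILE=$(mktemp)
GOSUM_FILE=$(mktemp)
trap 'rm -f "$GOMOD_FILE" "$GOSUM_FILE"' EXIT

cat >"$GOMOD_FILE" <<'EOF'
module example.com/constructed-auth

go 1.24.4

toolchain go1.24.11

require (
    github.com/opencontainers/runc v1.4.1 // indirect
    github.com/ory/dockertest/v3 v3.12.0 // indirect
)
EOF

# go.sum still records runc v1.2.8: exactly what the review describes.
cat >"$GOSUM_FILE" <<'EOF'
github.com/opencontainers/runc v1.2.8 h1:PLACEHOLDERHASH=
github.com/opencontainers/runc v1.2.8/go.mod h1:PLACEHOLDERHASH=
github.com/ory/dockertest/v3 v3.12.0 h1:PLACEHOLDERHASH=
github.com/ory/dockertest/v3 v3.12.0/go.mod h1:PLACEHOLDERHASH=
EOF

# Print "module version" for every require entry (block and single-line form).
gomod_requires() {
    awk '
        /^require \(/        { inblock = 1; next }
        inblock && /^\)/     { inblock = 0; next }
        inblock && NF >= 2   { print $1, $2 }
        /^require [^(]/      { print $2, $3 }
    ' "$1"
}

# Print "module version" for each go.mod pin whose exact version has no
# go.sum "/go.mod" line. Empty output means go.mod and go.sum agree.
gosum_mismatches() {
    gomod_requires "$1" | while read -r mod ver; do
        # Exact prefix match, so "." in module paths is not treated as a wildcard.
        if ! awk -v key="$mod $ver/go.mod " \
               'index($0, key) == 1 { found = 1 } END { exit !found }' "$2"; then
            echo "$mod $ver"
        fi
    done
}

# Succeed when the go directive in file $1 is at least version $2 (e.g. 1.25).
go_floor_ok() {
    floor=$(awk '$1 == "go" { print $2; exit }' "$1")
    # Under version sort the floor satisfies the minimum when it sorts last (or equal).
    [ "$(printf '%s\n%s\n' "$2" "$floor" | sort -V | tail -n 1)" = "$floor" ]
}

echo "go.mod pins without a matching go.sum entry (run 'go mod tidy' and commit go.sum):"
gosum_mismatches "$GOMOD_FILE" "$GOSUM_FILE"
if go_floor_ok "$GOMOD_FILE" 1.25; then
    echo "go directive satisfies Go >= 1.25"
else
    echo "go directive is below 1.25: raise it, or pin the contrib packages to a Go 1.24 release"
fi
```

In a real checkout, `go mod tidy` followed by `git diff go.sum` is the authoritative check; the script only makes visible what tidy would have to reconcile. The version-floor test relies on `sort -V`, so it needs a sort that supports version ordering (GNU coreutils or a recent BSD sort).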
This PR contains the following updates:
Version changes (the package column was lost in extraction; pairs are listed in the PR's order):
v1.1.1 -> v1.2.0, 306776e -> faa5f7b, v1.39.0 -> v1.41.4, v1.31.7 -> v1.32.12, v1.18.11 -> v1.19.12, v1.18.7 -> v1.18.20, v1.5.14 -> v1.6.20, v1.4.7 -> v1.4.20,
v2.7.7 -> v2.7.20, v1.8.3 -> v1.8.6, v1.13.1 -> v1.13.7, v1.13.7 -> v1.13.20, v1.29.2 -> v1.30.13, v1.34.3 -> v1.35.17, v1.38.3 -> v1.41.9, v1.23.0 -> v1.24.2,
v0.4.3 -> v0.4.5, v4.4.0 -> v4.4.1, v27.3.1+incompatible -> v27.5.1+incompatible, v28.3.3+incompatible -> v28.5.2+incompatible, v0.8.4 -> v0.10.0, 495c538 -> 00de7ca,
v5.2.4 -> v5.2.5, v2.4.0 -> v2.5.0, v0.10.5 -> v0.10.6, v5.2.3 -> v5.3.1, 27863c8 -> a15ffb7, v2.27.1 -> v2.28.0, v5.7.6 -> v5.8.0, v1.0.2 -> v1.0.4, 8bc96cf -> b3301c5,
v0.9.0 -> v0.9.2, v0.5.0 -> v0.5.2, v2.23.4 -> v2.28.1, v1.37.0 -> v1.39.1, v1.2.8 -> v1.4.1, v3.11.0 -> v3.12.0, v4.25.5 -> v4.26.2, v1.9.3 -> v1.9.4, v1.9.1 -> v1.10.2,
v0.3.15 -> v0.3.16, v0.10.0 -> v0.11.0, v1.2.15 -> v1.2.18 (three modules), v0.23.8 -> v0.24.2, v0.6.2 -> v0.7.0, v3.45.0 -> v3.45.5, v1.3.1 -> v1.3.2,
v0.62.0 -> v0.67.0 (three modules), v1.37.0 -> v1.42.0, v1.40.0 -> v1.42.0, v1.37.0 -> v1.42.0 (seven modules), v0.11.0 -> v0.18.0, v1.40.0 -> v1.42.0 (four modules),
v1.7.0 -> v1.10.0, v1.27.0 -> v1.27.1, v0.46.0 -> v0.49.0, v0.48.0 -> v0.52.0, v0.34.0 -> v0.36.0, v0.19.0 -> v0.20.0, v0.40.0 -> v0.42.0, v0.32.0 -> v0.35.0,
v0.39.0 -> v0.43.0, ff82c1b -> d00831a (two modules), v1.36.10 -> v1.36.11
Release Notes
FiloSottile/edwards25519 (filippo.io/edwards25519): v1.2.0
aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2): v1.41.4, v1.41.3, v1.41.2, v1.41.1, v1.41.0, v1.40.1, v1.40.0, v1.39.6, v1.39.5, v1.39.4, v1.39.3, v1.39.2, v1.39.1
aws/smithy-go (github.com/aws/smithy-go): v1.24.2 (Release 2026-02-27), v1.24.1 (Release 2026-02-20), v1.24.0, v1.23.2, v1.23.1
containerd/continuity (github.com/containerd/continuity): v0.4.5 (full changelog: containerd/continuity@v0.4.4...v0.4.5), v0.4.4 (full changelog: containerd/continuity@v0.4.3...v0.4.4)
docker/cli (github.com/docker/cli): v27.5.1+incompatible, v27.5.0+incompatible, v27.4.1+incompatible, v27.4.0+incompatible
uptrace/bun (github.com/uptrace/bun): v1.2.18 (bug fixes), v1.2.17 (bug fixes), v1.2.16 (bug fixes, features)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.