chore(deps): update security updates (major) #132

Merged: flemzord merged 1 commit into main from renovate/major-security on Mar 20, 2026

Conversation

@NumaryBot
Contributor

@NumaryBot NumaryBot commented Mar 20, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| github.com/cenkalti/backoff/v4 | indirect | major | v4.3.0 -> v5.0.3 |
| github.com/docker/cli | indirect | major | v27.3.1+incompatible -> v29.3.0+incompatible |
| github.com/formancehq/go-libs/v3 | require | major | v3.6.1 -> v4.1.1 |
| github.com/lestrrat-go/jwx | indirect | major | v1.2.31 -> v3.0.13 |
| github.com/lestrrat-go/option | indirect | major | v1.0.1 -> v2.0.0 |
| github.com/lithammer/shortuuid/v3 | indirect | major | v3.0.7 -> v4.2.0 |
| github.com/oklog/ulid | indirect | major | v1.3.1 -> v2.1.1 |
| github.com/puzpuzpuz/xsync/v3 | indirect | major | v3.5.1 -> v4.4.0 |
| github.com/zitadel/oidc/v2 | require | major | v2.12.2 -> v3.45.5 |
| gopkg.in/go-jose/go-jose.v2 | require | major | v2.6.3 -> v4.1.3 |
| gopkg.in/yaml.v2 | indirect | major | v2.4.0 -> v3.0.1 |

Release Notes

docker/cli (github.com/docker/cli)

Releases covered by this bump, newest first (every tag carries the +incompatible suffix): v29.3.0, v29.2.1, v29.2.0, v29.1.5, v29.1.4, v29.1.3, v29.1.2, v29.1.1, v29.1.0, v29.0.4, v29.0.3, v29.0.2, v29.0.1, v29.0.0, v28.5.2, v28.5.1, v28.5.0, v28.4.0, v28.3.3, v28.3.2, v28.3.1, v28.3.0, v28.2.2, v28.2.1, v28.2.0, v28.1.1, v28.1.0, v28.0.4, v28.0.3, v28.0.2, v28.0.1, v28.0.0, v27.5.1, v27.5.0, v27.4.1, v27.4.0.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.

Summary by CodeRabbit

  • Chores
    • Updated multiple core authentication, JWT, and OIDC-related libraries to newer versions along with transitive dependencies for improved compatibility.

@NumaryBot NumaryBot requested a review from a team March 20, 2026 03:10
@NumaryBot
Contributor Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: gopkg.in/go-jose/go-jose.v4@v4.1.3: parsing go.mod:
	module declares its path as: github.com/go-jose/go-jose/v4
	        but was required as: gopkg.in/go-jose/go-jose.v4

File name: undefined
Command failed: just pre-commit
go: updates to go.mod needed; to update it:
	go mod tidy
error: Recipe `generate` failed on line 16 with exit code 1

@coderabbitai

coderabbitai bot commented Mar 20, 2026

📝 Walkthrough

Walkthrough

Updated go.mod dependencies to newer major versions for core libraries including formancehq/go-libs (v3→v4), zitadel/oidc (v2→v3), go-jose (v2→v4), and several transitive dependencies like cenkalti/backoff, lestrrat-go/jwx, yaml, and others. Eleven lines modified in total.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Version Upgrades (go.mod) | Updated 11 dependency versions across auth/JWT/OIDC libraries and transitive packages to newer major versions, including formancehq/go-libs, zitadel/oidc, go-jose, cenkalti/backoff, lestrrat-go/jwx, lithammer/shortuuid, oklog/ulid, puzpuzpuz/xsync, and yaml modules. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hopping through versions with glee and delight,
Major bumps bouncing through go.mod tonight,
From v2 to v4, the libraries soar,
Dependencies dance like never before! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'chore(deps): update security updates (major)' is vague and redundant—it says 'update security updates' without specifying which dependencies were updated or why, and lacks clarity about the scope of changes. | Revise the title to be more specific and non-redundant, such as 'chore(deps): update auth/JWT/OIDC libraries to major versions' or 'chore(deps): bump go-libs, zitadel/oidc, and go-jose to v4' to clearly communicate the primary dependency changes. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 180: Remove the redundant indirect entry for the module gopkg.in/yaml.v3
v3.0.1 from go.mod (the duplicate entry added later) so only the primary direct
requirement remains (the one already required earlier in the file); after
removing the duplicate line, run go mod tidy to update go.sum and ensure module
graph consistency.
- Around line 67-68: The go.mod lists github.com/cenkalti/backoff/v5 v5.0.3
twice; remove the duplicate entry so the module appears only once (keep a single
line referencing github.com/cenkalti/backoff/v5 v5.0.3) and then run go mod tidy
to ensure the go.mod and go.sum are normalized; target the duplicate module line
"github.com/cenkalti/backoff/v5 v5.0.3" when making the change.
- Line 30: Remove the invalid duplicate module entry
"gopkg.in/go-jose/go-jose.v4" from go.mod (it conflicts with the canonical
"github.com/go-jose/go-jose/v4" already required); delete the gopkg.in line, run
"go mod tidy" to reconcile dependencies, and ensure no code imports the gopkg.in
path (update any imports to "github.com/go-jose/go-jose/v4" if found).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8fca4615-5be2-4b13-88d7-3323cb3ebae1

📥 Commits

Reviewing files that changed from the base of the PR and between afc242b and 0017ef1.

📒 Files selected for processing (1)
  • go.mod

golang.org/x/oauth2 v0.34.0
golang.org/x/text v0.32.0
gopkg.in/go-jose/go-jose.v2 v2.6.3
gopkg.in/go-jose/go-jose.v4 v4.1.3

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify both module paths are present (should end with only github.com/go-jose/go-jose/v4).
rg -n 'go-jose' go.mod go.sum

Repository: formancehq/auth

Length of output: 795


Remove the invalid go-jose v4 module path.

gopkg.in/go-jose/go-jose.v4 is not the canonical import path for v4 and duplicates the correct github.com/go-jose/go-jose/v4 already required at line 13. Remove line 30 entirely.

Proposed fix
-	gopkg.in/go-jose/go-jose.v4 v4.1.3
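Review bot: Deleting this line clears the parse error quoted in the Renovate artifact comment above (`module declares its path as: github.com/go-jose/go-jose/v4 ... but was required as: gopkg.in/go-jose/go-jose.v4`), but it also means the `gopkg.in/go-jose/go-jose.v2 v2.6.3 -> v4.1.3` row in the PR description no longer changes anything: the `gopkg.in/go-jose/go-jose.v2 v2.6.3` requirement on the context line above is untouched by this diff, and v2 and v4 are distinct module paths, so whatever imports v2 keeps compiling against v2. Before merging, check whether any package still imports the v2 path (the same goes for `gopkg.in/square/go-jose.v2 v2.6.0 // indirect`, still present further down in the file); if nothing does, `go mod tidy` drops the v2 requirement, and if something does, the go-jose major bump this PR advertises has not happened and needs a code change, not a go.mod edit.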

Comment on lines +67 to 68
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify duplicate require lines in go.mod.
rg -n 'github.com/cenkalti/backoff/v5' go.mod

Repository: formancehq/auth

Length of output: 166


Remove duplicated backoff/v5 requirement.

The same module/version is listed twice; keep one entry to prevent persistent go.mod drift.

Proposed fix
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
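Review bot: Removing the duplicate is correct, but a hand edit only fixes this symptom: the Renovate artifact comment above shows `go get -d -t ./...` aborting on the go-jose path error, so go.sum was never regenerated and is stale for every module bumped here, not just backoff/v5, which is also why `just pre-commit` failed with `go: updates to go.mod needed`. Once the go-jose line is resolved, run `go mod tidy` (which collapses this duplicate on its own) and commit both go.mod and go.sum rather than merging on top of the failed artifact update.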

google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm yaml.v3 appears only once after cleanup.
rg -n 'gopkg.in/yaml.v3' go.mod

Repository: formancehq/auth

Length of output: 127


Remove duplicate gopkg.in/yaml.v3 indirect entry.

The module is already required directly at line 31. Line 180's indirect entry is redundant and should be removed.

Fix
-	gopkg.in/yaml.v3 v3.0.1 // indirect
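Review bot: Agreed on dropping the indirect duplicate, but note that `gopkg.in/yaml.v2 v2.4.0 // indirect` on the context line above survives this fix, so the `gopkg.in/yaml.v2 v2.4.0 -> v3.0.1` row in the PR table is a change of module path rather than a version bump: yaml.v2 and yaml.v3 are separate modules and both remain required. `go mod tidy` keeps yaml.v2 for as long as some dependency imports it, so if it is still present after tidying, this PR has not moved anything off yaml.v2 and that row should not be read as a security update that was applied.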
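All three inline findings above are the same class of defect: a go.mod that lists a module more than once, which `go mod tidy` would have normalised had the artifact update succeeded. As an added example, not code from this PR or from the formancehq/auth repository, the Go program below performs that check offline on the text of a go.mod: it reports exact duplicate require lines, one path required at two different versions, and (as information rather than an error) a module present at more than one major version, which is legal in Go but is exactly what a reviewer wants surfaced after a major bump such as backoff v4 -> v5. The embedded go.mod is a constructed sample that mirrors the pattern of the reviewed file; it is not a copy of it.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one problem in the require sections of a go.mod. Kind is
// "duplicate", "multi-version" or "multi-major"; Detail carries line numbers or paths.
type Finding struct{ Kind, Module, Detail string }

type requireEntry struct {
	path, version string
	line          int
}

// parseRequires collects "path version" pairs from the single-line `require x v1`
// form and from `require ( ... )` blocks, dropping comments such as "// indirect".
func parseRequires(gomod string) []requireEntry {
	var out []requireEntry
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case !inBlock && len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 2:
			out = append(out, requireEntry{f[0], f[1], n})
		case !inBlock && len(f) == 3 && f[0] == "require":
			out = append(out, requireEntry{f[1], f[2], n})
		}
	}
	return out
}

// majorSuffix matches Go's "/vN" major-version path element and gopkg.in's ".vN"
// convention, so that different majors of one module are grouped together.
var majorSuffix = regexp.MustCompile(`(/v[2-9][0-9]*|\.v[0-9]+)$`)

// CheckGoMod reports duplicate require lines, one path at two versions, and a
// module present at more than one major. The first two are states `go mod tidy`
// normalises away; the third is legal but worth a look after a major bump.
func CheckGoMod(gomod string) []Finding {
	byPath, byBase := map[string][]requireEntry{}, map[string][]string{}
	for _, e := range parseRequires(gomod) {
		byPath[e.path] = append(byPath[e.path], e)
	}
	var findings []Finding
	for p, es := range byPath {
		base := majorSuffix.ReplaceAllString(p, "")
		byBase[base] = append(byBase[base], p)
		if len(es) < 2 {
			continue
		}
		versions, lines := map[string]bool{}, []string{}
		for _, e := range es {
			versions[e.version] = true
			lines = append(lines, fmt.Sprint(e.line))
		}
		kind := "duplicate"
		if len(versions) > 1 {
			kind = "multi-version"
		}
		findings = append(findings, Finding{kind, p, "lines " + strings.Join(lines, ", ")})
	}
	for b, ps := range byBase {
		if len(ps) > 1 {
			sort.Strings(ps)
			findings = append(findings, Finding{"multi-major", b, strings.Join(ps, ", ")})
		}
	}
	// Map iteration order is random; sort so the report is deterministic.
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].Kind+" "+findings[i].Module < findings[j].Kind+" "+findings[j].Module
	})
	return findings
}

// sampleGoMod is a constructed go.mod mirroring the pattern flagged in the review
// above (duplicate require lines, two majors of one module); not the real file.
const sampleGoMod = `module example.com/auth

require (
	github.com/cenkalti/backoff/v4 v4.3.0
	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
	gopkg.in/yaml.v3 v3.0.1
	gopkg.in/yaml.v3 v3.0.1 // indirect
)
`

func main() {
	for _, f := range CheckGoMod(sampleGoMod) {
		fmt.Printf("%-13s %-32s %s\n", f.Kind, f.Module, f.Detail)
	}
}
```

Pointed at a real file (`os.ReadFile("go.mod")` in place of the sample), a non-empty result from `CheckGoMod` is a cheap pre-commit signal that `go mod tidy` has not been run on the branch; the `multi-major` entries are informational and tell the reviewer which old majors to confirm are really gone.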

@flemzord flemzord merged commit b3c774a into main Mar 20, 2026
5 of 12 checks passed
@flemzord flemzord deleted the renovate/major-security branch March 20, 2026 06:47
flemzord added a commit that referenced this pull request Mar 20, 2026
NumaryBot pushed a commit that referenced this pull request Mar 20, 2026