Skip to content

Update gomod dependencies#4399

Merged
pfcoperez merged 3 commits into
mainfrom
renovate/gomod
Jul 2, 2026
Merged

Update gomod dependencies#4399
pfcoperez merged 3 commits into
mainfrom
renovate/gomod

Conversation

@renovate

@renovate renovate Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1v1.14.0 age confidence require minor
github.com/ClickHouse/ch-go v0.72.0v0.73.0 age confidence require minor
github.com/aws/aws-sdk-go-v2 v1.41.7v1.42.0 age confidence require minor v1.42.1
github.com/aws/aws-sdk-go-v2/config v1.32.18v1.32.25 age confidence require patch v1.32.27 (+1)
github.com/aws/aws-sdk-go-v2/credentials v1.19.17v1.19.24 age confidence require patch v1.19.26 (+1)
github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.6.23v1.6.29 age confidence require patch v1.6.30
github.com/aws/aws-sdk-go-v2/service/kms v1.52.0v1.53.4 age confidence require minor v1.53.6 (+1)
github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0v1.104.0 age confidence require minor v1.104.2 (+1)
github.com/aws/aws-sdk-go-v2/service/ses v1.34.24v1.35.2 age confidence require minor v1.35.4 (+1)
github.com/aws/aws-sdk-go-v2/service/sts v1.42.1v1.43.3 age confidence require minor v1.43.5 (+1)
github.com/aws/smithy-go v1.25.1v1.27.2 age confidence require minor v1.27.3
github.com/cockroachdb/pebble/v2 v2.1.5v2.1.6 age confidence require patch
github.com/go-mysql-org/go-mysql 60bfbfe35ca5c6 require digest
github.com/lestrrat-go/httprc/v3 v3.0.5v3.0.6 age confidence require patch
github.com/slack-go/slack v0.24.0v0.26.0 age confidence require minor v0.27.0
github.com/snowflakedb/gosnowflake/v2 v2.0.2v2.1.0 age confidence require minor
github.com/testcontainers/testcontainers-go v0.42.0v0.43.0 age confidence require minor
github.com/twmb/franz-go v1.21.2v1.21.4 age confidence require patch v1.21.5
github.com/urfave/cli/v3 v3.9.0v3.10.0 age confidence require minor v3.10.1
go.mongodb.org/mongo-driver/v2 v2.6.0v2.7.0 age confidence require minor
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0v0.69.0 age confidence require minor
go.opentelemetry.io/otel v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/metric v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/sdk v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/sdk/metric v1.43.0v1.44.0 age confidence require minor
go.opentelemetry.io/otel/trace v1.43.0v1.44.0 age confidence require minor
go.temporal.io/api v1.62.12v1.63.0 age confidence require minor v1.63.1
go.temporal.io/sdk v1.44.0v1.45.0 age confidence require minor
golang.org/x/crypto v0.52.0v0.53.0 age confidence require minor
golang.org/x/exp 74f9aabc48552f age confidence require digest
golang.org/x/mod v0.36.0v0.37.0 age confidence require minor
golang.org/x/sync v0.20.0v0.21.0 age confidence require minor
golang.org/x/text v0.37.0v0.38.0 age confidence require minor
golang.org/x/tools v0.45.0v0.46.0 age confidence require minor v0.47.0
k8s.io/apimachinery v0.36.1v0.36.2 age confidence require patch

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

ClickHouse/ch-go (github.com/ClickHouse/ch-go)

v0.73.0

Compare Source

What's Changed
Enhancements 🚀
Bug fixes 🐛
Misc
New Contributors

Full Changelog: ClickHouse/ch-go@v0.72.0...v0.73.0

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)

v1.42.0

Compare Source

General Highlights

  • Dependency Update: Bump smithy-go to 1.25.0 to support endpointBdd trait
  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.43.0
    • Feature: This release adds support for configurable spark properties for Cleanrooms PySpark workloads.
  • github.com/aws/aws-sdk-go-v2/service/connect: v1.171.0
    • Feature: Fixes in SDK for customers using TestCase APIs
  • github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.12.0
    • Feature: This release adds support for campaign entry limits configuration and hourly refresh frequency in Amazon Connect Outbound Campaigns.
  • github.com/aws/aws-sdk-go-v2/service/groundstation: v1.41.0
    • Feature: Adds support for updating contacts, listing antennas, and listing ground station reservations. New API operations - UpdateContact, ListContactVersions, DescribeContactVersion, ListAntennas, and ListGroundStationReservations.
  • github.com/aws/aws-sdk-go-v2/service/imagebuilder: v1.53.0
    • Feature: ImportDiskImage API adds registerImageOptions for Secure Boot control and custom UEFI data. It adds windowsConfiguration for selecting a specific edition from multi-image .wim files during ISO import.
  • github.com/aws/aws-sdk-go-v2/service/neptune: v1.44.4
    • Documentation: Improving Documentation for Neptune
  • github.com/aws/aws-sdk-go-v2/service/quicksight: v1.107.0
    • Feature: Public release of dashboard customization summary, S3 Tables data source type, Athena cross-account connector, custom sorting for controls, and AI-powered analysis generation.
  • github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.241.0
    • Feature: Adds support for providing NetworkInterface for efa enabled instances and Simplified cluster creation for Slurm-orchestrated clusters with optional Lifecycle Script (LCS) configuration.
  • github.com/aws/aws-sdk-go-v2/service/sts: v1.42.0
    • Feature: The STS client now supports configuring SigV4a through the auth scheme preference setting. SigV4a uses asymmetric cryptography, enabling customers using long-term IAM credentials to continue making STS API calls even when a region is isolated from the partition leader.

v1.41.12

Compare Source

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/aws-sdk-go-v2: v1.41.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/accessanalyzer: v1.45.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/account: v1.30.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/acm: v1.37.23
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/acmpca: v1.46.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/aiops: v1.6.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/amp: v1.42.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/amplify: v1.38.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/amplifybackend: v1.32.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder: v1.28.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/apigateway: v1.39.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi: v1.29.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/apigatewayv2: v1.34.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appconfig: v1.43.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appconfigdata: v1.23.22
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appfabric: v1.16.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appflow: v1.51.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appintegrations: v1.37.7
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/applicationautoscaling: v1.41.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler: v1.27.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice: v1.35.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/applicationinsights: v1.34.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/applicationsignals: v1.19.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appmesh: v1.35.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/apprunner: v1.39.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appstream: v1.54.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/appsync: v1.53.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/arcregionswitch: v1.6.3
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/arczonalshift: v1.22.23
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/artifact: v1.15.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/athena: v1.57.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/auditmanager: v1.46.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/autoscaling: v1.64.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/autoscalingplans: v1.30.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/b2bi: v1.0.0-preview.100
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/backup: v1.54.11
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/backupgateway: v1.26.3
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/backupsearch: v1.6.23
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/batch: v1.63.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bcmdashboards: v1.1.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bcmdataexports: v1.14.0
    • Feature: With this release we are providing an option to accounts to have their export delivered to an S3 bucket that is not owned by the account.
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator: v1.10.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions: v1.1.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrock: v1.57.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockagent: v1.52.7
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockagentcore: v1.15.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol: v1.25.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime: v1.51.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation: v1.13.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime: v1.10.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/bedrockruntime: v1.50.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/billing: v1.10.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/billingconductor: v1.28.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/braket: v1.39.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/budgets: v1.43.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chatbot: v1.14.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chime: v1.41.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chimesdkidentity: v1.27.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines: v1.26.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings: v1.33.15
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging: v1.32.17
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/chimesdkvoice: v1.28.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.42.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cleanroomsml: v1.22.5
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloud9: v1.33.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudcontrol: v1.29.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/clouddirectory: v1.30.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudformation: v1.71.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudfront: v1.60.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore: v1.12.24
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudhsm: v1.29.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudhsmv2: v1.34.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudsearch: v1.32.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain: v1.28.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudtrail: v1.55.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudtraildata: v1.17.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudwatch: v1.55.3
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudwatchevents: v1.32.23
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.65.0
    • Feature: This release adds parameter support to saved queries in CloudWatch Logs Insights. Define reusable query templates with named placeholders, invoke them using start query. Available in Console, CLI and SDK
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codeartifact: v1.38.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codebuild: v1.68.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codecatalyst: v1.21.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codecommit: v1.33.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codeconnections: v1.10.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codedeploy: v1.35.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codeguruprofiler: v1.29.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codegurureviewer: v1.34.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codegurusecurity: v1.16.24
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codepipeline: v1.46.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codestarconnections: v1.35.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/codestarnotifications: v1.31.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cognitoidentity: v1.33.22
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider: v1.59.3
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/cognitosync: v1.29.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/comprehend: v1.40.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/comprehendmedical: v1.31.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/computeoptimizer: v1.49.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation: v1.0.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/configservice: v1.62.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connect: v1.166.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connectcampaigns: v1.20.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.11.4
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connectcases: v1.39.1
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connectcontactlens: v1.33.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connecthealth: v1.0.3
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/connectparticipant: v1.36.7
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/controlcatalog: v1.14.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/controltower: v1.28.9
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/costandusagereportservice: v1.34.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/costexplorer: v1.63.6
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/costoptimizationhub: v1.22.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/customerprofiles: v1.57.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/databasemigrationservice: v1.61.10
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/databrew: v1.39.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/dataexchange: v1.40.14
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/datapipeline: v1.30.20
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/datasync: v1.58.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/datazone: v1.54.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/dax: v1.29.16
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/deadline: v1.26.2
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/detective: v1.38.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/devicefarm: v1.38.8
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/devopsguru: v1.40.12
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/directconnect: v1.38.15
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/directoryservice: v1.38.16
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/directoryservicedata: v1.7.21
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/dlm: v1.35.16
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/docdb: v1.48.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/docdbelastic: v1.20.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • github.com/aws/aws-sdk-go-v2/service/drs: v1.36.13
    • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
  • `

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • "after 5pm on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from a team as a code owner June 8, 2026 19:22
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 8, 2026
@renovate
renovate Bot enabled auto-merge (squash) June 8, 2026 19:22
@renovate

renovate Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: flow/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 25 additional dependencies were updated

Details:

Package Change
google.golang.org/genproto/googleapis/api v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260526163538-3dc84a4a5aaa
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 -> v1.22.0
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 -> v1.12.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 -> v1.7.2
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 -> v1.7.13
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 -> v1.18.29
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 -> v1.4.29
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 -> v2.7.29
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 -> v1.4.30
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 -> v1.13.12
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 -> v1.9.22
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 -> v1.13.29
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 -> v1.19.29
github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 -> v1.2.0
github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 -> v1.31.3
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.0 -> v1.36.6
github.com/moby/moby/api v1.54.1 -> v1.54.2
github.com/pierrec/lz4/v4 v4.1.26 -> v4.1.27
github.com/shirou/gopsutil/v4 v4.26.3 -> v4.26.5
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 -> v1.44.0
golang.org/x/net v0.54.0 -> v0.56.0
golang.org/x/sys v0.45.0 -> v0.46.0
golang.org/x/telemetry v0.0.0-20260508192327-42602be52be6 -> v0.0.0-20260610154732-fb80ec83bdd9
golang.org/x/term v0.43.0 -> v0.44.0
File name: flow/pkg/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 19 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 -> v1.7.13
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 -> v1.4.29
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 -> v2.7.29
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 -> v1.4.30
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 -> v1.13.12
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 -> v1.9.22
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 -> v1.13.29
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 -> v1.19.29
github.com/aws/smithy-go v1.25.1 -> v1.27.1
github.com/pierrec/lz4/v4 v4.1.26 -> v4.1.27
go.opentelemetry.io/otel v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/metric v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/sdk v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/sdk/metric v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/trace v1.43.0 -> v1.44.0
golang.org/x/crypto v0.50.0 -> v0.52.0
golang.org/x/net v0.53.0 -> v0.54.0
golang.org/x/sys v0.43.0 -> v0.45.0
golang.org/x/text v0.36.0 -> v0.37.0

@renovate
renovate Bot force-pushed the renovate/gomod branch from 4fdfff2 to 044fb40 Compare June 8, 2026 19:25
@claude

claude Bot commented Jun 8, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all upstream changelogs for the bumped range. Summary of findings:

Packages reviewed

Package Bump Notes
aws-sdk-go-v2 (core + services) v1.41.7 → v1.41.9 Routine service model updates, BDD endpoint rulesets, SHA-512 support for S3. No breaking changes relevant to PeerDB's usage. credentials v1.19.18 adds restricted file permissions (0600) for login cache — positive security improvement.
aws/smithy-go v1.25.1 → v1.26.0 Adds StringSlice to endpoint rules functions. Benign.
cockroachdb/pebble/v2 v2.1.5 → v2.1.6 Single bug fix: rowblk: fix IsLowerBound to account for synthetic suffix. Bug-fix-only patch.
go.temporal.io/sdk v1.44.0 → v1.44.1 Graceful worker shutdown now drains already-polled tasks when the server supports it (requires server flag frontend.enableCancelWorkerPollsOnShutdown=true). Backwards-compatible improvement.
go.temporal.io/api v1.62.12 → v1.62.13 Patch bump, no notable changes.
google.golang.org/genproto date bump Routine regeneration.

Notable behavioral change: OpenTelemetry v1.43.0 → v1.44.0

OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (previously unlimited). PeerDB does not explicitly configure WithCardinalityLimit on its metric views, so this new default will apply. Attribute sets exceeding the limit are dropped and aggregated into an overflow set with otel.metric.overflow=true.

Risk assessment: Low. PeerDB's metric cardinality is driven by unique combinations of flow name, source/destination peer, status, and operation — per instrument, this is very unlikely to approach 2000 for typical deployments. However, large-scale deployments with many concurrent mirrors should be aware. If needed, WithCardinalityLimit(0) can restore unlimited behavior.

Other OTel v1.44.0 changes: Value.Emit() deprecated (PeerDB does not use it), new BYTESLICE/SLICE attribute types, WithMaxRequestSize option for OTLP exporters (default 64 MiB), and various bug fixes (race condition in exemplar reservoir, gzip replay on HTTP redirects).

Security check

  • No PII or secret logging introduced — changes are limited to go.mod and go.sum.
  • No new stdout/stderr/log outputs added.

Verdict: No regressions found. Looks clean to merge.

🤖 Generated with Claude Code

@claude

claude Bot commented Jun 8, 2026

Copy link
Copy Markdown

Renovate dependency bump reviewed. Checked upstream release notes for all bumped packages.

AWS SDK Go v2 (v1.41.7 to v1.41.9) - patch. Bug fix for AWS_RESTRICT_FILE_PERMISSIONS and credential cache file permissions. No regressions.

smithy-go (v1.25.1 to v1.26.0) - minor. Dependency update only. No regressions.

cockroachdb/pebble (v2.1.5 to v2.1.6) - patch. Single correctness fix for IsLowerBound with synthetic suffix. No breaking changes.

OpenTelemetry Go (v1.43.0 to v1.44.0) - behavioral changes worth noting:

  • Default cardinality limit of 2000 now enforced on all metric instruments. Previously there was no limit. Attribute sets beyond 2000 unique combinations per instrument are dropped into an overflow bucket. PeerDB metrics are keyed by flow name, source/destination peer info, operation type, pipe name, and temporal activity info. The MeterProvider is shared across flows (created once in SetupPeerDBMetricsProvider), so cardinality accumulates across all mirrors. For deployments with many active mirrors, the 2000 default could be hit on some instruments. To restore the old unlimited behavior, pass sdkmetric.WithCardinalityLimit(0) to NewMeterProvider.
  • OTLP exporters now enforce a 64 MiB default max request size (pre-compression).
  • Baggage extraction enforces an 8192-byte size limit (PeerDB does not use baggage — no impact).
  • Value.Emit() deprecated in favor of Value.String() (PeerDB does not use it — no impact).

OpenTelemetry Go Contrib / otelgrpc (v0.68.0 to v0.69.0) - WithSpanOptions was removed, but PeerDB does not use it. Safe.

Temporal SDK (v1.44.0 to v1.44.1) + API (v1.62.12 to v1.62.13) - patch. Improved graceful worker shutdown (opt-in, requires server flag). No breaking changes.

google.golang.org/genproto - routine digest update. No regressions.

No PII/secret logging concerns — diff is limited to go.mod and go.sum.

@claude

claude Bot commented Jun 8, 2026

Copy link
Copy Markdown

Code review

Upstream behavioral changes in OTel SDK v1.44.0 (REVIEW.md compliance — dependency regression check)

Two notable behavioral changes in this version bump:

1. Default cardinality limit of 2000 (high impact)flow/go.mod:71
The metrics SDK now enforces a default cardinality limit of 2000 unique attribute sets per instrument (previously unlimited). When exceeded, new attribute sets are silently dropped and aggregated into an overflow bucket.

PeerDB's MeterProvider in flow/otel_metrics/otel_manager.go does not configure an explicit WithCardinalityLimit(). Metrics like RecordsSyncedPerTableGauge and RecordsSyncedPerTableCounter are emitted with {FlowName, DestinationTableName, RecordOperationType} plus ~12 contextual attributes from buildContextualAttributes. Deployments with many flows and tables could approach or exceed 2000 unique combinations per instrument, causing silent metric data loss.

Consider either verifying that no instrument exceeds 2000 attribute sets in your deployments, or explicitly setting WithCardinalityLimit(0) on the MeterProvider to restore the previous unlimited behavior.

2. 64 MiB default OTLP request size cap (moderate impact)flow/go.mod:66-68
All OTLP exporters now cap request payloads at 64 MiB (previously unlimited). Requests exceeding this are treated as non-retryable errors. PeerDB's exporters are created with default options (no WithMaxRequestSize override). The panicOnFailureExporter wrapper could escalate this to a process panic if enabled.

@claude

claude Bot commented Jun 8, 2026

Copy link
Copy Markdown

Code review

1 issue found. Checked for bugs and CLAUDE.md compliance.


Breaking change: OTel SDK v1.44.0 default cardinality limit

File: flow/go.mod, line 71 (go.opentelemetry.io/otel/sdk/metric v1.44.0)

go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (upstream changelog). Previously, the default was unlimited. When the limit is exceeded, new attribute sets are silently dropped and merged into an overflow bucket with otel.metric.overflow=true.

PeerDB NewMeterProvider does not set a cardinality limit:

setupOtelHandlers(ctx)
meterProvider := sdkmetric.NewMeterProvider(
sdkmetric.WithReader(sdkmetric.NewPeriodicReader(metricExporter)),
sdkmetric.WithResource(otelResource),
sdkmetric.WithView(views...),
)
return meterProvider, nil

PeerDB emits metrics with high-cardinality attributes - per-flow, per-table, per-peer combinations (e.g. RecordsSyncedPerTableGauge). A deployment with 10 flows each replicating 100 tables x 3 operation types = 3,000 unique attribute sets per instrument, exceeding the new default. This would cause silent metric data loss with no errors.

Suggested fix: Add sdkmetric.WithCardinalityLimit(0) to the NewMeterProvider call in otel_manager.go to restore unlimited cardinality, or set it to a sufficiently high value for your deployments.

Flagged per REVIEW.md - upstream regression check for dependency bumps.

@ilidemi

ilidemi commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

The 2000 limit would need a check, how we're doing across production

@renovate
renovate Bot force-pushed the renovate/gomod branch from 044fb40 to 9d3fb32 Compare June 9, 2026 02:37
@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

Comment thread flow/go.mod
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/metric v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0
go.opentelemetry.io/otel/sdk/metric v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Informational — OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument.

Previously unlimited, new attribute sets beyond 2000 unique combinations per instrument are now dropped and aggregated under otel.metric.overflow=true. PeerDB uses attributes like DestinationTableName, FlowName, PeerName, and SlotName on its metrics. For typical deployments this should be well under 2000 per instrument, but deployments with a very large number of mirrors/tables could hit this.

To restore the old unlimited behavior if needed: metric.WithCardinalityLimit(0) or env OTEL_GO_X_CARDINALITY_LIMIT=0.

Also: OTLP exporters now cap request size at 64 MiB (configurable via WithMaxRequestSize). Oversized requests fail as non-retryable errors.

@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

Dependency Bump Review — Upstream Changelog Analysis

Reviewed all upstream release notes for the bumped range of each dependency. No regressions or breaking changes that affect PeerDB were found. Summary of notable upstream changes below.

golang.org/x/net v0.54.0 → v0.55.0 — Security fixes

Fixes multiple CVEs in the x/net/html parser: XSS via namespace handling (CVE-2026-42506), XSS via duplicate attributes / sanitizer bypass (CVE-2026-27136), DoS via cubic-complexity tree construction (CVE-2026-25680), XSS via foreign content elements (CVE-2026-42502), and a DOCTYPE fix (CVE-2026-25681). Also includes IDNA and QUIC fixes. This bump is beneficial for security.

OpenTelemetry Go v1.43.0 → v1.44.0 — Behavioral changes (see inline comment)

  • Security: Fixes file descriptor leak in schema parsing and baggage log flooding.
  • Behavior: Default metric cardinality limit of 2000 per instrument (see inline comment). OTLP exporters cap request size at 64 MiB. Baggage 8192-byte limit now enforced during extraction.
  • Deprecation: Value.Emit deprecated in favor of Value.String — PeerDB does not use it.
  • otelgrpc v0.68.0 → v0.69.0: Removed WithSpanOptions — PeerDB does not use it. No compile-time impact.

AWS SDK Go v2 (multiple packages) — Patch-level, safe

All patch/minor bumps. Notable: credential cache files now created with 0600 permissions (security hardening), S3 outpost access point name validation enforced, KMS adds service principal grant parameters. smithy-go v1.26.0 fixes a memory leak in its LRU cache. No breaking changes.

cockroachdb/pebble v2.1.5 → v2.1.6 — Single bug fix

Fixes IsLowerBound correctness when synthetic suffix is active (PR cockroachdb/pebble#6082). Targeted fix with a new randomized test. Low risk.

Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement

Worker shutdown now drains already-polled tasks when the server supports it. No breaking changes. Temporal API v1.62.13 is infrastructure-only.

Other

  • google.golang.org/genproto: Routine proto regeneration, no functional changes.
  • github.com/nexus-rpc/nexus-proto-annotations v0.1.0: New indirect dep via Temporal — protobuf annotations for the Nexus RPC protocol. Benign.

PII / Secret Logging Check

No source code changes — only go.mod and go.sum modified. No risk of PII or secret exposure.

@renovate
renovate Bot force-pushed the renovate/gomod branch from 9d3fb32 to 62505bb Compare June 9, 2026 11:34
@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed upstream release notes for all bumped packages. Summary of findings:

OpenTelemetry v1.43.0 -> v1.44.0 -- Breaking change: default cardinality limit (see inline comment)

go.opentelemetry.io/otel/sdk/metric now enforces a default cardinality limit of 2000 per instrument. When the limit is reached, new attribute sets are silently dropped into an overflow bucket (otel.metric.overflow=true). Previously the default was unlimited. PeerDB defines 40+ instruments, some keyed by dynamic attributes (per-table, per-flow). If any single instrument exceeds 2000 unique attribute sets in practice, metrics will be silently lost. See inline comment on flow/go.mod for details.

Positive: this release also includes two security fixes (GHSA-995v-fvrw-c78m, GHSA-5wrp-cwcj-q835) and several race condition fixes in the metric SDK.

otelgrpc v0.68.0 -> v0.69.0 -- Removed WithSpanOptions

The deprecated WithSpanOptions option was removed. PeerDB does not use it (only NewServerHandler + WithMeterProvider in flow/cmd/api.go), so no compilation issue.

cockroachdb/pebble v2.1.5 -> v2.1.6 -- Bug fix

Fixes IsLowerBound to account for synthetic suffix. A correctness fix -- beneficial to pick up.

Temporal SDK v1.44.0 -> v1.44.1 -- Graceful shutdown improvement

Workers now drain already-polled tasks during shutdown (when server supports it). Backward-compatible, no breaking changes.

Temporal API v1.62.12 -> v1.62.13 -- Maintenance

Bug fixes and generated Nexus service definitions. No breaking changes.

AWS SDK Go v2 (multiple packages) -- Patch bumps

Bug fix for AWS_RESTRICT_FILE_PERMISSIONS support, credential file permissions set to 0600, various service-specific features. No breaking changes for packages used by PeerDB.

smithy-go v1.25.1 -> v1.26.0

Added StringSlice to endpoint rulesfn. No breaking changes.

New transitive dependencies

  • github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (from Temporal SDK)
  • go.opentelemetry.io/otel/metric/x v0.66.0 (from OTel)

PII / Secrets check:
No source code changes -- only go.mod and go.sum files modified. No PII or secret exposure concerns.

Comment thread flow/go.mod
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/metric v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning: go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per instrument. When the limit is reached, new attribute sets are silently dropped into an overflow bucket. PeerDB defines 40+ metric instruments in flow/otel_metrics/otel_manager.go, some keyed by dynamic attributes (per-table, per-flow). If any single instrument exceeds 2000 unique attribute combinations, metrics will be silently lost. For most deployments this is probably fine (2000 is generous), but worth verifying for large multi-tenant deployments. If needed, override with sdkmetric.WithCardinalityLimit(0) in setupMetricsAndProvider().

@renovate
renovate Bot force-pushed the renovate/gomod branch from 62505bb to 42ddc96 Compare June 9, 2026 15:01

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed this Renovate dependency bump. Upstream release notes checked for all bumped packages. Two findings noted as separate PR comments below.

Summary of bumps reviewed:

  • AWS SDK Go v2 (core v1.41.7 to v1.41.9, smithy-go v1.25.1 to v1.27.0, S3/KMS/SES/SNS/STS patches): No breaking changes. Includes a smithy-go LRU cache memory leak fix (good).
  • CockroachDB Pebble (v2.1.5 to v2.1.6): Single correctness bug fix in row-block iterator IsLowerBound. No API changes. Safe.
  • OpenTelemetry (v1.43.0 to v1.44.0): New default cardinality limit of 2000 per instrument. This is the main finding -- see follow-up comment.
  • Temporal SDK (v1.44.0 to v1.44.1, api v1.62.12 to v1.62.13): Patch release improving graceful shutdown drain. New nexus-proto-annotations indirect dep is expected. No breaking changes.
  • golang.org/x/net (v0.54.0 to v0.55.0), google.golang.org/genproto updates: Routine. No breaking changes.

@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

[medium] flow/go.mod:65 -- OTel v1.44.0 introduces a default metrics cardinality limit of 2000 per instrument.

Previously there was no limit. New attribute-set combinations beyond 2000 are silently dropped and aggregated into an overflow bucket tagged otel.metric.overflow=true.

PeerDB uses high-cardinality attributes like FlowNameKey and DestinationTableNameKey. The highest-risk instrument is RecordsSyncedPerTableCounter with cardinality O(mirrors x tables x 3). A deployment with ~100 mirrors averaging ~10 tables would exceed 2000 on that single instrument alone, silently losing per-table sync metrics.

No existing WithCardinalityLimit configuration was found in flow/otel_metrics/otel_manager.go.

Suggested action: Either (a) confirm 2000 is acceptable for all expected deployments, or (b) add sdkmetric.WithCardinalityLimit(0) (unlimited, restoring old behavior) or a higher bound to the sdkmetric.NewMeterProvider call in otel_manager.go.

Ref: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.44.0

@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

[info] flow/go.mod:30 -- smithy-go v1.27.0 note:

This version introduced schema-based serialization and CBOR max-nesting-depth enforcement. Subsequent patches v1.27.1 and v1.27.2 fix CBOR/JSON union deserialization bugs (including a panic). PeerDB AWS usage (S3, KMS, SES, SNS, STS) primarily uses JSON/XML, so risk is very low, but worth noting in case CBOR-related issues surface -- those patches exist upstream.

@renovate
renovate Bot force-pushed the renovate/gomod branch from 42ddc96 to 9ed75a6 Compare June 9, 2026 20:47
@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

Re-reviewed this Renovate bump. Upstream changelogs checked for all packages — confirming prior findings and adding a note on golang.org/x/net:

Confirmed safe (no regressions found):

  • AWS SDK Go v2 (core v1.41.7→v1.41.10, smithy-go v1.25.1→v1.27.0, S3 v1.101.0→v1.103.0, STS v1.42.1→v1.43.0): No breaking changes. Adds AWS_RESTRICT_FILE_PERMISSIONS env var, S3 SHA-512 checksum support, CBOR nesting depth hardening in smithy-go. io/ioutil deprecation cleanup.
  • Pebble v2.1.5→v2.1.6: Single correctness fix in rowblk.IsLowerBound for synthetic suffix replacement. No API changes.
  • Temporal SDK v1.44.0→v1.44.1, API v1.62.12→v1.62.13: Graceful worker shutdown now drains already-polled tasks. Additive proto fields. New nexus-proto-annotations transitive dep is expected.
  • google.golang.org/genproto: Routine generated proto update.

Security-positive — golang.org/x/net v0.54.0→v0.55.0 fixes 5 CVEs (all in HTML tokenizer/parser):

Previously flagged (still valid): OTel v1.44.0 default cardinality limit of 2000 per instrument + 64 MiB OTLP request size cap — see earlier comments on this PR.

No new concerns found beyond what was already flagged.

@renovate
renovate Bot force-pushed the renovate/gomod branch from 9ed75a6 to e1a3ff8 Compare June 9, 2026 22:26
@claude

claude Bot commented Jun 9, 2026

Copy link
Copy Markdown

Dependency Bump Review — PR #4399

Reviewed upstream release notes for all bumped packages. No PII/secret logging concerns (changes are go.mod/go.sum only).

Findings

1. OpenTelemetry v1.43.0 → v1.44.0 — New default cardinality limit (medium severity)

OTel v1.44.0 introduces a default 2000-attribute cardinality limit in the metric SDK. Exceeding this drops new attribute sets into an overflow bucket (otel.metric.overflow=true). PeerDB does not currently configure an explicit cardinality limit (WithCardinalityLimit). If any PeerDB metric has more than 2000 distinct attribute combinations (e.g. per-mirror or per-table metrics with many mirrors), some attribute sets will silently be dropped into the overflow bucket after this upgrade. Worth confirming whether any high-cardinality metrics exist, or explicitly setting a limit if needed.

Other OTel changes: attribute.INVALID deprecated (use EMPTY), Value.Emit() deprecated (use Value.String()), data race fixes in Prometheus exporter and exemplar reservoir.

2. smithy-go v1.25.1 → v1.27.0 — Known post-release fixes (low severity)

smithy-go v1.27.0 adds schema-based serialization and enforces max CBOR nesting depth of 128. However, v1.27.1 (panic in nested union deserialization for JSON/CBOR) and v1.27.2 (improper CBOR union serialization) fixed issues introduced in v1.27.0. PeerDB primarily uses AWS services with restxml/awsquery/awsjson protocols (S3, KMS, SES, SNS, STS), so impact is likely low, but worth being aware of. Also includes a memory leak fix in LRU cache (v1.25.2) and file permission hardening (aws-sdk-go-v2 v1.41.8).

3. Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement (no action needed)

Workers now drain already-polled tasks on shutdown when the server supports it (requires server flag frontend.enableCancelWorkerPollsOnShutdown=true). Backward-compatible — without the flag, behavior is unchanged.

4. New transitive dependency: github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (info)

Pulled in by temporalio/api-go v1.62.13 for Nexus service definition generation. Contains only protobuf annotation definitions — no runtime behavior. Very new package (v0.1.0, April 2026).

5. cockroachdb/pebble v2.1.5 → v2.1.6 — Correctness fix (no action needed)

Single bug fix: IsLowerBound now properly accounts for synthetic suffix in rowblk. Pure correctness improvement.

6. Other bumps (no concerns)

  • golang.org/x/net v0.54.0 → v0.55.0 — routine update
  • google.golang.org/genproto — routine regeneration

Summary

The OTel cardinality limit (finding #1) is the most actionable item — recommend verifying PeerDB's metric attribute cardinality won't exceed 2000 combinations per instrument, or explicitly configuring limits. All other changes are low-risk.

🤖 Generated with Claude Code

@renovate
renovate Bot force-pushed the renovate/gomod branch from e1a3ff8 to 1efd967 Compare June 10, 2026 01:42
@claude

claude Bot commented Jun 10, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all upstream changelogs for the dependency bumps in this PR. Here are the findings:

Security Fixes (positive reasons to merge)

  • golang.org/x/net v0.55.0: 5 CVEs fixed (CVE-2026-27136, CVE-2026-42506, CVE-2026-42502, CVE-2026-25681, CVE-2026-25680) — all in the html package (sanitizer bypasses + DoS). PeerDB doesn't appear to use x/net/html directly, but transitive dependencies may benefit.
  • go.temporal.io/api v1.62.13: Vulnerability fix (VLN-1396, "missing-dependency-cooldown").
  • OpenTelemetry v1.44.0: Two security advisories fixed — GHSA-995v-fvrw-c78m (schema file descriptor leak, Low) and GHSA-5wrp-cwcj-q835 (unbounded baggage parsing causing CPU/memory exhaustion, Medium).
  • smithy-go v1.27.0: CBOR max nesting depth enforcement (128 levels) — hardening against resource exhaustion.

Notable Behavioral Changes

  • OpenTelemetry v1.44.0 — new default cardinality limit of 2000: The metrics SDK now caps unique attribute combinations at 2000 per instrument, aggregating overflow into otel.metric.overflow=true. PeerDB's metrics use flow-level attributes (flow name, peer names, activity types); verified this should be well within the 2000 limit for typical deployments. For very large deployments with many concurrent flows, the limit can be configured via WithCardinalityLimit() on the metric reader.
  • OpenTelemetry v1.44.0 — OTLP 64 MiB request size limit: OTLP exporters now enforce a 64 MiB max request size (configurable via WithMaxRequestSize). Unlikely to affect PeerDB but worth knowing.
  • Temporal SDK v1.44.1: Worker shutdown now drains already-polled tasks (two-stage shutdown). This is capability-gated behind a server flag (frontend.enableCancelWorkerPollsOnShutdown=true) — no behavioral change unless the server enables it.

Regressions Check

  • smithy-go v1.27.0 schema-serde rollout: AWS rolled out schema-based serialization on June 2 and then temporarily reverted it due to a P0 regression in CBOR-based services with tagged unions. However, this only affected lower-usage services (e.g., Interconnect). S3, KMS, STS, SES, SNS — all services PeerDB uses — were not part of the initial rollout and are unaffected.
  • OTel WithSpanOptions removed from otelgrpc: Verified PeerDB does not use this API — no impact.
  • cockroachdb/pebble v2.1.6: Single correctness fix for IsLowerBound with synthetic suffixes — safe, no regressions.

Breaking Changes Affecting PeerDB

None found. Verified that PeerDB does not use any removed/deprecated APIs (WithSpanOptions, Value.Emit, otelhttp).

New Dependencies

  • github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (indirect) — pulled in by go.temporal.io/api v1.62.13 for Nexus service protobuf definitions. No runtime impact.

Verdict

No regressions or breaking changes affecting PeerDB. Multiple security fixes make this a beneficial upgrade. The OTel cardinality limit (2000 default) is the only behavioral change worth monitoring in production, but PeerDB's metric cardinality appears well within bounds.

🤖 Generated with Claude Code

@renovate
renovate Bot force-pushed the renovate/gomod branch from 1efd967 to 3c76c27 Compare June 10, 2026 01:57

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test

Comment thread flow/go.mod
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/metric v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test comment

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed upstream release notes for all bumped dependencies. One notable behavioral change flagged inline; everything else looks clean.

Comment thread flow/go.mod
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/metric v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note (informational, non-blocking): OpenTelemetry SDK v1.44.0 introduces a default cardinality limit of 2000 for the metrics SDK. When more than 2000 unique attribute sets are recorded for a single metric instrument, new attribute sets are dropped and aggregated into an overflow bucket. Previously there was no limit. If PeerDB has any high-cardinality metrics (e.g. metrics tagged per-table, per-peer, or per-flow), this could silently truncate metric data. To restore old behavior use WithCardinalityLimit(0). Also: attribute.Value.Emit() is deprecated in favor of Value.String(); security fixes for schema file handle leak and baggage extraction DoS; new default 64 MiB OTLP request size limit. All other bumps are clean - see review summary comment for details.

@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

Dependency Bump Review ✅

Reviewed all dependency bumps in this PR. Checked upstream release notes and changelogs for regressions, breaking changes, and security concerns.

Direct dependency bumps reviewed:

Package Bump Risk Notes
gosnowflake/v2 2.0.2 → 2.1.0 Low Bug fixes + additive features only. Arrow stream cancellation fix is beneficial for ETL workloads. No breaking changes.
cockroachdb/pebble/v2 2.1.5 → 2.1.6 Low Single correctness fix for IsLowerBound with synthetic suffixes. Already running in CockroachDB 25.3.0 production.
twmb/franz-go 1.21.2 → 1.21.3 Low 5 bug fixes, no breaking changes. Fixes PollRecords hang, improves buffered records resilience during broker rolling restarts, fixes consumer group zombie issue. All net positive.
slack-go/slack 0.24.0 → 0.26.0 Low v0.25.0 has breaking change in TableBlock.Rows type, but PeerDB does not use this type — verified via grep.
azidentity 1.13.1 → 1.14.0 Low Removed EnableAzureProxy option — PeerDB does not use it (verified). Requires Go ≥1.25; project uses Go 1.26.
urfave/cli/v3 3.9.0 → 3.10.0 Low Help flag now takes precedence over parse errors; After hook skipped on help display for subcommands. Unlikely to affect PeerDB CLI behavior.
aws-sdk-go-v2 1.41.7 → 1.42.0 Low Standard semver minor bump. Service modules (S3 101→104, KMS 52→53, SES 34→35, STS 42→43) are routine updates.
aws/smithy-go 1.25.1 → 1.27.2 Low Supporting library for AWS SDK.
lestrrat-go/httprc/v3 3.0.5 → 3.0.6 Low Patch bump.

Other observations:

  • New indirect dependency nexus-rpc/nexus-proto-annotations v0.1.0 — transitive requirement from existing nexus-rpc/sdk-go. No concern.
  • Only go.mod and go.sum files changed — no source code modifications, no PII/secret logging risk.

Verdict: No regressions identified. All bumps look safe to merge.

🤖 Generated with Claude Code

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency bump review

Reviewed upstream release notes for all bumped packages. Summary of findings:

Safe bumps (no issues found)

  • azidentity v1.13.1 → v1.14.0: No breaking changes for stable users. Improved error messages, requires Go 1.25+.
  • AWS SDK Go v2 (multiple packages): Breaking change in rdsdata ArrayValue (pointer-slice elements), but PeerDB does not import rdsdata. Security improvement: credential files now written with 0600 permissions.
  • smithy-go v1.25.1 → v1.27.2: CBOR union serialization fixes, max nesting depth of 128 enforced. No breaking changes.
  • gosnowflake v2.0.2 → v2.1.0: No breaking changes. Context cancellation now properly interrupts stalled Arrow chunk downloads.
  • mongo-driver v2.6.0 → v2.7.0: No breaking changes. Causally consistent session writes now send afterClusterTime (correctness fix).
  • ch-go v0.72.0 → v0.73.0: Tagged [breaking-change] for nested exception removal, but PeerDB only accesses chproto.Error constants and clickhouse.Exception.Code/.Message — does not use .Nested.
  • otelgrpc v0.68.0 → v0.69.0: WithSpanOptions removed, but PeerDB doesn't use it.
  • franz-go v1.21.2 → v1.21.3, pebble v2.1.5 → v2.1.6, temporal v1.62.12 → v1.62.14: Patch bumps, safe.

Security improvements (beneficial)

  • golang.org/x/crypto v0.52.0 → v0.53.0: Multiple SSH hardening fixes (RSA key size cap, bcrypt KDF rounds cap, ECDSA curve validation, panic fixes). PeerDB uses x/crypto/ssh — these are beneficial.
  • golang.org/x/net v0.54.0 → v0.56.0: Multiple CVEs fixed — CVE-2026-27136 (duplicate HTML attributes), CVE-2026-42506 / CVE-2026-42502 (XSS via HTML parser), CVE-2026-25680 / CVE-2026-25681 (DoS / sanitizer bypass), CVE-2026-46600 (dns/dnsmessage panic).

Noteworthy behavioral change (see inline comment)

  • OTel SDK v1.43.0 → v1.44.0: New default metric cardinality limit of 2000, and 64 MiB OTLP export request size limit.

PII / Secret logging

No code changes in this PR — only go.mod / go.sum files. No risk.

Comment thread flow/go.mod
go.temporal.io/sdk v1.44.0
go.mongodb.org/mongo-driver/v2 v2.7.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.69.0
go.opentelemetry.io/otel v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OTel v1.44.0 introduces a default metric cardinality limit of 2000.

Previously unlimited, sdk/metric now drops new attribute sets beyond 2000 unique combinations per instrument, aggregating overflow under otel.metric.overflow=true. PeerDB's metrics use per-flow attributes (flow name, source/destination peer name/type/hostname, status, pipe name, operation, activity type, workflow type) — deployments with many concurrent flows could exceed this limit and silently lose metric granularity.

Additionally, OTLP exporters now impose a 64 MiB default request size limit (before compression); oversized requests become non-retryable errors.

Recommendation: This is likely fine for most deployments, but worth being aware of. If metric cardinality issues surface post-upgrade, the limit can be raised via WithCardinalityLimit() or set to 0 (unlimited).

@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all upstream release notes for the bumped range. Only go.mod/go.sum files changed — no source code modifications, no PII/secrets risk.

Key findings by package

Package Bump Risk Notes
ch-go v0.72.0 -> v0.73.0 Low Has a tagged breaking change ("remove support for nested exceptions"), but PeerDB only uses chproto.Error codes — never accesses Exception.Next or nested exception chains. Safe.
gosnowflake/v2 v2.0.2 -> v2.1.0 Low No breaking changes. Bug fixes for PUT file handling, OCSP cache stale locks, and context cancellation on Arrow chunk reads. None affect PeerDB usage patterns (JWT auth, DSN, PUT file staging, query tags).
mongo-driver/v2 v2.6.0 -> v2.7.0 Low No breaking API changes. Improved change stream batch size handling for nil cursors (relevant since PeerDB uses SetBatchSize(0)), but this is a bug fix. Drops MongoDB 4.2 support (requires 4.4+).
temporal sdk v1.44.0 -> v1.45.0 Low-Medium Behavior flags SDKFlagBlockedSelectorSignalReceive and SDKFlagWorkflowNewChannelLostMessages now default-enabled (fixes edge cases with lost signals/messages). gRPC compression enabled by default. Search attributes filtering changed for unset attributes. These are versioned per workflow execution via Temporal SDK flag system, so existing in-flight workflows continue using old behavior — only newly started workflows pick up the changes.
slack-go v0.24.0 -> v0.26.0 Low Breaking change in v0.25.0 (TableBlock.Rows type changed), but PeerDB only uses SendMessageContext with header/section blocks — no TableBlock usage.
aws-sdk-go-v2 v1.41.7 -> v1.42.0 Low Clock skew persistence bug fix, new SigV4a support for STS. No breaking changes.
OpenTelemetry v1.43.0 -> v1.44.0 Low Minor bump, adds metric/x experimental package as a new transitive dep. No breaking changes.
Other (pebble, franz-go, httprc, urfave/cli, k8s, golang.org/x/*, etc.) patch/minor Low Standard maintenance bumps, no breaking changes or regressions found.

New transitive dependencies

  • github.com/nexus-rpc/nexus-proto-annotations v0.1.0 — pulled in by Temporal SDK v1.45.0
  • go.opentelemetry.io/otel/metric/x v0.66.0 — pulled in by OpenTelemetry v1.44.0

Verdict

No regressions or blocking issues identified. The Temporal SDK behavior flag changes are the most notable but are protected by Temporal versioning system (only affect newly started workflows). All other breaking changes in upstream libraries do not affect PeerDB usage patterns.

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed this Renovate dependency bump PR. Checked upstream release notes for all bumped packages. Key findings are posted as inline comments below.

Summary of upstream changes checked:

  • gosnowflake v2.0.2→v2.1.0: No breaking changes. Beneficial fixes for context-cancellation hangs and OCSP cache locking.
  • ch-go v0.72.0→v0.73.0: Nested exception support removed (breaking), but PeerDB does not access .Nested on exceptions — safe.
  • franz-go v1.21.2→v1.21.3: Bug fixes including a PollRecords/PollFetches hang fix (regression from v1.21.0). Beneficial.
  • slack-go v0.24.0→v0.26.0: TableBlock.Rows type changed in v0.25.0 (breaking), but PeerDB does not use slack-go's TableBlock — safe.
  • aws-sdk-go-v2 v1.41.7→v1.42.0 / smithy-go v1.25.1→v1.27.2: No breaking changes. Fixes memory leak in LRU cache and union deserialization panics.
  • pebble v2.1.5→v2.1.6: Narrow fix for synthetic suffix handling, not relevant to PeerDB.
  • testcontainers-go v0.42.0→v0.43.0: ForSQL callback signature changed and ImageProvider interface expanded, but PeerDB uses neither — safe.
  • urfave/cli v3.9.0→v3.10.0: No breaking changes, help-related bug fixes only.
  • OTel v1.43.0→v1.44.0: See inline comment — new default cardinality limit and security fixes.

No PII/secret logging concerns — only go.mod/go.sum files changed.

Comment thread flow/go.mod
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0
go.opentelemetry.io/otel/metric v1.44.0
go.opentelemetry.io/otel/sdk v1.44.0
go.opentelemetry.io/otel/sdk/metric v1.44.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[info] OTel SDK metric v1.44.0 introduces a default cardinality limit of 2000 per metric instrument. When exceeded, new attribute sets are dropped and aggregated into an otel.metric.overflow=true bucket.

PeerDB's RecordsSyncedPerTableGauge and RecordsSyncedPerTableCounter metrics emit per-table attributes (destinationTableName × recordOperationType × flow-level context attributes). For large deployments with many flows and tables, the number of unique attribute combinations could approach this limit.

Workaround if needed: Set env var OTEL_GO_X_CARDINALITY_LIMIT=0 to disable the limit, or call sdkmetric.WithCardinalityLimit(0) in the meter provider setup.

Also notable in this release:

  • Two security fixes: GHSA-995v-fvrw-c78m (schema file descriptor leak in ParseFile) and GHSA-5wrp-cwcj-q835 (baggage header flooding — extraction now enforces 8192-byte spec limit).
  • OTLP exporters now enforce a 64 MiB request size limit by default (oversized requests become non-retryable errors).
  • Value.Emit deprecated in favor of Value.String.
  • Fixed race condition in FixedSizeReservoir exemplar and Prometheus exporter concurrent Collect data race.

@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed upstream release notes for all 35 bumped Go dependencies. Summary of findings:

Temporal SDK v1.44.0 to v1.45.0 (flow/go.mod:84) -- Worth Monitoring

This bump enables two SDK behavior flags by default that were previously opt-in:

  • SDKFlagBlockedSelectorSignalReceive -- fixes a selector/signal handling bug
  • SDKFlagWorkflowNewChannelLostMessages -- fixes a channel message-loss bug

These are correctness fixes, but they alter deterministic replay behavior. If in-flight CDC/QRep workflows replay history under the new flags, there is a small risk of workflow.ErrNonDeterministic errors during the first rolling deployment after this upgrade. Additionally, gRPC compression (gzip) is now enabled by default on all Temporal client connections.

Recommendation: Monitor worker logs for non-determinism errors after deployment. If any surface, the flags can be explicitly disabled via worker options as a short-term mitigation while affected workflows complete.

Other Bumps -- No Regressions Found

  • ch-go v0.72.0 to v0.73.0: Marked as breaking (removes nested exceptions support), but PeerDB only reads Code and Message from ClickHouse exceptions -- never used the removed Next/Nested fields. No impact.
  • gosnowflake/v2 v2.0.2 to v2.1.0: Additive features (Arrow stream cancellation fix, new auth methods). The Arrow fix is a correctness improvement for QRep streaming. No breaking changes.
  • mongo-driver/v2 v2.6.0 to v2.7.0: No breaking changes. Deprecates internal-only APIs not used by PeerDB. Bug fixes (BSON panic on zero-length docs, change stream batch size) are improvements.
  • slack-go/slack v0.24.0 to v0.26.0: Breaking change in v0.25.0 (TableBlock.Rows type changed), but PeerDB only uses HeaderBlock and SectionBlock. No impact.
  • urfave/cli/v3 v3.9.0 to v3.10.0: Purely additive (new helper methods, bug fixes). No breaking changes.
  • AWS SDK, OpenTelemetry, golang.org/x/*, k8s.io, pebble, franz-go, httprc: Routine minor/patch bumps with bug fixes and dependency updates. No breaking changes or regressions identified.
  • No PII/secret exposure: All changes are confined to go.mod and go.sum files.

@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed upstream release notes and changelogs for all bumped packages. No regressions or breaking changes that affect PeerDB were found.

Key findings per package:

Package Bump Risk Notes
gosnowflake/v2 v2.0.2 → v2.1.0 Low No breaking changes. Fixes context cancellation stalling chunk downloads, OCSP cache lock. New ArrowStreamBatch.Reset() API.
ch-go v0.72.0 → v0.73.0 Low Breaking: nested exceptions removed. PeerDB only uses ch-go/proto for error code constants and version utilities — does not inspect nested exception chains. Safe.
mongo-driver/v2 v2.6.0 → v2.7.0 Low (beneficial) Fixes change stream nil cursor panic (GODRIVER-3962), BSON null/undefined unmarshaling regression (GODRIVER-3924), and write batch size splitting (GODRIVER-3858). All beneficial for CDC workloads.
slack-go/slack v0.24.0 → v0.26.0 Low Breaking in v0.25.0: TableBlock.Rows type changed. PeerDB does not use TableBlock from slack-go. Safe.
aws-sdk-go-v2 suite various Low No breaking changes. New opt-in retry behavior (off by default). smithy-go v1.27.1/v1.27.2 fix union deserialization panics — net improvement.
pebble/v2 v2.1.5 → v2.1.6 Low Patch bump.
Other indirect deps various patches Low Azure SDK, lz4, gopsutil, testcontainers, urfave/cli, franz-go, httprc — all patch/minor with no breaking changes.

PII/Secret check

Only go.mod and go.sum files changed — no source code modifications. No risk of PII or secret exposure.

🤖 Generated with Claude Code

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: The "run tests" step fails at compile time with many "missing go.sum entry" errors, meaning go.sum is out of sync with go.mod (needs go mod tidy) — a deterministic build failure, not a flaky test.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: The build aborted before tests ran with dozens of deterministic "missing go.sum entry" errors, indicating a go.mod change without a corresponding updated go.sum — a real dependency/build bug, not flakiness.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@claude

claude Bot commented Jun 27, 2026

Copy link
Copy Markdown

Renovate Go Dependency Bump — Reviewed

Reviewed all 35 dependency bumps in this PR. Only go.mod/go.sum files are changed (no source code modifications). No PII/secret logging concerns.

Upstream release notes review

Checked the upstream changelogs for the most impactful bumps:

Package Bump Findings
ch-go v0.72.0 → v0.73.0 Tagged [breaking-change]: removes proto.Exception.Nested field, Exception.Next field, and changes Unwrap() from []error to error. No impact on PeerDB — PeerDB uses clickhouse.Exception from clickhouse-go/v2 and only accesses .Code and .Message, never .Next or .Nested.
gosnowflake/v2 v2.0.2 → v2.1.0 No breaking changes. Additive features (SPCS token support, ArrowStreamBatch.Reset()). Beneficial bug fix: context cancellation now properly interrupts stalled chunk downloads.
mongo-driver/v2 v2.6.0 → v2.7.0 No breaking changes. Notable fix: nil cursor panic when calling SetBatchSize on a change stream (GODRIVER-3962) — beneficial for CDC.
temporal sdk v1.44.0 → v1.45.0 No breaking changes affecting PeerDB. gRPC gzip compression enabled by default (transparent). SDK flags for selector/signal fixes apply only to new workflow executions.
slack-go v0.24.0 → v0.26.0 v0.25.0 changed TableBlock.Rows type (breaking), but PeerDB only uses SendMessageContext, NewHeaderBlock, NewTextBlockObject, NewSectionBlock — none of the affected APIs.
AWS SDK modules various minor/patch Clock skew persistence bug fix across all modules, plus new SigV4a support in STS. No regressions.
OpenTelemetry v1.43.0 → v1.44.0 Standard minor bump, no breaking changes.
pebble/v2 v2.1.5 → v2.1.6 Patch release, bug fixes only.
urfave/cli/v3 v3.9.0 → v3.10.0 Minor feature additions, no breaking changes.
golang.org/x/* various minor Standard Go extended library bumps, no regressions.

Verdict: No regressions identified. Safe to merge.

@claude

claude Bot commented Jun 27, 2026

Copy link
Copy Markdown

Dependency Bump Review

This PR updates Go module dependencies across e2e_cleanup/, flow/, and flow/pkg/. All changed files are go.mod/go.sum — no source code changes. Notes by library:


gosnowflake/v2: v2.0.2 → v2.1.0

No breaking API changes (confirmed from upstream PR #1803). Notable bug fixes relevant to PeerDB:

These are fixes for real operational issues; the upgrade is beneficial.


github.com/ClickHouse/ch-go: v0.72.0 → v0.73.0

Release notes could not be fetched in this environment. Maintainers should verify at https://github.com/ClickHouse/ch-go/releases/tag/v0.73.0 for any behavioral changes affecting column type handling or protocol encoding.


go.mongodb.org/mongo-driver/v2: v2.6.0 → v2.7.0

Release notes could not be fetched in this environment. Maintainers should verify at https://github.com/mongodb/mongo-go-driver/releases/tag/v2.7.0 for BSON marshaling or change stream behavior changes.


go.temporal.io/sdk: v1.44.0 → v1.45.0

Release notes could not be fetched in this environment. Verify at https://github.com/temporalio/sdk-go/releases/tag/v1.45.0. Note that this bump also pulls in a new transitive dependency: github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (added to flow/go.mod).


go.opentelemetry.io/otel: v1.43.0 → v1.44.0 (partial)

⚠️ Version mismatch: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp remains pinned at v1.43.0 while all other OTel packages (otel, sdk, metric, trace, otlpmetricgrpc, otlptracegrpc, otlptrace) moved to v1.44.0. This exporter is actively used in flow/otel_metrics/otel_manager.go (otlpmetrichttp.New(ctx)). The opentelemetry-go project releases all sub-modules together with the same version tag, so v1.44.0 should exist for otlpmetrichttp. This appears to be a missed update in Renovate's sweep. Running with mismatched minor versions is safe at runtime (no API breakage), but it leaves a straggler and should be corrected.


slack-go/slack: v0.24.0 → v0.26.0 (two minor versions)

Release notes could not be fetched in this environment. PeerDB uses a narrow surface (SendMessageContext, Block Kit types) in flow/alerting/slack_alert_sender.go. Verify at https://github.com/slack-go/slack/releases for any changes to NewTextBlockObject, NewHeaderBlock, or NewSectionBlock between v0.24.0 and v0.26.0.


Other bumps

  • github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.13.1 → v1.44.0 — security-sensitive auth library; no CVEs flagged, minor release
  • github.com/aws/smithy-go: v1.25.1 → v1.27.2 in flow/, v1.27.1 in flow/pkg/ (minor patch mismatch across module roots, harmless with MVS)
  • golang.org/x/net: v0.54.0 → v0.56.0 (skips one minor, normal for independent Go sub-repos)
  • testcontainers-go: v0.42.0 → v0.43.0 — test infra only, low risk
  • cockroachdb/pebble/v2: v2.1.5 → v2.1.6 — patch release, low risk

Summary

  • The otlpmetrichttp version mismatch (stuck at v1.43.0) is the one item worth fixing before merge or tracking in a follow-up.
  • The gosnowflake bump fixes real hang-on-cancellation bugs and is beneficial.
  • Three libraries (ch-go, mongo-driver, temporal SDK) need manual release-note verification as external network access was unavailable during this review.

@claude

claude Bot commented Jun 27, 2026

Copy link
Copy Markdown

Code review

1 issue found. Checked for bugs and CLAUDE.md compliance.

flow/go.mod — Missed OpenTelemetry otlpmetrichttp bump (line 77)

Renovate bumped all other OpenTelemetry packages from v1.43.0 to v1.44.0 (including the sibling otlpmetricgrpc), but missed otlpmetrichttp. This package is a direct dependency used as the default metric exporter in flow/otel_metrics/otel_manager.go.

OTel packages within the same release family are designed to be used at matching versions. Per .claude/REVIEW.md, dependency bumps should be checked for regressions — this incomplete bump should be corrected for consistency.

Suggested fix: Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from v1.43.0 to v1.44.0 in flow/go.mod, then run go mod tidy to update flow/go.sum.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: TestRunPipeline_FilterStripsLines failed with "src failed: signal: killed" — a trivial printf subprocess was SIGKILLed by the CI runner under resource pressure, an environmental flake unrelated to the gomod dependency bump.
Confidence: 0.9

✅ Automatically retrying the workflow

View workflow run

@claude

claude Bot commented Jun 29, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all 18 direct dependency bumps. Checked upstream release notes and changelogs for regressions, breaking changes, security issues, and PII/secret leakage risks.

No regressions or concerns found. All bumps are safe for PeerDB.

Notable positive changes in this upgrade

Package Version Highlight
franz-go v1.21.2 → v1.21.3 Fixes consumer hang regression (from v1.21.0) when fetches to >4 brokers are pending; fixes data race in metadata cache
smithy-go v1.25.1 → v1.27.2 Fixes panic during nested union deserialization in JSON/CBOR protocols
gosnowflake/v2 v2.0.2 → v2.1.0 Fixes context cancellation not interrupting chunk downloader reads (resolves HTTP body read hangs in long-running queries); fixes stale OCSP cache lock
testcontainers-go v0.42.0 → v0.43.0 Security fix: removes debug code that leaked Docker credentials into logs; fixes goroutine leaks

Verified non-issues

  • ch-go v0.73.0 removes nested ClickHouse exception support — verified PeerDB only inspects top-level Exception.Code in retry logic (flow/pkg/clickhouse/query_retry.go), so no impact.
  • slack-go v0.25.0 changed TableBlock.Rows type — verified PeerDB does not use Slack's TableBlock type (its "table block" references are unrelated PostgreSQL partition concepts).
  • testcontainers-go v0.43.0 has breaking API changes (wait.ForSQL, ImageProvider) — verified PeerDB uses neither.
  • azidentity v1.14.0 requires Go ≥1.25 — PeerDB uses Go 1.26.0 ✓
  • aws-sdk-go-v2 v1.42.0 new retry behavior preview is opt-in only (gated behind AWS_NEW_RETRIES_2026 env var), no default behavioral change.

PII/Secret check

No new logging of passwords, tokens, or credentials introduced in any bumped dependency. The ErrIncorrectData message redaction in query_retry.go:82-83 remains intact.

🤖 Generated with Claude Code

@github-actions

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: The unit test TestRunPipeline_FilterStripsLines failed with "src failed: signal: killed" — a trivial printf subprocess killed by an external SIGKILL (OOM/resource pressure under heavy -p 32 parallelism), not a deterministic logic error, on an unrelated Renovate dependency-bump PR.
Confidence: 0.9

✅ Automatically retrying the workflow

View workflow run

@github-actions

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: Test_MySQL_BinlogIncident failed at setup with a transient MySQL handshake EOF ("connection was bad") while connecting to a just-started throwaway debug container gated only by a port-listening check — a container-readiness race unrelated to the gomod bump, with only one matrix leg affected.
Confidence: 0.88

✅ Automatically retrying the workflow

View workflow run

@claude

claude Bot commented Jun 29, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all 35+ Go dependency bumps. Checked upstream release notes and changelogs for the notable packages:

Key Findings

Package Bump Risk Notes
ch-go v0.72.0 → v0.73.0 None Breaking change (removed nested exceptions), but PeerDB only uses ch-go/proto error code constants — unaffected. PeerDB's clickhouse.Exception comes from clickhouse-go/v2, a separate type.
gosnowflake/v2 v2.0.2 → v2.1.0 None No breaking changes. Positive fixes: OCSP cache lock fix, context-cancellation hang fix.
mongo-driver/v2 v2.6.0 → v2.7.0 None No breaking changes. Deprecations are internal-only packages PeerDB doesn't use.
temporal sdk v1.44.0 → v1.45.0 Low gRPC gzip compression now on by default (standard Temporal servers handle this). Nil search attribute filtering won't affect PeerDB — all search attributes set string values.
slack-go v0.24.0 → v0.26.0 None Breaking change in v0.25.0 (TableBlock.Rows type changed), but PeerDB doesn't use TableBlock.
AWS SDK, OTel, Go stdlib, others various None Routine patch/minor bumps — bug fixes, dependency updates, no breaking changes.

Security & PII Check

  • Changes are confined to go.mod and go.sum files only — no code changes, no risk of PII/secret exposure.

Verdict: No regressions found. All bumps look clean.

🤖 Reviewed by Claude

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure from missing go.sum entries (go.mod changed without running go mod tidy), so the test binary never compiled — not a flaky test.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@claude

claude Bot commented Jun 30, 2026

Copy link
Copy Markdown

Dependency Bump Review — Go Modules

Reviewed all 36 direct dependency bumps for regressions per REVIEW.md. Files changed: go.mod and go.sum only (no source code changes). No PII/secret exposure risks.

Key findings by package

Package Bump Notable upstream changes Risk to PeerDB
ch-go v0.72.0 → v0.73.0 Breaking: removed nested exception support (Exception.Next field, Nested bool). ClickHouse itself dropped nested exceptions in 2020. None — PeerDB imports ch-go/proto only for error code constants (chproto.Error*). It uses clickhouse-go/v2's Exception type, never accesses .Next or .Nested.
gosnowflake/v2 v2.0.2 → v2.1.0 New ArrowStreamBatch.Reset(), OCSP cache lock fix, context cancellation now interrupts stalled chunk downloads. No breaking changes. None — PeerDB uses Config, DSN(), WithQueryTag(), WithQueryIDChan(), all unchanged. Context cancellation fix is beneficial.
mongo-driver/v2 v2.6.0 → v2.7.0 Fix bson.Raw.Validate panic on zero-length docs, fix change stream SetBatchSize with nil cursor, AggregateOptions.Custom deprecated. No breaking changes. None — PeerDB doesn't use deprecated APIs. Bug fixes are beneficial for CDC change streams.
temporal/sdk v1.44.0 → v1.45.0 SearchAttributes nil-filtering on ContinueAsNew (breaking); gRPC gzip compression enabled by default; selector/signal behavior fixes. None — PeerDB always sets concrete TypedSearchAttributes values, never nil. Compression change is beneficial.
slack-go/slack v0.24.0 → v0.26.0 Breaking in v0.25.0: TableBlock.Rows type changed from [][]string to [][]TableCell. None — PeerDB only uses HeaderBlock, SectionBlock, TextBlockObject, SendMessageContext(). Never uses TableBlock.
aws-sdk-go-v2 v1.41.7 → v1.42.0 Clock-skew persistence bug fix, new service features (unrelated to PeerDB's S3/KMS/SES/STS usage). None
smithy-go v1.25.1 → v1.27.2 Internal AWS SDK plumbing update. None
urfave/cli/v3 v3.9.0 → v3.10.0 Additive CLI framework features. None
franz-go v1.21.2 → v1.21.3 Patch release, bug fixes only. None
pebble/v2 v2.1.5 → v2.1.6 Patch release. None
otel/* v1.43.0 → v1.44.0 Minor release, additive. None
testcontainers-go v0.42.0 → v0.43.0 Test-only dependency. None
Remaining (golang.org/x/*, k8s.io/apimachinery, genproto, httprc, azidentity) Patch/minor Standard maintenance bumps. None

Verdict

All bumps are safe. Three packages (ch-go, slack-go, temporal/sdk) had upstream breaking changes, but none affect PeerDB's usage patterns. Several bug fixes (gosnowflake context cancellation, mongo-driver change stream fix, aws-sdk clock-skew fix) are actively beneficial.

🤖 Reviewed with Claude Code

@claude

claude Bot commented Jun 30, 2026

Copy link
Copy Markdown

Dependency Bump Review

Reviewed all 36 dependency bumps in this PR. No inline findings — posting a summary of the upstream release analysis.

PII / Secret Logging Risk

None — this PR only modifies go.mod and go.sum files; no source code changes.

Upstream Release Notes Analysis

ch-go v0.72.0 → v0.73.0 — Contains a labeled [breaking-change]: removed Exception.Next field and proto.Exception.Nested, changed Unwrap() from []error to error. Verified PeerDB does not reference Exception.Next or Exception.Nested anywhere in the codebase, so no impact.

gosnowflake v2.0.2 → v2.1.0 — No breaking API changes. Includes beneficial bug fixes: context cancellation now properly interrupts stalled chunk downloads (previously could cause hung goroutines in long-running queries), and OCSP cache lock fix prevents connection issues on long-lived processes. Both are net positives for ETL workloads. No risk.

mongo-driver v2.6.0 → v2.7.0 — No breaking API changes. Includes a change streams fix for batch size handling when cursor is nil (GODRIVER-3962), and a bson.Raw.Validate panic fix for zero-length documents (GODRIVER-3931). Both are beneficial for CDC consumers. No risk.

temporal sdk v1.44.0 → v1.45.0 — Most notable bump. Behavioral changes to be aware of:

  • Search Attributes filtering: Workflow start, signal-with-start, and continue-as-new now exclude unset search attributes encoded as binary/null. Removed attributes no longer persist into new runs.
  • SDK flags on by default: SDKFlagBlockedSelectorSignalReceive and SDKFlagWorkflowNewChannelLostMessages are now enabled by default for new workflows, fixing selector/signal receive behavior and channel message loss bugs.
  • gRPC gzip compression enabled by default on client connections.
  • New transitive dependency added: github.com/nexus-rpc/nexus-proto-annotations v0.1.0.
  • No known regressions in release notes.

slack-go v0.24.0 → v0.26.0 — v0.25.0 changed TableBlock.Rows field type to [][]TableCell. PeerDB does not use the Slack TableBlock type. No impact.

AWS SDK, OTel, pebble, k8s, golang.org/x/*, and other packages — Standard minor/patch bumps with no notable breaking changes or regressions. AWS SDK v1.42.0 includes a clock skew persistence fix. OTel v1.44.0 is a routine minor bump.

Verdict

No regressions found. The temporal SDK v1.45.0 behavioral changes are the most notable items — they apply to new workflow executions and fix prior bugs, so they should be safe but worth awareness during rollout.

@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown

Dependency Bump Review — PR #4399

Reviewed all 35+ Go module bumps. Checked upstream release notes, changelogs, and commit logs for regressions and breaking changes. Also verified no PII/secret logging risk (PR only touches go.mod/go.sum).

Key findings (all safe):

Package Change Notes
ch-go v0.72.0 → v0.73.0 ⚠️ Upstream labels "remove nested exceptions" as breaking. PeerDB only uses Exception.Code/.Message, never .Next chains. No impact.
gosnowflake/v2 v2.0.2 → v2.1.0 No breaking changes. Arrow chunk cancellation fix (SNOW-3479780) is beneficial for PeerDB's streaming workloads.
mongo-driver/v2 v2.6.0 → v2.7.0 No breaking changes. Includes fix for nil cursor panic on change stream SetBatchSize and BSON validation panic on zero-length docs — both positive for PeerDB's CDC connector.
go-mysql 60bfbfe → 35ca5c6 Single commit adding server-side session tracking support. Additive only; PeerDB uses this as a replication client, not server.
temporal sdk v1.44.0 → v1.45.0 Two upstream breaking changes: (1) nil search attributes now omitted on continue-as-new — PeerDB always sets non-nil MirrorName, no impact; (2) poller autoscaling refactor — only affects PollerStartCounter metric. Also enables gRPC gzip compression by default on Temporal client connections (reduces bandwidth, slight CPU increase).
temporal api v1.62.12 → v1.63.0 Note: actual bump is to v1.63.0 (minor), not v1.62.14 (patch) as listed in PR description — pulled in by sdk v1.45.0. Adds nexus-rpc/nexus-proto-annotations as new indirect dep.
franz-go v1.21.2 → v1.21.4 Fixes KIP-320 leader-epoch bug during full broker bounces that could cause stale offset consumption. Actively beneficial.
slack-go v0.24.0 → v0.26.0 Breaking change in TableBlock.Rows type (v0.25.0), but PeerDB does not use TableBlock.
AWS SDK, OTel, golang.org/x/*, k8s.io, pebble, urfave/cli, Azure, testcontainers Various minor/patch Standard dependency updates, bug fixes, no breaking changes relevant to PeerDB.

Verdict

No regressions found. All upstream breaking changes confirmed to not affect PeerDB. The franz-go and gosnowflake fixes are actively beneficial. Safe to merge.

🤖 Generated with Claude Code

@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown

Renovate Dependency Bump Review

Reviewed all 35 Go dependency bumps in this PR. Changes are confined to go.mod/go.sum files only — no source code modifications. No PII/secret logging concerns.

Upstream release notes check (per REVIEW.md)

Package Bump Notable upstream changes PeerDB impact
ch-go v0.72.0 → v0.73.0 Breaking: removed Exception.Next field and multi-error Unwrap() for nested exceptions Not affected — PeerDB only reads .Code and .Message on ClickHouse exceptions
gosnowflake/v2 v2.0.2 → v2.1.0 Additive only (new env var, ArrowStreamBatch.Reset(), bug fixes) Safe
mongo-driver/v2 v2.6.0 → v2.7.0 x/mongo/driver/session deprecated (internal); AggregateOptions.Custom deprecated Not affected — PeerDB uses neither. bson.Raw.Validate panic fix is a net positive
temporal sdk-go v1.44.0 → v1.45.0 Nil SearchAttributes filtered; gRPC gzip compression on by default; new SDK behavior flags Not affected — PeerDB always sets non-nil MirrorName; compression is a benign improvement
go-mysql 60bfbfe → 35ca5c6 Single commit: additive session-tracking support + protocol bug fix Safe — PeerDB uses replication client, not server-side APIs
slack-go v0.24.0 → v0.26.0 Breaking in v0.25.0: TableBlock.Rows type changed from []TableCell to [][]TableCell Not affected — PeerDB only uses SendMessageContext, HeaderBlock, SectionBlock
aws-sdk-go-v2 v1.41.7 → v1.42.0 New retry behavior behind opt-in AWS_NEW_RETRIES_2026 flag Safe — opt-in only
smithy-go v1.25.1 → v1.27.2 Additive APIs, CBOR max nesting depth (128), union deserialization bug fixes Safe
pebble/v2 v2.1.5 → v2.1.6 Patch release Safe
OTel family v1.43.0 → v1.44.0 Minor bump Safe
golang.org/x/* various minor Standard library extensions Safe
Others (testcontainers, franz-go, urfave/cli, httprc, k8s apimachinery, azidentity) patch/minor No breaking changes Safe

Verdict

No regressions or breaking changes affect PeerDB. All upstream breaking changes were verified against actual PeerDB usage and confirmed to be in unused API surfaces. Clean to merge.

🤖 Generated with Claude Code

@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviewed this Renovate dependency bump. All changes are confined to go.mod/go.sum files — no source code changes.

Upstream release notes checked for all bumped packages. Key findings:

Package Bump Notes
gosnowflake/v2 v2.0.2 → v2.1.0 No breaking changes. Fixes context cancellation stalling chunk downloads, adds Arrow stream retry support.
ch-go v0.72.0 → v0.73.0 Removed nested exception support — no impact, PeerDB only imports ch-go for error code constants.
go-mysql-org/go-mysql commit bump Single commit: session tracking support + OK packet parsing correctness fix. No binlog/replication changes.
franz-go v1.21.2 → v1.21.4 Bug fixes: PollRecords hang, transactional exactly-once consuming fix, metadata cache data race, SASL re-auth race. All beneficial.
slack-go/slack v0.24.0 → v0.26.0 Breaking: TableBlock.Rows type changed — verified PeerDB does not use Slack's TableBlock.
pebble/v2 v2.1.5 → v2.1.6 Single IsLowerBound boundary fix.
testcontainers-go v0.42.0 → v0.43.0 Breaking: ForSQL signature + ImageProvider interface — verified PeerDB uses neither. Security fix: removed debug code leaking Docker credentials.
urfave/cli/v3 v3.9.0 → v3.10.0 No breaking changes. Additive features.
aws-sdk-go-v2 v1.41.7 → v1.42.0 New retry behavior behind AWS_NEW_RETRIES_2026 env var (opt-in, off by default).
azidentity v1.13.1 → v1.14.0 Removed EnableAzureProxy (beta) — verified PeerDB doesn't use it. Min Go → 1.25 (PeerDB uses 1.26).

PII/secret logging check: No source code changes, only version bumps — no concern.

No regressions identified. Bump looks clean.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: The unrelated Renovate gomod PR failed on Test_MySQL_BinlogIncident with an EOF during MySQL initial handshake—a startup race where the throwaway MySQL debug container's port is listening (wait.ForListeningPort) but mysqld isn't yet ready to accept connections, while all other MySQL tests passed.
Confidence: 0.85

✅ Automatically retrying the workflow

View workflow run

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: The sole real failure (Test_MySQL_BinlogIncident) is a MySQL initial-handshake EOF/"connection was bad" error when connecting to a freshly-started MySQL testcontainer during test setup — a container-readiness race/network flake, on an unrelated Renovate gomod dependency-update PR.
Confidence: 0.92

✅ Automatically retrying the workflow

View workflow run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file stop-updating

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants