Update gomod dependencies#4399
Conversation
ℹ️ Artifact update noticeFile name: flow/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: flow/pkg/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
4fdfff2 to
044fb40
Compare
Dependency Bump ReviewReviewed all upstream changelogs for the bumped range. Summary of findings: Packages reviewed
Notable behavioral change: OpenTelemetry v1.43.0 → v1.44.0OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (previously unlimited). PeerDB does not explicitly configure Risk assessment: Low. PeerDB's metric cardinality is driven by unique combinations of flow name, source/destination peer, status, and operation — per instrument, this is very unlikely to approach 2000 for typical deployments. However, large-scale deployments with many concurrent mirrors should be aware. If needed, Other OTel v1.44.0 changes: Security check
Verdict: No regressions found. Looks clean to merge. 🤖 Generated with Claude Code |
|
Renovate dependency bump reviewed. Checked upstream release notes for all bumped packages. AWS SDK Go v2 (v1.41.7 to v1.41.9) - patch. Bug fix for smithy-go (v1.25.1 to v1.26.0) - minor. Dependency update only. No regressions. cockroachdb/pebble (v2.1.5 to v2.1.6) - patch. Single correctness fix for OpenTelemetry Go (v1.43.0 to v1.44.0) - behavioral changes worth noting:
OpenTelemetry Go Contrib / otelgrpc (v0.68.0 to v0.69.0) - Temporal SDK (v1.44.0 to v1.44.1) + API (v1.62.12 to v1.62.13) - patch. Improved graceful worker shutdown (opt-in, requires server flag). No breaking changes. google.golang.org/genproto - routine digest update. No regressions. No PII/secret logging concerns — diff is limited to |
Code reviewUpstream behavioral changes in OTel SDK v1.44.0 (REVIEW.md compliance — dependency regression check) Two notable behavioral changes in this version bump: 1. Default cardinality limit of 2000 (high impact) — PeerDB's MeterProvider in Consider either verifying that no instrument exceeds 2000 attribute sets in your deployments, or explicitly setting 2. 64 MiB default OTLP request size cap (moderate impact) — |
Code review1 issue found. Checked for bugs and CLAUDE.md compliance. Breaking change: OTel SDK v1.44.0 default cardinality limit File: flow/go.mod, line 71 (go.opentelemetry.io/otel/sdk/metric v1.44.0) go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (upstream changelog). Previously, the default was unlimited. When the limit is exceeded, new attribute sets are silently dropped and merged into an overflow bucket with otel.metric.overflow=true. PeerDB NewMeterProvider does not set a cardinality limit: peerdb/flow/otel_metrics/otel_manager.go Lines 709 to 715 in e78178c PeerDB emits metrics with high-cardinality attributes - per-flow, per-table, per-peer combinations (e.g. RecordsSyncedPerTableGauge). A deployment with 10 flows each replicating 100 tables x 3 operation types = 3,000 unique attribute sets per instrument, exceeding the new default. This would cause silent metric data loss with no errors. Suggested fix: Add sdkmetric.WithCardinalityLimit(0) to the NewMeterProvider call in otel_manager.go to restore unlimited cardinality, or set it to a sufficiently high value for your deployments. Flagged per REVIEW.md - upstream regression check for dependency bumps. |
|
The 2000 limit would need a check, how we're doing across production |
044fb40 to
9d3fb32
Compare
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/metric v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 | ||
| go.opentelemetry.io/otel/sdk/metric v1.44.0 |
There was a problem hiding this comment.
Informational — OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument.
Previously unlimited, new attribute sets beyond 2000 unique combinations per instrument are now dropped and aggregated under otel.metric.overflow=true. PeerDB uses attributes like DestinationTableName, FlowName, PeerName, and SlotName on its metrics. For typical deployments this should be well under 2000 per instrument, but deployments with a very large number of mirrors/tables could hit this.
To restore the old unlimited behavior if needed: metric.WithCardinalityLimit(0) or env OTEL_GO_X_CARDINALITY_LIMIT=0.
Also: OTLP exporters now cap request size at 64 MiB (configurable via WithMaxRequestSize). Oversized requests fail as non-retryable errors.
Dependency Bump Review — Upstream Changelog AnalysisReviewed all upstream release notes for the bumped range of each dependency. No regressions or breaking changes that affect PeerDB were found. Summary of notable upstream changes below. golang.org/x/net v0.54.0 → v0.55.0 — Security fixes Fixes multiple CVEs in the OpenTelemetry Go v1.43.0 → v1.44.0 — Behavioral changes (see inline comment)
AWS SDK Go v2 (multiple packages) — Patch-level, safe All patch/minor bumps. Notable: credential cache files now created with cockroachdb/pebble v2.1.5 → v2.1.6 — Single bug fix Fixes Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement Worker shutdown now drains already-polled tasks when the server supports it. No breaking changes. Temporal API v1.62.13 is infrastructure-only. Other
PII / Secret Logging Check No source code changes — only |
9d3fb32 to
62505bb
Compare
Dependency Bump ReviewReviewed upstream release notes for all bumped packages. Summary of findings: OpenTelemetry v1.43.0 -> v1.44.0 -- Breaking change: default cardinality limit (see inline comment)
Positive: this release also includes two security fixes (GHSA-995v-fvrw-c78m, GHSA-5wrp-cwcj-q835) and several race condition fixes in the metric SDK. otelgrpc v0.68.0 -> v0.69.0 -- Removed WithSpanOptions The deprecated cockroachdb/pebble v2.1.5 -> v2.1.6 -- Bug fix Fixes Temporal SDK v1.44.0 -> v1.44.1 -- Graceful shutdown improvement Workers now drain already-polled tasks during shutdown (when server supports it). Backward-compatible, no breaking changes. Temporal API v1.62.12 -> v1.62.13 -- Maintenance Bug fixes and generated Nexus service definitions. No breaking changes. AWS SDK Go v2 (multiple packages) -- Patch bumps Bug fix for smithy-go v1.25.1 -> v1.26.0 Added New transitive dependencies
PII / Secrets check: |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/metric v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 |
There was a problem hiding this comment.
Warning: go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per instrument. When the limit is reached, new attribute sets are silently dropped into an overflow bucket. PeerDB defines 40+ metric instruments in flow/otel_metrics/otel_manager.go, some keyed by dynamic attributes (per-table, per-flow). If any single instrument exceeds 2000 unique attribute combinations, metrics will be silently lost. For most deployments this is probably fine (2000 is generous), but worth verifying for large multi-tenant deployments. If needed, override with sdkmetric.WithCardinalityLimit(0) in setupMetricsAndProvider().
62505bb to
42ddc96
Compare
There was a problem hiding this comment.
Reviewed this Renovate dependency bump. Upstream release notes checked for all bumped packages. Two findings noted as separate PR comments below.
Summary of bumps reviewed:
- AWS SDK Go v2 (core v1.41.7 to v1.41.9, smithy-go v1.25.1 to v1.27.0, S3/KMS/SES/SNS/STS patches): No breaking changes. Includes a smithy-go LRU cache memory leak fix (good).
- CockroachDB Pebble (v2.1.5 to v2.1.6): Single correctness bug fix in row-block iterator IsLowerBound. No API changes. Safe.
- OpenTelemetry (v1.43.0 to v1.44.0): New default cardinality limit of 2000 per instrument. This is the main finding -- see follow-up comment.
- Temporal SDK (v1.44.0 to v1.44.1, api v1.62.12 to v1.62.13): Patch release improving graceful shutdown drain. New nexus-proto-annotations indirect dep is expected. No breaking changes.
- golang.org/x/net (v0.54.0 to v0.55.0), google.golang.org/genproto updates: Routine. No breaking changes.
|
[medium] Previously there was no limit. New attribute-set combinations beyond 2000 are silently dropped and aggregated into an overflow bucket tagged PeerDB uses high-cardinality attributes like No existing Suggested action: Either (a) confirm 2000 is acceptable for all expected deployments, or (b) add Ref: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.44.0 |
|
[info] This version introduced schema-based serialization and CBOR max-nesting-depth enforcement. Subsequent patches v1.27.1 and v1.27.2 fix CBOR/JSON union deserialization bugs (including a panic). PeerDB AWS usage (S3, KMS, SES, SNS, STS) primarily uses JSON/XML, so risk is very low, but worth noting in case CBOR-related issues surface -- those patches exist upstream. |
42ddc96 to
9ed75a6
Compare
|
Re-reviewed this Renovate bump. Upstream changelogs checked for all packages — confirming prior findings and adding a note on Confirmed safe (no regressions found):
Security-positive —
Previously flagged (still valid): OTel v1.44.0 default cardinality limit of 2000 per instrument + 64 MiB OTLP request size cap — see earlier comments on this PR. No new concerns found beyond what was already flagged. |
9ed75a6 to
e1a3ff8
Compare
Dependency Bump Review — PR #4399Reviewed upstream release notes for all bumped packages. No PII/secret logging concerns (changes are go.mod/go.sum only). Findings1. OpenTelemetry v1.43.0 → v1.44.0 — New default cardinality limit (medium severity) OTel v1.44.0 introduces a default 2000-attribute cardinality limit in the metric SDK. Exceeding this drops new attribute sets into an overflow bucket ( Other OTel changes: 2. smithy-go v1.25.1 → v1.27.0 — Known post-release fixes (low severity) smithy-go v1.27.0 adds schema-based serialization and enforces max CBOR nesting depth of 128. However, v1.27.1 (panic in nested union deserialization for JSON/CBOR) and v1.27.2 (improper CBOR union serialization) fixed issues introduced in v1.27.0. PeerDB primarily uses AWS services with restxml/awsquery/awsjson protocols (S3, KMS, SES, SNS, STS), so impact is likely low, but worth being aware of. Also includes a memory leak fix in LRU cache (v1.25.2) and file permission hardening (aws-sdk-go-v2 v1.41.8). 3. Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement (no action needed) Workers now drain already-polled tasks on shutdown when the server supports it (requires server flag 4. New transitive dependency: Pulled in by 5. cockroachdb/pebble v2.1.5 → v2.1.6 — Correctness fix (no action needed) Single bug fix: 6. Other bumps (no concerns)
SummaryThe OTel cardinality limit (finding #1) is the most actionable item — recommend verifying PeerDB's metric attribute cardinality won't exceed 2000 combinations per instrument, or explicitly configuring limits. All other changes are low-risk. 🤖 Generated with Claude Code |
e1a3ff8 to
1efd967
Compare
Dependency Bump ReviewReviewed all upstream changelogs for the dependency bumps in this PR. Here are the findings: Security Fixes (positive reasons to merge)
Notable Behavioral Changes
Regressions Check
Breaking Changes Affecting PeerDBNone found. Verified that PeerDB does not use any removed/deprecated APIs ( New Dependencies
VerdictNo regressions or breaking changes affecting PeerDB. Multiple security fixes make this a beneficial upgrade. The OTel cardinality limit (2000 default) is the only behavioral change worth monitoring in production, but PeerDB's metric cardinality appears well within bounds. 🤖 Generated with Claude Code |
1efd967 to
3c76c27
Compare
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/metric v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.44.0 | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/metric v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 |
There was a problem hiding this comment.
Note (informational, non-blocking): OpenTelemetry SDK v1.44.0 introduces a default cardinality limit of 2000 for the metrics SDK. When more than 2000 unique attribute sets are recorded for a single metric instrument, new attribute sets are dropped and aggregated into an overflow bucket. Previously there was no limit. If PeerDB has any high-cardinality metrics (e.g. metrics tagged per-table, per-peer, or per-flow), this could silently truncate metric data. To restore old behavior use WithCardinalityLimit(0). Also: attribute.Value.Emit() is deprecated in favor of Value.String(); security fixes for schema file handle leak and baggage extraction DoS; new default 64 MiB OTLP request size limit. All other bumps are clean - see review summary comment for details.
Dependency Bump Review ✅Reviewed all dependency bumps in this PR. Checked upstream release notes and changelogs for regressions, breaking changes, and security concerns. Direct dependency bumps reviewed:
Other observations:
Verdict: No regressions identified. All bumps look safe to merge. 🤖 Generated with Claude Code |
There was a problem hiding this comment.
Dependency bump review
Reviewed upstream release notes for all bumped packages. Summary of findings:
Safe bumps (no issues found)
- azidentity v1.13.1 → v1.14.0: No breaking changes for stable users. Improved error messages, requires Go 1.25+.
- AWS SDK Go v2 (multiple packages): Breaking change in
rdsdataArrayValue (pointer-slice elements), but PeerDB does not importrdsdata. Security improvement: credential files now written with0600permissions. - smithy-go v1.25.1 → v1.27.2: CBOR union serialization fixes, max nesting depth of 128 enforced. No breaking changes.
- gosnowflake v2.0.2 → v2.1.0: No breaking changes. Context cancellation now properly interrupts stalled Arrow chunk downloads.
- mongo-driver v2.6.0 → v2.7.0: No breaking changes. Causally consistent session writes now send
afterClusterTime(correctness fix). - ch-go v0.72.0 → v0.73.0: Tagged
[breaking-change]for nested exception removal, but PeerDB only accesseschproto.Errorconstants andclickhouse.Exception.Code/.Message— does not use.Nested. - otelgrpc v0.68.0 → v0.69.0:
WithSpanOptionsremoved, but PeerDB doesn't use it. - franz-go v1.21.2 → v1.21.3, pebble v2.1.5 → v2.1.6, temporal v1.62.12 → v1.62.14: Patch bumps, safe.
Security improvements (beneficial)
- golang.org/x/crypto v0.52.0 → v0.53.0: Multiple SSH hardening fixes (RSA key size cap, bcrypt KDF rounds cap, ECDSA curve validation, panic fixes). PeerDB uses
x/crypto/ssh— these are beneficial. - golang.org/x/net v0.54.0 → v0.56.0: Multiple CVEs fixed — CVE-2026-27136 (duplicate HTML attributes), CVE-2026-42506 / CVE-2026-42502 (XSS via HTML parser), CVE-2026-25680 / CVE-2026-25681 (DoS / sanitizer bypass), CVE-2026-46600 (dns/dnsmessage panic).
Noteworthy behavioral change (see inline comment)
- OTel SDK v1.43.0 → v1.44.0: New default metric cardinality limit of 2000, and 64 MiB OTLP export request size limit.
PII / Secret logging
No code changes in this PR — only go.mod / go.sum files. No risk.
| go.temporal.io/sdk v1.44.0 | ||
| go.mongodb.org/mongo-driver/v2 v2.7.0 | ||
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.69.0 | ||
| go.opentelemetry.io/otel v1.44.0 |
There was a problem hiding this comment.
OTel v1.44.0 introduces a default metric cardinality limit of 2000.
Previously unlimited, sdk/metric now drops new attribute sets beyond 2000 unique combinations per instrument, aggregating overflow under otel.metric.overflow=true. PeerDB's metrics use per-flow attributes (flow name, source/destination peer name/type/hostname, status, pipe name, operation, activity type, workflow type) — deployments with many concurrent flows could exceed this limit and silently lose metric granularity.
Additionally, OTLP exporters now impose a 64 MiB default request size limit (before compression); oversized requests become non-retryable errors.
Recommendation: This is likely fine for most deployments, but worth being aware of. If metric cardinality issues surface post-upgrade, the limit can be raised via WithCardinalityLimit() or set to 0 (unlimited).
Dependency Bump ReviewReviewed all upstream release notes for the bumped range. Only Key findings by package
New transitive dependencies
VerdictNo regressions or blocking issues identified. The Temporal SDK behavior flag changes are the most notable but are protected by Temporal versioning system (only affect newly started workflows). All other breaking changes in upstream libraries do not affect PeerDB usage patterns. |
There was a problem hiding this comment.
Reviewed this Renovate dependency bump PR. Checked upstream release notes for all bumped packages. Key findings are posted as inline comments below.
Summary of upstream changes checked:
- gosnowflake v2.0.2→v2.1.0: No breaking changes. Beneficial fixes for context-cancellation hangs and OCSP cache locking.
- ch-go v0.72.0→v0.73.0: Nested exception support removed (breaking), but PeerDB does not access
.Nestedon exceptions — safe. - franz-go v1.21.2→v1.21.3: Bug fixes including a
PollRecords/PollFetcheshang fix (regression from v1.21.0). Beneficial. - slack-go v0.24.0→v0.26.0:
TableBlock.Rowstype changed in v0.25.0 (breaking), but PeerDB does not use slack-go'sTableBlock— safe. - aws-sdk-go-v2 v1.41.7→v1.42.0 / smithy-go v1.25.1→v1.27.2: No breaking changes. Fixes memory leak in LRU cache and union deserialization panics.
- pebble v2.1.5→v2.1.6: Narrow fix for synthetic suffix handling, not relevant to PeerDB.
- testcontainers-go v0.42.0→v0.43.0:
ForSQLcallback signature changed andImageProviderinterface expanded, but PeerDB uses neither — safe. - urfave/cli v3.9.0→v3.10.0: No breaking changes, help-related bug fixes only.
- OTel v1.43.0→v1.44.0: See inline comment — new default cardinality limit and security fixes.
No PII/secret logging concerns — only go.mod/go.sum files changed.
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 | ||
| go.opentelemetry.io/otel/metric v1.44.0 | ||
| go.opentelemetry.io/otel/sdk v1.44.0 | ||
| go.opentelemetry.io/otel/sdk/metric v1.44.0 |
There was a problem hiding this comment.
[info] OTel SDK metric v1.44.0 introduces a default cardinality limit of 2000 per metric instrument. When exceeded, new attribute sets are dropped and aggregated into an otel.metric.overflow=true bucket.
PeerDB's RecordsSyncedPerTableGauge and RecordsSyncedPerTableCounter metrics emit per-table attributes (destinationTableName × recordOperationType × flow-level context attributes). For large deployments with many flows and tables, the number of unique attribute combinations could approach this limit.
Workaround if needed: Set env var OTEL_GO_X_CARDINALITY_LIMIT=0 to disable the limit, or call sdkmetric.WithCardinalityLimit(0) in the meter provider setup.
Also notable in this release:
- Two security fixes: GHSA-995v-fvrw-c78m (schema file descriptor leak in
ParseFile) and GHSA-5wrp-cwcj-q835 (baggage header flooding — extraction now enforces 8192-byte spec limit). - OTLP exporters now enforce a 64 MiB request size limit by default (oversized requests become non-retryable errors).
Value.Emitdeprecated in favor ofValue.String.- Fixed race condition in
FixedSizeReservoirexemplar and Prometheus exporter concurrentCollectdata race.
Dependency Bump ReviewReviewed upstream release notes for all 35 bumped Go dependencies. Summary of findings: Temporal SDK v1.44.0 to v1.45.0 (flow/go.mod:84) -- Worth Monitoring This bump enables two SDK behavior flags by default that were previously opt-in:
These are correctness fixes, but they alter deterministic replay behavior. If in-flight CDC/QRep workflows replay history under the new flags, there is a small risk of Recommendation: Monitor worker logs for non-determinism errors after deployment. If any surface, the flags can be explicitly disabled via worker options as a short-term mitigation while affected workflows complete. Other Bumps -- No Regressions Found
|
Dependency Bump ReviewReviewed upstream release notes and changelogs for all bumped packages. No regressions or breaking changes that affect PeerDB were found. Key findings per package:
PII/Secret checkOnly 🤖 Generated with Claude Code |
❌ Test FailureAnalysis: The "run tests" step fails at compile time with many "missing go.sum entry" errors, meaning go.sum is out of sync with go.mod (needs |
❌ Test FailureAnalysis: The build aborted before tests ran with dozens of deterministic "missing go.sum entry" errors, indicating a go.mod change without a corresponding updated go.sum — a real dependency/build bug, not flakiness. |
Renovate Go Dependency Bump — ReviewedReviewed all 35 dependency bumps in this PR. Only Upstream release notes reviewChecked the upstream changelogs for the most impactful bumps:
Verdict: No regressions identified. Safe to merge. |
Dependency Bump ReviewThis PR updates Go module dependencies across gosnowflake/v2: v2.0.2 → v2.1.0No breaking API changes (confirmed from upstream PR #1803). Notable bug fixes relevant to PeerDB:
These are fixes for real operational issues; the upgrade is beneficial. github.com/ClickHouse/ch-go: v0.72.0 → v0.73.0Release notes could not be fetched in this environment. Maintainers should verify at https://github.com/ClickHouse/ch-go/releases/tag/v0.73.0 for any behavioral changes affecting column type handling or protocol encoding. go.mongodb.org/mongo-driver/v2: v2.6.0 → v2.7.0Release notes could not be fetched in this environment. Maintainers should verify at https://github.com/mongodb/mongo-go-driver/releases/tag/v2.7.0 for BSON marshaling or change stream behavior changes. go.temporal.io/sdk: v1.44.0 → v1.45.0Release notes could not be fetched in this environment. Verify at https://github.com/temporalio/sdk-go/releases/tag/v1.45.0. Note that this bump also pulls in a new transitive dependency: go.opentelemetry.io/otel: v1.43.0 → v1.44.0 (partial)
slack-go/slack: v0.24.0 → v0.26.0 (two minor versions)Release notes could not be fetched in this environment. PeerDB uses a narrow surface ( Other bumps
Summary
|
Code review1 issue found. Checked for bugs and CLAUDE.md compliance.
|
🔄 Flaky Test DetectedAnalysis: TestRunPipeline_FilterStripsLines failed with "src failed: signal: killed" — a trivial printf subprocess was SIGKILLed by the CI runner under resource pressure, an environmental flake unrelated to the gomod dependency bump. ✅ Automatically retrying the workflow |
Dependency Bump ReviewReviewed all 18 direct dependency bumps. Checked upstream release notes and changelogs for regressions, breaking changes, security issues, and PII/secret leakage risks. No regressions or concerns found. All bumps are safe for PeerDB. Notable positive changes in this upgrade
Verified non-issues
PII/Secret checkNo new logging of passwords, tokens, or credentials introduced in any bumped dependency. The 🤖 Generated with Claude Code |
🔄 Flaky Test DetectedAnalysis: The unit test TestRunPipeline_FilterStripsLines failed with "src failed: signal: killed" — a trivial printf subprocess killed by an external SIGKILL (OOM/resource pressure under heavy -p 32 parallelism), not a deterministic logic error, on an unrelated Renovate dependency-bump PR. ✅ Automatically retrying the workflow |
🔄 Flaky Test DetectedAnalysis: Test_MySQL_BinlogIncident failed at setup with a transient MySQL handshake EOF ("connection was bad") while connecting to a just-started throwaway debug container gated only by a port-listening check — a container-readiness race unrelated to the gomod bump, with only one matrix leg affected. ✅ Automatically retrying the workflow |
Dependency Bump ReviewReviewed all 35+ Go dependency bumps. Checked upstream release notes and changelogs for the notable packages: Key Findings
Security & PII Check
Verdict: No regressions found. All bumps look clean. 🤖 Reviewed by Claude |
❌ Test FailureAnalysis: Deterministic build failure from missing go.sum entries (go.mod changed without running |
Dependency Bump Review — Go ModulesReviewed all 36 direct dependency bumps for regressions per REVIEW.md. Files changed: Key findings by package
VerdictAll bumps are safe. Three packages ( 🤖 Reviewed with Claude Code |
Dependency Bump ReviewReviewed all 36 dependency bumps in this PR. No inline findings — posting a summary of the upstream release analysis. PII / Secret Logging RiskNone — this PR only modifies Upstream Release Notes Analysisch-go v0.72.0 → v0.73.0 — Contains a labeled gosnowflake v2.0.2 → v2.1.0 — No breaking API changes. Includes beneficial bug fixes: context cancellation now properly interrupts stalled chunk downloads (previously could cause hung goroutines in long-running queries), and OCSP cache lock fix prevents connection issues on long-lived processes. Both are net positives for ETL workloads. No risk. mongo-driver v2.6.0 → v2.7.0 — No breaking API changes. Includes a change streams fix for batch size handling when cursor is nil (GODRIVER-3962), and a temporal sdk v1.44.0 → v1.45.0 — Most notable bump. Behavioral changes to be aware of:
slack-go v0.24.0 → v0.26.0 — v0.25.0 changed AWS SDK, OTel, pebble, k8s, golang.org/x/*, and other packages — Standard minor/patch bumps with no notable breaking changes or regressions. AWS SDK v1.42.0 includes a clock skew persistence fix. OTel v1.44.0 is a routine minor bump. VerdictNo regressions found. The temporal SDK v1.45.0 behavioral changes are the most notable items — they apply to new workflow executions and fix prior bugs, so they should be safe but worth awareness during rollout. |
Dependency Bump Review — PR #4399Reviewed all 35+ Go module bumps. Checked upstream release notes, changelogs, and commit logs for regressions and breaking changes. Also verified no PII/secret logging risk (PR only touches Key findings (all safe):
VerdictNo regressions found. All upstream breaking changes confirmed to not affect PeerDB. The franz-go and gosnowflake fixes are actively beneficial. Safe to merge. 🤖 Generated with Claude Code |
Renovate Dependency Bump ReviewReviewed all 35 Go dependency bumps in this PR. Changes are confined to Upstream release notes check (per REVIEW.md)
VerdictNo regressions or breaking changes affect PeerDB. All upstream breaking changes were verified against actual PeerDB usage and confirmed to be in unused API surfaces. Clean to merge. 🤖 Generated with Claude Code |
|
Reviewed this Renovate dependency bump. All changes are confined to Upstream release notes checked for all bumped packages. Key findings:
PII/secret logging check: No source code changes, only version bumps — no concern. No regressions identified. Bump looks clean. |
🔄 Flaky Test DetectedAnalysis: The unrelated Renovate gomod PR failed on Test_MySQL_BinlogIncident with an EOF during MySQL initial handshake—a startup race where the throwaway MySQL debug container's port is listening (wait.ForListeningPort) but mysqld isn't yet ready to accept connections, while all other MySQL tests passed. ✅ Automatically retrying the workflow |
…OTEL 1.43.0 -> 1.44.0) update
…L 1.43.0 -> 1.44.0) update
🔄 Flaky Test DetectedAnalysis: The sole real failure (Test_MySQL_BinlogIncident) is a MySQL initial-handshake EOF/"connection was bad" error when connecting to a freshly-started MySQL testcontainer during test setup — a container-readiness race/network flake, on an unrelated Renovate gomod dependency-update PR. ✅ Automatically retrying the workflow |
This PR contains the following updates:
v1.13.1→v1.14.0v0.72.0→v0.73.0v1.41.7→v1.42.0v1.42.1v1.32.18→v1.32.25v1.32.27(+1)v1.19.17→v1.19.24v1.19.26(+1)v1.6.23→v1.6.29v1.6.30v1.52.0→v1.53.4v1.53.6(+1)v1.101.0→v1.104.0v1.104.2(+1)v1.34.24→v1.35.2v1.35.4(+1)v1.42.1→v1.43.3v1.43.5(+1)v1.25.1→v1.27.2v1.27.3v2.1.5→v2.1.660bfbfe→35ca5c6v3.0.5→v3.0.6v0.24.0→v0.26.0v0.27.0v2.0.2→v2.1.0v0.42.0→v0.43.0v1.21.2→v1.21.4v1.21.5v3.9.0→v3.10.0v3.10.1v2.6.0→v2.7.0v0.68.0→v0.69.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.43.0→v1.44.0v1.62.12→v1.63.0v1.63.1v1.44.0→v1.45.0v0.52.0→v0.53.074f9aab→c48552fv0.36.0→v0.37.0v0.20.0→v0.21.0v0.37.0→v0.38.0v0.45.0→v0.46.0v0.47.0v0.36.1→v0.36.2Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
ClickHouse/ch-go (github.com/ClickHouse/ch-go)
v0.73.0Compare Source
What's Changed
Enhancements 🚀
Bug fixes 🐛
Misc
New Contributors
Full Changelog: ClickHouse/ch-go@v0.72.0...v0.73.0
aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)
v1.42.0Compare Source
General Highlights
Module Highlights
github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.43.0github.com/aws/aws-sdk-go-v2/service/connect: v1.171.0github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.12.0github.com/aws/aws-sdk-go-v2/service/groundstation: v1.41.0github.com/aws/aws-sdk-go-v2/service/imagebuilder: v1.53.0github.com/aws/aws-sdk-go-v2/service/neptune: v1.44.4github.com/aws/aws-sdk-go-v2/service/quicksight: v1.107.0github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.241.0github.com/aws/aws-sdk-go-v2/service/sts: v1.42.0v1.41.12Compare Source
General Highlights
Module Highlights
github.com/aws/aws-sdk-go-v2: v1.41.5github.com/aws/aws-sdk-go-v2/service/accessanalyzer: v1.45.12github.com/aws/aws-sdk-go-v2/service/account: v1.30.5github.com/aws/aws-sdk-go-v2/service/acm: v1.37.23github.com/aws/aws-sdk-go-v2/service/acmpca: v1.46.12github.com/aws/aws-sdk-go-v2/service/aiops: v1.6.21github.com/aws/aws-sdk-go-v2/service/amp: v1.42.9github.com/aws/aws-sdk-go-v2/service/amplify: v1.38.14github.com/aws/aws-sdk-go-v2/service/amplifybackend: v1.32.20github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder: v1.28.20github.com/aws/aws-sdk-go-v2/service/apigateway: v1.39.1github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi: v1.29.14github.com/aws/aws-sdk-go-v2/service/apigatewayv2: v1.34.1github.com/aws/aws-sdk-go-v2/service/appconfig: v1.43.13github.com/aws/aws-sdk-go-v2/service/appconfigdata: v1.23.22github.com/aws/aws-sdk-go-v2/service/appfabric: v1.16.21github.com/aws/aws-sdk-go-v2/service/appflow: v1.51.12github.com/aws/aws-sdk-go-v2/service/appintegrations: v1.37.7github.com/aws/aws-sdk-go-v2/service/applicationautoscaling: v1.41.14github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler: v1.27.12github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice: v1.35.13github.com/aws/aws-sdk-go-v2/service/applicationinsights: v1.34.20github.com/aws/aws-sdk-go-v2/service/applicationsignals: v1.19.1github.com/aws/aws-sdk-go-v2/service/appmesh: v1.35.12github.com/aws/aws-sdk-go-v2/service/apprunner: v1.39.14github.com/aws/aws-sdk-go-v2/service/appstream: v1.54.4github.com/aws/aws-sdk-go-v2/service/appsync: v1.53.5github.com/aws/aws-sdk-go-v2/service/arcregionswitch: v1.6.3github.com/aws/aws-sdk-go-v2/service/arczonalshift: v1.22.23github.com/aws/aws-sdk-go-v2/service/artifact: v1.15.5github.com/aws/aws-sdk-go-v2/service/athena: v1.57.4github.com/aws/aws-sdk-go-v2/service/auditmanager: v1.46.12github.com/aws/aws-sdk-go-v2/service/autoscaling: v1.64.4github.com/aws/aws-sdk-go-v2/service/autoscalingplans: v1.30.14github.com/aws/aws-sdk-go-v2/service/b2bi: v1.0.0-preview.100github.com/aws/aws-sdk-go-v2/service/backup: v1.54.11github.com/aws/aws-sdk-go-v2/service/backupgateway: v1.26.3github.com/aws/aws-sdk-go-v2/service/backupsearch: v1.6.23github.com/aws/aws-sdk-go-v2/service/batch: v1.63.2github.com/aws/aws-sdk-go-v2/service/bcmdashboards: v1.1.4github.com/aws/aws-sdk-go-v2/service/bcmdataexports: v1.14.0github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator: v1.10.9github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions: v1.1.5github.com/aws/aws-sdk-go-v2/service/bedrock: v1.57.1github.com/aws/aws-sdk-go-v2/service/bedrockagent: v1.52.7github.com/aws/aws-sdk-go-v2/service/bedrockagentcore: v1.15.2github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol: v1.25.1github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime: v1.51.8github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation: v1.13.5github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime: v1.10.4github.com/aws/aws-sdk-go-v2/service/bedrockruntime: v1.50.4github.com/aws/aws-sdk-go-v2/service/billing: v1.10.4github.com/aws/aws-sdk-go-v2/service/billingconductor: v1.28.5github.com/aws/aws-sdk-go-v2/service/braket: v1.39.8github.com/aws/aws-sdk-go-v2/service/budgets: v1.43.4github.com/aws/aws-sdk-go-v2/service/chatbot: v1.14.21github.com/aws/aws-sdk-go-v2/service/chime: v1.41.12github.com/aws/aws-sdk-go-v2/service/chimesdkidentity: v1.27.20github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines: v1.26.21github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings: v1.33.15github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging: v1.32.17github.com/aws/aws-sdk-go-v2/service/chimesdkvoice: v1.28.13github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.42.4github.com/aws/aws-sdk-go-v2/service/cleanroomsml: v1.22.5github.com/aws/aws-sdk-go-v2/service/cloud9: v1.33.20github.com/aws/aws-sdk-go-v2/service/cloudcontrol: v1.29.13github.com/aws/aws-sdk-go-v2/service/clouddirectory: v1.30.12github.com/aws/aws-sdk-go-v2/service/cloudformation: v1.71.9github.com/aws/aws-sdk-go-v2/service/cloudfront: v1.60.4github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore: v1.12.24github.com/aws/aws-sdk-go-v2/service/cloudhsm: v1.29.21github.com/aws/aws-sdk-go-v2/service/cloudhsmv2: v1.34.21github.com/aws/aws-sdk-go-v2/service/cloudsearch: v1.32.12github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain: v1.28.20github.com/aws/aws-sdk-go-v2/service/cloudtrail: v1.55.9github.com/aws/aws-sdk-go-v2/service/cloudtraildata: v1.17.13github.com/aws/aws-sdk-go-v2/service/cloudwatch: v1.55.3github.com/aws/aws-sdk-go-v2/service/cloudwatchevents: v1.32.23github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.65.0github.com/aws/aws-sdk-go-v2/service/codeartifact: v1.38.21github.com/aws/aws-sdk-go-v2/service/codebuild: v1.68.13github.com/aws/aws-sdk-go-v2/service/codecatalyst: v1.21.12github.com/aws/aws-sdk-go-v2/service/codecommit: v1.33.12github.com/aws/aws-sdk-go-v2/service/codeconnections: v1.10.20github.com/aws/aws-sdk-go-v2/service/codedeploy: v1.35.13github.com/aws/aws-sdk-go-v2/service/codeguruprofiler: v1.29.20github.com/aws/aws-sdk-go-v2/service/codegurureviewer: v1.34.20github.com/aws/aws-sdk-go-v2/service/codegurusecurity: v1.16.24github.com/aws/aws-sdk-go-v2/service/codepipeline: v1.46.21github.com/aws/aws-sdk-go-v2/service/codestarconnections: v1.35.13github.com/aws/aws-sdk-go-v2/service/codestarnotifications: v1.31.21github.com/aws/aws-sdk-go-v2/service/cognitoidentity: v1.33.22github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider: v1.59.3github.com/aws/aws-sdk-go-v2/service/cognitosync: v1.29.12github.com/aws/aws-sdk-go-v2/service/comprehend: v1.40.21github.com/aws/aws-sdk-go-v2/service/comprehendmedical: v1.31.21github.com/aws/aws-sdk-go-v2/service/computeoptimizer: v1.49.8github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation: v1.0.8github.com/aws/aws-sdk-go-v2/service/configservice: v1.62.1github.com/aws/aws-sdk-go-v2/service/connect: v1.166.1github.com/aws/aws-sdk-go-v2/service/connectcampaigns: v1.20.20github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.11.4github.com/aws/aws-sdk-go-v2/service/connectcases: v1.39.1github.com/aws/aws-sdk-go-v2/service/connectcontactlens: v1.33.13github.com/aws/aws-sdk-go-v2/service/connecthealth: v1.0.3github.com/aws/aws-sdk-go-v2/service/connectparticipant: v1.36.7github.com/aws/aws-sdk-go-v2/service/controlcatalog: v1.14.9github.com/aws/aws-sdk-go-v2/service/controltower: v1.28.9github.com/aws/aws-sdk-go-v2/service/costandusagereportservice: v1.34.13github.com/aws/aws-sdk-go-v2/service/costexplorer: v1.63.6github.com/aws/aws-sdk-go-v2/service/costoptimizationhub: v1.22.8github.com/aws/aws-sdk-go-v2/service/customerprofiles: v1.57.2github.com/aws/aws-sdk-go-v2/service/databasemigrationservice: v1.61.10github.com/aws/aws-sdk-go-v2/service/databrew: v1.39.14github.com/aws/aws-sdk-go-v2/service/dataexchange: v1.40.14github.com/aws/aws-sdk-go-v2/service/datapipeline: v1.30.20github.com/aws/aws-sdk-go-v2/service/datasync: v1.58.2github.com/aws/aws-sdk-go-v2/service/datazone: v1.54.2github.com/aws/aws-sdk-go-v2/service/dax: v1.29.16github.com/aws/aws-sdk-go-v2/service/deadline: v1.26.2github.com/aws/aws-sdk-go-v2/service/detective: v1.38.13github.com/aws/aws-sdk-go-v2/service/devicefarm: v1.38.8github.com/aws/aws-sdk-go-v2/service/devopsguru: v1.40.12github.com/aws/aws-sdk-go-v2/service/directconnect: v1.38.15github.com/aws/aws-sdk-go-v2/service/directoryservice: v1.38.16github.com/aws/aws-sdk-go-v2/service/directoryservicedata: v1.7.21github.com/aws/aws-sdk-go-v2/service/dlm: v1.35.16github.com/aws/aws-sdk-go-v2/service/docdb: v1.48.13github.com/aws/aws-sdk-go-v2/service/docdbelastic: v1.20.13github.com/aws/aws-sdk-go-v2/service/drs: v1.36.13Configuration
📅 Schedule: (in timezone Etc/UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.