Skip to content

chore(deps): update module github.com/twmb/franz-go/pkg/kmsg to v2#579

Open
red-hat-konflux[bot] wants to merge 1 commit into
masterfrom
konflux/mintmaker/master/github.com-twmb-franz-go-pkg-kmsg-2.x
Open

chore(deps): update module github.com/twmb/franz-go/pkg/kmsg to v2#579
red-hat-konflux[bot] wants to merge 1 commit into
masterfrom
konflux/mintmaker/master/github.com-twmb-franz-go-pkg-kmsg-2.x

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/twmb/franz-go/pkg/kmsg v1.13.1v2.0.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • Between 02:00 AM and 04:59 AM, Monday through Friday (* 2-4 * * 1-5)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added area/dependency Issues or PRs related to dependency changes major-update manual-review-required ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 99fac32e-661e-4779-8b89-5f7a16226f19

📥 Commits

Reviewing files that changed from the base of the PR and between 6b386b9 and a111ef5.

📒 Files selected for processing (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Walkthrough

The go.mod file is updated to replace the indirect dependency github.com/twmb/franz-go/pkg/kmsg at v1.13.1 with the major-version module path github.com/twmb/franz-go/pkg/kmsg/v2 at v2.0.1.

Changes

Indirect Dependency Upgrade

Layer / File(s) Summary
Replace kmsg indirect dependency with v2 module
go.mod
Line 117 swaps github.com/twmb/franz-go/pkg/kmsg v1.13.1 for github.com/twmb/franz-go/pkg/kmsg/v2 v2.0.1 as an indirect dependency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency major version upgrade to github.com/twmb/franz-go/pkg/kmsg v2.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo titles found are static string literals; no dynamic suffixes, timestamps, UUIDs, node/namespace/IP values, or variable-based titles appear.
Test Structure And Quality ✅ Passed Only a go.mod dependency bump changed; no Ginkgo test files or test logic were modified, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR only updates go.mod dependency; no new or modified Ginkgo e2e tests were added to audit for MicroShift incompatibilities.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only go.mod changed (franz-go/kmsg v1→v2); no new Ginkgo/e2e tests or SNO-sensitive code were added, so this check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only go.mod changed for a kmsg dependency update; no manifests, controllers, or scheduling constraints were modified.
Ote Binary Stdout Contract ✅ Passed Only go.mod changed; no process-level code or stdout writes were added by this PR.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only go.mod changed (franz-go kmsg v1→v2); no Ginkgo/e2e test files or network-related test code were added.
No-Weak-Crypto ✅ Passed PR only bumps an indirect Go module; no added MD5/SHA1/DES/RC4/ECB, custom crypto, or unsafe secret/token comparisons were found.
Container-Privileges ✅ Passed Only go.mod changed; no manifest files were modified, and no privileged container settings appear in the diff.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The PR only changes go.mod to bump a dependency; no logging code or sensitive-data strings were added.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/master/github.com-twmb-franz-go-pkg-kmsg-2.x

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from clcollins and typeid June 24, 2026 04:21
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign xiaoyu74 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 117: The go.mod file has been updated to replace the indirect dependency
kmsg v1.13.1 with kmsg/v2 v2.0.1, but go.sum needs to be synchronized with this
change. Run go mod tidy to update go.sum and remove the old kmsg v1.13.1 entries
while adding the new kmsg/v2 v2.0.1 entries. Additionally, verify and document
in the commit message or pull request why this major version bump upgrade is
necessary, such as whether it is required by another dependency upgrade,
addresses a security concern, or provides needed functionality. If this is a
routine automated dependency update without clear functional benefits, consider
whether the maintenance burden justifies upgrading a transitive dependency.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e21eff83-24b7-4d09-8c56-76429d716ac2

📥 Commits

Reviewing files that changed from the base of the PR and between 2b34c8e and 6b386b9.

📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/spf13/pflag v1.0.10 // indirect
github.com/twmb/franz-go v1.21.2 // indirect
github.com/twmb/franz-go/pkg/kmsg v1.13.1 // indirect
github.com/twmb/franz-go/pkg/kmsg/v2 v2.0.1 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify: (1) Direct kmsg imports in codebase, (2) franz-go v1.21.2 changelog for kmsg v2 support

# Check for direct imports of kmsg in Go source files
echo "=== Checking for direct kmsg imports in codebase ==="
rg -l 'kmsg' --type=go | head -20

# Check imports within Go files to understand usage pattern
echo "=== Searching for kmsg package imports ==="
rg '^\s*import.*kmsg' --type=go -A 2 -B 2 | head -30

# Check if go.sum has entries for both v1 and v2 (would indicate version conflict)
echo "=== Checking go.sum for kmsg entries ==="
grep 'twmb/franz-go.*kmsg' go.sum || echo "No kmsg entries in go.sum yet"

# Try to find franz-go's go.mod or vendored kmsg to see its actual dependency
echo "=== Searching for franz-go module files or vendored dependencies ==="
fd -e go.mod | xargs grep -l 'franz-go\|kmsg' 2>/dev/null | head -5

Repository: openshift/configure-alertmanager-operator

Length of output: 240


🏁 Script executed:

# Read go.mod to see kmsg and franz-go entries
echo "=== go.mod entries for franz-go and kmsg ==="
grep -E "franz-go|kmsg" go.mod | head -20

echo ""
echo "=== go.sum entries for kmsg (all versions) ==="
grep 'twmb/franz-go.*kmsg' go.sum 2>/dev/null || echo "Checking all kmsg entries..."
grep 'kmsg' go.sum 2>/dev/null | head -10

echo ""
echo "=== Verify no direct kmsg imports in source ==="
find . -name "*.go" -type f ! -path "./vendor/*" ! -path "./.git/*" -exec grep -l "import.*kmsg" {} \; | head -5

echo ""
echo "=== Check for any franz-go vendored module or replace directive ==="
grep -i "replace\|require.*franz" go.mod

Repository: openshift/configure-alertmanager-operator

Length of output: 925


🌐 Web query:

franz-go v1.21.2 kmsg v2 compatibility changelog

💡 Result:

The franz-go v1.21.2 release is a patch version that includes minor bug fixes and one feature, as detailed in the project's official changelog [1]. Regarding compatibility, franz-go is structured as a modular library where packages like kmsg (the raw-protocol package) are released independently [2][3]. The library supports kmsg v2 as a distinct module (github.com/twmb/franz-go/pkg/kmsg/v2) [3]. Users typically manage these dependencies separately within their go.mod files [2]. Changelog for v1.21.2: - Fixed an issue where PurgeTopicsFromConsuming did not correctly persist deleted topics when specific partitions were paused [1]. - Removed a spurious UNSTABLE_OFFSET_COMMIT fetch error in PollFetches that occurred when OffsetFetch retries were canceled [1]. - Added support for custom AWS MSK DNS names in the MSK IAM SASL mechanism [1]. - Updated dependencies to include a fix for a stack-splitting bug in klauspost/compress [1]. There are no documented breaking changes related to kmsg v2 compatibility in the v1.21.2 release notes [1]. Users should refer to their go.mod requirements to ensure appropriate versions of the kmsg or kmsg/v2 modules are linked [2].

Citations:


🌐 Web query:

kmsg v2.0.1 CVE security vulnerabilities osv.dev

💡 Result:

There is no evidence of a specific security vulnerability associated with a software package named kmsg version 2.0.1 in the Open Source Vulnerability (OSV.dev) database or general CVE records. The term "kmsg" typically refers to the Linux kernel ring buffer device (/dev/kmsg) rather than a standalone software product versioned at 2.0.1 [1]. While there is a Go language library named kmsg-parser that has had 2.0.x versions (e.g., 2.0.1) [1][2], it is not a primary target for security vulnerabilities under that specific name in major databases. It is possible the query stems from confusion with: 1. Linux Kernel security issues: The /dev/kmsg interface is part of the Linux kernel [1]. Security bulletins often mention "kmsg" in the context of kernel vulnerabilities (e.g., potential kernel crashes or log pollution) [3][4], but these are tracked under Linux Kernel CVEs, not as a standalone "kmsg 2.0.1" vulnerability. 2. Tooling confusion: The OSV.dev database and the OSV-Scanner tool (now at V2) [5] are used to track vulnerabilities in various ecosystems. Users sometimes conflate the name of a security tool (like OSV-Scanner) with the software being scanned [5]. If you are investigating a specific dependency, you can search for the package's specific ecosystem identifier (e.g., its PURL or GitHub repository path) on the official OSV.dev website to get definitive, version-specific vulnerability information [6][7].

Citations:


Verify go.sum is updated with kmsg/v2 v2.0.1 and confirm upgrade necessity.

The change replaces an indirect dependency on kmsg v1.13.1 with kmsg/v2 v2.0.1. While this is a major version bump, the evidence shows:

  • franz-go v1.21.2 explicitly supports kmsg/v2: franz-go is structured as a modular library where kmsg is released independently; v1.21.2 has no documented breaking changes related to kmsg v2 compatibility.
  • No known CVEs found for kmsg v2.0.1.
  • Indirect label is correct: No direct kmsg imports in the codebase.

Minor items to verify:

  • go.sum sync: go.sum currently still shows kmsg v1.13.1 entries. Ensure go mod tidy is run to sync go.sum with the go.mod change.
  • Upgrade justification: Confirm this is necessary (e.g., required by a dependent package upgrade) or beneficial (e.g., security fix, feature needed). If it's a routine Renovate bump with no functional benefit, consider whether upgrading a transitive dependency adds maintenance burden.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 117, The go.mod file has been updated to replace the indirect
dependency kmsg v1.13.1 with kmsg/v2 v2.0.1, but go.sum needs to be synchronized
with this change. Run go mod tidy to update go.sum and remove the old kmsg
v1.13.1 entries while adding the new kmsg/v2 v2.0.1 entries. Additionally,
verify and document in the commit message or pull request why this major version
bump upgrade is necessary, such as whether it is required by another dependency
upgrade, addresses a security concern, or provides needed functionality. If this
is a routine automated dependency update without clear functional benefits,
consider whether the maintenance burden justifies upgrading a transitive
dependency.

Source: Path instructions

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-twmb-franz-go-pkg-kmsg-2.x branch from 6b386b9 to a111ef5 Compare June 26, 2026 04:18
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images a111ef5 link true /test images
ci/prow/coverage a111ef5 link true /test coverage
ci/prow/test a111ef5 link true /test test
ci/prow/lint a111ef5 link true /test lint
ci/prow/validate a111ef5 link true /test validate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/dependency Issues or PRs related to dependency changes major-update manual-review-required ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants