chore(deps): update module github.com/twmb/franz-go/pkg/kmsg to v2#579
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughThe ChangesIndirect Dependency Upgrade
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 117: The go.mod file has been updated to replace the indirect dependency
kmsg v1.13.1 with kmsg/v2 v2.0.1, but go.sum needs to be synchronized with this
change. Run go mod tidy to update go.sum and remove the old kmsg v1.13.1 entries
while adding the new kmsg/v2 v2.0.1 entries. Additionally, verify and document
in the commit message or pull request why this major version bump upgrade is
necessary, such as whether it is required by another dependency upgrade,
addresses a security concern, or provides needed functionality. If this is a
routine automated dependency update without clear functional benefits, consider
whether the maintenance burden justifies upgrading a transitive dependency.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: e21eff83-24b7-4d09-8c56-76429d716ac2
📒 Files selected for processing (1)
go.mod
| github.com/spf13/pflag v1.0.10 // indirect | ||
| github.com/twmb/franz-go v1.21.2 // indirect | ||
| github.com/twmb/franz-go/pkg/kmsg v1.13.1 // indirect | ||
| github.com/twmb/franz-go/pkg/kmsg/v2 v2.0.1 // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify: (1) Direct kmsg imports in codebase, (2) franz-go v1.21.2 changelog for kmsg v2 support
# Check for direct imports of kmsg in Go source files
echo "=== Checking for direct kmsg imports in codebase ==="
rg -l 'kmsg' --type=go | head -20
# Check imports within Go files to understand usage pattern
echo "=== Searching for kmsg package imports ==="
rg '^\s*import.*kmsg' --type=go -A 2 -B 2 | head -30
# Check if go.sum has entries for both v1 and v2 (would indicate version conflict)
echo "=== Checking go.sum for kmsg entries ==="
grep 'twmb/franz-go.*kmsg' go.sum || echo "No kmsg entries in go.sum yet"
# Try to find franz-go's go.mod or vendored kmsg to see its actual dependency
echo "=== Searching for franz-go module files or vendored dependencies ==="
fd -e go.mod | xargs grep -l 'franz-go\|kmsg' 2>/dev/null | head -5Repository: openshift/configure-alertmanager-operator
Length of output: 240
🏁 Script executed:
# Read go.mod to see kmsg and franz-go entries
echo "=== go.mod entries for franz-go and kmsg ==="
grep -E "franz-go|kmsg" go.mod | head -20
echo ""
echo "=== go.sum entries for kmsg (all versions) ==="
grep 'twmb/franz-go.*kmsg' go.sum 2>/dev/null || echo "Checking all kmsg entries..."
grep 'kmsg' go.sum 2>/dev/null | head -10
echo ""
echo "=== Verify no direct kmsg imports in source ==="
find . -name "*.go" -type f ! -path "./vendor/*" ! -path "./.git/*" -exec grep -l "import.*kmsg" {} \; | head -5
echo ""
echo "=== Check for any franz-go vendored module or replace directive ==="
grep -i "replace\|require.*franz" go.modRepository: openshift/configure-alertmanager-operator
Length of output: 925
🌐 Web query:
franz-go v1.21.2 kmsg v2 compatibility changelog
💡 Result:
The franz-go v1.21.2 release is a patch version that includes minor bug fixes and one feature, as detailed in the project's official changelog [1]. Regarding compatibility, franz-go is structured as a modular library where packages like kmsg (the raw-protocol package) are released independently [2][3]. The library supports kmsg v2 as a distinct module (github.com/twmb/franz-go/pkg/kmsg/v2) [3]. Users typically manage these dependencies separately within their go.mod files [2]. Changelog for v1.21.2: - Fixed an issue where PurgeTopicsFromConsuming did not correctly persist deleted topics when specific partitions were paused [1]. - Removed a spurious UNSTABLE_OFFSET_COMMIT fetch error in PollFetches that occurred when OffsetFetch retries were canceled [1]. - Added support for custom AWS MSK DNS names in the MSK IAM SASL mechanism [1]. - Updated dependencies to include a fix for a stack-splitting bug in klauspost/compress [1]. There are no documented breaking changes related to kmsg v2 compatibility in the v1.21.2 release notes [1]. Users should refer to their go.mod requirements to ensure appropriate versions of the kmsg or kmsg/v2 modules are linked [2].
Citations:
- 1: https://github.com/twmb/franz-go/blob/master/CHANGELOG.md
- 2: https://pkg.go.dev/github.com/twmb/franz-go/pkg
- 3: https://deps.dev/project/github/twmb%2Ffranz-go
🌐 Web query:
kmsg v2.0.1 CVE security vulnerabilities osv.dev
💡 Result:
There is no evidence of a specific security vulnerability associated with a software package named kmsg version 2.0.1 in the Open Source Vulnerability (OSV.dev) database or general CVE records. The term "kmsg" typically refers to the Linux kernel ring buffer device (/dev/kmsg) rather than a standalone software product versioned at 2.0.1 [1]. While there is a Go language library named kmsg-parser that has had 2.0.x versions (e.g., 2.0.1) [1][2], it is not a primary target for security vulnerabilities under that specific name in major databases. It is possible the query stems from confusion with: 1. Linux Kernel security issues: The /dev/kmsg interface is part of the Linux kernel [1]. Security bulletins often mention "kmsg" in the context of kernel vulnerabilities (e.g., potential kernel crashes or log pollution) [3][4], but these are tracked under Linux Kernel CVEs, not as a standalone "kmsg 2.0.1" vulnerability. 2. Tooling confusion: The OSV.dev database and the OSV-Scanner tool (now at V2) [5] are used to track vulnerabilities in various ecosystems. Users sometimes conflate the name of a security tool (like OSV-Scanner) with the software being scanned [5]. If you are investigating a specific dependency, you can search for the package's specific ecosystem identifier (e.g., its PURL or GitHub repository path) on the official OSV.dev website to get definitive, version-specific vulnerability information [6][7].
Citations:
- 1: https://fedora.pkgs.org/rawhide/fedora-aarch64/golang-github-euank-kmsg-parser-devel-2.0.1-23.fc44.noarch.rpm.html
- 2: https://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/cisco_workflow/WorkflowManagerSoftware-12-1727188765.pdf
- 3: https://edelivery.windriver.com/release/ols/cms/1771369824/wrlinux-security-bulletin-2026-02-17.pdf
- 4: https://ftp.software.ibm.com/storage/spplus/10.1.8/OS/repodata/9f0053f969e9c3dee88d78d2f4eda0f006f5ea504cab7d44bbfabb458b06880c-other.xml.gz
- 5: https://blog.google/security/announcing-osv-scanner-v2-vulnerability/
- 6: https://openssf.org/blog/2026/05/20/detecting-malicious-packages-using-the-osv-api/
- 7: https://static.sched.com/hosted_files/openssfdayeu2023/fa/OSV%20and%20the%20Life%20of%20an%20Open%20Source%20Vulnerability.pdf
Verify go.sum is updated with kmsg/v2 v2.0.1 and confirm upgrade necessity.
The change replaces an indirect dependency on kmsg v1.13.1 with kmsg/v2 v2.0.1. While this is a major version bump, the evidence shows:
- franz-go v1.21.2 explicitly supports kmsg/v2: franz-go is structured as a modular library where kmsg is released independently; v1.21.2 has no documented breaking changes related to kmsg v2 compatibility.
- No known CVEs found for kmsg v2.0.1.
- Indirect label is correct: No direct kmsg imports in the codebase.
Minor items to verify:
- go.sum sync: go.sum currently still shows kmsg v1.13.1 entries. Ensure
go mod tidyis run to sync go.sum with the go.mod change. - Upgrade justification: Confirm this is necessary (e.g., required by a dependent package upgrade) or beneficial (e.g., security fix, feature needed). If it's a routine Renovate bump with no functional benefit, consider whether upgrading a transitive dependency adds maintenance burden.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 117, The go.mod file has been updated to replace the indirect
dependency kmsg v1.13.1 with kmsg/v2 v2.0.1, but go.sum needs to be synchronized
with this change. Run go mod tidy to update go.sum and remove the old kmsg
v1.13.1 entries while adding the new kmsg/v2 v2.0.1 entries. Additionally,
verify and document in the commit message or pull request why this major version
bump upgrade is necessary, such as whether it is required by another dependency
upgrade, addresses a security concern, or provides needed functionality. If this
is a routine automated dependency update without clear functional benefits,
consider whether the maintenance burden justifies upgrading a transitive
dependency.
Source: Path instructions
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
6b386b9 to
a111ef5
Compare
|
@red-hat-konflux[bot]: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR contains the following updates:
v1.13.1→v2.0.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone UTC)
* 2-4 * * 1-5)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.