Conversation

rhamzeh
Member

@rhamzeh rhamzeh commented Aug 12, 2025

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Upgraded Go toolchain and refreshed numerous dependencies to current versions.
    • Improves overall stability, performance, and compatibility across environments.
    • Enhances observability stack (metrics and tracing) for more reliable monitoring.
    • No changes to user-facing features or APIs.

@rhamzeh rhamzeh requested a review from a team as a code owner August 12, 2025 03:49
Contributor

coderabbitai bot commented Aug 12, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updated Go toolchain directives and bumped multiple dependencies in go.mod, including OpenFGA modules, protobuf/GRPC/genproto, CEL stack, backoff, mapstructure, cpuid, Prometheus, OpenTelemetry, and golang.org/x packages.

Changes

Cohort / File(s): Summary of Changes

  • Toolchain (go.mod): go directive set to 1.24.0; added toolchain go1.24.6.
  • OpenFGA modules (go.mod): Updated openfga/api/proto, openfga/language/pkg/go, and openfga/openfga (e.g., openfga to v1.9.3; proto and language to 2025-08/20250812 revisions).
  • Protobuf/GRPC/Genproto (go.mod): Upgraded google.golang.org/protobuf to v1.36.7; google.golang.org/grpc to v1.74.2; genproto/api and genproto/rpc to latest 20250811230008-style revisions.
  • CEL stack (go.mod): Updated cel.dev/expr to v0.24.0; google/cel-go to v0.26.0 and related CEL deps.
  • Backoff (go.mod): Bumped backoff from v4 to v5.
  • Mapstructure (go.mod): Updated github.com/mitchellh/mapstructure to v2.4.0.
  • CPU ID (go.mod): Updated github.com/klauspost/cpuid/v2 to v2.3.0.
  • Prometheus stack (go.mod): Upgraded client_golang to v1.23.0; common to v0.65.0; procfs to v0.17.0.
  • OpenTelemetry (go.mod): Updated to v1.37.x for otel core, OTLP exporters, and OTLP proto.
  • golang.org/x (go.mod): Updated x/exp, x/net, x/sync, x/sys, x/term, x/text to newer revisions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


socket-security bot commented Aug 12, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: github.com/openfga/openfga@v1.9.3 has a License Policy Violation.

License: CC-BY-SA-4.0 (NOTICE)

License: MPL-2.0 (NOTICE)

License: MPL-2.0 (NOTICE)

License: CC-BY-4.0 (NOTICE)

License: CC-BY-SA-4.0 (NOTICE)

License: GPL-2.0-only (NOTICE)

License: GPL-2.0-or-later (NOTICE)

License: MPL-2.0 (NOTICE)

From: go.mod -> golang/github.com/openfga/openfga@v1.9.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/openfga/openfga@v1.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: High | Alert: modernc.org/libc@v1.66.3 has a License Policy Violation.

License: GPL-2.0+ (testdata/nsz.repo.hu/libc-test/src/math/crlibm/COPYING)

License: LGPL-2.1-or-later (grp/grp_linux_386.go)

License: LGPL-2.1-or-later (utime/utime_linux_riscv64.go)

License: LGPL-2.1-or-later (utime/utime_linux_arm.go)

License: LGPL-2.1-or-later (wctype/wctype_linux_386.go)

License: LGPL-2.1-or-later (wctype/wctype_linux_riscv64.go)

License: LGPL-2.1-or-later (grp/grp_linux_arm.go)

License: LGPL-2.1-or-later (sys/vfs/vfs_linux_386.go)

License: LGPL-2.1-or-later (utime/utime_linux_386.go)

License: LGPL-2.1-or-later (wctype/wctype_linux_arm64.go)

License: LGPL-2.1-or-later (utime/utime_linux_arm64.go)

License: LGPL-2.1-or-later (wctype/wctype_linux_arm.go)

License: LGPL-2.1-or-later (utime/utime_linux_s390x.go)

License: LGPL-2.1-or-later (wctype/wctype_linux_s390x.go)

License: LGPL-2.1-or-later (sys/vfs/vfs_linux_arm.go)

License: LGPL-2.1-or-later (langinfo/langinfo_linux_386.go)

License: LGPL-2.1-or-later (poll/poll_linux_arm.go)

License: LGPL-2.1-or-later (langinfo/langinfo_linux_arm.go)

License: LGPL-2.1-or-later (langinfo/langinfo_linux_riscv64.go)

License: LGPL-2.1-or-later (poll/poll_linux_386.go)

License: LGPL-2.1-or-later (pwd/pwd_linux_386.go)

License: LGPL-2.1-or-later (langinfo/langinfo_linux_arm64.go)

License: LGPL-2.1-or-later (langinfo/langinfo_linux_s390x.go)

License: LGPL-2.1-or-later (pwd/pwd_linux_arm.go)

License: GPL-2.0-or-later (poll/poll_linux_s390x.go)

License: GPL-2.0-or-later (sys/vfs/vfs_linux_s390x.go)

License: GPL-2.0-or-later (poll/poll_linux_riscv64.go)

License: GPL-2.0-or-later (sys/vfs/vfs_linux_riscv64.go)

License: GPL-2.0-or-later (langinfo/langinfo_linux_amd64.go)

License: GPL-2.0-or-later (poll/poll_linux_arm64.go)

License: GPL-2.0-or-later (langinfo/langinfo_linux_mips64le.go)

From: ? -> golang/github.com/openfga/openfga@v1.9.3 -> golang/modernc.org/libc@v1.66.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/modernc.org/libc@v1.66.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
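Both alerts above mix two different kinds of evidence: a license identifier quoted inside a NOTICE or COPYING file (which typically records third-party attributions the module redistributes) and a license header on an individual source file (which says what license that code is actually under). The Go program below is an added example written for this page, not Socket's or the openfga/cli project's code: it parses `License: <id> (<file>)` lines of the form shown in the alerts, normalizes the deprecated `GPL-2.0+` spelling to `GPL-2.0-or-later` so the two spellings in the libc alert compare equal, and, against a constructed deny-list of copyleft and share-alike license families, separates findings that need action (a denied license on a source file) from findings that only need a manual look (a denied license seen only in a license text file). The two alert constants are abbreviated excerpts of the bot output on this page, and the deny-list is an assumption, not anyone's real policy.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// LicenseFinding is one "License: <spdx-id> (<file>)" line from a Socket license alert.
type LicenseFinding struct {
	ID   string // SPDX identifier, normalized by NormalizeSPDX
	Path string // file in the module where the detector saw it
}

// findingRe matches lines such as: License: LGPL-2.1-or-later (grp/grp_linux_386.go)
var findingRe = regexp.MustCompile(`^License:\s+(\S+)\s+\((.+)\)$`)

// NormalizeSPDX maps the deprecated "+" suffix (GPL-2.0+) onto the current
// "-or-later" form so both spellings in an alert compare equal.
func NormalizeSPDX(id string) string {
	if strings.HasSuffix(id, "+") {
		return strings.TrimSuffix(id, "+") + "-or-later"
	}
	return id
}

// ParseFindings extracts every license finding from the alert text; other lines are ignored.
func ParseFindings(alert string) []LicenseFinding {
	var out []LicenseFinding
	for _, line := range strings.Split(alert, "\n") {
		if m := findingRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			out = append(out, LicenseFinding{ID: NormalizeSPDX(m[1]), Path: m[2]})
		}
	}
	return out
}

// DeniedPrefixes is a constructed policy (an assumption for this example): license
// families not accepted in code the organization ships; anything else is allowed.
var DeniedPrefixes = []string{"GPL-", "LGPL-", "AGPL-", "CC-BY-SA-"}

func denied(id string) bool {
	for _, p := range DeniedPrefixes {
		if strings.HasPrefix(id, p) {
			return true
		}
	}
	return false
}

// isLicenseTextFile reports whether a finding comes from a license/attribution file
// rather than from source. A NOTICE quoting GPL text usually means the module
// redistributes someone else's notice, not that its own code is GPL-licensed.
func isLicenseTextFile(p string) bool {
	switch strings.ToUpper(strings.TrimSuffix(path.Base(p), path.Ext(p))) {
	case "NOTICE", "LICENSE", "LICENCE", "COPYING", "COPYRIGHT":
		return true
	}
	return false
}

// Triage separates denied licenses detected on source files (actionable) from those
// seen only in license text files (check by hand before blocking the bump).
type Triage struct {
	InSource   map[string][]string // denied license ID -> source files, sorted
	NoticeOnly []string            // denied license IDs seen only in license text files, sorted
}

func TriageFindings(findings []LicenseFinding) Triage {
	t := Triage{InSource: map[string][]string{}}
	inText := map[string]bool{}
	for _, f := range findings {
		switch {
		case !denied(f.ID): // allowed by policy, nothing to triage
		case isLicenseTextFile(f.Path):
			inText[f.ID] = true
		default:
			t.InSource[f.ID] = append(t.InSource[f.ID], f.Path)
		}
	}
	for id := range inText {
		if _, ok := t.InSource[id]; !ok {
			t.NoticeOnly = append(t.NoticeOnly, id)
		}
	}
	for id := range t.InSource {
		sort.Strings(t.InSource[id])
	}
	sort.Strings(t.NoticeOnly)
	return t
}

// Constructed excerpts of the two alerts on this PR, not the full bot output.
const SocketAlertOpenFGA = `github.com/openfga/openfga@v1.9.3 has a License Policy Violation.
License: CC-BY-SA-4.0 (NOTICE)
License: MPL-2.0 (NOTICE)
License: CC-BY-4.0 (NOTICE)
License: CC-BY-SA-4.0 (NOTICE)
License: GPL-2.0-only (NOTICE)
License: GPL-2.0-or-later (NOTICE)`

const SocketAlertLibc = `modernc.org/libc@v1.66.3 has a License Policy Violation.
License: GPL-2.0+ (testdata/nsz.repo.hu/libc-test/src/math/crlibm/COPYING)
License: LGPL-2.1-or-later (grp/grp_linux_386.go)
License: LGPL-2.1-or-later (utime/utime_linux_riscv64.go)
License: GPL-2.0-or-later (poll/poll_linux_s390x.go)`

func main() {
	for _, alert := range []string{SocketAlertOpenFGA, SocketAlertLibc} {
		t := TriageFindings(ParseFindings(alert))
		fmt.Printf("in source (actionable): %v\nnotice-only (verify): %v\n", t.InSource, t.NoticeOnly)
	}
}
```

On the excerpts above the openfga alert yields no source-file findings and three notice-only identifiers to look at by hand, while the libc alert yields LGPL and GPL headers on real source files, which is the finding a reviewer has to decide on; the COPYING file under testdata drops out because the same identifier already appears on a source file.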

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🔭 Outside diff range comments (1)
go.mod (1)

1-94: Audit dependencies: tidy, prune unused, and scan for vulnerabilities

  • Run go mod tidy -compat=1.24 to normalize module metadata and refresh go.sum.
  • Identify and remove any unused direct requirements, for example:
    go list -m -f '{{if not .Indirect}}{{.Path}}@{{.Version}}{{end}}' all
  • Perform a vulnerability sweep. We recommend installing and using Go’s vulnerability checker:
    go install golang.org/x/vuln/cmd/govulncheck@latest
    govulncheck ./...
  • Commit any updates to go.mod and go.sum.

Let me know if you’d like a follow-up PR to align the CI Go version, run tidy, and prune unused deps.

🧹 Nitpick comments (2)
go.mod (2)

67-68: Prefer stable tags over pseudo-versions when possible

sagikazarmark/locafero and sourcegraph/conc are on pseudo-versions. If feasible, pin to the nearest stable tag to improve reproducibility. If they’re transient-only, it’s fine.


15-19: Retain github.com/openfga/openfga require; verify version compatibility

Confirmed via go mod why -m github.com/openfga/openfga that the CLI module imports it directly in:

  • github.com/openfga/cli/internal/storetest
  • github.com/openfga/openfga/pkg/server

Do not drop the direct require. Instead, please ensure that the following pinned versions work together in the CLI:

  • github.com/openfga/api/proto v0.0.0-20250806222926-60b2b183a749
  • github.com/openfga/go-sdk v0.7.1
  • github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250812011519-a7cd7602df5d
  • github.com/openfga/openfga v1.9.3

Run your full test suite and smoke-test any language or proto-driven commands to confirm compatibility.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35d9cb1 and 7c1c652.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (5 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test Release Process
  • GitHub Check: Tests
  • GitHub Check: Analyze (go)
🔇 Additional comments (5)
go.mod (5)

1-94: Overall: deps bump looks coherent; main blocker is the go directive format

Aside from the go 1.24.0 issue, the upgrades are generally consistent and modernize the stack. Once the directive is fixed and basic verifications pass, this should be good to merge.


62-66: No direct Prometheus imports found—indirect upgrade only

Ran a repository-wide search for “prometheus” outside vendor/ and only saw references in go.mod/go.sum. There are no direct imports of Prometheus client APIs, so this indirect-only version bump does not require any code changes or deprecation checks.


36-36: No direct backoff/v4 imports found

The backoff/v4 entries in go.sum are from transitive dependencies. Your go.mod only requires v5, and there are no import "github.com/cenkalti/backoff/v4" usages in the code. No changes needed.


32-32: No direct imports of CEL packages found

A search across all Go files shows neither cel.dev/expr nor github.com/google/cel-go is imported directly. Both entries in go.mod are indirect transitive dependencies. No changes are needed at this time—if you later add direct CEL usage, pick a single stack to avoid mixing.


75-81: No direct OpenTelemetry usage found; v1.37 bump is safe

I searched all Go files for any imports or calls against the upgraded Otel modules (go.opentelemetry.io/otel/..., SDK metric/trace, provider setup functions) and found none. Since your code doesn’t directly reference tracer/meter providers or metric instruments, the indirect version bump to v1.37.0 requires no changes.
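Two of the review points above, pruning unused direct requirements and preferring tags over pseudo-versions, can be checked from go.mod itself. The Go program below is an added example written for this page, not code from the openfga/cli project or from CodeRabbit: it parses the go and toolchain directives and the block-form require sections that go mod tidy writes, splits requirements by the `// indirect` marker, and flags direct requirements pinned to pseudo-versions (the 14-digit timestamp plus 12-hex commit form, including the variant appended to a pre-release tag such as the language module here). SampleGoMod is a constructed excerpt that reuses versions named in this PR; it is not the project's real go.mod. Because it reads the `// indirect` markers rather than resolving the module graph the way `go list -m` does, it should be run after go mod tidy, which is what keeps those markers accurate.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// AuditReport is what Audit derives from a go.mod without resolving the module graph.
type AuditReport struct {
	GoDirective, Toolchain string
	Direct, Indirect       []string // path@version, split by the "// indirect" marker, sorted by path
	Pseudo                 []string // direct requirements pinned to pseudo-versions (candidates to pin to a tag)
}

// pseudoVersionRe matches the "<14-digit UTC timestamp>-<12 hex commit>" tail of a Go
// pseudo-version, whether it follows a base version (v0.0.0-20250806222926-60b2b183a749)
// or is appended to a pre-release tag (v0.2.0-beta.2.0.20250812011519-a7cd7602df5d).
var pseudoVersionRe = regexp.MustCompile(`[.-]\d{14}-[0-9a-f]{12}$`)

// Audit parses the go/toolchain directives and block-form require sections (the layout
// go mod tidy writes) and classifies each requirement. Run it after go mod tidy, which
// is what keeps the "// indirect" markers accurate.
func Audit(src string) (AuditReport, error) {
	type req struct {
		path, version string
		indirect      bool
	}
	var (
		r       AuditReport
		reqs    []req
		inBlock bool
	)
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case len(f) == 0 || strings.HasPrefix(line, "//"): // blank or comment line
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if len(f) < 2 {
				return r, fmt.Errorf("malformed require line: %q", line)
			}
			reqs = append(reqs, req{f[0], f[1], strings.Contains(line, "// indirect")})
		case line == "require (":
			inBlock = true
		case len(f) == 2 && f[0] == "go":
			r.GoDirective = f[1]
		case len(f) == 2 && f[0] == "toolchain":
			r.Toolchain = f[1]
		}
	}
	if err := sc.Err(); err != nil {
		return r, err
	}
	sort.Slice(reqs, func(i, j int) bool { return reqs[i].path < reqs[j].path })
	for _, q := range reqs {
		entry := q.path + "@" + q.version
		switch {
		case q.indirect:
			r.Indirect = append(r.Indirect, entry)
		case pseudoVersionRe.MatchString(q.version):
			r.Direct, r.Pseudo = append(r.Direct, entry), append(r.Pseudo, entry)
		default:
			r.Direct = append(r.Direct, entry)
		}
	}
	return r, nil
}

// SampleGoMod is a constructed excerpt that reuses versions named in this PR; it is
// not the project's real go.mod.
const SampleGoMod = `module github.com/openfga/cli
go 1.24.0
toolchain go1.24.6
require (
	github.com/openfga/api/proto v0.0.0-20250806222926-60b2b183a749
	github.com/openfga/go-sdk v0.7.1
	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250812011519-a7cd7602df5d
	github.com/openfga/openfga v1.9.3
	google.golang.org/grpc v1.74.2
)
require (
	google.golang.org/protobuf v1.36.7 // indirect
	modernc.org/libc v1.66.3 // indirect
)`

func main() {
	r, err := Audit(SampleGoMod)
	if err != nil {
		panic(err)
	}
	fmt.Printf("go %s (toolchain %s)\ndirect: %v\nindirect: %v\npseudo-versioned: %v\n",
		r.GoDirective, r.Toolchain, r.Direct, r.Indirect, r.Pseudo)
}
```

The Direct list is the set to compare against actual imports when pruning; anything in it that no package imports is a candidate to drop before tidy. The Pseudo list is the reproducibility concern raised in the nitpick: a pseudo-version pins a commit rather than a reviewed release, so each entry is worth checking for a nearby tag.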

@rhamzeh rhamzeh added this pull request to the merge queue Aug 12, 2025
Merged via the queue into main with commit 283e52b Aug 12, 2025
22 checks passed
@rhamzeh rhamzeh deleted the chore/bump-deps branch August 12, 2025 05:19