chore(deps): update dependencies #10893

Closed
reneleonhardt wants to merge 2 commits into cli:trunk from reneleonhardt:chore/updates

@reneleonhardt reneleonhardt commented Apr 29, 2025

Updated

  • Go toolchain to 1.23.8
  • Go dependencies (reducing 19 years of technical debt to 1 year)

Not Updated

  • github.com/microsoft/dev-tunnels v0.1.13 breaks tests # minor v0.0.25 (370 days)
    0.1.0 has been released 2023-10-11 (no changelog available, no releases, no release notes)

Suggestions

  • Consider allowing at least minor updates in Dependabot, as even patch releases can contain breaking changes sometimes, so your CI can inform you when migrations are needed
  • Please note that actions/setup-go go-version-file runs tests against 1.23.0, not 1.23.8
  • Please update your toolchain regularly, there have been 3 patch releases containing security fixes since 2025-01-16 1.23.5 (goreleaser respects the toolchain directive)
$ strings gh_2.71.2_macOS_arm64/bin/gh | grep 'go1\.' | head -3
go1.23.5
/Users/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.5.darwin-arm64
/Users/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.5.darwin-arm64/src/internal/cpu/cpu.go

| Module | Required | Update | Old | New | Debt | Type |
|---|---|---|---|---|---|---|
| go get toolchain@go1.23.8 | 1.23.5🚫 | 1.23.8 | 2025-01-16 | 2025-04-01 | 75 days | patch |
| github.com/briandowns/spinner | v1.18.1 | v1.23.2 | 2022-02-07 | 2025-01-20 | 1078 days | minor |
| github.com/charmbracelet/glamour | v0.9.2-0.20250319212134-549f544650e3 | v0.10.0 | 2025-03-19 | 2025-04-16 | 28 days | minor |
| github.com/cli/oauth | v1.1.1 | v1.2.0 | 2024-10-09 | 2024-10-14 | 5 days | minor |
| github.com/cpuguy83/go-md2man/v2 | v2.0.6 | v2.0.7 | 2024-12-16 | 2025-04-24 | 129 days | patch |
| github.com/gabriel-vasile/mimetype | v1.4.8 | v1.4.9 | 2025-01-04 | 2025-04-09 | 95 days | patch |
| github.com/gdamore/tcell/v2 | v2.5.4 | v2.8.1 | 2022-12-31 | 2025-01-12 | 743 days | minor |
| github.com/golang/snappy | v0.0.4 | v1.0.0 | 2021-06-08 | 2023-12-25 | 930 days | major |
| github.com/hashicorp/go-version | v1.3.0 | v1.7.0 | 2021-03-31 | 2024-05-24 | 1150 days | minor |
| github.com/hinshun/vt10x | v0.0.0-20220119200601-820417d04eec | v0.0.0-20220301184237-5011da428d02 | 2022-01-19 | 2022-03-01 | 41 days | patch |
| github.com/microsoft/dev-tunnels | v0.0.25 | v0.1.13 | 2023-10-05 | 2024-10-09 | 370 days | minor |
| github.com/muhammadmuzzammil1998/jsonc | v0.0.0-20201229145248-615b0916ca38 | v1.0.0 | 2020-12-29 | 2022-03-25 | 451 days | major |
| github.com/rivo/tview | v0.0.0-20221029100920-c4a7e501810d | v0.0.0-20250330220935-949945f8d922 | 2022-10-29 | 2025-03-30 | 883 days | patch |
| github.com/shurcooL/githubv4 | v0.0.0-20240120211514-18a1ae0e79dc | v0.0.0-20240727222349-48295856cce7 | 2024-01-20 | 2024-07-27 | 189 days | patch |
| github.com/zalando/go-keyring | v0.2.5 | v0.2.6 | 2024-06-06 | 2024-10-25 | 141 days | patch |
| google.golang.org/grpc | v1.71.1 | v1.72.0 | 2025-03-28 | 2025-04-21 | 24 days | minor |

Technical Debt (19 years): Patch 1,478 days (4 years), Minor 4,078 days (11 years), Major 1,381 days (4 years)

Shell update commands:
go get toolchain@go1.23.8 # go env -w GOTOOLCHAIN=go1.23.8+auto # patch 1.23.5🚫 (75 days)
go get github.com/briandowns/spinner@v1.23.2 # minor v1.18.1 (1078 days)
go get github.com/charmbracelet/glamour@v0.10.0 # minor v0.9.2-0.20250319212134-549f544650e3 (28 days)
go get github.com/cli/oauth@v1.2.0 # minor v1.1.1 (5 days)
go get github.com/cpuguy83/go-md2man/v2@v2.0.7 # patch v2.0.6 (129 days)
go get github.com/gabriel-vasile/mimetype@v1.4.9 # patch v1.4.8 (95 days)
go get github.com/gdamore/tcell/v2@v2.8.1 # minor v2.5.4 (743 days)
go get github.com/golang/snappy@v1.0.0 # major v0.0.4 (930 days)
go get github.com/hashicorp/go-version@v1.7.0 # minor v1.3.0 (1150 days)
go get github.com/hinshun/vt10x@v0.0.0-20220301184237-5011da428d02 # patch v0.0.0-20220119200601-820417d04eec (41 days)
# breaks tests $ go get github.com/microsoft/dev-tunnels@v0.1.13 # minor v0.0.25 (370 days)
go get github.com/muhammadmuzzammil1998/jsonc@v1.0.0 # major v0.0.0-20201229145248-615b0916ca38 (451 days)
go get github.com/rivo/tview@v0.0.0-20250330220935-949945f8d922 # patch v0.0.0-20221029100920-c4a7e501810d (883 days)
go get github.com/shurcooL/githubv4@v0.0.0-20240727222349-48295856cce7 # patch v0.0.0-20240120211514-18a1ae0e79dc (189 days)
go get github.com/zalando/go-keyring@v0.2.6 # patch v0.2.5 (141 days)
go get google.golang.org/grpc@v1.72.0 # minor v1.71.1 (24 days)
go mod tidy # Debt: Patch 1,478 days (4 years). Minor 4,078 days (11 years). Major 1,381 days (4 years). Total 6,937 days (19 years).
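
The toolchain check from the comment above (which Go release a shipped binary embeds, and whether the go.mod toolchain directive lags a patched release), as an added Go example that is not part of this pull request or of the cli/cli code base. `Directives`, `Older` and `BinaryToolchain` are hypothetical helper names, the go.mod lines are constructed from the versions quoted in the thread, and go1.23.8 is the minimum only because the comment names it.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Directives (hypothetical helper) returns a go.mod's "go" and "toolchain" versions.
func Directives(gomod string) (goVer, toolchain string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "go" {
			goVer = "go" + f[1]
		} else if len(f) == 2 && f[0] == "toolchain" {
			toolchain = f[1]
		}
	}
	return goVer, toolchain
}

// Older reports whether plain release a precedes b; rc/beta suffixes are not handled.
func Older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "go%d.%d.%d", &x[0], &x[1], &x[2]) // a missing patch number stays 0
	fmt.Sscanf(b, "go%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// BinaryToolchain reads the Go version the linker embedded in a built binary.
func BinaryToolchain(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

func main() {
	goVer, tc := Directives("go 1.23.0\ntoolchain go1.23.5\n") // constructed go.mod lines
	fmt.Println(goVer, tc, "toolchain behind go1.23.8:", Older(tc, "go1.23.8"))
	self, _ := os.Executable()
	fmt.Println(BinaryToolchain(self)) // the release this example itself was built with
}
```

Pointing `BinaryToolchain` at a release artifact and feeding the result to `Older` gives the same answer as the `strings | grep` check without depending on path strings left in the binary.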

@reneleonhardt reneleonhardt requested a review from a team as a code owner April 29, 2025 08:49
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label Apr 29, 2025
@cliAutomation
Collaborator

Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.

@williammartin
Member

Hey @reneleonhardt, thanks for getting things moving on our dependency situation.

> Consider allowing at least minor updates in Dependabot, as even patch releases can contain breaking changes sometimes, so your CI can inform you when migrations are needed

Done in #11213

> Please note that actions/setup-go go-version-file runs tests against 1.23.0, not 1.23.8

I don't think this is true, because after installing the go directive version, the toolchain version is downloaded. It isn't ideal though, and I would like setup-go to fix it but I also don't want to either:

  • Keep bumping the go directive when it's not required
  • Manually provide the toolchain version everywhere we use setup-go

If there's another option or if I'm missing something, please let me know.

> Please update your toolchain regularly, there have been 3 patch releases containing security fixes since 2025-01-16 1.23.5 (goreleaser respects the toolchain directive)

Introduced a scheduled workflow to check this #11189


Regarding the other dependencies, I bumped them in:

I believe that covers everything in this PR and more, thanks for the nudge.
