build(deps): Bump authlib deps and tidy dependent modules#673
Conversation
Bundles Dependabot PRs #638, #639, #670, #541 into a single update: - github.com/lestrrat-go/jwx/v2 2.1.6 -> 2.1.7 (#638) - google.golang.org/grpc 1.81.1 -> 1.82.0 (#639) - golang.org/x/net 0.56.0 -> 0.57.0 (#670) - github.com/spiffe/go-spiffe/v2 2.6.0 -> 2.8.1 (#541) The authbridge-envoy and authbridge-proxy modules replace authlib via a local path directive, so bumping authlib's dependencies leaves their go.sum stale. Dependabot only tidies the module it edits, which is why each of the four PRs failed the envoy/proxy Go CI Lint step (go vet with GOWORK=off: 'updates to go.mod needed; go mod tidy'). This bundle runs go mod tidy in all three modules. Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
📝 WalkthroughWalkthroughUpdated direct and indirect dependency versions in the authlib, Envoy, and proxy Go modules, including JWX, SPIFFE, ChangesDependency updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies" Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
authbridge/authlib/go.mod (1)
10-10: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy liftTrack the JWX v2 migration separately.
authbridge/authlibstill importsgithub.com/lestrrat-go/jwx/v2/..., so keep a follow-up issue for the eventual v3/v4 move and the API/JWT serialization compatibility checks.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@authbridge/authlib/go.mod` at line 10, Keep the current github.com/lestrrat-go/jwx/v2 dependency unchanged in authbridge/authlib, and create or reference a follow-up issue tracking the eventual v3/v4 migration, including API and JWT serialization compatibility checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@authbridge/authlib/go.mod`:
- Line 10: Keep the current github.com/lestrrat-go/jwx/v2 dependency unchanged
in authbridge/authlib, and create or reference a follow-up issue tracking the
eventual v3/v4 migration, including API and JWT serialization compatibility
checks.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: a8ffab8b-4563-41d8-9add-95aabc83221c
⛔ Files ignored due to path filters (3)
authbridge/authlib/go.sumis excluded by!**/*.sumauthbridge/cmd/authbridge-envoy/go.sumis excluded by!**/*.sumauthbridge/cmd/authbridge-proxy/go.sumis excluded by!**/*.sum
📒 Files selected for processing (3)
authbridge/authlib/go.modauthbridge/cmd/authbridge-envoy/go.modauthbridge/cmd/authbridge-proxy/go.mod
huang195
left a comment
There was a problem hiding this comment.
Summary
Perfetto — a textbook dependency-maintenance PR. It bundles four Dependabot authlib bumps (jwx/v2 2.1.6→2.1.7, grpc 1.81.1→1.82.0, x/net 0.56.0→0.57.0, go-spiffe/v2 2.6.0→2.8.1) and re-tidies the two dependent modules (authbridge-envoy, authbridge-proxy) that go stale through the replace … => ../../authlib directive — the exact cause of those modules' Lint-step CI failures on the individual Dependabot PRs.
Verified the diff against the documented bundle: every changed version is an upgrade to a legitimate release, plus the expected transitive closure (x/sys, x/crypto, x/sync, x/text, jwx's goccy/go-json / blackmagic / segmentio/asm / dcrec/secp256k1, and the genproto pseudo-versions — inherent to that Google module, not a smell). No replace/fork/downgrade changes, and the change is confined to go.mod/go.sum across all three modules.
Security discipline noted and appreciated: #640 (OPA) is intentionally excluded because it pulls a high-severity transitive vuln (oras-go 2.6.1, GHSA-fxhp-mv3v-67qp) — correct to hold it. CI's dependency/vuln scanners (Dependency Review, Trivy, CodeQL) all pass. Bravo. 🇮🇹
Maintainer author, DCO signed, CI green. No inline comments.
Assisted-By: Claude Code
Bundles Dependabot's opa 1.4.2 -> 1.18.2 bump (kagenti#640) with an explicit oras.land/oras-go/v2 v2.6.2 pin to avoid the high-severity transitive advisory GHSA-fxhp-mv3v-67qp (oras-go tar hardlink extraction escape), which opa 1.18.2 otherwise pulls in via oras-go 2.6.1 and which fails the Dependency Review check (fail-on-severity: moderate). Applies the bump in authlib and runs `go mod tidy` (GOWORK=off) in authlib and every module that `replace`s it (authbridge-envoy, authbridge-proxy, abctl) so their go.mod/go.sum stay in sync. Same pattern as kagenti#673. Verified locally (GOWORK=off): go vet, go build, and go test -race pass in authlib/envoy/proxy; the proxy lite variant (exclude_plugin_* tags) builds and tests; abctl vets clean. oras-go resolves to 2.6.2 in all modules with no residual 2.5.0/2.6.1. Supersedes and closes kagenti#640. Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Summary
Bundles four Dependabot
authlibdependency bumps into a single update and fixes the shared CI failure they all hit.Why bundle
authbridge/cmd/authbridge-envoyandauthbridge/cmd/authbridge-proxybothreplace github.com/kagenti/kagenti-extensions/authbridge/authlib => ../../authlib. When Dependabot bumps a dependency insideauthlib, it only tidiesauthlib'sgo.mod/go.sum— the two dependent modules go stale. That's why each of the four PRs above passedGo CI (authlib)but failedGo CI (authbridge authbridge-envoy)andGo CI (authbridge authbridge-proxy)at the Lint step:This PR applies all four bumps in
authliband runsgo mod tidyinauthlib,authbridge-envoy, andauthbridge-proxy. Verified locally withgo vet ./...(GOWORK=off) passing in all three modules.Supersedes and closes #638, #639, #670, #541.
Assisted-By: Claude Code
Summary by CodeRabbit