Skip to content

build(deps): Bump authlib deps and tidy dependent modules#673

Merged
huang195 merged 1 commit into
mainfrom
build/bundle-authlib-deps
Jul 16, 2026
Merged

build(deps): Bump authlib deps and tidy dependent modules#673
huang195 merged 1 commit into
mainfrom
build/bundle-authlib-deps

Conversation

@pdettori

@pdettori pdettori commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

Bundles four Dependabot authlib dependency bumps into a single update and fixes the shared CI failure they all hit.

Dependency From To Original PR
github.com/lestrrat-go/jwx/v2 2.1.6 2.1.7 #638
google.golang.org/grpc 1.81.1 1.82.0 #639
golang.org/x/net 0.56.0 0.57.0 #670
github.com/spiffe/go-spiffe/v2 2.6.0 2.8.1 #541

Why bundle

authbridge/cmd/authbridge-envoy and authbridge/cmd/authbridge-proxy both replace github.com/kagenti/kagenti-extensions/authbridge/authlib => ../../authlib. When Dependabot bumps a dependency inside authlib, it only tidies authlib's go.mod/go.sum — the two dependent modules go stale. That's why each of the four PRs above passed Go CI (authlib) but failed Go CI (authbridge authbridge-envoy) and Go CI (authbridge authbridge-proxy) at the Lint step:

go: updates to go.mod needed; to update it: go mod tidy

This PR applies all four bumps in authlib and runs go mod tidy in authlib, authbridge-envoy, and authbridge-proxy. Verified locally with go vet ./... (GOWORK=off) passing in all three modules.

Supersedes and closes #638, #639, #670, #541.

Note: #640 (opa 1.4.2 → 1.18.2) is intentionally not included — it introduces a high-severity transitive vulnerability (oras-go 2.6.1, GHSA-fxhp-mv3v-67qp) and is being held separately.

Assisted-By: Claude Code

Summary by CodeRabbit

  • Chores
    • Updated underlying libraries and indirect components across AuthBridge modules.
    • Incorporated newer versions of networking, security, authentication, and RPC-related components.
    • No user-facing features or API changes were introduced.

Bundles Dependabot PRs #638, #639, #670, #541 into a single update:

- github.com/lestrrat-go/jwx/v2 2.1.6 -> 2.1.7 (#638)
- google.golang.org/grpc 1.81.1 -> 1.82.0 (#639)
- golang.org/x/net 0.56.0 -> 0.57.0 (#670)
- github.com/spiffe/go-spiffe/v2 2.6.0 -> 2.8.1 (#541)

The authbridge-envoy and authbridge-proxy modules replace authlib via a
local path directive, so bumping authlib's dependencies leaves their
go.sum stale. Dependabot only tidies the module it edits, which is why
each of the four PRs failed the envoy/proxy Go CI Lint step
(go vet with GOWORK=off: 'updates to go.mod needed; go mod tidy').
This bundle runs go mod tidy in all three modules.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Updated direct and indirect dependency versions in the authlib, Envoy, and proxy Go modules, including JWX, SPIFFE, golang.org/x/*, gRPC, genproto, and supporting transitive packages.

Changes

Dependency updates

Layer / File(s) Summary
Authlib dependency graph
authbridge/authlib/go.mod
Bumped direct dependencies and related indirect versions, including JWX, SPIFFE, golang.org/x/*, gRPC, genproto, and supporting packages.
Command module dependency alignment
authbridge/cmd/authbridge-envoy/go.mod, authbridge/cmd/authbridge-proxy/go.mod
Updated shared indirect dependencies across the Envoy and proxy modules, including JWX, SPIFFE, golang.org/x/*, gRPC, genproto, and supporting packages.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: huang195

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency bump and tidy updates across authlib and dependent modules.
Linked Issues check ✅ Passed authbridge/authlib's jwx/v2 dependency was bumped from 2.1.6 to 2.1.7 as requested.
Out of Scope Changes check ✅ Passed The changes stay within dependency bumps and go mod tidy updates for authlib and its dependent modules.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch build/bundle-authlib-deps

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
authbridge/authlib/go.mod (1)

10-10: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift

Track the JWX v2 migration separately. authbridge/authlib still imports github.com/lestrrat-go/jwx/v2/..., so keep a follow-up issue for the eventual v3/v4 move and the API/JWT serialization compatibility checks.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@authbridge/authlib/go.mod` at line 10, Keep the current
github.com/lestrrat-go/jwx/v2 dependency unchanged in authbridge/authlib, and
create or reference a follow-up issue tracking the eventual v3/v4 migration,
including API and JWT serialization compatibility checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@authbridge/authlib/go.mod`:
- Line 10: Keep the current github.com/lestrrat-go/jwx/v2 dependency unchanged
in authbridge/authlib, and create or reference a follow-up issue tracking the
eventual v3/v4 migration, including API and JWT serialization compatibility
checks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a8ffab8b-4563-41d8-9add-95aabc83221c

📥 Commits

Reviewing files that changed from the base of the PR and between 6f75bc9 and ae1f7e4.

⛔ Files ignored due to path filters (3)
  • authbridge/authlib/go.sum is excluded by !**/*.sum
  • authbridge/cmd/authbridge-envoy/go.sum is excluded by !**/*.sum
  • authbridge/cmd/authbridge-proxy/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • authbridge/authlib/go.mod
  • authbridge/cmd/authbridge-envoy/go.mod
  • authbridge/cmd/authbridge-proxy/go.mod

@huang195 huang195 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

Perfetto — a textbook dependency-maintenance PR. It bundles four Dependabot authlib bumps (jwx/v2 2.1.6→2.1.7, grpc 1.81.1→1.82.0, x/net 0.56.0→0.57.0, go-spiffe/v2 2.6.0→2.8.1) and re-tidies the two dependent modules (authbridge-envoy, authbridge-proxy) that go stale through the replace … => ../../authlib directive — the exact cause of those modules' Lint-step CI failures on the individual Dependabot PRs.

Verified the diff against the documented bundle: every changed version is an upgrade to a legitimate release, plus the expected transitive closure (x/sys, x/crypto, x/sync, x/text, jwx's goccy/go-json / blackmagic / segmentio/asm / dcrec/secp256k1, and the genproto pseudo-versions — inherent to that Google module, not a smell). No replace/fork/downgrade changes, and the change is confined to go.mod/go.sum across all three modules.

Security discipline noted and appreciated: #640 (OPA) is intentionally excluded because it pulls a high-severity transitive vuln (oras-go 2.6.1, GHSA-fxhp-mv3v-67qp) — correct to hold it. CI's dependency/vuln scanners (Dependency Review, Trivy, CodeQL) all pass. Bravo. 🇮🇹

Maintainer author, DCO signed, CI green. No inline comments.

Assisted-By: Claude Code

@huang195
huang195 merged commit 10d1575 into main Jul 16, 2026
21 checks passed
@github-project-automation github-project-automation Bot moved this from New/ToDo to Done in Kagenti Issue Prioritization Jul 16, 2026
@huang195
huang195 deleted the build/bundle-authlib-deps branch July 16, 2026 00:16
pdettori added a commit to pdettori/kagenti-extensions that referenced this pull request Jul 16, 2026
Bundles Dependabot's opa 1.4.2 -> 1.18.2 bump (kagenti#640) with an explicit
oras.land/oras-go/v2 v2.6.2 pin to avoid the high-severity transitive
advisory GHSA-fxhp-mv3v-67qp (oras-go tar hardlink extraction escape),
which opa 1.18.2 otherwise pulls in via oras-go 2.6.1 and which fails
the Dependency Review check (fail-on-severity: moderate).

Applies the bump in authlib and runs `go mod tidy` (GOWORK=off) in
authlib and every module that `replace`s it (authbridge-envoy,
authbridge-proxy, abctl) so their go.mod/go.sum stay in sync. Same
pattern as kagenti#673.

Verified locally (GOWORK=off): go vet, go build, and go test -race pass
in authlib/envoy/proxy; the proxy lite variant (exclude_plugin_* tags)
builds and tests; abctl vets clean. oras-go resolves to 2.6.2 in all
modules with no residual 2.5.0/2.6.1.

Supersedes and closes kagenti#640.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants