Skip to content

Update Go module dependencies#2583

Open
Thushani-Jayasekera wants to merge 6 commits into
wso2:mainfrom
Thushani-Jayasekera:fix-vulenrabilities
Open

Update Go module dependencies#2583
Thushani-Jayasekera wants to merge 6 commits into
wso2:mainfrom
Thushani-Jayasekera:fix-vulenrabilities

Conversation

@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor

$subject

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Thushani-Jayasekera, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 42 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dd19b180-a9b9-46ef-b999-7c06d318a8dd

📥 Commits

Reviewing files that changed from the base of the PR and between be3c8ee and 2ae16e1.

⛔ Files ignored due to path filters (17)
  • cli/it/go.sum is excluded by !**/*.sum
  • cli/src/go.sum is excluded by !**/*.sum
  • common/go.sum is excluded by !**/*.sum
  • event-gateway/gateway-builder/go.sum is excluded by !**/*.sum
  • event-gateway/gateway-runtime/go.sum is excluded by !**/*.sum
  • event-gateway/it/go.sum is excluded by !**/*.sum
  • gateway/gateway-builder/go.sum is excluded by !**/*.sum
  • gateway/gateway-controller/go.sum is excluded by !**/*.sum
  • gateway/gateway-runtime/policy-engine/go.sum is excluded by !**/*.sum
  • gateway/it/go.sum is excluded by !**/*.sum
  • go.work is excluded by !**/*.work
  • go.work.sum is excluded by !**/*.sum
  • kubernetes/gateway-operator/go.sum is excluded by !**/*.sum
  • platform-api/go.sum is excluded by !**/*.sum
  • sdk/ai/go.sum is excluded by !**/*.sum
  • tests/integration-e2e/go.sum is excluded by !**/*.sum
  • tests/mock-servers/mock-platform-api/go.sum is excluded by !**/*.sum
📒 Files selected for processing (15)
  • cli/it/go.mod
  • cli/src/go.mod
  • common/go.mod
  • event-gateway/gateway-builder/go.mod
  • event-gateway/gateway-runtime/go.mod
  • event-gateway/it/go.mod
  • gateway/gateway-builder/go.mod
  • gateway/gateway-controller/go.mod
  • gateway/gateway-runtime/policy-engine/go.mod
  • gateway/it/go.mod
  • kubernetes/gateway-operator/go.mod
  • platform-api/go.mod
  • sdk/ai/go.mod
  • tests/integration-e2e/go.mod
  • tests/mock-servers/mock-platform-api/go.mod
📝 Walkthrough

Walkthrough

The pull request updates Go module dependency versions across core, gateway, integration, operator, SDK, platform, and mock-server modules. The CLI indirect dependency list is also reduced, and the gateway runtime SDK core dependency is upgraded.

Changes

Go module dependency alignment

Layer / File(s) Summary
Core module dependency updates
cli/src/go.mod, common/go.mod, platform-api/go.mod
Direct and indirect dependency versions are updated, and the CLI’s indirect dependency list is reduced.
Gateway runtime dependency updates
event-gateway/.../go.mod, gateway/gateway-controller/go.mod, gateway/gateway-runtime/policy-engine/go.mod
Gateway runtime modules update the SDK core and golang.org/x/* dependency versions.
Integration and tooling dependency updates
event-gateway/it/go.mod, gateway/it/go.mod, kubernetes/gateway-operator/go.mod, sdk/ai/go.mod, tests/mock-servers/*/go.mod
Integration, operator, SDK, and mock-server modules update indirect golang.org/x/* dependencies.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: pubudu538, malinthaprasan, RakhithaRR, VirajSalaka, CrowleyRajapakse, hisanhunais, HiranyaKavishani, HeshanSudarshana, ashera96, PasanT9, thivindu, Krishanx92

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is just a placeholder and omits nearly all required template sections. Replace the placeholder with the full template, including Purpose, Goals, Approach, tests, security checks, docs, related PRs, and test environment.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: updating Go module dependencies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 10, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: golang.org/x/term
Version: v0.43.0 (was v0.40.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: golang.org/x/text
Version: v0.37.0 (was v0.35.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes


Next Steps

  1. Review the validation failures listed above
  2. Check if dependencies are in the approved dependency list
  3. Options to resolve:
    • Remove the unapproved dependencies from this PR
    • OR submit a PR to add these dependencies to the approved list in engineering-governance
  4. Once resolved, push changes to re-run validation

This PR is blocked until all dependencies are approved.

⚠️ Please verify the scope of the dependencies usage is necessary

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: golang.org/x/term
Version: v0.43.0 (was v0.40.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: golang.org/x/text
Version: v0.37.0 (was v0.35.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes


Next Steps

  1. Review the validation failures listed above
  2. Check if dependencies are in the approved dependency list
  3. Options to resolve:
    • Remove the unapproved dependencies from this PR
    • OR submit a PR to add these dependencies to the approved list in engineering-governance
  4. Once resolved, push changes to re-run validation

This PR is blocked until all dependencies are approved.

⚠️ Please verify the scope of the dependencies usage is necessary

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: golang.org/x/term
Version: v0.43.0 (was v0.40.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: golang.org/x/text
Version: v0.37.0 (was v0.35.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: github.com/knadh/koanf/providers/file
Version: v1.2.1 (was v1.2.0)
Allowed range: >=v1.2.1
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes


Next Steps

  1. Review the validation failures listed above
  2. Check if dependencies are in the approved dependency list
  3. Options to resolve:
    • Remove the unapproved dependencies from this PR
    • OR submit a PR to add these dependencies to the approved list in engineering-governance
  4. Once resolved, push changes to re-run validation

This PR is blocked until all dependencies are approved.

⚠️ Please verify the scope of the dependencies usage is necessary

- Added `github.com/hashicorp/go-uuid` and `github.com/kr/pretty` to various modules.
- Updated `golang.org/x/mod` to version 0.35.0 in multiple modules.
- Bumped versions for several dependencies including `github.com/gorilla/websocket`, `github.com/aws/aws-sdk-go-v2`, and `github.com/go-openapi/jsonpointer`.
- Updated `golang.org/x/time` to version 0.14.0.
- Adjusted indirect dependencies in `go.mod` files for improved compatibility and security.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: golang.org/x/term
Version: v0.43.0 (was v0.40.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: golang.org/x/text
Version: v0.37.0 (was v0.35.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/mod
Version: v0.35.0 (was v0.32.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: golang.org/x/mod
Version: v0.35.0 (was v0.32.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/knadh/koanf/providers/file
Version: v1.2.1 (was v1.2.0)
Allowed range: >=v1.2.1
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/mattn/go-sqlite3
Version: v1.14.41 (was v1.14.34)
Allowed range: >=v1.14.32
Approved: ✅ Yes


Next Steps

  1. Review the validation failures listed above
  2. Check if dependencies are in the approved dependency list
  3. Options to resolve:
    • Remove the unapproved dependencies from this PR
    • OR submit a PR to add these dependencies to the approved list in engineering-governance
  4. Once resolved, push changes to re-run validation

This PR is blocked until all dependencies are approved.

⚠️ Please verify the scope of the dependencies usage is necessary

- Added go.mod entries for several dependencies including `github.com/creack/pty`, `github.com/kr/pretty`, and `github.com/go-openapi/swag`.
- Updated `golang.org/x/time` and `github.com/gorilla/websocket` to their latest versions across multiple modules.
- Adjusted indirect dependencies in `go.mod` files for improved compatibility and security.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: golang.org/x/term
Version: v0.43.0 (was v0.40.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: golang.org/x/text
Version: v0.37.0 (was v0.35.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: golang.org/x/mod
Version: v0.35.0 (was v0.32.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: golang.org/x/mod
Version: v0.35.0 (was v0.32.0)
Approved: ❌ No - Module not found in dependency registry

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/knadh/koanf/providers/file
Version: v1.2.1 (was v1.2.0)
Allowed range: >=v1.2.1
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: golang.org/x/crypto
Version: v0.52.0 (was v0.50.0)
Allowed range: >=v0.31.0
Approved: ✅ Yes

Dependency name: github.com/gorilla/websocket
Version: v1.5.4-0.20250319132907-e064f32e3674 (was v1.5.3)
Allowed range: >=v1.5.3
Approved: ✅ Yes

Dependency name: github.com/mattn/go-sqlite3
Version: v1.14.41 (was v1.14.34)
Allowed range: >=v1.14.32
Approved: ✅ Yes


Next Steps

  1. Review the validation failures listed above
  2. Check if dependencies are in the approved dependency list
  3. Options to resolve:
    • Remove the unapproved dependencies from this PR
    • OR submit a PR to add these dependencies to the approved list in engineering-governance
  4. Once resolved, push changes to re-run validation

This PR is blocked until all dependencies are approved.

⚠️ Please verify the scope of the dependencies usage is necessary

@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor Author

Dependency updates- wso2/engineering-governance#26

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants