[VC-45029] Upgrade all the Go dependencies in preparation for a release#722
Conversation
I used go-mod-upgrade to update only the vcert module and it pulled in the updated pflag and sync dependencies. Then I ran `make go-tidy` to clean up the go.sum file.

- Bump direct dependencies: vcert, pflag, x/sync
- Update indirect dependencies: genqlient, fsnotify, duration, gqlparser, pkcs8, x/crypto, x/net, oauth2, sys, term, text
- Refresh go.sum for new versions

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Bump k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/component-base to v0.34.1
- Update sigs.k8s.io/yaml to v1.6.0
- Update several indirect dependencies to latest versions
- Add new indirect dependencies for yaml and structured-merge-diff

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Upgrade sigs.k8s.io/controller-runtime to v0.22.1
- Upgrade cel.dev/expr to v0.24.0 and github.com/google/cel-go to v0.26.0
- Upgrade k8s.io/apiextensions-apiserver and k8s.io/apiserver to v0.34.0
- Update go.sum for new dependency versions

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Bump github.com/cenkalti/backoff/v5 from v5.0.2 to v5.0.3 in go.mod
- Update go.sum to reflect new dependency version

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Update go.mod and go.sum to use latest golang.org/x/sync
- Ensure compatibility with new dependency version

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Bump github.com/prometheus/client_golang to v1.23.2
- Bump github.com/stretchr/testify to v1.11.1
- Update indirect Prometheus and protobuf dependencies
- Update golang.org/x/net to v0.43.0 in go.mod and go.sum

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Introduce firefly connection type to CRD schemas
- Add firefly accessToken retrieval steps and validation rules
- Update controller-gen version annotation
- Adjust validation to require one of tpp, vaas, vcp, or firefly
- Update LICENSES for new and upgraded dependencies

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

- Add instructions for upgrading Go dependencies using go-mod-upgrade
- Update govulncheck step to use make verify-govulncheck
- Renumber and clarify release steps for improved readability

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
> ```
> make generate
> ```
>
> Finally, create a PR with the changes and merge it.
That's what I'm doing in this PR.
> ```bash
> go install golang.org/x/vuln/cmd/govulncheck@latest
> govulncheck -v ./...
> make verify-govulncheck
> ```
`verify-govulncheck` was fixed recently, to allow it to run when there are non-opensource Go modules in use:
```
$ make verify-govulncheck
Running 'GOTOOLCHAIN=go1.25.1 _bin/tools/govulncheck ./...' in directory '.'
No vulnerabilities found.
```
Copilot (gpt-4.1) created the following table, which lists the Go dependencies that were updated, showing their previous and new versions, update type, and links to their release notes or changelogs (where available).
| Dependency | Previous Version | New Version | Update Type | Release Notes Link |
|---|---|---|---|---|
| github.com/cenkalti/backoff/v5 | v5.0.2 | v5.0.3 | Patch | https://github.com/cenkalti/backoff/releases |
| github.com/jetstack/venafi-connection-lib | v0.4.1-0.20250617093438-475079c98311 | v0.5.0 | Minor | https://github.com/jetstack/venafi-connection-lib/releases |
| github.com/prometheus/client_golang | v1.22.0 | v1.23.2 | Minor | https://github.com/prometheus/client_golang/releases |
| github.com/spf13/cobra | v1.9.1 | v1.10.1 | Minor | https://github.com/spf13/cobra/releases |
| github.com/stretchr/testify | v1.10.0 | v1.11.1 | Minor | https://github.com/stretchr/testify/releases |
| golang.org/x/sync | v0.16.0 | v0.17.0 | Minor | https://pkg.go.dev/changelog/golang.org/x/sync |
| k8s.io/api | v0.33.2 | v0.34.1 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| k8s.io/apimachinery | v0.33.2 | v0.34.1 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| k8s.io/client-go | v0.33.2 | v0.34.1 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| k8s.io/component-base | v0.33.2 | v0.34.1 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| sigs.k8s.io/controller-runtime | v0.21.0 | v0.22.1 | Minor | https://github.com/kubernetes-sigs/controller-runtime/releases |
| sigs.k8s.io/yaml | v1.4.0 | v1.6.0 | Minor | https://github.com/kubernetes-sigs/yaml/releases |
| cel.dev/expr | v0.19.1 | v0.24.0 | Minor | https://github.com/google/cel-go/releases |
| github.com/fxamacker/cbor/v2 | v2.7.0 | v2.9.0 | Minor | https://github.com/fxamacker/cbor/releases |
| github.com/google/cel-go | v0.23.2 | v0.26.0 | Minor | https://github.com/google/cel-go/releases |
| github.com/google/gnostic-models | v0.6.9 | v0.7.0 | Minor | https://github.com/google/gnostic/releases |
| github.com/goccy/go-yaml | v1.17.1 | v1.18.0 | Patch | https://github.com/goccy/go-yaml/releases |
| github.com/golang-jwt/jwt/v5 | v5.2.2 | v5.3.0 | Patch | https://github.com/golang-jwt/jwt/releases |
| github.com/emicklei/go-restful/v3 | v3.11.2 | v3.12.2 | Minor | https://github.com/emicklei/go-restful/releases |
| github.com/prometheus/client_model | v0.6.1 | v0.6.2 | Patch | https://github.com/prometheus/client_model/releases |
| github.com/prometheus/common | v0.62.0 | v0.66.1 | Minor | https://github.com/prometheus/common/releases |
| github.com/prometheus/procfs | v0.15.1 | v0.16.1 | Patch | https://github.com/prometheus/procfs/releases |
| go.opentelemetry.io/otel | v1.33.0 | v1.35.0 | Minor | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.opentelemetry.io/otel/trace | v1.33.0 | v1.35.0 | Minor | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.opentelemetry.io/otel/metric | v1.33.0 | v1.35.0 | Minor | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.opentelemetry.io/otel/sdk | v1.33.0 | v1.34.0 | Patch | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace | v1.33.0 | v1.34.0 | Patch | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc | v1.33.0 | v1.34.0 | Patch | https://github.com/open-telemetry/opentelemetry-go/releases |
| go.yaml.in/yaml/v2 | not present | v2.4.2 | New | https://github.com/go-yaml/yaml/releases |
| go.yaml.in/yaml/v3 | not present | v3.0.4 | New | https://github.com/go-yaml/yaml/releases |
| k8s.io/apiextensions-apiserver | v0.33.1 | v0.34.0 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| k8s.io/apiserver | v0.33.1 | v0.34.0 | Minor | https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-0.34.md |
| k8s.io/kube-openapi | v0.0.0-20250318190949-c8a335a9a2ff | v0.0.0-20250710124328-f3f2b991d03b | Patch | https://github.com/kubernetes/kube-openapi/releases |
| k8s.io/utils | v0.0.0-20250502105355-0f33e8f1c979 | v0.0.0-20250604170112-4c0f3b243397 | Patch | https://github.com/kubernetes/utils/releases |
| sigs.k8s.io/json | v0.0.0-20241010143419-9aa6b5e7a4b3 | v0.0.0-20241014173422-cfa47c3a1cc8 | Patch | https://github.com/kubernetes-sigs/json/releases |
| sigs.k8s.io/structured-merge-diff | v4.6.0 | v6.3.0 | Minor | https://github.com/kubernetes-sigs/structured-merge-diff/releases |
Thanks, that's super helpful.
I see sigs.k8s.io/structured-merge-diff went from v4.6.0 to v6.3.0, a big jump; weird though that Copilot said it's just a minor version bump 😅 I've looked at their release notes and all good; your table made it super easy to do!

I see that there was also a bump of go-yaml/yaml from v2 to v3, I think it's OK. What's weird is that https://github.com/go-yaml/yaml/ is deprecated, I guess it's a transitive dep that hasn't been updated to https://github.com/yaml/go-yaml (@inteon is a contributor to that project, I learned recently!)
> I see sigs.k8s.io/structured-merge-diff went from v4.6.0 to v6.3.0, a big jump; weird though that Copilot said it's just a minor version bump 😅 I've looked at their release notes and all good; your table made it super easy to do!

That was probably because in my prompt I only mentioned patch and minor... wasn't expecting any major updates. I said:

"Create markdown table showing the previous and new versions of each dependency and show which are patch updates and which are minor updates."

> I see that there was also a bump of go-yaml/yaml from v2 to v3, I think it's OK. What's weird is that https://github.com/go-yaml/yaml/ is deprecated, I guess it's a transitive dep that hasn't been updated to https://github.com/yaml/go-yaml (@inteon is a contributor to that project, I learned recently!)

Not sure. It was pulled in as a transitive dependency of the k8s.io/ dependencies: 5cbd8f2
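The table above labels the sigs.k8s.io/structured-merge-diff jump from v4.6.0 to v6.3.0 as "Minor", which is exactly the kind of thing worth deriving from the version numbers rather than from a prompt. The following is an added example, not code from this PR or from the venafi-kubernetes-agent project: it diffs the `require` lists of two go.mod files, lines up `/v4` and `/v6` of the same module as one upgrade (Go puts the major version in the module path), classifies each bump from the first version component that changes, and recognises Go pseudo-versions. The two go.mod excerpts are constructed; their versions are taken from the table in this thread. Function names (`parseRequires`, `classify`, `diffGoMod`) and the label strings are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Change is one table row: module, previous version, new version, bump class.
type Change struct{ Module, Old, New, Kind string }

// Constructed sample go.mod excerpts (not the project's real files); versions mirror
// ones from the thread: a /v4 -> /v6 major bump and two pseudo-version updates.
const oldGoMod = `require (
	github.com/jetstack/venafi-connection-lib v0.4.1-0.20250617093438-475079c98311
	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
)`

const newGoMod = `require github.com/cenkalti/backoff/v5 v5.0.3

require (
	github.com/jetstack/venafi-connection-lib v0.5.0
	go.yaml.in/yaml/v3 v3.0.4 // indirect
	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
)`

var (
	// Semantic-import-versioning suffix, e.g. ".../structured-merge-diff/v4".
	majorSuffix = regexp.MustCompile(`/v[2-9][0-9]*$`)
	// Groups 1-3: major, minor, patch; group 4: pre-release or pseudo-version tail
	// (e.g. "20250318190949-c8a335a9a2ff"). "+incompatible" versions do not match.
	semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(?:-(.*))?$`)
)

// parseRequires maps module path (minus its /vN suffix, so /v4 and /v6 line up)
// to version, accepting both `require path version` and block-form directives.
func parseRequires(gomod string) map[string]string {
	deps, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || (inBlock && line == ")") {
			inBlock = line == "require (" // entering or leaving a require block
			continue
		}
		oneLine := strings.HasPrefix(line, "require ")
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if (inBlock || oneLine) && len(f) >= 2 && !strings.HasPrefix(f[0], "//") {
			deps[majorSuffix.ReplaceAllString(f[0], "")] = f[1]
		}
	}
	return deps
}

// classify labels a bump by the first version component that differs: a change in the
// major number (including one arriving via a new /vN path suffix) is Major, never Minor,
// and pre-1.0 minor bumps are flagged since semver promises no compatibility before v1.
func classify(oldV, newV string) string {
	if oldV == "" {
		return "New"
	}
	a, b := semverRe.FindStringSubmatch(oldV), semverRe.FindStringSubmatch(newV)
	if a == nil || b == nil {
		return "Unknown" // not plain semver; inspect by hand
	}
	for i, label := range []string{"Major", "Minor", "Patch"} {
		if a[i+1] != b[i+1] {
			if label == "Minor" && b[1] == "0" {
				return "Minor (v0)"
			}
			return label
		}
	}
	if a[4] != b[4] {
		return "Pseudo/prerelease" // same x.y.z, different commit or pre-release tag
	}
	return "Unchanged"
}

// diffGoMod returns one Change per module in newMod whose version differs, sorted by path.
func diffGoMod(oldMod, newMod string) []Change {
	oldDeps, newDeps := parseRequires(oldMod), parseRequires(newMod)
	var out []Change
	for base, nv := range newDeps {
		if kind := classify(oldDeps[base], nv); kind != "Unchanged" {
			out = append(out, Change{base, oldDeps[base], nv, kind})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, c := range diffGoMod(oldGoMod, newGoMod) {
		fmt.Printf("| %s | %s | %s | %s |\n", c.Module, c.Old, c.New, c.Kind)
	}
}
```

Stripping the `/vN` suffix is what makes the structured-merge-diff row come out as "Major" instead of one "removed" entry for `/v4` and one "new" entry for `/v6`; the caveat is that a go.mod which legitimately requires two majors of the same module collapses to one entry here. The "Minor (v0)" label exists because every k8s.io module in the table is v0.x, where a minor bump carries no semver compatibility promise, and "Pseudo/prerelease" separates commit-to-commit moves like k8s.io/kube-openapi from real tagged releases.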
I want to release the venafi-kubernetes-agent and the new cyberark-disco-agent soon, so in preparation I've updated all the Go dependencies and added that step to the release process, in accordance with the venafi-enhanced-issuer release process:

Dependency Updates

- controller-runtime v0.22.1
- k8s.io/api, client-go, apimachinery, component-base v0.34.1
- prometheus/client_golang v1.23.2
- spf13/cobra v1.10.1
- jetstack/venafi-connection-lib v0.5.0
- sigs.k8s.io/structured-merge-diff/v6 (was v4)
- go.yaml.in/yaml/v2, go.yaml.in/yaml/v3 added
- go.sum and LICENSES updated to reflect new/removed dependencies.

Documentation Improvements

- RELEASE.md now includes:
  - go-mod-upgrade
  - govulncheck
- LICENSES: updates for new/removed dependencies and license types.