
update go-logger and other vulnerable packages #782

Merged: matthyx merged 1 commit into main from bump on Apr 17, 2026

Conversation

@matthyx (Contributor)

@matthyx matthyx commented Apr 17, 2026

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain from version 1.25.0 to 1.25.8
    • Upgraded direct dependencies including logging, networking, gRPC, and cloud platform libraries
    • Refreshed indirect dependencies across telemetry, cloud, and cryptographic tooling libraries

@coderabbitai

coderabbitai Bot commented Apr 17, 2026

📝 Walkthrough

Updated Go toolchain from 1.25.0 to 1.25.8 and bumped multiple dependencies, including direct updates to go-logger, golang.org/x packages, and google.golang.org/grpc. Refreshed indirect dependencies across cloud, telemetry, networking, crypto, and AWS SDK libraries.

Changes

Cohort / File(s): Go Module Dependencies (go.mod)
Summary: Updated Go toolchain version to 1.25.8. Bumped direct dependencies: go-logger (v0.0.24→v0.0.28), golang.org/x/net (v0.51.0→v0.53.0), golang.org/x/sys (v0.42.0→v0.43.0), google.golang.org/grpc (v1.79.3→v1.80.0). Refreshed indirect dependencies across cloud.google.com/go packages, OpenTelemetry modules, networking/crypto tooling (golang.org/x utilities, oauth2), and AWS SDK v2 modules.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

release

Poem

🐰 Dependencies dance with numbers new,
Version bumps and patches too,
From 1.25 to heights so bright,
Our telemetry shines with light,
Compatibility and care take flight! ✨

🚥 Pre-merge checks: 3 passed

Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: Passed. The title accurately describes the main change: updating go-logger and other vulnerable packages to newer versions, which aligns with the primary focus of the go.mod dependency upgrades.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

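The walkthrough above lists the versions each direct dependency was moved to, but nothing on the page enforces that a later `go mod tidy` or a conflicting bump cannot drag one of them back below the patched release. The Go program below is an added example, not code from this PR or from the project: it parses a go.mod, compares each required version against a floor using module-semver ordering (numeric fields first, pseudo-versions below the bare release, unparseable input failing closed) and reports any module that sits below its floor. The go.mod excerpt is constructed, the go-logger module path (github.com/kubescape/go-logger) is assumed, and treating the bumped-to versions from this PR as the patched minimum is an assumption, since the PR text cites no advisories.

```go
package main

import (
	"bufio"
	"cmp"
	"fmt"
	"strings"
)

// Constructed go.mod excerpt used as sample input (not the project's go.mod);
// the go-logger module path is an assumption.
const sampleGoMod = `module example.com/node-agent
go 1.25.8
require (
	github.com/kubescape/go-logger v0.0.28
	golang.org/x/net v0.53.0
	golang.org/x/sys v0.43.0
	google.golang.org/grpc v1.80.0
)
require golang.org/x/crypto v0.45.0 // indirect
`

// Floor is the lowest acceptable version of a module; Finding is a required
// module whose version sits below its floor.
type Floor struct{ Module, Want string }
type Finding struct{ Module, Have, Want string }

// The floors are the versions this PR bumped to. Treating them as the patched
// minimum is an assumption: the PR text cites no advisories.
var floors = []Floor{
	{"github.com/kubescape/go-logger", "v0.0.28"},
	{"golang.org/x/net", "v0.53.0"},
	{"golang.org/x/sys", "v0.43.0"},
	{"google.golang.org/grpc", "v1.80.0"},
}

// parseRequires maps module path to version from the require lines of a
// go.mod, in single-line or block form; "// ..." comments are dropped first.
func parseRequires(src string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// parseVersion splits "v1.80.0" or a pseudo-version such as
// "v0.0.0-20240101000000-abcdef123456" into numbers and a pre-release suffix.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	n, err := fmt.Sscanf(core, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, pre, err == nil && n == 3
}

// compareVersions orders module versions like semver: numbers first, then a
// pre-release (or pseudo-version) ranks below the bare release with the same
// numbers. Input that does not parse compares as lower, so it fails closed.
func compareVersions(a, b string) int {
	an, apre, okA := parseVersion(a)
	bn, bpre, okB := parseVersion(b)
	if !okA || !okB {
		return -1
	}
	for i := range an {
		if c := cmp.Compare(an[i], bn[i]); c != 0 {
			return c
		}
	}
	// "~" sorts after every legal pre-release character, so an empty suffix
	// (a bare release) is ordered above any pre-release of the same version.
	return strings.Compare(cmp.Or(apre, "~"), cmp.Or(bpre, "~"))
}

// checkFloors lists required modules below their floor; modules that are not
// required at all are skipped, since they are not part of the build.
func checkFloors(reqs map[string]string, floors []Floor) []Finding {
	var out []Finding
	for _, fl := range floors {
		if have, ok := reqs[fl.Module]; ok && compareVersions(have, fl.Want) < 0 {
			out = append(out, Finding{fl.Module, have, fl.Want})
		}
	}
	return out
}

func main() {
	fmt.Println(checkFloors(parseRequires(sampleGoMod), floors))
}
```

A check like this is a regression guard, not a vulnerability scanner: it only knows the floors you give it. The authoritative answer for whether the resolved module graph still reaches a known-vulnerable function comes from `govulncheck ./...`, which reads the Go vulnerability database; running both in CI catches a silent downgrade as well as newly published advisories.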

@github-actions

Performance Benchmark Results

Node-Agent Resource Usage

  Metric              BEFORE    AFTER     Delta
  Avg CPU (cores)     0.162     0.159     -1.5%
  Peak CPU (cores)    0.167     0.163     -2.5%
  Avg Memory (MiB)    416.008   312.642   -24.8%
  Peak Memory (MiB)   420.469   320.668   -23.7%

Dedup Effectiveness (AFTER only)

  Event Type     Passed   Deduped   Ratio
  capabilities   0        0         N/A
  hardlink       6000     0         0.0%
  http           1704     119455    98.6%
  network        900      77999     98.9%
  open           34857    621172    94.7%
  symlink        6000     0         0.0%
  syscall        984      1914      66.0%

Event Counters

  Metric               BEFORE   AFTER
  capability_counter   9        7
  dns_counter          1432     1427
  exec_counter         7162     7137
  network_counter      94200    93850
  open_counter         785286   781999
  syscall_counter      3646     3538

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
go.mod (1)

59-59: Consider migrating grpc.Dial() to grpc.NewClient() in pkg/sbommanager/v1/sbom_manager.go for consistency.

The codebase uses the deprecated grpc.Dial() in pkg/sbommanager/v1/sbom_manager.go:108, while other gRPC clients in the same codebase (pkg/sbomscanner/v1/client.go, pkg/sbomscanner/v1/integration_test.go, pkg/sbomscanner/v1/server_test.go) use grpc.NewClient(). Although grpc.Dial() remains fully supported in gRPC v1.80.0, migrating to grpc.NewClient() would improve code consistency and align with the recommended API.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 59, The sbom manager currently uses the deprecated
grpc.Dial() call in pkg/sbommanager/v1/sbom_manager.go; replace that call with
grpc.NewClient(...) to match the rest of the codebase (as used in
pkg/sbomscanner/*). Specifically, find the grpc.Dial(...) invocation (and its
returned conn variable) in the SBOM manager initialization, call
grpc.NewClient(ctx, target, opts...) instead, update the variable/type to the
returned grpc.Client, adjust any subsequent uses (e.g., connection methods and
Close semantics) to the new client API, and update imports if necessary so the
file mirrors the grpc.NewClient usage pattern from the sbomscanner clients.


📥 Commits

Reviewing files that changed from the base of the PR and between 1746a8d and cad0de6.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@github-actions

Performance Benchmark Results

Node-Agent Resource Usage

  Metric              BEFORE    AFTER     Delta
  Avg CPU (cores)     0.159     0.156     -1.9%
  Peak CPU (cores)    0.166     0.163     -1.7%
  Avg Memory (MiB)    399.249   312.275   -21.8%
  Peak Memory (MiB)   416.289   315.992   -24.1%

Dedup Effectiveness (AFTER only)

  Event Type     Passed   Deduped   Ratio
  capabilities   0        0         N/A
  hardlink       6000     0         0.0%
  http           1704     119456    98.6%
  network        900      77926     98.9%
  open           33026    623220    95.0%
  symlink        6000     0         0.0%
  syscall        976      1892      66.0%

Event Counters

  Metric               BEFORE   AFTER
  capability_counter   10       7
  dns_counter          1442     1408
  exec_counter         7287     7077
  network_counter      95660    92997
  open_counter         798671   776568
  syscall_counter      3676     3363

@matthyx matthyx merged commit 08e93f0 into main Apr 17, 2026
28 checks passed
@matthyx matthyx deleted the bump branch April 17, 2026 12:15