Skip to content

chore(deps): consolidated dependency refresh#2503

Closed
devarismeroxa wants to merge 1 commit into
mainfrom
chore/dependency-refresh-2026-07
Closed

chore(deps): consolidated dependency refresh#2503
devarismeroxa wants to merge 1 commit into
mainfrom
chore/dependency-refresh-2026-07

Conversation

@devarismeroxa

Copy link
Copy Markdown
Contributor

Bumps the main module's outstanding dependency updates in one green, tidied change instead of merging several behind-main dependabot PRs whose CI was failing only on stale lint/generated-file checks.

Direct

Indirect (security / transitive)

Notable: go directive 1.24.2 → 1.25.0

Forced by grpc 1.81, x/net 0.55, otel 1.43, and grpc-gateway 2.29, which all now require go 1.25. This raises the minimum Go to build Conduit — flagging for visibility.

Deliberately excluded (handled separately)

Verification

go build ./..., go vet, and unit tests for pkg/http, pkg/schemaregistry, pkg/foundation all pass; go mod verify clean.

Risk tier

Tier 3 (deps). Automated gates apply.

🤖 Generated with Claude Code

…abot PRs)

Bumps the main module's outstanding dependency updates in one green,
tidied change instead of merging several behind-main dependabot PRs
whose CI was failing only on stale lint/generated-file checks.

Direct:
- google.golang.org/grpc 1.80.0 -> 1.81.0 (#2495)
- github.com/grpc-ecosystem/grpc-gateway/v2 2.28.0 -> 2.29.0 (#2486)

Indirect (security / transitive):
- golang.org/x/net 0.49.0 -> 0.55.0 (#2501)
- github.com/jackc/pgx/v5 5.7.5 -> 5.9.2 (#2490)
- github.com/apache/thrift 0.16.0 -> 0.23.0 (#2496)
- go.opentelemetry.io/otel 1.41 -> 1.43, golang.org/x/crypto 0.47 -> 0.51,
  and related golang.org/x updates pulled transitively.

Raises the go directive 1.24.2 -> 1.25.0: forced by grpc 1.81, x/net 0.55,
otel 1.43, and grpc-gateway 2.29, which all now require go 1.25.

Not included (handled separately):
- cohere-go 2.14.1 -> 2.18.0 (#2448): breaking API change (UserMessage,
  V2RerankRequest.ReturnDocuments) requiring a code migration in the cohere
  builtin processor.
- tools-module x/crypto/x/net/docker-cli bumps (#2411/#2440/#2500): indirect
  dev-tooling deps reverted by `go mod tidy`; not in the shipped binary.

Verified: go build ./..., go vet, and unit tests for http/schemaregistry/
foundation all pass; go mod verify clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@devarismeroxa

Copy link
Copy Markdown
Contributor Author

Closing this. Investigation showed the premise (a simple consolidated dependency refresh) doesn't hold: every current version of the core deps (grpc, grpc-gateway, x/net, otel, pgx, thrift) now declares go 1.25.0, so any of these bumps forces the module go directive to 1.25 — which in turn requires bumping the CI toolchain (golangci-lint, gofumpt, x/tools) and surfaces 34 pre-existing lint issues.

That's a deliberate Go 1.25 upgrade, not a routine refresh, so it's tracked properly in #2506 (with the full diagnosis, toolchain versions, and the list of surfaced fixes). The dependabot go.mod PRs this was meant to supersede will be resolved by that upgrade.

@devarismeroxa devarismeroxa deleted the chore/dependency-refresh-2026-07 branch July 4, 2026 13:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant