
fix(deps): update module github.com/klauspost/compress to v1.18.6 #4

Open

alaudaa-renovate[bot] wants to merge 1 commit into main from renovate/github.com-klauspost-compress-1.18.x

Conversation

alaudaa-renovate[bot] commented Apr 10, 2026

This PR contains the following updates:

Package                         Change
github.com/klauspost/compress   v1.18.0 -> v1.18.6

Release Notes

klauspost/compress (github.com/klauspost/compress)

v1.18.6

Full Changelog: klauspost/compress@v1.18.5...v1.18.6

v1.18.5

Full Changelog: klauspost/compress@v1.18.4...v1.18.5

v1.18.4

Full Changelog: klauspost/compress@v1.18.2...v1.18.4

v1.18.3

Downstream CVE-2025-61728

See https://github.com/golang/go/issues/77102

Full Changelog: klauspost/compress@v1.18.2...v1.18.3

v1.18.2

v1.18.1 is marked "retracted" due to invalid flate/zip/gzip encoding.

Full Changelog: klauspost/compress@v1.18.1...v1.18.2

v1.18.1

Full Changelog: klauspost/compress@v1.18.0...v1.18.1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

alaudaa-renovate[bot] (author) commented:

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • The go directive was updated for compatibility reasons

Details:

Package   Change
go        1.23.0 -> 1.24
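The go directive bump reported above is not something Renovate chose: since Go 1.21 the main module's go line must be at least as new as that of every module it requires, so go get raises it whenever a dependency declares a newer one. The following Go program is an added example, not code from this repository or from Renovate; it reproduces that check offline on constructed go.mod contents. Only the consumer's go line (1.23.0) comes from this page; the module path example.invalid/storage, the second dependency and both dependency go.mod files are assumptions written to reproduce the bump the PR shows.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goDirective returns the value of the single-line "go X.Y[.Z]" directive in a
// go.mod file. Nothing else in the file is parsed; that is all this check needs.
func goDirective(gomod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "go" {
			return f[1], true
		}
	}
	return "", false
}

// compareGoVersion orders two go directive values numerically per component,
// reading a missing patch component as 0, so "1.23.0" < "1.24" and
// "1.24" == "1.24.0". Assumption: the toolchain's own ordering places the bare
// language version 1.24 just before 1.24.0; that only matters for release
// candidates and is collapsed here. Returns -1, 0 or 1.
func compareGoVersion(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < 3; i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// requiredGoVersion applies the rule go get enforces since Go 1.21: the main
// module's go directive must be at least as new as that of every module it
// requires. It returns the lowest directive the main module can keep and the
// sorted list of dependencies that push it above its current value.
func requiredGoVersion(mainGoMod string, depGoMods map[string]string) (string, []string, error) {
	cur, ok := goDirective(mainGoMod)
	if !ok {
		return "", nil, fmt.Errorf("main go.mod has no go directive")
	}
	need, forcing := cur, []string{}
	for path, gm := range depGoMods {
		v, ok := goDirective(gm)
		if !ok {
			continue // the toolchain assumes go 1.16 for such a module: no floor above ours
		}
		if compareGoVersion(v, cur) > 0 {
			forcing = append(forcing, path)
			if compareGoVersion(v, need) > 0 {
				need = v
			}
		}
	}
	sort.Strings(forcing)
	return need, forcing, nil
}

// Constructed inputs. Only the consumer's go line (1.23.0) comes from the PR
// page; the module path, the second dependency and both dependency go.mod
// files are assumptions written to reproduce the bump Renovate reported.
const consumerGoMod = `module example.invalid/storage

go 1.23.0

require (
	github.com/klauspost/compress v1.18.6
	example.invalid/other v0.3.0
)
`

var dependencyGoMods = map[string]string{
	"github.com/klauspost/compress": "module github.com/klauspost/compress\n\ngo 1.24\n",
	"example.invalid/other":         "module example.invalid/other\n\ngo 1.21\n",
}

func main() {
	need, forcing, err := requiredGoVersion(consumerGoMod, dependencyGoMods)
	if err != nil {
		panic(err)
	}
	cur, _ := goDirective(consumerGoMod)
	fmt.Printf("go %s must rise to %s, forced by %s\n", cur, need, strings.Join(forcing, ", "))
}
```

The practical consequence for this PR: editing the directive back to 1.23.0 by hand is not a fix, because a go.mod whose go line is older than a requirement's is rejected at the next go build or go mod tidy. Keeping Go 1.23 support means pinning github.com/klauspost/compress to a release whose go.mod still allows it; otherwise the floor moves to 1.24. Note also that with the default GOTOOLCHAIN=auto a Go 1.23 installation does not fail on a go 1.24 line but downloads a 1.24 toolchain on its own, which is worth knowing before treating the bump as an outright build break.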

alaudabot commented Apr 10, 2026

🤖 AI Code Review

Model: opencode/minimax-m2.5-free
Style: strict
Issues Found: 1
Config Source: centralized
Profile: ❌ Not Found
Personalized Prompt: ❌ No
Prompt Path: .github/review/profiles/alaudadevops/storage/pr-review.md
Alauda Skills: ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at: 2026-05-11 21:31:10 UTC

Summary

This PR updates the github.com/klauspost/compress dependency from v1.18.0 to v1.18.6 (including CVE-2025-61728 security fix), but also inadvertently bumps the Go version declaration from 1.23.0 to 1.24.0 in go.mod. The dependency changes are in vendor/ only. The Go version bump is a critical concern as it raises the minimum Go version requirement beyond what the PR title/intent suggests.

Review Statistics

Critical Issues: 1
Warnings: 0
Suggestions: 1
Files Reviewed: 3

Critical Issues

  • [go.mod:2] (bug/breaking-change): The go version directive is changed from 1.23.0 to 1.24.0. This raises the minimum Go version requirement for this project. If the project is intended to support Go 1.23, this change may break compatibility for users on older Go versions. Ensure this version bump is intentional and not an unintended side effect of the dependency update.

Warnings

(None)

Suggestions

  • [vendor/modules.txt:34] (refactor/cleanup): Consider running go mod tidy to ensure go.mod and go.sum are fully consistent after the vendor update, and verify the Go version directive change is intentional before merging.

Positive Feedback

  • The dependency update from v1.18.0 to v1.18.6 includes important security fixes: CVE-2025-61728 is addressed in v1.18.3.
  • The new ResetWithOptions method added to Encoder and Decoder (in vendor changes) provides more flexibility for encoder/decoder reuse.
  • The new simple_go124.go file adds EncodeTo/DecodeTo convenience functions for simple compression use cases.
  • README and documentation files in vendor are kept up-to-date with the upstream library.


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: a5ba7c9bfeb72d3920971664d476ed377fcc5b94
  • No repository-specific prompt configured

danielfbm commented:

PR Assist Bot Analysis

Failure Type: Infrastructure / Migration
Failed Checks: run (5s failure)
Root Cause: The run workflow attempts to auto-close all PRs with message: 'This repository has been migrated to https://github.com/containers/container-libs. Please open your PR there.' The action failed with Resource not accessible by integration (permissions issue).
Recommendation: Verify if this fork is still actively maintained. If the repo has migrated, this security bump should be applied upstream at https://github.com/containers/container-libs instead.

alaudabot commented:

/retest

alaudabot commented:

PR Assist Bot Analysis

Status: PR is mergeable, but blocked by a stale GitHub Actions check.
Failing Check: run (5s failure) — the superbrothers/close-pull-request workflow tried to auto-close this PR ~10 days ago and failed with Resource not accessible by integration (insufficient token permissions).
Note: This check cannot be re-triggered via /retest (GitHub Actions, not PaC). The check is stale and unrelated to the code changes (compress v1.18.5).
Recommendation: A repository admin should either re-run the failed workflow, dismiss the check, or bypass the branch protection to merge this valid security update.

alaudabot commented:

PR Assist Bot Analysis

Status: Merge blocked — review required
Checks: AI Code Review ✅, but run check failed
Reason: Branch protection requires at least one approving review. Additionally the run GitHub Actions check failed.
Action: Please have a maintainer review this PR at #4

Signed-off-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
alaudaa-renovate[bot] force-pushed the renovate/github.com-klauspost-compress-1.18.x branch from 9c1978f to 8fdfb63 on May 11, 2026
alaudaa-renovate[bot] changed the title from "fix(deps): update module github.com/klauspost/compress to v1.18.5" to "fix(deps): update module github.com/klauspost/compress to v1.18.6" on May 11, 2026

Comment thread on go.mod
@@ -1,5 +1,5 @@
// Deprecated: Use go.podman.io/storage instead.
go 1.23.0
go 1.24
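Review bot: reverting this line to keep Go 1.23 support is not a valid fix. go get raised it because a required module now declares a newer go directive (Renovate's artifact notice says as much), and since Go 1.21 the main module's go line must be at least as new as every requirement's, so a hand edit back to `go 1.23.0` is rejected at the next go build or go mod tidy. The real decision is between accepting Go 1.24 as the floor and pinning github.com/klauspost/compress to a release whose go.mod still allows 1.23; the review comment below quotes the new value as 1.24.0, but what is written is `go 1.24`, which any 1.24.x toolchain satisfies, and with the default GOTOOLCHAIN=auto a 1.23 installation downloads one rather than failing. Note also the unchanged `// Deprecated: Use go.podman.io/storage instead.` header in the same hunk: this copy of the module is already deprecated, which matches the migration notice in the thread, so the bump may belong upstream.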


Critical (bug/breaking-change): The go version directive is bumped from 1.23.0 to 1.24.0. This raises the minimum Go version requirement for the project. If this project is intended to support Go 1.23, this change may break compatibility for users on older Go versions. Please verify this version bump is intentional and not an unintended side effect of the dependency vendor update.

alaudabot commented:

🚨 Stale Pull Request Warning

This pull request has been inactive for 34 days.

Automated Actions Schedule:

  • ⚠️ Warning: After 30 days (now)
  • 🔒 Auto-close: After 60 days
  • 🗑️ Branch deletion: After 90 days (if not protected)

To keep this PR active:

  • Add new commits
  • Reply to this comment
  • Request reviews

Protected branches (won't be deleted): main,release-*,alauda-*

This is an automated message. Reply to this comment to reset the inactivity timer.
