Skip to content

chore: update go version and package dependencies#782

Open
vfusco wants to merge 1 commit into
feature/bump-contracts-3.0from
feature/update-dependencies
Open

chore: update go version and package dependencies#782
vfusco wants to merge 1 commit into
feature/bump-contracts-3.0from
feature/update-dependencies

Conversation

@vfusco
Copy link
Copy Markdown
Collaborator

@vfusco vfusco commented Jun 6, 2026

No description provided.

@vfusco vfusco added this to the 2.0.0 milestone Jun 6, 2026
@vfusco vfusco requested review from Copilot and mpolitzer June 6, 2026 16:00
@vfusco vfusco self-assigned this Jun 6, 2026
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 6, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgithub.com/​ethereum/​go-ethereum@​v1.17.0 ⏵ v1.17.37610010010070
Updatedgithub.com/​aws/​aws-sdk-go-v2@​v1.41.2 ⏵ v1.41.1271100100100100
Updatedgithub.com/​jackc/​pgx/​v5@​v5.8.0 ⏵ v5.10.073100 +75100100100
Updatedgolang.org/​x/​text@​v0.34.0 ⏵ v0.37.077100100100100
Updatedgithub.com/​aws/​aws-sdk-go-v2/​config@​v1.32.10 ⏵ v1.32.2388 +1100100100100
Updatedgithub.com/​oapi-codegen/​runtime@​v1.1.2 ⏵ v1.4.198100100100100
Updatedgithub.com/​go-jet/​jet/​v2@​v2.14.1 ⏵ v2.15.099 +2100100100100
Updatedgithub.com/​aws/​aws-sdk-go-v2/​service/​kms@​v1.50.1 ⏵ v1.53.399 +1100100100100
Updatedgolang.org/​x/​sync@​v0.19.0 ⏵ v0.20.099100100100100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 6, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/pelletier/go-toml/v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/spf13/viper@v1.21.0golang/github.com/pelletier/go-toml/v2@v2.3.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/pelletier/go-toml/v2@v2.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang golang.org/x/tools is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/golang.org/x/text@v0.37.0golang/github.com/ethereum/go-ethereum@v1.17.3golang/github.com/deepmap/oapi-codegen/v2@v2.2.0golang/golang.org/x/tools@v0.44.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/tools@v0.44.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot AI reviewed Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the module’s Go/tooling baseline and refreshes Go dependencies, along with updating the third-party license reporting template to reflect the new dependency set.

Changes:

  • Bump the Go version declared in go.mod and update a set of direct/indirect Go module dependencies (reflected in go.sum).
  • Update THIRD_PARTY_LICENSES.md entries to match the updated dependency graph (including newly introduced modules).
  • Adjust the go-licenses template (dev/licenses.tpl) to include the document header and trim trailing whitespace.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File Description
THIRD_PARTY_LICENSES.md Updates recorded dependency versions/licenses to match the new module set.
go.mod Bumps the Go version directive and updates several direct/indirect dependency versions.
go.sum Updates module checksums to reflect dependency version changes.
dev/licenses.tpl Updates the go-licenses report template (adds header; trims trailing whitespace).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go.mod
Comment thread dev/licenses.tpl
@vfusco vfusco force-pushed the feature/update-dependencies branch from fe6c89e to 61418ae Compare June 6, 2026 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mpolitzer mpolitzer Awaiting requested review from mpolitzer

Assignees

@vfusco vfusco

Labels

None yet

Projects

Rollups SDK
Status: Todo

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@vfusco