deps: bump vitess 0.17.6 -> 0.22.4, grpc -> 1.79.3, Go -> 1.24 #155
Draft
mcrauwel wants to merge 2 commits into
Clears the open Dependabot security alerts that have a fix available and unblocks building under modern Go toolchains (vitess 0.17.6 fails to link under Go >= 1.23 due to the runtime.roundupsize linkname change).

Dependency changes:
- vitess.io/vitess v0.17.6 -> v0.22.4 (critical + 2 medium alerts)
- google.golang.org/grpc v1.65.0 -> v1.79.3 (critical alert)
- go-sql-driver/mysql v1.8.1 -> v1.9.3, edwards25519 -> v1.1.1 (low alert)
- transitive x/net -> v0.48.0 and glog -> v1.2.5 (medium alerts) via tidy
- go directive 1.22.2 -> 1.24.0; go mod tidy raises it to 1.24.13 because vitess v0.22.4 requires that floor, so CI needs Go >= 1.24.13

Code changes for vitess API churn (purely mechanical):
- DecodePosition moved from go/mysql to go/mysql/replication; repoint the import and the four call sites in planetscale_edge_database.go
- vtgateservice.VitessClient gained ExecuteMulti and StreamExecuteMulti; add no-op stubs to vstreamClientMock

Remaining open alert: the high-severity vitess advisory (affects <= 0.23.2) has no patched release available upstream, so it cannot be cleared yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
5d59ecb to 15fd006
The grpc/protobuf bump pulled in google.golang.org/protobuf v1.36.10, which deprecated MessageInfo.Exporter. The checked-in code was generated by protoc-gen-go v1.34.1 and still referenced it, failing staticcheck (SA1019). Regenerate with protoc-gen-go v1.36.10. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Bumps vitess, grpc and the Go version to clear the open Dependabot security alerts that have a fix available, and to unblock building under modern Go toolchains. vitess 0.17.6 fails to link under Go ≥ 1.23 (the runtime.roundupsize linkname change), so the Go bump is gated on the vitess bump — they're one change.

Dependency changes
- vitess.io/vitess v0.17.6 → v0.22.4 — clears 1 critical + 2 medium alerts
- google.golang.org/grpc v1.65.0 → v1.79.3 — clears 1 critical alert
- github.com/go-sql-driver/mysql v1.8.1 → v1.9.3, filippo.io/edwards25519 → v1.1.1 — clears 1 low alert
- golang.org/x/net → v0.48.0, github.com/golang/glog → v1.2.5 (via go mod tidy) — clears 2 medium alerts
- go mod tidy raises it to 1.24.13 because vitess v0.22.4 declares that floor. CI/Buildkite must run Go ≥ 1.24.13.

Alert result: 8 of 9 cleared. The remaining HIGH vitess advisory (affects <= 0.23.2) has no patched release upstream, so it cannot be cleared at any version yet.

Code changes (purely mechanical vitess API churn)
- DecodePosition moved from go/mysql to go/mysql/replication — repointed the import and its four call sites in planetscale_edge_database.go.
- vtgateservice.VitessClient gained ExecuteMulti and StreamExecuteMulti — added no-op stubs to vstreamClientMock.

No behavioral changes.

Testing
- go build ./..., go vet ./... clean; cmd/e2e compiles.
- cmd/internal and cmd/airbyte-source unit tests pass — notably on local Go 1.25.3, which previously could not link vitess at all.
- cmd/e2e suite (needs a real DB) has not been run — must pass on Buildkite before merge.

🤖 Generated with Claude Code