Skip to content

dependency: bump * for June 11, 2026#21959

Merged
ahrtr merged 5 commits into
etcd-io:mainfrom
vivekpatani:dep-bump-2026-06-11
Jun 22, 2026
Merged

dependency: bump * for June 11, 2026#21959
ahrtr merged 5 commits into
etcd-io:mainfrom
vivekpatani:dep-bump-2026-06-11

Conversation

@vivekpatani

@vivekpatani vivekpatani commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

This pull request completes this week's etcd dependency updates following our dependency roster and dependency management instructions.

Bumped:

Purely Indirect:

@k8s-ci-robot

Copy link
Copy Markdown

Hi @vivekpatani. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ahrtr

ahrtr commented Jun 12, 2026

Copy link
Copy Markdown
Member

/ok-to-test

Comment thread bill-of-materials.json
@codecov

codecov Bot commented Jun 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.73%. Comparing base (8bd9509) to head (0208ed2).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

see 22 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #21959      +/-   ##
==========================================
+ Coverage   69.65%   69.73%   +0.08%     
==========================================
  Files         449      449              
  Lines       38172    38172              
==========================================
+ Hits        26588    26620      +32     
+ Misses      10152    10119      -33     
- Partials     1432     1433       +1     

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8bd9509...0208ed2. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ivanvc

ivanvc commented Jun 15, 2026

Copy link
Copy Markdown
Member

@vivekpatani, can you drop 8f42705? We should only focus on Go dependency bumps. That Dockerfile is used to track the latest version to keep .devcontainer/devcontainer.json. I may drop the SHA if it gets too noisy. Thanks.

@ivanvc

ivanvc commented Jun 15, 2026

Copy link
Copy Markdown
Member

@vivekpatani, it would also be helpful if you could list the actions for this PR. As a reference, previous PRs #21773 list which ones are indirect, which ones are bumped, etc.

@ahrtr

ahrtr commented Jun 17, 2026

Copy link
Copy Markdown
Member

@vivekpatani can you please resolve the review comments? The new wave of dependabot PRs may come soon.

See upstream PR etcd-io#21946.

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
…om 1.43.0 to 1.44.0

See upstream PR etcd-io#21948.

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
…lptracegrpc from 1.43.0 to 1.44.0

See upstream PR etcd-io#21949.

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
See upstream PR etcd-io#21944.

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
See upstream PR etcd-io#21945.

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
@vivekpatani vivekpatani force-pushed the dep-bump-2026-06-11 branch from 0f3eadd to 0208ed2 Compare June 17, 2026 21:21
@vivekpatani

Copy link
Copy Markdown
Contributor Author

can you drop 8f42705? We should only focus on Go dependency bumps. That Dockerfile is used to track the latest version to keep .devcontainer/devcontainer.json. I may drop the SHA if it gets too noisy. Thanks.

Dropped.

can you please resolve the review comments? The new wave of dependabot PRs may come soon.

Done.

it would also be helpful if you could list the actions for this PR. As a reference, previous PRs #21773 list which ones are indirect, which ones are bumped, etc.

Updated the description: #21959 (comment)

Thank you @ahrtr @ivanvc feel free to feedback, appreciate it.

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

/test pull-etcd-govulncheck

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

The workflow failure seems not related to this PR.

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

/test pull-etcd-govulncheck

@k8s-ci-robot

Copy link
Copy Markdown

@vivekpatani: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-etcd-govulncheck 0208ed2 link true /test pull-etcd-govulncheck

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@vivekpatani

Copy link
Copy Markdown
Contributor Author

Correct, @ahrtr @ivanvc

From another PR I submitted here:

the govulncheck failure isn't from this PR. govulncheck is installed @latest (scripts/test.sh), and it rolled from v1.3.0 (x-tools v0.44.0) to v1.4.0 (x-tools v0.46.0), which panics on a generic in github.com/olekukonko/ll (pulled in via tablewriter, used by etcdctl/etcdutl/tests). #21971 passed govulncheck on Jun 16 with v1.3.0 and the same olekukonko/ll v0.1.6; this PR hit v1.4.0 on Jun 17 and panicked. it'll hit main and other PRs once they're retested, so we should pin govulncheck instead of @latest?

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

Generated by claude code.

Root Cause

The panic is caused by a combination of two things:

1. New cache package uses Go generics

The cache package (e.g., cache/ringbuffer.go:17) uses generic type parameters:

type ringBuffer[T any] struct { ... }
type entry[T any] struct { ... }
type RevisionOf[T any] func(T) int64

2. golang.org/x/tools@v0.46.0 panics on *types.TypeParam

When govulncheck runs, it:

  1. Builds an SSA (Static Single Assignment) representation of all packages
  2. Calls ssa.(*Program).RuntimeTypes() to enumerate all concrete types
  3. That calls ForEachElement in golang.org/x/tools/internal/typesinternal
  4. ForEachElement hits a *types.TypeParam (a generic type parameter) and explicitly panics

Looking at v0.45.0's element.go:124-126 (same logic exists in v0.46.0):

case *types.TypeParam, *types.Union:
    // forEachReachable must not be called on parameterized types.
    panic(T)

In v0.46.0 the panic message was made more descriptive: "ForEachElement called on type containing *types.TypeParam" — which is exactly what appears in the stack trace.

Summary

The cache package's use of Go generics introduced *types.TypeParam into the type graph. govulncheck@v1.4.0 (using golang.org/x/tools@v0.46.0) builds a call graph via SSA analysis, which internally calls ForEachElement — a function that explicitly panics when it encounters a generic type parameter, because it was not designed to handle parameterized types.

This is effectively a bug in govulncheck/golang.org/x/tools: the call graph analysis doesn't support Go generics. The fix needs to come from upstream — either golang.org/x/tools fixes ForEachElement to handle *types.TypeParam, or golang.org/x/vuln avoids calling RuntimeTypes() on SSA programs that contain instantiated generics.

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

It looks like a bug in govulncheck/golang.org/x/tools. I am OK to ping to govulncheck@v1.3.0 for now to workaround it. Pls feel free to deliver a PR. @vivekpatani Once it's confirmed and fixed by govulncheck and/or golang.org/x/tools, we can revert the change.

@ahrtr

ahrtr commented Jun 18, 2026

Copy link
Copy Markdown
Member

We are not alone. golang/go#80059

@k8s-ci-robot

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahrtr, vivekpatani

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ahrtr ahrtr merged commit 6c84057 into etcd-io:main Jun 22, 2026
33 of 34 checks passed
@vivekpatani vivekpatani deleted the dep-bump-2026-06-11 branch June 22, 2026 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Development

Successfully merging this pull request may close these issues.

4 participants