Skip to content

Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.40.0#153

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/onsi/gomega-1.39.1
Open

Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.40.0#153
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/onsi/gomega-1.39.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Copy link
Copy Markdown

Bumps github.com/onsi/gomega from 1.30.0 to 1.40.0.

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

v1.39.1

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

v1.39.0

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fallback to string comparison.

v1.38.3

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

v1.38.2

1.38.2

  • roll back to go 1.23.0 [c404969]

v1.38.1

1.38.1

Fixes

Numerous minor fixes and dependency bumps

v1.38.0

1.38.0

Features

  • gstruct handles extra unexported fields [4ee7ed0]

Fixes

  • support [] in IgnoringTopFunction function signatures (#851) [36bbf72]

Maintenance

  • Bump golang.org/x/net from 0.40.0 to 0.41.0 (#846) [529d408]

... (truncated)

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fallback to string comparison.

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

1.38.2

  • roll back to go 1.23.0 [c404969]

1.38.1

Fixes

Numerous minor fixes and dependency bumps

1.38.0

Features

  • gstruct handles extra unexported fields [4ee7ed0]

Fixes

  • support [] in IgnoringTopFunction function signatures (#851) [36bbf72]

Maintenance

  • Bump golang.org/x/net from 0.40.0 to 0.41.0 (#846) [529d408]
  • Fix typo [acd1f55]
  • Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#835) [bae65a0]
  • Bump nokogiri from 1.18.4 to 1.18.8 in /docs (#842) [8dda91f]
  • Bump golang.org/x/net from 0.39.0 to 0.40.0 (#843) [212d812]
  • Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#839) [59bd7f9]
  • Bump nokogiri from 1.18.1 to 1.18.4 in /docs (#834) [328c729]
  • Bump uri from 1.0.2 to 1.0.3 in /docs (#826) [9a798a1]

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 28, 2026
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Copy link
Copy Markdown

Walkthrough

Updated module dependencies in go.mod: bumped direct requirements (github.com/onsi/gomega, golang.org/x/crypto), added an indirect go.yaml.in/yaml/v3, and refreshed multiple indirect golang.org/x/*, google.golang.org/protobuf, and other transitive module versions. No code/API changes.

Changes

Dependency Version Updates

Layer / File(s) Summary
Primary requirements
go.mod
Updated direct requires: github.com/onsi/gomega (v1.30.0 → v1.40.0), golang.org/x/crypto (v0.41.0 → v0.47.0).
Indirect additions / bumps
go.mod
Added go.yaml.in/yaml/v3 as indirect; bumped golang.org/x/term (v0.34.0 → v0.39.0) and google.golang.org/protobuf (v1.34.0 → v1.36.7).
Transitive ecosystem updates
go.mod
Bumped indirects: github.com/google/go-cmp (v0.6.0 → v0.7.0), golang.org/x/net (v0.43.0 → v0.49.0), golang.org/x/sys (v0.35.0 → v0.40.0), golang.org/x/text (v0.28.0 → v0.33.0), golang.org/x/tools (v0.36.0 → v0.40.0) and others listed in go.mod.
Lock / tidy implications
go.mod
File reflects a go mod tidy-style refresh: version bumps and indirect entry adjustments only; no source changes.
Tests / CI (if present)
go.mod, CI files*
No tests or CI files changed in this diff; reviewer may run go test/go mod tidy locally to validate builds. (*not included in PR)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title mentions bumping gomega from 1.30.0 to 1.39.1, but the actual changes in go.mod show gomega updated to v1.40.0, creating a mismatch with the stated version. Update the PR title to accurately reflect that gomega was bumped to v1.40.0, not v1.39.1, to match the actual changeset.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description is related to the changeset, providing release notes and changelog information for the gomega dependency update, despite version inconsistencies with the title.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/go_modules/github.com/onsi/gomega-1.39.1

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 92-95: The go.mod currently pins github.com/golang/glog to v1.2.0
which is vulnerable; update that dependency to v1.2.4 (or later) by replacing
the line "github.com/golang/glog v1.2.0" with "github.com/golang/glog v1.2.4"
(or run `go get github.com/golang/glog@v1.2.4`) and then run `go mod tidy` to
refresh the module graph; verify builds and tests to ensure no regressions after
updating the glog dependency.
- Around line 73-77: Update the vulnerable dependency golang.org/x/oauth2
(currently listed as golang.org/x/oauth2 v0.19.0) to v0.27.0 or later in go.mod;
change the version spec to the new version, run go get
golang.org/x/oauth2@v0.27.0 (or go get golang.org/x/oauth2@latest) and then run
go mod tidy to refresh go.sum, and finally run your test/build to ensure
compatibility with the updated module.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 44004663-7a4c-4861-a123-e161a15adee7

📥 Commits

Reviewing files that changed from the base of the PR and between 6202709 and 8163548.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated
Comment on lines +73 to +77
golang.org/x/mod v0.32.0 // indirect
golang.org/x/oauth2 v0.19.0 // indirect
golang.org/x/term v0.34.0 // indirect
google.golang.org/protobuf v1.34.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/term v0.39.0 // indirect
google.golang.org/protobuf v1.36.7 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify known vulnerabilities and fixed versions for golang.org/x/oauth2
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"golang.org/x/oauth2"},"version":"0.19.0"}' | jq .

Repository: openshift-online/ocm-common

Length of output: 4067


Upgrade vulnerable golang.org/x/oauth2 from v0.19.0 to v0.27.0 or later.

golang.org/x/oauth2 v0.19.0 contains a HIGH-severity vulnerability (CVE-2025-22868) that allows malformed tokens to cause unexpected memory consumption. Upgrade to v0.27.0 or later to patch this issue.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 74-74: golang.org/x/oauth2 0.19.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 74-74: golang.org/x/oauth2 0.19.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 73 - 77, Update the vulnerable dependency
golang.org/x/oauth2 (currently listed as golang.org/x/oauth2 v0.19.0) to v0.27.0
or later in go.mod; change the version spec to the new version, run go get
golang.org/x/oauth2@v0.27.0 (or go get golang.org/x/oauth2@latest) and then run
go mod tidy to refresh go.sum, and finally run your test/build to ensure
compatibility with the updated module.

Comment thread go.mod Outdated
Comment on lines +92 to +95
github.com/go-logr/logr v1.4.3 // indirect
github.com/golang/glog v1.2.0
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify known vulnerabilities and fixed versions for github.com/golang/glog
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"github.com/golang/glog"},"version":"1.2.0"}' | jq .

Repository: openshift-online/ocm-common

Length of output: 7695


Upgrade github.com/golang/glog to v1.2.4 or later.

github.com/golang/glog v1.2.0 contains CVE-2024-45339 (GHSA-6wxm-mpqj-6jpf), an insecure temporary file vulnerability that allows unprivileged attackers to predict log file paths and pre-create symlinks to sensitive files, leading to file overwrite. This is fixed in v1.2.4.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 93-93: github.com/golang/glog 1.2.0: Vulnerability when creating log files in github.com/golang/glog

(GO-2025-3372)


[HIGH] 93-93: github.com/golang/glog 1.2.0: Insecure Temporary File usage in github.com/golang/glog

(GHSA-6wxm-mpqj-6jpf)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 92 - 95, The go.mod currently pins
github.com/golang/glog to v1.2.0 which is vulnerable; update that dependency to
v1.2.4 (or later) by replacing the line "github.com/golang/glog v1.2.0" with
"github.com/golang/glog v1.2.4" (or run `go get github.com/golang/glog@v1.2.4`)
and then run `go mod tidy` to refresh the module graph; verify builds and tests
to ensure no regressions after updating the glog dependency.

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.40.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.30.0...v1.40.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.39.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.39.1 Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.40.0 May 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.39.1 branch from 8163548 to 7ea1dcc Compare May 11, 2026 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants