build(deps): bump updater backend snapshot to pgx v5#1414
Open
ervcz wants to merge 2 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the updater module’s pinned backend snapshot (bringing in the pgx v5 upgrade referenced in #1413) and adjusts the updater’s Omaha response parsing to match a newer go-omaha API that can return multiple manifests.
Changes:
- Bump
github.com/flatcar/nebraska/backendsnapshot used by the updater (to pick up pgx v5 and drop flagged pgx/v4 + pgproto3/v2). - Update
newUpdateInfoto read fromUpdateCheck.Manifestsinstead of a singleUpdateCheck.Manifest. - Refresh
updater/go.modandupdater/go.sumaccordingly (includinggo 1.25.0alignment with backend).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| updater/updateinfo.go | Switch updater parsing to use UpdateCheck.Manifests from go-omaha. |
| updater/go.mod | Bump pinned backend/go-omaha versions and refresh indirect deps. |
| updater/go.sum | Recompute dependency checksums after the snapshot + dependency updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5658052 to
caaa867
Compare
caaa867 to
747a7ca
Compare
Bump the pinned github.com/flatcar/nebraska/backend module to the merged pgx v5 commit, dropping the flagged jackc/pgx/v4 and jackc/pgproto3/v2 indirect dependencies (CVE-2026-41889, CVE-2026-32286). The snapshot also raises the module to Go 1.25 and a newer go-omaha whose UpdateResponse.Manifest is now a slice; newUpdateInfo reads it accordingly, with no behavior change. Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
747a7ca to
3732a0b
Compare
- Change event type from InstallStarted to InstallComplete - Ensure accurate tracking of installation lifecycle Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
Member
|
Im not knowledgeable when it comes sto Nebraska, but trying to help with reviews as I know its hard to get them. My understanding is that in this PR we add a semi-check by always taking the first manifest, in case there are multiple passed, ignoring the rest of them + updating packages? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bump the
updatermodule's pinnedbackendsnapshot to the merged pgx v5 commit (#1413), dropping the flaggedjackc/pgx/v4andjackc/pgproto3/v2indirect dependencies.Why
Clears the two alerts the
updaterinherited through its stalebackendpin:DataRowdecode panic / DoSFollow-up to #1413, as noted there.
Notes
go-version-file, so no workflow changes are needed.go-omahawhereUpdateResponse.Manifestis now a slice, sonewUpdateInforeads it accordingly — no behavior change.Testing
go build ./...,go vet ./...,go mod verify, andgo test ./...against PostgreSQL 17 all pass.