Skip to content

build(deps): bump updater backend snapshot to pgx v5#1414

Open
ervcz wants to merge 2 commits into
mainfrom
fix/updater-pgx-v5-upgrade
Open

build(deps): bump updater backend snapshot to pgx v5#1414
ervcz wants to merge 2 commits into
mainfrom
fix/updater-pgx-v5-upgrade

Conversation

@ervcz

@ervcz ervcz commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

What

Bump the updater module's pinned backend snapshot to the merged pgx v5 commit (#1413), dropping the flagged jackc/pgx/v4 and jackc/pgproto3/v2 indirect dependencies.

Why

Clears the two alerts the updater inherited through its stale backend pin:

Follow-up to #1413, as noted there.

Notes

  • The snapshot raises the module to Go 1.25; CI installs it automatically via go-version-file, so no workflow changes are needed.
  • It also pulls a newer go-omaha where UpdateResponse.Manifest is now a slice, so newUpdateInfo reads it accordingly — no behavior change.

Testing

go build ./..., go vet ./..., go mod verify, and go test ./... against PostgreSQL 17 all pass.

@ervcz ervcz requested a review from a team as a code owner July 7, 2026 07:49
Copilot AI review requested due to automatic review settings July 7, 2026 07:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the updater module’s pinned backend snapshot (bringing in the pgx v5 upgrade referenced in #1413) and adjusts the updater’s Omaha response parsing to match a newer go-omaha API that can return multiple manifests.

Changes:

  • Bump github.com/flatcar/nebraska/backend snapshot used by the updater (to pick up pgx v5 and drop flagged pgx/v4 + pgproto3/v2).
  • Update newUpdateInfo to read from UpdateCheck.Manifests instead of a single UpdateCheck.Manifest.
  • Refresh updater/go.mod and updater/go.sum accordingly (including go 1.25.0 alignment with backend).

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File Description
updater/updateinfo.go Switch updater parsing to use UpdateCheck.Manifests from go-omaha.
updater/go.mod Bump pinned backend/go-omaha versions and refresh indirect deps.
updater/go.sum Recompute dependency checksums after the snapshot + dependency updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread updater/updateinfo.go Outdated
Comment thread updater/updateinfo.go Outdated
@ervcz ervcz marked this pull request as draft July 7, 2026 07:58
@ervcz ervcz force-pushed the fix/updater-pgx-v5-upgrade branch 2 times, most recently from 5658052 to caaa867 Compare July 7, 2026 09:08
@ervcz ervcz marked this pull request as ready for review July 7, 2026 10:13
Copilot AI review requested due to automatic review settings July 7, 2026 10:13
@ervcz ervcz force-pushed the fix/updater-pgx-v5-upgrade branch from caaa867 to 747a7ca Compare July 7, 2026 10:14
@ervcz ervcz requested a review from krnowak July 7, 2026 10:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Comment thread updater/updateinfo.go Outdated
Copilot AI review requested due to automatic review settings July 7, 2026 10:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Bump the pinned github.com/flatcar/nebraska/backend module to the merged pgx v5 commit, dropping the flagged jackc/pgx/v4 and jackc/pgproto3/v2 indirect dependencies (CVE-2026-41889, CVE-2026-32286).

The snapshot also raises the module to Go 1.25 and a newer go-omaha whose UpdateResponse.Manifest is now a slice; newUpdateInfo reads it accordingly, with no behavior change.

Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
@ervcz ervcz force-pushed the fix/updater-pgx-v5-upgrade branch from 747a7ca to 3732a0b Compare July 7, 2026 10:18
- Change event type from InstallStarted to InstallComplete
- Ensure accurate tracking of installation lifecycle

Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
Copilot AI review requested due to automatic review settings July 9, 2026 08:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

Comment thread updater/updateinfo.go
@John15321

Copy link
Copy Markdown
Member

Im not knowledgeable when it comes sto Nebraska, but trying to help with reviews as I know its hard to get them. My understanding is that in this PR we add a semi-check by always taking the first manifest, in case there are multiple passed, ignoring the rest of them + updating packages?

@ervcz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants