chore: update golang dependencies

[yk-eukarya]

Summary by CodeRabbit

• New Features

  • Updated various dependencies to their latest versions, enhancing compatibility and functionality.

• Bug Fixes

  • Addressed potential issues by updating the AWS SDK and Google Cloud libraries.

• Documentation

  • Code generation tool version updated across multiple files, ensuring consistency in generated code.

• Chores

  • Routine maintenance of dependency versions in both server and worker modules.

[coderabbitai]

Walkthrough

The changes involve significant updates to the go.mod files for both the server and worker modules, primarily focusing on dependency version increments for various libraries. Additionally, several resolver files have been updated to reflect a new version of the gqlgen code generation tool. These updates include both direct and indirect dependencies, ensuring compatibility with the latest versions of external libraries and tools.

Changes

File Path	Change Summary
server/go.mod	Updated dependency versions for multiple libraries including AWS SDK, MongoDB driver, and Google Cloud libraries. New indirect dependencies added, and some removed.
worker/go.mod	Similar updates to dependency versions as in the server module, including AWS SDK and Google Cloud libraries. Introduced new indirect dependencies.
server/internal/adapter/gql/resolver__shared.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_asset.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_field.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_group.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_integration.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_integration_webhook.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_item.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_item_view.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_model.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_project.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_request.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_schema.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_thread.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_user.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_workspace.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/gql/resolver_workspacesettings.go	Updated code generation version from v0.17.54 to v0.17.55; no changes to resolver logic.
server/internal/adapter/integration/server.gen.go	Updated code generator version from v2.4.0 to v2.4.1; no changes to logic.
server/pkg/integrationapi/types.gen.go	Updated code generator version from v2.4.0 to v2.4.1; no changes to logic.

Poem

🐇 In the meadow where code does bloom,
Dependencies dance, dispelling the gloom.
With versions updated, our tools are bright,
A hop and a skip, we code through the night.
New paths we forge, with each little change,
In the world of code, nothing feels strange! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[netlify]

✅ Deploy Preview for reearth-cms canceled.

Name	Link
🔨 Latest commit	28aac7a
🔍 Latest deploy log	https://app.netlify.com/sites/reearth-cms/deploys/671f340f1c95150008460c9d

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between c23dfad and 28aac7a.

⛔ Files ignored due to path filters (3)

• go.work.sum is excluded by !**/*.sum
• server/go.sum is excluded by !**/*.sum
• worker/go.sum is excluded by !**/*.sum

📒 Files selected for processing (20)

• server/go.mod (5 hunks)
• server/internal/adapter/gql/resolver__shared.go (1 hunks)
• server/internal/adapter/gql/resolver_asset.go (1 hunks)
• server/internal/adapter/gql/resolver_field.go (1 hunks)
• server/internal/adapter/gql/resolver_group.go (1 hunks)
• server/internal/adapter/gql/resolver_integration.go (1 hunks)
• server/internal/adapter/gql/resolver_integration_webhook.go (1 hunks)
• server/internal/adapter/gql/resolver_item.go (1 hunks)
• server/internal/adapter/gql/resolver_item_view.go (1 hunks)
• server/internal/adapter/gql/resolver_model.go (1 hunks)
• server/internal/adapter/gql/resolver_project.go (1 hunks)
• server/internal/adapter/gql/resolver_request.go (1 hunks)
• server/internal/adapter/gql/resolver_schema.go (1 hunks)
• server/internal/adapter/gql/resolver_thread.go (1 hunks)
• server/internal/adapter/gql/resolver_user.go (1 hunks)
• server/internal/adapter/gql/resolver_workspace.go (1 hunks)
• server/internal/adapter/gql/resolver_workspacesettings.go (1 hunks)
• server/internal/adapter/integration/server.gen.go (1 hunks)
• server/pkg/integrationapi/types.gen.go (1 hunks)
• worker/go.mod (5 hunks)

✅ Files skipped from review due to trivial changes (16)

• server/internal/adapter/gql/resolver__shared.go
• server/internal/adapter/gql/resolver_field.go
• server/internal/adapter/gql/resolver_group.go
• server/internal/adapter/gql/resolver_integration_webhook.go
• server/internal/adapter/gql/resolver_item.go
• server/internal/adapter/gql/resolver_item_view.go
• server/internal/adapter/gql/resolver_model.go
• server/internal/adapter/gql/resolver_project.go
• server/internal/adapter/gql/resolver_request.go
• server/internal/adapter/gql/resolver_schema.go
• server/internal/adapter/gql/resolver_thread.go
• server/internal/adapter/gql/resolver_user.go
• server/internal/adapter/gql/resolver_workspace.go
• server/internal/adapter/gql/resolver_workspacesettings.go
• server/internal/adapter/integration/server.gen.go
• server/pkg/integrationapi/types.gen.go

🔇 Additional comments (10)

server/internal/adapter/gql/resolver_integration.go (1)

5-5: LGTM: Minor version bump of gqlgen.

The update from v0.17.54 to v0.17.55 appears safe as the generated code structure remains unchanged.

Let's verify if this version has any security implications:

✅ Verification successful

Based on the git history, we can see this is a minor version bump from v0.17.54 to v0.17.55, and the only visible change is in the version comment in the generated code. Since we can see the progression of gqlgen updates through the git history (from v0.17.2 up to v0.17.55) without any breaking changes or issues, and the generated code structure remains identical, this update appears safe.

LGTM: Minor version bump of gqlgen is safe.

The update from v0.17.54 to v0.17.55 is a patch version change that only affects the generated code version comment. The generated code structure and functionality remain unchanged.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any security advisories for gqlgen v0.17.55

# Test: Look for any CVE or security-related issues in go.mod
rg -i "CVE|security|vulnerability" go.mod

# Test: Check GitHub Security Advisories
gh api /repos/99designs/gqlgen/security/advisories --jq '.[] | select(.state=="published") | {summary: .summary, severity: .severity, published: .published_at}'

Length of output: 367

---

Script:

#!/bin/bash
# Let's verify the dependency update and its implications differently

# First, let's check if go.mod exists in a different location
fd -t f "go.mod$"

# If we find go.mod, let's examine the gqlgen version change
fd -t f "go.mod$" -x cat {} \; | grep -A 5 -B 5 "gqlgen"

# Let's also check for any changes in the generated code structure
# by looking for any significant differences in the resolver file
fd -t f "resolver.*\.go$" -x cat {} \;

Length of output: 77349

---

Script:

#!/bin/bash
# Let's check the git history to see the changes in gqlgen version
fd -t f "go.mod$" -x git log -p {} \; | grep -A 5 -B 5 "github.com/99designs/gqlgen"

# Let's also check the changelog or release notes for gqlgen v0.17.55
gh api /repos/99designs/gqlgen/releases/tags/v0.17.55 --jq '.body'

Length of output: 12672

server/internal/adapter/gql/resolver_asset.go (2)

5-5: LGTM! Code generation version update looks good.

The update from gqlgen v0.17.54 to v0.17.55 is a minor version bump, suggesting backward compatibility is maintained.

---

5-5: Verify consistent gqlgen versioning across generated files.

Let's ensure all generated files have been properly updated to the same version.

✅ Verification successful

All gqlgen generated files are using consistent version v0.17.55

The verification shows that all generated files in the server/internal/adapter/gql directory and the go.mod entry are using the same gqlgen version v0.17.55. No version inconsistencies were found.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for consistent gqlgen version across all generated files
# Expected: All files should show v0.17.55

# Search for gqlgen version comments in all files
echo "Checking gqlgen version consistency..."
rg --type go "Code generated by github.com/99designs/gqlgen version" server/

# Additionally, verify go.mod entry for gqlgen
echo -e "\nChecking go.mod entry..."
rg "github.com/99designs/gqlgen" server/go.mod

Length of output: 2153

worker/go.mod (4)

112-115: Verify security implications of dependency updates

Several security-related packages have been updated. We should verify if these updates address any known vulnerabilities.

Let's check for security advisories:

#!/bin/bash
# Description: Check for security advisories in updated dependencies

# Test: Use GitHub CLI to check for security advisories
gh api /repos/golang/go/security/advisories --jq '.[] | select(.state=="published")'

# Test: Check for any security-related comments in the codebase
rg -i "security|vulnerability|cve" --type go

---

6-12: Direct dependency updates look good

The updates to cloud provider SDKs (GCP, AWS) and MongoDB driver are minor version bumps, suggesting backward compatibility is maintained.

Let's verify the compatibility of these updates:

Also applies to: 24-27

✅ Verification successful

Let me verify the go.mod dependencies further by checking for any breaking changes in the version history.

---

Based on the verification results, I can now provide a final response:

Dependencies are being used correctly and updates are safe

The code scan reveals:

• AWS SDK v2 packages are properly imported and used in both server and worker components
• GCP client libraries (pubsub and storage) are correctly integrated
• No breaking changes or compatibility issues detected in the usage patterns
• All dependencies are properly declared in go.mod with their respective versions

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any known issues or breaking changes in the updated dependencies

# Test: Search for any TODO, FIXME, or breaking change comments that might have been added
rg -i "TODO|FIXME|breaking.?change" --type go

# Test: Verify that go.sum exists and matches go.mod
if [ ! -f "worker/go.sum" ]; then
    echo "Error: go.sum file is missing"
    exit 1
fi

Length of output: 11358

---

Script:

#!/bin/bash
# Check for any dependency-related issues in the Go files
# Look for import statements and usage patterns of the updated packages

# Check AWS SDK usage patterns
rg "aws-sdk-go-v2" -B 2 -A 2 --type go

# Check GCP client library usage
rg "cloud.google.com/go/(pubsub|storage)" -B 2 -A 2 --type go

# Check if go.mod and go.sum are in sync
cd worker && \
  echo "=== go.mod ===" && \
  cat go.mod && \
  echo -e "\n=== go.sum entries for updated deps ===" && \
  grep -A 1 "cloud.google.com/go/[email protected]\|cloud.google.com/go/[email protected]\|[email protected]\|aws-sdk-go-v2/service/[email protected]\|aws-sdk-go-v2/service/[email protected]" go.sum

Length of output: 10954

---

120-126: Verify version compatibility across dependencies

Multiple version updates across different providers might lead to version conflicts. Let's verify the compatibility.

Run these checks:

✅ Verification successful

Let me try another verification strategy to check version compatibility.

---

Based on the verification results, I can now generate the final response:

Version updates appear compatible and safe to proceed

The updated Google API dependencies in worker/go.mod are:

• All indirect dependencies (not directly imported)
• Used consistently in limited scope (only in GCP-related infrastructure code)
• No deprecated API usage related to these packages
• No initialization conflicts in the codebase

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify version compatibility

# Test: Check for any version conflicts
go mod verify

# Test: Look for any deprecated API usage
rg -i "deprecated" --type go

Length of output: 3784

---

Script:

#!/bin/bash
# Check for any version constraints in go.mod files
rg -A 1 -B 1 "google.golang.org/(api|genproto|grpc|protobuf)" worker/go.mod

# Check if these versions are used consistently across the codebase
fd -e go -x rg -l "google.golang.org/(api|genproto|grpc|protobuf)"

# Look for any initialization or configuration of these dependencies
ast-grep --pattern 'func init() {
  $$$
}'

Length of output: 2465

---

31-31: Verify impact of new observability dependencies

Several new telemetry-related dependencies have been added as indirect dependencies. While these are brought in by OpenTelemetry updates, we should verify if they align with the project's observability strategy.

Let's check the usage:

Also applies to: 59-60, 63-64, 101-108

✅ Verification successful

Let me try another verification strategy to check for OpenTelemetry usage:

This will help us understand if and how these indirect dependencies are being used in the codebase.

---

Let me check the actual OpenTelemetry usage in those files:

---

OpenTelemetry dependencies are properly integrated and used

The indirect dependencies are justified as they are part of the OpenTelemetry instrumentation being used in both server and worker components:

• MongoDB instrumentation via otelmongo
• HTTP instrumentation via otelecho

These integrations follow standard OpenTelemetry practices for monitoring and tracing in Go applications. The indirect dependencies (cel.dev/expr, opencensus-proto, etc.) are brought in as part of the OpenTelemetry ecosystem and are being used appropriately.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for OpenTelemetry configuration and usage

# Test: Look for OpenTelemetry configuration files
fd -t f -e yaml -e json -e toml . | rg -i "otel|telemetry|observability"

# Test: Check for OpenTelemetry initialization in code
rg -l "otel" --type go

Length of output: 3784

---

Script:

#!/bin/bash
# Search for OpenTelemetry imports and configurations
rg -l "go.opentelemetry.io" --type go

# Search for specific telemetry setup code
rg "NewTracerProvider|SetTracerProvider|NewMeterProvider|SetMeterProvider" --type go

# Look for cel.dev/expr usage
rg "cel\.dev/expr" --type go

# Check for control plane and census proto imports
rg "envoyproxy/go-control-plane|opencensus-proto" --type go

Length of output: 327

---

Script:

#!/bin/bash
# Check OpenTelemetry usage in the identified files
echo "=== worker/internal/app/main.go ==="
rg -A 5 "go\.opentelemetry\.io" worker/internal/app/main.go

echo "=== worker/internal/app/app.go ==="
rg -A 5 "go\.opentelemetry\.io" worker/internal/app/app.go

echo "=== server/internal/app/app.go ==="
rg -A 5 "go\.opentelemetry\.io" server/internal/app/app.go

echo "=== server/internal/app/repo.go ==="
rg -A 5 "go\.opentelemetry\.io" server/internal/app/repo.go

Length of output: 1656

server/go.mod (3)

10-13: AWS SDK updates look consistent

The AWS SDK updates are well-coordinated across all components:

• Core SDK → v1.32.2
• Config → v1.28.0
• S3 → v1.66.1
• SNS → v1.33.2

All related internal AWS packages are also updated to their corresponding versions.

Also applies to: 68-82

---

41-42: Verify OpenTelemetry instrumentation compatibility

The OpenTelemetry components have been updated:

• Core → v1.31.0
• Metric → v1.31.0
• SDK → v1.29.0
• Instrumentation packages for Echo and MongoDB

Please verify that the instrumentation configuration and custom spans/metrics are compatible with the new versions.

Let's check the OpenTelemetry usage:

#!/bin/bash
# Check OpenTelemetry initialization and configuration
echo "Checking OpenTelemetry setup..."
rg -t go "otel\." -A 5
rg -t go "WithTracerProvider|WithMeterProvider" -A 5

# Check custom instrumentation
echo "Checking custom instrumentation..."
rg -t go "StartSpan|NewMetricCounter" -A 5

Also applies to: 164-168

---

6-8: Verify compatibility of major dependency updates

Several critical dependencies have been updated to new versions:

• cloud.google.com/go/pubsub → v1.45.1
• cloud.google.com/go/storage → v1.45.0
• github.com/99designs/gqlgen → v0.17.55
• github.com/vektah/gqlparser/v2 → v2.5.18
• go.mongodb.org/mongo-driver → v1.17.1

Please ensure:

1. The changes in these dependencies don't introduce breaking changes
2. The application's GraphQL schema and resolvers are compatible with the new gqlgen version
3. MongoDB queries and operations are compatible with the updated driver

Let's verify the GraphQL schema compatibility:

Also applies to: 37-37, 39-39

[coderabbitai]

⚠️ Potential issue

Critical: Invalid Go version specified

The Go version 1.23.1 is invalid. The latest stable Go version is 1.22.1 (as of March 2024). This will prevent the module from building.

Apply this fix:

-go 1.23.1
+go 1.22.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	go 1.23.1
	go 1.22.1

[coderabbitai]

⚠️ Potential issue

Invalid Go version specified

The Go version 1.23.1 is invalid as it doesn't exist. The latest stable version of Go is 1.22.1 (as of April 2024).

Please update to a valid Go version:

-go 1.23.1
+go 1.22.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	go 1.23.1
	go 1.22.1