chore: bump duty to v1.0.1237

[flankbot]

Automated changes by create-pull-request GitHub action

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Update to go.mod realigning the dependency graph: multiple direct module bumps (notably flanksource modules and go-git), AWS SDK patch upgrades, additions/removals of several transitive indirects; no exported/public API changes. (≤50 words)

Changes

Cohort / File(s)	Summary
Dependency manifest go.mod	Bumped many direct modules (e.g., github.com/flanksource/artifacts v1.0.20→v1.0.21, github.com/flanksource/commons v1.44.1→v1.46.0, github.com/flanksource/deps v1.0.23→v1.0.24, github.com/flanksource/duty v1.0.1183→v1.0.1191, github.com/go-git/go-git/v5 v5.16.4→v5.16.5).
AWS SDK & related go.mod	AWS SDK v2 patch updates (config v1.32.7→v1.32.9, credentials v1.19.7→v1.19.9, sso v1.30.9→v1.30.10, ssooidc v1.35.13→v1.35.14).
Indirects added/updated go.mod	Added/updated many transitive indirects (e.g., armon/go-socks5, xeipuuv/gojsonpointer/gojsonreference/gojsonschema, github.com/flanksource/sandbox-runtime, flanksource/clicky adjustments).
Stdlib/infra transitive bumps & removals go.mod	Updated golang.org/x/* modules (crypto/net/sys/term/text) to newer patch versions and removed several older indirects (examples: go-json-experiment/json, shurcooL/*, kaptinlin/*, go-localereader).

Possibly related PRs

• chore: bump duty to v1.0.1140 #2808 — also bumps github.com/flanksource/duty in go.mod.
• chore: bump duty to v1.0.1180 #2873 — modifies the same duty dependency entry in go.mod.
• chore: bump duty to v1.0.1145 #2817 — another PR updating github.com/flanksource/duty in go.mod.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title claims to bump duty to v1.0.1237, but the actual change in go.mod updates duty from v1.0.1183 to v1.0.1191, not v1.0.1237.	Update the PR title to accurately reflect the actual duty version change: 'chore: bump duty to v1.0.1191'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bump-duty-auto-pr

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch bump-duty-auto-pr

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

go.mod (1)

404-406: Consider migrating from unmaintained xeipuuv modules to actively maintained alternatives.

No known security advisories exist for these three modules. However, all three are no longer actively maintained:

• gojsonschema v1.2.0 (last activity 5+ years ago; latest release Oct 2019)
• gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 (published Jan 2018)
• gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f (published Sep 2019)

Identify which direct dependency currently requires these modules and evaluate migrating to actively maintained JSON schema or pointer libraries.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 404 - 406, The project currently depends indirectly on github.com/xeipuuv/gojsonschema, github.com/xeipuuv/gojsonreference, and github.com/xeipuuv/gojsonpointer; locate which direct module in go.mod pulls them in (use go list -m all or go mod graph to find the parent module) and evaluate replacing it with an actively maintained JSON Schema library (e.g., qri-io/jsonschema or santhosh-tekuri/jsonschema) or a maintained fork; if a swap is feasible, update the direct dependency in go.mod to one that does not import the xeipuuv packages (or add a temporary replace directive), run go mod tidy, run the full test suite, and verify behavior for schema validation functions referenced in your codebase (search for any usage of gojsonschema types/functions to update call sites). 

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed. Nitpick comments: In `@go.mod`: - Around line 404-406: The project currently depends indirectly on github.com/xeipuuv/gojsonschema, github.com/xeipuuv/gojsonreference, and github.com/xeipuuv/gojsonpointer; locate which direct module in go.mod pulls them in (use go list -m all or go mod graph to find the parent module) and evaluate replacing it with an actively maintained JSON Schema library (e.g., qri-io/jsonschema or santhosh-tekuri/jsonschema) or a maintained fork; if a swap is feasible, update the direct dependency in go.mod to one that does not import the xeipuuv packages (or add a temporary replace directive), run go mod tidy, run the full test suite, and verify behavior for schema validation functions referenced in your codebase (search for any usage of gojsonschema types/functions to update call sites). 

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b25e04 and 057ec9f.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

🧹 Nitpick comments (1)

go.mod (1)

404-406: Recommend upstream duty package migrate to an actively maintained JSON Schema library.

xeipuuv/gojsonschema v1.2.0 is effectively unmaintained: latest release October 2019, most recent commit October 2020, with 108 open issues and 32 open PRs and no activity in 5+ years. While no CVEs are currently published, the lack of upstream maintenance means security issues discovered would not be patched. Consider alternatives like github.com/santhosh-tekuri/jsonschema or github.com/qri-io/jsonschema.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 404 - 406, The project is depending on the unmaintained module github.com/xeipuuv/gojsonschema (referenced in go.mod) so migrate the duty package to a maintained JSON Schema library (for example github.com/santhosh-tekuri/jsonschema or github.com/qri-io/jsonschema): replace the go.mod require of github.com/xeipuuv/gojsonschema with the chosen replacement, update all call sites that use types/functions from github.com/xeipuuv/gojsonschema (search for imports of "github.com/xeipuuv/gojsonschema" and identifiers like Validate, NewSchemaLoader, or NewReferenceLoader) to the new library's API, run and fix failing tests, and ensure schema loading/compilation and validation error semantics are adapted (including updating any error handling or loader options) before committing the change. 

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed. Nitpick comments: In `@go.mod`: - Around line 404-406: The project is depending on the unmaintained module github.com/xeipuuv/gojsonschema (referenced in go.mod) so migrate the duty package to a maintained JSON Schema library (for example github.com/santhosh-tekuri/jsonschema or github.com/qri-io/jsonschema): replace the go.mod require of github.com/xeipuuv/gojsonschema with the chosen replacement, update all call sites that use types/functions from github.com/xeipuuv/gojsonschema (search for imports of "github.com/xeipuuv/gojsonschema" and identifiers like Validate, NewSchemaLoader, or NewReferenceLoader) to the new library's API, run and fix failing tests, and ensure schema loading/compilation and validation error semantics are adapted (including updating any error handling or loader options) before committing the change. 

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 057ec9f and 177e6a3.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

go.mod (1)

406-408: Consider checking for updates to xeipuuv JSON schema packages.

The xeipuuv packages are pulled in as transitive dependencies and use older versions: gojsonpointer and gojsonreference are from January 2018 (~8 years old), while gojsonschema v1.2.0 is from October 2019 (~6 years old). Maintained alternatives like santhosh-tekuri/jsonschema, go-openapi/jsonpointer, and google/jsonschema-go support newer JSON Schema drafts and may be worth evaluating if upstream dependencies (particularly flanksource/duty) can be updated.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 406 - 408, The go.mod lists old xeipuuv modules (github.com/xeipuuv/gojsonpointer, github.com/xeipuuv/gojsonreference, github.com/xeipuuv/gojsonschema) as transitive dependencies; update or replace them by first checking whether the direct dependency (e.g., flanksource/duty) can be upgraded to a version that vendors newer JSON Schema support, and if not evaluate replacing xeipuuv usage with maintained alternatives (santhosh-tekuri/jsonschema, go-openapi/jsonpointer, google/jsonschema-go) across the codebase; identify code paths referencing gojsonpointer/gojsonreference/gojsonschema and either bump their versions in go.mod to newer tags or refactor call sites to the chosen alternative, run `go mod tidy` and all tests to validate compatibility. 

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed. Inline comments: In `@go.mod`: - Around line 20-28: commons v1.46.0 flips default logging to stderr (via the --log-to-stderr flag) so update any startup/config or invocations that assume logs go to stdout: either explicitly pass --log-to-stderr=false where services/processes are started, or adjust your logging initialization to set the commons logging output back to stdout; also audit all places that parse or redirect stdout for logs (CI, container args, scripts) and change them accordingly. For duty v1.0.1190, search for usages of RunCmd and any previously imported unexported helpers from duty and replace them with the new public API or in-place implementations (remove/replace calls to RunCmd and references to the now-unexported helpers). Finally, note the go-git v5.16.5 security update and ensure your module update is applied (no code changes required unless you vendor or pin older versions). --- Nitpick comments: In `@go.mod`: - Around line 406-408: The go.mod lists old xeipuuv modules (github.com/xeipuuv/gojsonpointer, github.com/xeipuuv/gojsonreference, github.com/xeipuuv/gojsonschema) as transitive dependencies; update or replace them by first checking whether the direct dependency (e.g., flanksource/duty) can be upgraded to a version that vendors newer JSON Schema support, and if not evaluate replacing xeipuuv usage with maintained alternatives (santhosh-tekuri/jsonschema, go-openapi/jsonpointer, google/jsonschema-go) across the codebase; identify code paths referencing gojsonpointer/gojsonreference/gojsonschema and either bump their versions in go.mod to newer tags or refactor call sites to the chosen alternative, run `go mod tidy` and all tests to validate compatibility. 

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4578177 and c609160.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod