dependency: bump dependabot dependencies

[pchan]

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

I have manually bumped the following direct dependencies. Only the first one below has been raised by dependabot. The rest were raised as indirect dependencies.

1. bump golang.org/x/sys from 0.7.0 to 0.8.0
2. bump golang.org/x/sync from 0.1.0 to 0.2.0
3. bump golang.org/x/net from 0.9.0 to 0.10.0

A lot of dependencies in tools/mod are indirect dependencies so haven't bumped them.

• build(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0 #15853 - bumped manually
• build(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0 in /tools/mod #15850 - pure indirect
• build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 in /tools/mod #15849 - pure indirect
• build(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 in /tools/mod #15848 - pure indirect
• build(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 in /tools/mod #15847 - pure indirect
• build(deps): bump github.com/zmap/zlint/v3 from 3.1.0 to 3.4.1 in /tools/mod #15846 - pure indirect

cc: @ahrtr @jmhbnz

[jmhbnz]

LGTM - Thanks for taking care of dependencies this week @pchan 🙏🏻

[ahrtr]

When we bump a dependency of mixed case, in which some modules directly while others indirectly depend on a dependency, we should try to bump the dependency for all modules, no matter it's direct or indirect dependency.

Let's use golang.org/x/sys as an example in this PR, you bumped it to 0.8.0 for part of the modules. Some modules (e.g. ago.etcd.io/etcd/api/v3 ) are still depending on the old version 0.7.0.

[ahrtr]

Please try to ensure all modules depend on the same version of each dependency.

[ahrtr]

ping @pchan

Please try to get this PR done this week, as there will be another round of dependency bumping next week.

[pchan]

When we bump a dependency of mixed case, in which some modules directly while others indirectly depend on a dependency, we should try to bump the dependency for all modules, no matter it's direct or indirect dependency.

When I went through the indirect section (link) of the guide, I got the impression that we will have to update indirect dependencies only via upgrading direct dependencies. This would have involved analysing dependency graph etc. But all I had to do was to use go get package@version to upgrade indirect dependencies just like direct ones. For folks who are new, I can drop a line in the guide highlighting this.

[chaochn47]

LGTM.

Should indirect dependencies specified in tools/go.mod be upgraded? For example github.com/zmap/zlint/v3. From the guidance, looks like not. It's not a big issue though.

[ahrtr]

When I went through the indirect section (link) of the guide, I got the impression that we will have to update indirect dependencies only via upgrading direct dependencies.

No matter direct or indirect dependency, once we decide to bump it, we follow the same guide below,

• https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/dependency_management.md#steps-to-bump-a-dependency

[ahrtr]

LGTM

Thanks @pchan

[ahrtr]

Should indirect dependencies specified in tools/go.mod be upgraded? For example github.com/zmap/zlint/v3. From the guidance, looks like not. It's not a big issue though.

Correct. I will let it in this time, but please try to follow #indirect-dependencies.

[pchan]

Should indirect dependencies specified in tools/go.mod be upgraded? For example github.com/zmap/zlint/v3. From the guidance <https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/dependency_management.md#indirect-dependencies>, looks like not. It's not a big issue though.

Can you please help me understand which indirect dependency you are referring to? I upgraded the one in tools/mod/go.mod from github.com/zmap/zlint/v3 v3.1.0 to github.com/zmap/zlint/v3 v3.4.1 Please see commit db07ec9

…

Message ID: ***@***.***>

[pchan]

Correct. I will let it in this time, but please try to follow #indirect-dependencies.

Can you please be specific on which indirect dependency was left out. The commit db07ec9 addresses the zmap/zlint one. I had added it as a separate commit.

Every dependabot PR marked as complete in #15862 (comment) can be closed

[ahrtr]

Note that github.com/zmap/zlint/v3 is directly depended on by https://github.com/cloudflare/cfssl, the better way is to push cfssl to bump zlint, and afterwards etcd bumps new cfssl version.

FYI.

• bump github.com/zmap/zlint/v3 from 3.1.0 to 3.4.1 cloudflare/cfssl#1291
• configure dependabot cloudflare/cfssl#1292

[fuweid]

@ahrtr Thanks for taking this follow-up!

[pchan]

Note that github.com/zmap/zlint/v3 is directly depended on by https://github.com/cloudflare/cfssl, the better way is to push cfssl to bump zlint, and afterwards etcd bumps new cfssl version.

FYI.

• bump github.com/zmap/zlint/v3 from 3.1.0 to 3.4.1 cloudflare/cfssl#1291
• configure dependabot cloudflare/cfssl#1292

Thanks for the context. To find the direct dependency, I ran the go mod why command [1]. It lists cfssl but also go.etcd.io/etcd/tools/v3. For golang.org/x/sys in tools/mod I see other listings [2]. Do you have any specific mechanism to idenitfy the direct dependency unambiguously ?

[1]

~: go mod why -m github.com/zmap/zlint/v3
# github.com/zmap/zlint/v3
go.etcd.io/etcd/tools/v3
github.com/cloudflare/cfssl/cmd/cfssl
github.com/cloudflare/cfssl/cli
github.com/cloudflare/cfssl/config
github.com/zmap/zlint/v3

[2]

go mod why -m golang.org/x/sys
# golang.org/x/sys
go.etcd.io/etcd/tools/v3
github.com/gordonklaus/ineffassign
golang.org/x/tools/go/packages
golang.org/x/sys/execabs