
build(deps): bump dependencies and go toolchain to fix govulncheck #179

Merged: rileyhilliard merged 1 commit into main from chore/combined-dep-bumps on Feb 13, 2026

@rileyhilliard rileyhilliard commented Feb 13, 2026

Summary

  • Bumps github.com/charmbracelet/bubbles from v0.21.1-0.20250623103423-23b8fd6302d7 to v0.21.1
  • Bumps github.com/go-viper/mapstructure/v2 from v2.4.0 to v2.5.0
  • Bumps golang.org/x/crypto from v0.47.0 to v0.48.0
  • Bumps golang.org/x/term from v0.39.0 to v0.40.0
  • Bumps Go toolchain from 1.24.12 to 1.24.13, fixing GO-2026-4337 (crypto/tls session resumption vuln that was failing govulncheck in CI)

Supersedes #172, #173, #174, #175.

Test plan

  • go build ./cmd/rr succeeds
  • go vet ./... clean
  • All unit + integration tests pass
  • Pre-push lint + coverage gate passes

Summary by CodeRabbit

  • Chores

    • Updated Go toolchain from 1.24.12 to 1.24.13.
    • Upgraded multiple dependencies to latest patch and minor versions for improved stability and security.
  • Bug Fixes

    • Enhanced task execution synchronization to ensure reliable completion and proper shutdown handling.
  • Tests

    • Added regression test coverage for remote task execution scenarios.
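
A CI-side check for the toolchain pin described in the PR summary above, as an added example that is not part of this PR or the project's code. The function names and the sample `go.mod` contents are constructed for illustration; `1.24.13` is the fixed release the description names, and `go/version` is the standard-library package (Go 1.22+).

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// Fixed release named in the PR description for GO-2026-4337.
const minToolchain = "go1.24.13"

// pinnedToolchain returns the newest Go release a go.mod asks for,
// taking the higher of its "go" and "toolchain" directives.
func pinnedToolchain(gomod string) (string, error) {
	pinned := ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		if len(f) != 2 || (f[0] != "go" && f[0] != "toolchain") {
			continue
		}
		v := "go" + strings.TrimPrefix(f[1], "go") // accepts "1.24.0" and "go1.24.13"
		if !version.IsValid(v) {
			return "", fmt.Errorf("unparseable %s directive %q", f[0], f[1])
		}
		if version.Compare(v, pinned) > 0 { // an empty string sorts below any valid version
			pinned = v
		}
	}
	if pinned == "" {
		return "", fmt.Errorf("no go or toolchain directive found")
	}
	return pinned, nil
}

// checkToolchain fails when the pin is older than min, or when it is on a
// different release line, where min's patch number says nothing about the fix.
func checkToolchain(gomod, min string) error {
	pinned, err := pinnedToolchain(gomod)
	if err != nil {
		return err
	}
	if version.Lang(pinned) != version.Lang(min) {
		return fmt.Errorf("%s is not on the %s line; look up that line's fixed release", pinned, version.Lang(min))
	}
	if version.Compare(pinned, min) < 0 {
		return fmt.Errorf("%s is older than %s", pinned, min)
	}
	return nil
}

func main() {
	sample := "module example.test/rr\n\ngo 1.24.0\n\ntoolchain go1.24.12\n" // constructed input
	fmt.Println(checkToolchain(sample, minToolchain))
}
```

This only checks what `go.mod` pins; govulncheck remains the authority on whether the code actually reaches a vulnerable symbol.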


coderabbitai bot commented Feb 13, 2026


Walkthrough

Updates Go toolchain from 1.24.12 to 1.24.13 and bumps multiple module dependencies to patch/minor versions. Introduces deadlock prevention in the task orchestrator via an allDone signaling channel to synchronize dispatcher and worker termination, with accompanying regression test.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Updates: go.mod | Bumps Go toolchain and updates 10 module dependencies (bubbles, mapstructure, crypto, term, ansi, cellbuf, displaywidth, uax29, sys, text) to newer patch/minor versions. |
| Orchestrator Synchronization: internal/parallel/orchestrator.go | Introduces allDone channel for dispatcher-worker synchronization to break circular wait. Revises dispatcher loop to handle channel close and completion signals; updates result tracking (expected vs. collected); ensures per-task failure results when all hosts unavailable; refines re-queue and shutdown flow. |
| Regression Testing: internal/parallel/orchestrator_test.go | Adds TestOrchestrator_RemotePath_CompletesWithoutDeadlock to verify orchestrator completes without deadlock under unreachable hosts with 5-second timeout. Test appears duplicated in two insertion locations. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The PR title references dependency and toolchain bumps to fix govulncheck, but the changeset includes significant functional changes (orchestrator deadlock fix) alongside dependency updates. | Update the title to reflect both major changes, e.g.: 'fix: resolve orchestrator deadlock and bump dependencies for govulncheck' to accurately represent the functional logic changes included in this PR. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |


- bubbles: v0.21.1-0.20250623103423-23b8fd6302d7 -> v0.21.1
- mapstructure/v2: v2.4.0 -> v2.5.0
- x/crypto: v0.47.0 -> v0.48.0
- x/term: v0.39.0 -> v0.40.0
- go toolchain: 1.24.12 -> 1.24.13 (fixes GO-2026-4337 crypto/tls vuln)

Combines PRs #172, #173, #174, #175.
@rileyhilliard rileyhilliard force-pushed the chore/combined-dep-bumps branch from 497a784 to 3108eb0 Compare February 13, 2026 22:08
@rileyhilliard rileyhilliard merged commit 5927c8f into main Feb 13, 2026
9 checks passed