Upgrade dependencies (2025/11/30)

[pan93412]

• chore: upgrade dependencies
• chore: regenerate resolvers

Summary by CodeRabbit

• Chores
  • Updated dependencies across core modules to maintain stability, security, and performance standards.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This pull request updates multiple Go dependencies in go.mod to their latest versions, including gqlgen, posthog-go, go-yaml, quic-go, zap, and several standard library packages. Generated GraphQL resolver files are automatically updated to reflect the new gqlgen version in their headers.

Changes

Cohort / File(s)	Change Summary
Dependency Version Bumps go.mod	Updated 8 direct dependencies to newer versions: gqlgen (v0.17.83→v0.17.84), posthog-go (v1.6.12→v1.6.13), go-yaml (v1.18.0→v1.19.0), quic-go (v0.56.1→v0.57.1), zap (v1.27.0→v1.27.1), golang.org/x/crypto (v0.44.0→v0.45.0), golang.org/x/exp (pseudo-version bump), and google.golang.org/genproto/googleapis/rpc (timestamp update).
Generated Resolver Headers graph/database.resolvers.go, graph/ent.resolvers.go, graph/event.resolvers.go, graph/question.resolvers.go, graph/rank.resolvers.go, graph/user.resolvers.go	Auto-generated file headers updated to reflect gqlgen version change from v0.17.83 to v0.17.84. Comments reformatted across multiple lines. No functional code changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

• Review the dependency version bumps in go.mod for any known breaking changes or security advisories in the updated packages (particularly gqlgen, quic-go, and crypto packages)
• Verify that auto-generated resolver files are correctly updated without unintended code logic changes

Possibly related PRs

• chore: upgrade dependencies #33 — Modifies the same go.mod dependency entries (notably quic-go and golang.org/x/exp), representing sequential upstream version bumps
• upgrade dependencies #32 — Updates generated GraphQL resolver file headers by bumping the gqlgen codegen version (v0.17.83), directly preceding this PR's v0.17.84 bump

Poem

🐰 Dependencies hop along,
Versions dance and grow strong,
From v83 to v84,
GraphQL resolvers shine once more!
Update complete, all's well in the warren! 🌱

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main purpose of the changeset: upgrading Go module dependencies across multiple packages with date reference.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch upgrade-dependencies-1130

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (5)

graph/user.resolvers.go (1)

3-6: ****

Header formatting and gqlgen version bump consistent across all resolver files. No functional changes to resolver logic.

graph/ent.resolvers.go (1)

3-6: ****

Consistent header reformatting and version annotation bump. No functional changes.

graph/rank.resolvers.go (1)

3-6: ****

Header format and version bump aligned with other resolvers.

graph/question.resolvers.go (1)

3-6: ****

Header formatting consistent. Resolver implementations unchanged.

graph/event.resolvers.go (1)

3-6: ****

Header format and version consistent. No functional changes.

🧹 Nitpick comments (2)

go.mod (2)

137-137: Pseudo-version for golang.org/x/exp used; consider pinning to a release version.

Line 137 uses a pseudo-version (v0.0.0-20251125195548-87e1e737ad39) for golang.org/x/exp. Pseudo-versions track specific commits on a development branch and are less stable than released versions. If a stable release exists, prefer that for reproducibility and clarity.

Verify whether a stable release of golang.org/x/exp is available and consider pinning to it instead of a pseudo-version.

---

144-144: Pseudo-version for google.golang.org/genproto/googleapis/rpc used; consider released version if available.

Line 144 uses a pseudo-version for google.golang.org/genproto/googleapis/rpc. Similar to golang.org/x/exp, consider checking if a stable release tag is available.

Review whether a stable released version of google.golang.org/genproto/googleapis/rpc exists and prefer that over a pseudo-version for better maintainability.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56b7067 and 9d14c23.

⛔ Files ignored due to path filters (2)

• flake.lock is excluded by !**/*.lock
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• go.mod (5 hunks)
• graph/database.resolvers.go (1 hunks)
• graph/ent.resolvers.go (1 hunks)
• graph/event.resolvers.go (1 hunks)
• graph/question.resolvers.go (1 hunks)
• graph/rank.resolvers.go (1 hunks)
• graph/user.resolvers.go (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Run Tests
• GitHub Check: Lint and Check Formatting

🔇 Additional comments (2)

graph/database.resolvers.go (1)

3-6: Auto-generated code headers updated for gqlgen v0.17.84—LGTM.

All resolver files (database, user, ent, rank, question, event) show identical non-functional header reformatting and version bump from v0.17.83 → v0.17.84. No logic changes detected; consistent with code regeneration from gqlgen upgrade.

go.mod (1)

5-27: golang.org/x/crypto v0.45.0 is a security patch release with no breaking changes; quic-go v0.57.1 is safe with no breaking changes; go.sum file exists.

The dependency updates are verified as safe:

• golang.org/x/crypto v0.45.0 (line 136): Security patch release fixing CVE-2025-58181 (SSH GSSAPI DoS) and CVE-2025-47914 (SSH agent panic). No breaking changes—update is justified.
• github.com/quic-go/quic-go v0.57.1 (line 109): Tiny patch release (one commit) fixing a handshake bug with session tickets disabled on Go 1.26. No breaking changes.
• github.com/99designs/gqlgen v0.17.84 (line 8): Patch version aligns with resolver regeneration.
• go.sum file exists in the repository, ensuring dependency tree reproducibility.

All updates are safe to proceed with.