upgrade to latest dependencies (#1649)

bumping knative.dev/hack af735b2...50b120a:
  > 50b120a bump gotestfmt to newest version (# 449)
  > f2be520 [release-1.19] 🐛 Fix knative.dev/toolbox for older versions of Golang (# 444)
bumping knative.dev/eventing 931f60b...f53c251:
  > f53c251 [release-1.19] fix typo [skip-dot-release] (# 8743)
  > 5e02349 [release-1.19] Upgrade to latest dependencies (# 8720)
  > 49edf43 [release-1.19] Fix mt-broker-ingress auth to work with structured event too (# 8713)
bumping knative.dev/reconciler-test 67ad192...624cba8:
  > 624cba8 Update default ko version to 0.18.0 (# 837)
  > b4a9751 upgrade to latest dependencies (# 835)
  > 2f11b06 upgrade to latest dependencies (# 834)
bumping knative.dev/pkg 077dcf0...4ebd86b:
  > 4ebd86b upgrade to latest dependencies (# 3282)
  > 7da1174 upgrade to latest dependencies (# 3281)
  > 2be9d56 Lock before iterating map so that code does not panic on concurrent write (# 3279)

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -20,10 +20,10 @@ require (
 	k8s.io/client-go v0.33.4
 	k8s.io/code-generator v0.33.4
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff
-	knative.dev/eventing v0.46.4
-	knative.dev/hack v0.0.0-20250902154142-af735b2738d6
-	knative.dev/pkg v0.0.0-20250909011231-077dcf0d00e8
-	knative.dev/reconciler-test v0.0.0-20250912162922-67ad19295884
+	knative.dev/eventing v0.46.6
+	knative.dev/hack v0.0.0-20251022160748-50b120a65f30
+	knative.dev/pkg v0.0.0-20251022162148-4ebd86bc2d85
+	knative.dev/reconciler-test v0.0.0-20251023120348-624cba8ba108
 	sigs.k8s.io/controller-runtime v0.19.0
 )
 

go.sum

@@ -1163,14 +1163,14 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.46.4 h1:Kc3TiJzVJRvH/XE0zT14J1L+OgBykzYzobvCcit8jJE=
-knative.dev/eventing v0.46.4/go.mod h1:KkMqluebpiT7TCXwqUfI0cG2EfZ8yjlapOlwOHYEnL4=
-knative.dev/hack v0.0.0-20250902154142-af735b2738d6 h1:JYZgO9bni32T+BB5v6WpeRFm1hjj+EypBLZCk6HZBt0=
-knative.dev/hack v0.0.0-20250902154142-af735b2738d6/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
-knative.dev/pkg v0.0.0-20250909011231-077dcf0d00e8 h1:n0BMHXIem9MyDkK4vfA4Vzdxaf1e+EeLJ6k+8exCjjI=
-knative.dev/pkg v0.0.0-20250909011231-077dcf0d00e8/go.mod h1:a1amDzo4YIUNuGeDgEz/uDHs5MQVYI1DXnRnEpWCAts=
-knative.dev/reconciler-test v0.0.0-20250912162922-67ad19295884 h1:o+aMyv+92MK4B9BeXv3qAsSQRyO1Qx/HxggV+1aWh8Q=
-knative.dev/reconciler-test v0.0.0-20250912162922-67ad19295884/go.mod h1:3BN2+QgyAHpbKEKephULEVNYyUsqx1QK/ALGOZhliTs=
+knative.dev/eventing v0.46.6 h1:8htZletYsoC9rXDz4lbtsgGAAPc95CTpcV9jmACyRqA=
+knative.dev/eventing v0.46.6/go.mod h1:dIWODSwvwagsvXxcsBiOtaL3Zr2svaegjpCvW0IfBFk=
+knative.dev/hack v0.0.0-20251022160748-50b120a65f30 h1:4fzUJrTmIbqgttXMBuLFC7/m2p0146EM3h9Wn2pBm9U=
+knative.dev/hack v0.0.0-20251022160748-50b120a65f30/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
+knative.dev/pkg v0.0.0-20251022162148-4ebd86bc2d85 h1:6cFtFO8JE0AiY66BphR3taXbqdTlupFF69lL/0EhrSE=
+knative.dev/pkg v0.0.0-20251022162148-4ebd86bc2d85/go.mod h1:riEe6VGLodQ/KC4zWRnOqE6Lo5/CkKfwW/RQmNUPltU=
+knative.dev/reconciler-test v0.0.0-20251023120348-624cba8ba108 h1:TtUzomlP3ZdcnSzTEvICDKJrngpZF5yy2FzlxLnBL0U=
+knative.dev/reconciler-test v0.0.0-20251023120348-624cba8ba108/go.mod h1:n81D9QPYPKvjpVkxYpvfwRX9VWOVtCtBzni3ZRpOkrw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/apis/eventing/v1alpha1/requestreply_types.go

@@ -32,7 +32,7 @@ import (
 // +genreconciler
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// RequestRepluy represents synchronous interface to sending and receiving events from a Broker.
+// RequestReply represents synchronous interface to sending and receiving events from a Broker.
 type RequestReply struct {
 	metav1.TypeMeta `json:",inline"`
 	// +optional

vendor/knative.dev/eventing/pkg/auth/verifier.go

@@ -17,7 +17,6 @@ limitations under the License.
 package auth
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -32,6 +31,7 @@ import (
 	"go.opentelemetry.io/otel"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"knative.dev/eventing/pkg/eventingtls"
+	"knative.dev/eventing/pkg/utils"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/network"
 	"knative.dev/pkg/observability/tracing"
@@ -161,7 +161,7 @@ func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.
 // verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
 func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
 	if len(policyRefs) > 0 {
-		req, err := copyRequest(req)
+		req, err := utils.CopyRequest(req)
 		if err != nil {
 			resp.WriteHeader(http.StatusInternalServerError)
 			return fmt.Errorf("failed to copy request body: %w", err)
@@ -335,35 +335,6 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
 	return openIdConfig, nil
 }
 
-// copyRequest makes a copy of the http request which can be consumed as needed, leaving the original request
-// able to be consumed as well.
-func copyRequest(req *http.Request) (*http.Request, error) {
-	// check if we actually need to copy the body, otherwise we can return the original request
-	if req.Body == nil || req.Body == http.NoBody {
-		return req, nil
-	}
-
-	var buf bytes.Buffer
-	if _, err := buf.ReadFrom(req.Body); err != nil {
-		return nil, fmt.Errorf("failed to read request body while copying it: %w", err)
-	}
-
-	if err := req.Body.Close(); err != nil {
-		return nil, fmt.Errorf("failed to close original request body ready while copying request: %w", err)
-	}
-
-	// set the original request body to be readable again
-	req.Body = io.NopCloser(&buf)
-
-	// return a new request with a readable body and same headers as the original
-	// we don't need to set any other fields as cloudevents only uses the headers
-	// and body to construct the Message/Event.
-	return &http.Request{
-		Header: req.Header,
-		Body:   io.NopCloser(bytes.NewReader(buf.Bytes())),
-	}, nil
-}
-
 type openIDMetadata struct {
 	Issuer        string   `json:"issuer"`
 	JWKSURI       string   `json:"jwks_uri"`

vendor/knative.dev/eventing/pkg/utils/utils.go

@@ -17,6 +17,10 @@ limitations under the License.
 package utils
 
 import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
 	"regexp"
 	"strings"
 
@@ -91,3 +95,32 @@ func GenerateFixedName(owner metav1.Object, prefix string) string {
 	// A dot must be followed by [a-z0-9] to be DNS1123 compliant. Make sure we are not joining a dot and a dash.
 	return strings.TrimSuffix(prefix, ".") + uid
 }
+
+// CopyRequest makes a copy of the http request which can be consumed as needed, leaving the original request
+// able to be consumed as well.
+func CopyRequest(req *http.Request) (*http.Request, error) {
+	// check if we actually need to copy the body, otherwise we can return the original request
+	if req.Body == nil || req.Body == http.NoBody {
+		return req, nil
+	}
+
+	var buf bytes.Buffer
+	if _, err := buf.ReadFrom(req.Body); err != nil {
+		return nil, fmt.Errorf("failed to read request body while copying it: %w", err)
+	}
+
+	if err := req.Body.Close(); err != nil {
+		return nil, fmt.Errorf("failed to close original request body ready while copying request: %w", err)
+	}
+
+	// set the original request body to be readable again
+	req.Body = io.NopCloser(&buf)
+
+	// return a new request with a readable body and same headers as the original
+	// we don't need to set any other fields as cloudevents only uses the headers
+	// and body to construct the Message/Event.
+	return &http.Request{
+		Header: req.Header,
+		Body:   io.NopCloser(bytes.NewReader(buf.Bytes())),
+	}, nil
+}

vendor/knative.dev/hack/library.sh

@@ -588,7 +588,7 @@ function report_go_test() {
   logfile="${logfile/.xml/.jsonl}"
   echo "Running go test with args: ${go_test_args[*]}"
   local gotest_retcode=0
-  go_run gotest.tools/gotestsum@v1.11.0 \
+  go_run gotest.tools/gotestsum@v1.13.0 \
     --format "${GO_TEST_VERBOSITY:-testname}" \
     --junitfile "${xml}" \
     --junitfile-testsuite-name relative \
@@ -681,7 +681,7 @@ function start_knative_eventing_extension() {
 # Parameters: $1 - tool package for go run.
 #             $2..$n - parameters passed to the tool.
 function go_run() {
-  local package
+  local package gotoolchain
   package="$1"
   if [[ "$package" != *@* ]]; then
     abort 'Package for "go_run" needs to have @version'
@@ -696,6 +696,11 @@ function go_run() {
     GORUN_PATH="$(mktemp -t -d -u gopath.XXXXXXXX)"
   fi
   export GORUN_PATH
+  gotoolchain="$(go env GOTOOLCHAIN)"
+  if [[ "$package" == knative.dev/toolbox/* ]]; then
+    gotoolchain=auto
+  fi
+  GOTOOLCHAIN="${gotoolchain}" \
   GOPATH="${GORUN_PATH}" \
   GOFLAGS='' \
     go run "$package" "$@"

vendor/knative.dev/hack/presubmit-tests.sh

@@ -141,7 +141,7 @@ function __build_test_runner_for_module() {
   # Don't merge these two lines, or return code will always be 0.
   # Get all build tags in go code (ignore /vendor, /hack and /third_party)
   local tags
-  tags="$(go run knative.dev/toolbox/go-ls-tags@latest --joiner=,)"
+  tags="$(go_run knative.dev/toolbox/go-ls-tags@latest --joiner=,)"
   local go_pkg_dirs
   go_pkg_dirs="$(go list -tags "${tags}" ./...)" || return $?
   if [[ -z "${go_pkg_dirs}" ]]; then

vendor/knative.dev/pkg/controller/queue_metrics.go

@@ -121,6 +121,10 @@ func (m *queueMetrics) updateUnfinishedWork() {
 	// doesn't seem to have non-hacky ways to reset the summary metrics.
 	var total float64
 	var oldest float64
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	for _, t := range m.processingStartTimes {
 		age := m.sinceInSeconds(t)
 		total += age

vendor/knative.dev/reconciler-test/pkg/images/ko/publish.go

@@ -30,7 +30,7 @@ var ErrKoPublishFailed = errors.New("ko publish failed")
 func Publish(ctx context.Context, path string) (string, error) {
 	version := os.Getenv("GOOGLE_KO_VERSION")
 	if version == "" {
-		version = "v0.15.2"
+		version = "v0.18.0"
 	}
 	args := []string{
 		"go", "run", fmt.Sprintf("github.com/google/ko@%s", version),

vendor/modules.txt

@@ -1243,7 +1243,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/eventing v0.46.4
+# knative.dev/eventing v0.46.6
 ## explicit; go 1.24.0
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/adapter/v2
@@ -1379,10 +1379,10 @@ knative.dev/eventing/test/rekt/resources/trigger
 knative.dev/eventing/test/test_images
 knative.dev/eventing/test/test_images/event-sender
 knative.dev/eventing/test/test_images/print
-# knative.dev/hack v0.0.0-20250902154142-af735b2738d6
+# knative.dev/hack v0.0.0-20251022160748-50b120a65f30
 ## explicit; go 1.21
 knative.dev/hack
-# knative.dev/pkg v0.0.0-20250909011231-077dcf0d00e8
+# knative.dev/pkg v0.0.0-20251022162148-4ebd86bc2d85
 ## explicit; go 1.24.0
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1497,7 +1497,7 @@ knative.dev/pkg/webhook/json
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/reconciler-test v0.0.0-20250912162922-67ad19295884
+# knative.dev/reconciler-test v0.0.0-20251023120348-624cba8ba108
 ## explicit; go 1.24.0
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment