
Conversation

@rustatian
Member

@rustatian rustatian commented Nov 13, 2025

Reason for This PR

  • Bugfix release cycle.

Description of Changes

  • Update deps with security fixes. No changes in plugins/API.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

  • All commits in this PR are signed (git commit -s).
  • The reason for this PR is clearly provided (issue no. or explanation).
  • The description of changes is clear and encompassing.
  • Any required documentation changes (code and docs) are included in this PR.
  • Any user-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.

Summary by CodeRabbit

  • Chores
    • Updated multiple dependencies to latest stable versions, including AWS SDK components, Google APIs, and Go tooling packages to maintain security and compatibility.

Signed-off-by: Valery Piashchynski <[email protected]>
@rustatian rustatian self-assigned this Nov 13, 2025
@rustatian rustatian requested a review from Copilot November 13, 2025 15:52
@coderabbitai
Contributor

coderabbitai bot commented Nov 13, 2025

Walkthrough

Updates multiple Go dependencies in go.mod, including AWS SDK v2 components, Google APIs, and Go tooling packages (golang.org/x/*). Various patch and minor version bumps applied across direct and indirect dependencies without code modifications.

Changes

Cohort / File(s) Change Summary
Dependency Version Updates
go.mod
Updated AWS SDK v2 packages (config, credentials, sqs, sso, ssooidc, sts), Go tooling packages (golang.org/x/crypto, golang.org/x/mod, golang.org/x/net, golang.org/x/text, golang.org/x/tools), Google APIs (google.golang.org/api, google.golang.org/genproto), and misc packages (tklauser/go-sysconf, tklauser/numcpus) to newer patch/minor versions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify dependency version increments are patch/minor level and stable
  • Confirm no breaking changes in transitive dependency graph
  • Ensure AWS SDK and Google API updates maintain compatibility with existing codebase

Suggested labels

R-stable, B-bug

Suggested reviewers

  • wolfy-j

Poem

🐰 With versions upgraded, dependencies gleam,
AWS SDK flows and Google's dream,
Go tooling sharpened, security bright,
Our dependencies dance toward the light! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'release: v2025.1.4' is specific and matches the PR objective of a bugfix release, clearly indicating a versioned release.
Description check ✅ Passed The PR description follows the required template with all sections completed: reason provided, changes described, license accepted, and checklist items marked as complete.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e030eeb and 7008e5c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (3 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: roadrunner-server/roadrunner PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-10-02T16:44:02.549Z
Learning: Applies to /go.mod : Set the module path to github.com/roadrunner-server/roadrunner/v2025 in go.mod
Learnt from: CR
Repo: roadrunner-server/roadrunner PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-10-02T16:44:02.549Z
Learning: Applies to /go.mod : Require Go version 1.25+ in go.mod
Learnt from: CR
Repo: roadrunner-server/roadrunner PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-10-02T16:44:02.549Z
Learning: Applies to /go.mod : Exclude specific problematic dependency versions in go.mod (e.g., go-redis v9.15.0, viper v1.18.x)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Golang-CI (lint)
  • GitHub Check: Unit tests
  • GitHub Check: Analyze (go)
🔇 Additional comments (5)
go.mod (5)

167-168: Minor and patch version updates for system utilities are appropriate.

The tklauser package updates (go-sysconf v0.3.15 → v0.3.16 and numcpus v0.10.0 → v0.11.0) are reasonable for a bugfix release cycle. The minor version bump on numcpus is warranted if it addresses platform-specific issues or CPU detection improvements.


1-3: Module configuration correctly maintained; all learning constraints satisfied.

The module declaration (lines 1-3) adheres to the learnings: module path is github.com/roadrunner-server/roadrunner/v2025, and Go version is 1.25.4 (meets 1.25+ requirement). The exclude block (lines 57-64) is preserved with problematic versions (go-redis v9.15.0/v9.15.1, viper v1.18.0/v1.18.1, temporal v1.26.1), maintaining safeguards established in prior reviews.

This is a clean, appropriate dependency manifest update for a bugfix release cycle. The version increments are conservative (patch/minor only), and the changes align with the stated goal of security fixes. Based on learnings.

Also applies to: 57-64


217-220: Google API dependencies updated coherently; genproto pseudo-versions properly synchronized.

The google.golang.org/api minor version bump (v0.255.0 → v0.256.0) follows typical release cadence. The genproto package updates use synchronized pseudo-versions (all dated 2025-11-11), which ensures consistency across the protobuf code generation ecosystem. This is the correct approach for these interdependent packages. Go version requirement (1.25.4) is appropriate.


208-216: golang.org/x packages updated to minor versions; no security fixes in v0.44.0 release.

The golang.org/x packages received routine minor version bumps across the board. Verification shows that golang.org/x/crypto v0.44.0 is a routine module bump with no new security fixes compared to v0.43.0. These updates are forward-compatible maintenance releases and can be approved as-is.

Likely an incorrect or invalid review comment.


75-76: Based on the verification attempts:

GitHub GraphQL query returned no known advisories for aws-sdk-go-v2, and web searches reveal AWS uses a responsible disclosure program and encourages reports via HackerOne rather than public GitHub issues. The older AWS SDK for Go v1 has reached end-of-support, with historical CVEs (CVE-2020-8911, CVE-2020-8912) only affecting v1, not v2.

The patch-level version increments are consistent and appropriate for a bugfix release, but I cannot verify specific CVEs being addressed by the versions in the PR. The PR objective mentions "dependency security fixes," but web-available sources don't document which specific vulnerabilities these patch increments resolve. This doesn't mean the updates are incorrect—only that the claim cannot be verified externally.


Approve AWS SDK dependency updates; defer specific CVE verification to maintainers.

The updates follow appropriate patch-increment patterns across related AWS SDK components and align with normal maintenance cadence. Whether specific CVEs are addressed requires internal knowledge (e.g., changelog details, internal security tracking, or AWS bulletins) not available through public channels. Proceed with confidence that patch updates are safe; if specific CVE fixes were the goal, document them in the PR description for audit purposes.


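A checker for the review points above (version increments are patch/minor only, the exclude block survives the bump), added here as an example; it is not part of the PR, of CodeRabbit, or of the roadrunner code base. It parses the require and exclude blocks of two go.mod manifests, classifies every bump as patch, minor, major, downgrade or pseudo-version, and reports what a patch/minor-only release review should reject. The embedded manifests are constructed approximations of the versions quoted in the review; the module layout and the genproto commit hashes are assumptions, and single-line require/exclude directives are ignored for brevity.

```go
package main

import (
	"regexp"
	"sort"
	"strconv"
	"strings"
)

var semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)`)
var pseudoRe = regexp.MustCompile(`-\d{14}-[0-9a-f]{12}$`) // tail of a Go pseudo-version

// ParseGoMod collects the entries of require blocks (path -> version) and exclude
// blocks ("path@version" set); comments and every other directive are ignored.
func ParseGoMod(src string) (require map[string]string, exclude map[string]bool) {
	require, exclude = map[string]string{}, map[string]bool{}
	block := ""
	for _, line := range strings.Split(src, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect" etc.
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0] // require, exclude, replace, retract ...
		case block == "require" && len(f) >= 2:
			require[f[0]] = f[1]
		case block == "exclude" && len(f) >= 2:
			exclude[f[0]+"@"+f[1]] = true
		}
	}
	return require, exclude
}

// classify names the change from oldV to newV: unchanged, patch, minor, major,
// downgrade, pseudo (commit-timestamped versions), prerelease or unparsable.
func classify(oldV, newV string) string {
	if oldV == newV {
		return "unchanged"
	} else if pseudoRe.MatchString(oldV) || pseudoRe.MatchString(newV) {
		return "pseudo"
	}
	o, n := semverRe.FindStringSubmatch(oldV), semverRe.FindStringSubmatch(newV)
	if o == nil || n == nil {
		return "unparsable"
	}
	for i, name := range []string{"major", "minor", "patch"} {
		a, _ := strconv.Atoi(o[i+1])
		b, _ := strconv.Atoi(n[i+1])
		if b < a {
			return "downgrade"
		} else if b > a {
			return name
		}
	}
	return "prerelease" // same numbers, only a -rc/-beta style tag differs
}

// Check diffs two manifests: kinds is the change kind per required module; findings is
// what a patch/minor-only release review should raise (major, downgrade, unparsable, dropped excludes).
func Check(oldSrc, newSrc string) (kinds map[string]string, findings []string) {
	oldReq, oldExcl := ParseGoMod(oldSrc)
	newReq, newExcl := ParseGoMod(newSrc)
	kinds = map[string]string{}
	for mod, nv := range newReq {
		ov, present := oldReq[mod]
		kinds[mod] = "added"
		if present {
			kinds[mod] = classify(ov, nv)
		}
		if k := kinds[mod]; k == "major" || k == "downgrade" || k == "unparsable" {
			findings = append(findings, mod+": "+ov+" -> "+nv+" ("+k+")")
		}
	}
	for k := range oldExcl {
		if !newExcl[k] {
			findings = append(findings, k+": exclude entry dropped")
		}
	}
	sort.Strings(findings)
	return kinds, findings
}

// Constructed sample manifests approximating versions quoted in the review (genproto hashes
// are made up): newGoMod is the release, badGoMod a revision that should fail review.
const oldGoMod = `module github.com/roadrunner-server/roadrunner/v2025
require (
	github.com/tklauser/go-sysconf v0.3.15 // indirect
	google.golang.org/api v0.255.0
	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103143632-aaaaaaaaaaaa
)
exclude (
	github.com/redis/go-redis/v9 v9.15.0
)`
var newGoMod = strings.NewReplacer("v0.3.15", "v0.3.16", "v0.255.0", "v0.256.0",
	"20251103143632-aaaaaaaaaaaa", "20251111120000-bbbbbbbbbbbb").Replace(oldGoMod)
var badGoMod = strings.NewReplacer("v0.255.0", "v1.0.0", // major bump ...
	"github.com/redis/go-redis/v9 v9.15.0", "").Replace(oldGoMod) // ... and the exclusion dropped
```

To run it against the real revisions, feed `Check` the output of `git show <base>:go.mod` and the working-tree go.mod. For anything beyond a review aid, golang.org/x/mod/modfile and golang.org/x/mod/semver do the parsing and version ordering properly (prerelease ordering and build metadata are simplified here). None of this substantiates the "security fixes" claim the review could not confirm: for that, `govulncheck ./...` run before and after the bump shows which advisories in the transitive graph stop being reported, and the IDs it lists belong in the PR description.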

@rustatian rustatian added the C-enhancement Category: enhancement. Meaning improvements of current module, transport, etc.. label Nov 13, 2025
@rustatian rustatian moved this to 🏗 In progress in Jira 😄 Nov 13, 2025

Copilot AI left a comment


Pull Request Overview

This is a bugfix release (v2025.1.4) that updates dependencies with security fixes without any changes to plugins or API functionality.

  • Updates AWS SDK components to latest patch versions
  • Updates golang.org/x standard library packages for security fixes
  • Updates Google API and genproto packages to latest versions

Reviewed Changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
go.mod Updates 20 indirect dependency versions to latest patch/minor releases
go.sum Updates corresponding checksums for all updated dependencies in go.mod


@codecov

codecov bot commented Nov 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.37%. Comparing base (e030eeb) to head (7008e5c).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2257   +/-   ##
=======================================
  Coverage   35.37%   35.37%           
=======================================
  Files          18       18           
  Lines         851      851           
=======================================
  Hits          301      301           
  Misses        511      511           
  Partials       39       39           


@rustatian rustatian changed the title from release: v2025.1.4 to release: v2025.1.5 Nov 13, 2025
@rustatian rustatian merged commit d68bee2 into master Nov 13, 2025
20 checks passed
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Jira 😄 Nov 13, 2025
@rustatian rustatian deleted the release/v2025.1.5 branch November 13, 2025 17:34
@coderabbitai coderabbitai bot mentioned this pull request Dec 11, 2025
6 tasks

Labels

C-enhancement Category: enhancement. Meaning improvements of current module, transport, etc..

Projects

Status: ✅ Done
