chore(deps): update non-k8s-go-dependencies (major)

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/openshift/velero	v0.10.2-0.20260323191807-216dd62a1caf → v1.2.0
go.yaml.in/yaml/v2	v2.4.4 → v3.0.4
gomodules.xyz/jsonpatch/v2	v2.5.0 → v3.0.1
gopkg.in/evanphx/json-patch.v4	v4.13.0 → v5.9.11

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

openshift/velero (github.com/openshift/velero)

v1.2.0

Compare Source

v1.1.0

Compare Source

yaml/go-yaml (go.yaml.in/yaml/v2)

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

gomodules/jsonpatch (gomodules.xyz/jsonpatch/v2)

v3.0.1

Compare Source

This release uses our forked gomodules/orderedmap library. Our forked version has 2 major changes:

• Uses *OrderedMap instead of OrderedMap inside nested orderedmaps.
• I ported unstructured helpers from Kubernetes to work with orderedmaps.

v3.0.0

Compare Source

This release uses iancoleman/orderedmap to generate predictable patch. This is very useful if the generated patch is checked into a VCS like git.

evanphx/json-patch (gopkg.in/evanphx/json-patch.v4)

v5.9.11

Compare Source

What's Changed

• Export errBadJSONDoc and errBadJSONPatch errors by @​skitt in #​209

Full Changelog: evanphx/json-patch@v5.9.10...v5.9.11

v5.9.10

Compare Source

What's Changed

• Drop the reference to gopkg.in for v5 by @​skitt in #​203
• remove unmaintained errors pkg(github.com/pkg/errors) by @​koba1t in #​206

New Contributors

• @​skitt made their first contribution in #​203
• @​koba1t made their first contribution in #​206

Full Changelog: evanphx/json-patch@v5.9.0...v5.9.10

v5.9.0

Compare Source

What's Changed

• Validate that the partialDoc is decoded correctly by @​evanphx in #​201
• Add option to control if the output is HTMLEscaped by @​evanphx in #​202

Full Changelog: evanphx/json-patch@v5.8.1...v5.9.0

v5.8.1: Fix API breakage

Compare Source

This PR fixes Operation containing a reference to internal/json and breaking the ability to manually compose one. This restores that ability using a type alias.

Full Changelog: evanphx/json-patch@v5.8.0...v5.8.1

v5.8.0: Blargh Phixs and Empathyprovements

Compare Source

This release fixes a few stray panics, addresses large number accuracy, and improves performance!

What's Changed

• Compare strings after decoding them to handle unicode correctly. Fixes #​172 by @​evanphx in #​195
• Always use UseNumber() to avoid float64 lossyness by @​evanphx in #​194
• Handle null correctly when introduced by replace. Fixes #​171 by @​evanphx in #​196
• Handle from="" more properly. Fixes #​192 by @​evanphx in #​193
• Improve performance by @​evanphx in #​197

Full Changelog: evanphx/json-patch@v5.7.0...v5.8.0

v5.7.0: The 2023 Release

Compare Source

What's Changed

• Fix invalid sprintf by @​howardjohn in #​152
• Add CIFuzz GitHub action by @​DavidKorczynski in #​167
• README: Remove Travis by @​ohkinozomu in #​164
• Updated min supported version to go 1.18 by @​Neo2308 in #​181
• Added dependabot by @​Neo2308 in #​182
• Pre-flight DecodePatch validation: Issue #​177 by @​radwaretaltr in #​180
• Check if raw is a null pointer for findObject by @​JosieLi-Google in #​173
• Bump actions/checkout from 2 to 4 by @​dependabot in #​187
• Fix panic on test op by @​erickertz in #​158

New Contributors

• @​howardjohn made their first contribution in #​152
• @​DavidKorczynski made their first contribution in #​167
• @​ohkinozomu made their first contribution in #​164
• @​Neo2308 made their first contribution in #​181
• @​radwaretaltr made their first contribution in #​180
• @​JosieLi-Google made their first contribution in #​173
• @​dependabot made their first contribution in #​187
• @​erickertz made their first contribution in #​158

Full Changelog: evanphx/json-patch@v5.6.0...v5.7.0

v5.6.0: Bug fixes

Compare Source

What's Changed

• Function ensurePathExists should handle appending correctly by @​MarcelMue in #​148
• Fix partial negative indice support in v4 by @​zqzten in #​146

New Contributors

• @​MarcelMue made their first contribution in #​148
• @​zqzten made their first contribution in #​146

Full Changelog: evanphx/json-patch@v5.5.0...v5.6.0

v5.5.0: Better null handling

Compare Source

This incorporates a few fixes related to how nulls are handles in array's and objects.

v5.3.0: Fix zero sized document crash

Compare Source

This fixes a crash bug where submitted an empty slice as the document would panic.

v5.2.0

Compare Source

v5.1.0

Compare Source

v5.0.0: Proper Go modules release

Compare Source

This release has a proper /v5 directory, unlike the previous releases that did not have a /v4 dir. Thanks to @​BenTheElder for getting this sorted out!

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading github.com/openshift/velero v1.2.0
go: downloading github.com/kopia/kopia v0.10.7
go: downloading go.yaml.in/yaml/v2 v2.4.3
go: github.com/openshift/hypershift-oadp-plugin/pkg/common imports
	github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1: cannot find module providing package github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updated Go module dependency declarations in go.mod: migrated YAML v2 → v3, replaced json-patch modules with v3/v5 variants, upgraded indirect github.com/hashicorp/go-hclog, and changed a replace to github.com/openshift/velero v1.2.0. No public API changes.

Changes

Cohort / File(s)	Summary
Dependency updates go.mod	Switched YAML indirect from go.yaml.in/yaml/v2 → go.yaml.in/yaml/v3 v3.0.4; replaced gomodules.xyz/jsonpatch/v2 & gopkg.in/evanphx/json-patch.v4 with gomodules.xyz/jsonpatch/v3 v3.0.1 and gopkg.in/evanphx/json-patch.v5 v5.9.11; bumped indirect github.com/hashicorp/go-hclog to v1.6.3; updated replace mapping to github.com/openshift/velero v1.2.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: updating non-Kubernetes Go dependencies to major versions, which matches the changeset contents perfectly.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR modifies only dependencies and configuration files; codebase uses standard Go testing, not Ginkgo, so check is not applicable.
Test Structure And Quality	✅ Passed	This custom check is not applicable to the provided pull request. The PR exclusively modifies go.mod and go.sum files with no test code changes. The codebase uses standard Go testing with testing.T and Gomega assertions, not Ginkgo's BDD framework.
Microshift Test Compatibility	✅ Passed	PR is a dependency update with standard Go unit tests using testing.T pattern, not Ginkgo e2e tests with required constructs like It(), Describe(), Context(), or When().
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; only dependency version updates in go.mod file.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates go.mod dependencies; no deployment manifests, operator code, or controllers are added or modified.
Ote Binary Stdout Contract	✅ Passed	PR only modifies go.mod dependencies without source code changes that could violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates Go dependencies in go.mod and does not add or modify any Ginkgo e2e tests.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/major-non-k8s-go-dependencies

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign kaovilai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

go.mod (3)

6-6: ⚠️ Potential issue | 🔴 Critical

Version mismatch for external-snapshotter client.

The package github.com/kubernetes-csi/external-snapshotter/client/v8 appears with two different versions:

• Line 6: v8.2.0 (direct dependency)
• Line 27: v8.4.0 (indirect dependency)

This inconsistency will cause confusion during dependency resolution. Run go mod tidy to reconcile the versions, or explicitly update the direct dependency to match the intended version.

🔧 Recommended fix

 require (
-	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0
+	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0
 	github.com/onsi/gomega v1.39.0

Then run go mod tidy to clean up the indirect entries.

Also applies to: 27-27

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 6, The go.mod has a version mismatch for
github.com/kubernetes-csi/external-snapshotter/client/v8 (v8.2.0 vs v8.4.0);
update the direct dependency line for
github.com/kubernetes-csi/external-snapshotter/client/v8 to the intended version
(e.g., v8.4.0) or remove the explicit entry, then run `go mod tidy` to reconcile
indirect entries and ensure the dependency graph is consistent.

---

20-20: ⚠️ Potential issue | 🟠 Major

Remove or update the unused gopkg.in/evanphx/json-patch.v5 dependency.

Two different import paths for the same json-patch package are listed in go.mod:

• Line 20: github.com/evanphx/json-patch/v5 v5.9.11
• Line 40: gopkg.in/evanphx/json-patch.v5 v5.9.11

The modern path (github.com/evanphx/json-patch/v5) is actively used in the codebase, but the legacy gopkg.in path is not imported or referenced anywhere. Since both are marked as indirect dependencies, the gopkg.in entry likely comes from older transitive dependencies. Remove this entry or update the transitive dependencies to eliminate the unused import path and reduce unnecessary binary bloat.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 20, Remove the legacy gopkg.in import entry from go.mod:
identify the indirect dependency line referencing gopkg.in/evanphx/json-patch.v5
v5.9.11 and delete it (or run `go mod tidy` to drop unused transitive entries),
ensuring only the modern github.com/evanphx/json-patch/v5 v5.9.11 remains;
verify builds and `go list -m all` to confirm the old gopkg.in path is no longer
present.

---

6-6: ⚠️ Potential issue | 🟡 Minor

Address the external-snapshotter version conflict between direct and vendored dependencies.

The codebase has a significant version mismatch: pkg/common/scheme.go directly imports github.com/kubernetes-csi/external-snapshotter/client/v8, while the vendored Velero (v1.2.0 fork) internally uses client/v7. Both versions are present in go.sum, creating a potential schema registration conflict when both call AddToScheme() on the same runtime scheme.

The other dependencies listed (go.yaml.in/yaml, gomodules.xyz/jsonpatch, go-hclog) are indirect dependencies with no direct usage in the codebase's core logic, making them lower priority.

Ensure that:

• The CustomScheme in pkg/common/scheme.go correctly handles both v7 and v8 volumesnapshot APIs if both are transitively required
• If only v8 is intended, verify that the Velero fork has been updated to use v8 or that the v7 import is not needed
• Run integration tests covering snapshot-related operations to confirm there are no schema conflicts

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 6, pkg/common/scheme.go currently registers only one snapshot
client version which causes conflicts when both v7 and v8 are present; update
CustomScheme to explicitly handle both versions by importing the Velero-fork's
client/v7 and the direct client/v8 under distinct aliases (e.g., snapshotv7,
snapshotv8) and invoke snapshotv7.AddToScheme(CustomScheme) and
snapshotv8.AddToScheme(CustomScheme) (or, if the project should only use v8,
update the Velero fork/dependency to v8 or remove the v7 import so only
snapshotv8.AddToScheme is called); after making the change run integration tests
covering snapshot operations to verify no schema registration conflicts remain.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 36-37: The go.mod contains a duplicate indirect requirement for
the module go.yaml.in/yaml/v3 (v3.0.4) — remove one of the identical lines
declaring go.yaml.in/yaml/v3 v3.0.4 and then run `go mod tidy` to re-evaluate
and clean up dependency metadata; look for the duplicate module entry
"go.yaml.in/yaml/v3" in go.mod to locate and delete the redundant line.

---

Outside diff comments:
In `@go.mod`:
- Line 6: The go.mod has a version mismatch for
github.com/kubernetes-csi/external-snapshotter/client/v8 (v8.2.0 vs v8.4.0);
update the direct dependency line for
github.com/kubernetes-csi/external-snapshotter/client/v8 to the intended version
(e.g., v8.4.0) or remove the explicit entry, then run `go mod tidy` to reconcile
indirect entries and ensure the dependency graph is consistent.
- Line 20: Remove the legacy gopkg.in import entry from go.mod: identify the
indirect dependency line referencing gopkg.in/evanphx/json-patch.v5 v5.9.11 and
delete it (or run `go mod tidy` to drop unused transitive entries), ensuring
only the modern github.com/evanphx/json-patch/v5 v5.9.11 remains; verify builds
and `go list -m all` to confirm the old gopkg.in path is no longer present.
- Line 6: pkg/common/scheme.go currently registers only one snapshot client
version which causes conflicts when both v7 and v8 are present; update
CustomScheme to explicitly handle both versions by importing the Velero-fork's
client/v7 and the direct client/v8 under distinct aliases (e.g., snapshotv7,
snapshotv8) and invoke snapshotv7.AddToScheme(CustomScheme) and
snapshotv8.AddToScheme(CustomScheme) (or, if the project should only use v8,
update the Velero fork/dependency to v8 or remove the v7 import so only
snapshotv8.AddToScheme is called); after making the change run integration tests
covering snapshot operations to verify no schema registration conflicts remain.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf20e9c1-21c4-4327-9d80-14b2df77bcbb

📥 Commits

Reviewing files that changed from the base of the PR and between faa7cf8 and b31746b.

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove duplicate entry for go.yaml.in/yaml/v3.

Lines 36 and 37 are identical, both declaring go.yaml.in/yaml/v3 v3.0.4 as an indirect dependency. Remove one of the duplicate entries and run go mod tidy to clean up the file.

🔧 Recommended fix

 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sync v0.19.0 // indirect

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	go.yaml.in/yaml/v3 v3.0.4 // indirect
	go.yaml.in/yaml/v3 v3.0.4 // indirect
	github.com/x448/float16 v0.8.4 // indirect
	go.yaml.in/yaml/v3 v3.0.4 // indirect
	golang.org/x/sync v0.19.0 // indirect

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 36 - 37, The go.mod contains a duplicate indirect
requirement for the module go.yaml.in/yaml/v3 (v3.0.4) — remove one of the
identical lines declaring go.yaml.in/yaml/v3 v3.0.4 and then run `go mod tidy`
to re-evaluate and clean up dependency metadata; look for the duplicate module
entry "go.yaml.in/yaml/v3" in go.mod to locate and delete the redundant line.

[openshift-ci]

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/build	22f62a3	link	true	/test build
ci/prow/verify	22f62a3	link	true	/test verify
ci/prow/unit	22f62a3	link	true	/test unit
ci/prow/images	22f62a3	link	true	/test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.