
chore(deps): bump go-bus + ratelimiter to retire docker/docker (Aikido)#582

Closed
dorothyyzh wants to merge 3 commits into master from fix/aikido-retire-docker-docker-2026-05-13

Conversation

@dorothyyzh dorothyyzh commented May 13, 2026

Status: DRAFT — pinned to upstream PR branches (pseudo-versions). Will be re-pointed to proper tags once upstream PRs merge. Do not merge yet.

Summary

Two changes that together retire github.com/docker/docker from qor5/x/v3's dependency graph:

  1. Bump qor5/go-bus and theplant/ratelimiter to pseudo-versions of their docker/docker-removal branches:
  2. Add redisx package — a first-class Redis test container helper, mirroring gormx for Postgres. Exists so downstream consumers (theplant/ratelimiter, future syncx/admin Redis needs) don't have to depend on theplant/testenv (which still pins docker/docker) or each fork their own internal helper.

Combined with #581 (which already migrated gormx itself off docker/docker onto github.com/moby/moby/api), this fully retires docker/docker from qor5/x/v3's graph.

Why

docker/docker is frozen at v28.5.2+incompatible on the Go module proxy — moby moved Go-module publishing to github.com/moby/moby/api and github.com/moby/moby/v2. Aikido flags docker/docker for CVE-2026-33997 / 34040 (group 25543337) for which no fix can ship via the legacy module path. qor5/x is the foundational library for all theplant/* services — dropping docker/docker here cascades into every downstream service (cms, consent, loyalty, pim, marketing, iam, ciam, adex, etc.).

Changes

redisx package (new)

// Same API shape as gormx:
func OpenContainer(ctx, *ContainerConfig) (*Container, error)
func SetupContainer(ctx, *lifecycle.Lifecycle, *ContainerConfig) (*Container, error)

type ContainerConfig struct { Image string }
type Container struct {
    testcontainers.Container
    Client *redis.Client
}
func (*Container) Close(ctx) error

Backed by testcontainers-go/modules/redis (already moby-migrated in v0.42.0). 1 source file + 1 smoke test file (~135 lines total).

go.mod (the dep bumps)

  • github.com/qor5/go-bus v0.0.0-20250731113321-2c127f29aaaa → v0.1.1-0.20260513042224-f44a29d2650c
  • github.com/theplant/ratelimiter v1.0.1 → v1.0.2-0.20260513051226-060e61f4e5d3
  • github.com/docker/docker v28.5.2+incompatible // indirect → removed
  • github.com/moby/{docker-image-spec,go-archive,patternmatcher,sys/sequential,sys/user,sys/userns,term} → all removed (transitive cleanup)

go.sum updated to match.

Verification

  • go build ./... clean
  • go vet ./... clean
  • go test ./... pass (all packages, including gormx, redisx, gormx/postgresx, ratelimiterx, exchange)
  • redisx smoke test: container starts, Ping succeeds, Set/Get round-trip succeeds
  • go mod why github.com/docker/docker → "(main module does not need package github.com/docker/docker)"
  • docker/docker no longer in go.mod
  • theplant/testenv no longer in go.mod

Merge plan

  1. Merge qor5/go-bus#20 → tag (e.g. v0.1.1)
  2. Merge theplant/ratelimiter#14 → tag (e.g. v1.0.2)
  3. Update this PR's go.mod to point at the new tags (replace pseudo-versions)
  4. Re-run go mod tidy && go test ./... to confirm
  5. Mark this PR ready for review and merge → tag qor5/x (e.g. v3.3.0)
  6. Downstream: bump qor5/x in qor5/syncx, qor5/admin, theplant/relay, and business services

Deployment note

Skill opens this PR; it does not touch any release-* branch.
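The dependency-graph argument behind this PR (the two go.mod bumps plus the `go mod why` check under Verification) can be walked through offline. The following is an added example, not code from qor5/x or from this PR: it parses a constructed `go mod graph` style edge list, runs an unpruned MVS closure from the main module (every required version is visited, the highest version per module path wins), and reports the requirement chain to `github.com/docker/docker` the way `go mod why -m` would. The `theplant/testenv` version string and its edges are assumptions; the other versions are the ones the PR lists. The semver comparison is deliberately minimal (numeric core, release beats pre-release, pseudo-version timestamps compared as strings) and does not model Go 1.17+ module graph pruning, so the authoritative check on a real module remains `go mod why -m github.com/docker/docker` and `go mod graph`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	mainModule = "github.com/qor5/x/v3"
	target     = "github.com/docker/docker"
)

// Constructed requirement graphs in `go mod graph` format ("requirer@ver requirement@ver";
// the main module carries no version). The testenv version is an assumption.
const graphBefore = `github.com/qor5/x/v3 github.com/qor5/go-bus@v0.0.0-20250731113321-2c127f29aaaa
github.com/qor5/x/v3 github.com/theplant/ratelimiter@v1.0.1
github.com/qor5/go-bus@v0.0.0-20250731113321-2c127f29aaaa github.com/theplant/testenv@v0.0.0-20250101000000-000000000000
github.com/theplant/ratelimiter@v1.0.1 github.com/theplant/testenv@v0.0.0-20250101000000-000000000000
github.com/theplant/testenv@v0.0.0-20250101000000-000000000000 github.com/docker/docker@v28.5.2+incompatible`

const graphAfter = `github.com/qor5/x/v3 github.com/qor5/go-bus@v0.1.1-0.20260513042224-f44a29d2650c
github.com/qor5/x/v3 github.com/theplant/ratelimiter@v1.0.2-0.20260513051226-060e61f4e5d3`

// parseGraph turns "a@v b@w" lines into an adjacency list keyed by node.
func parseGraph(text string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// splitNode separates "path@version" into module path and version.
func splitNode(node string) (path, version string) {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// lessVersion is a small semver ordering: numeric major.minor.patch, then a release
// beats any pre-release/pseudo-version, then pre-release strings compare lexically
// (pseudo-version timestamps sort correctly that way). "+incompatible" is ignored.
func lessVersion(a, b string) bool {
	core := func(v string) ([3]int, string) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexByte(v, '+'); i >= 0 {
			v = v[:i]
		}
		var pre string
		if i := strings.IndexByte(v, '-'); i >= 0 {
			v, pre = v[:i], v[i+1:]
		}
		var n [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	na, pa := core(a)
	nb, pb := core(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	if (pa == "") != (pb == "") {
		return pa != "" // pre-release sorts before the release
	}
	return pa < pb
}

// buildList visits every required version reachable from the main module
// (unpruned MVS) and keeps the highest version seen for each module path.
func buildList(g map[string][]string) map[string]string {
	selected := map[string]string{}
	seen := map[string]bool{}
	stack := []string{mainModule}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[n] {
			continue
		}
		seen[n] = true
		p, v := splitNode(n)
		if cur, ok := selected[p]; !ok || lessVersion(cur, v) {
			selected[p] = v
		}
		stack = append(stack, g[n]...)
	}
	return selected
}

// whyPath mimics `go mod why -m`: the first requirement chain from the main module
// to any version of target, or nil when nothing in the graph requires it.
func whyPath(g map[string][]string, target string) []string {
	seen := map[string]bool{}
	var dfs func(n string, trail []string) []string
	dfs = func(n string, trail []string) []string {
		if seen[n] {
			return nil
		}
		seen[n] = true
		trail = append(trail, n)
		if p, _ := splitNode(n); p == target {
			return trail
		}
		for _, dep := range g[n] {
			if r := dfs(dep, append([]string(nil), trail...)); r != nil {
				return r
			}
		}
		return nil
	}
	return dfs(mainModule, nil)
}

func main() {
	for _, s := range []struct{ name, graph string }{{"before", graphBefore}, {"after", graphAfter}} {
		g := parseGraph(s.graph)
		v, present := buildList(g)[target]
		fmt.Printf("%-6s docker/docker present=%v version=%q chain=%v\n", s.name, present, v, whyPath(g, target))
	}
}
```

Run it and the "before" graph selects `docker/docker` at `v28.5.2+incompatible` via `go-bus → testenv → docker/docker`, while the "after" graph has no chain at all; that is the property the `go mod why` line in Verification is confirming.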

Bumps the two remaining transitive paths that pulled
`github.com/docker/docker` into this module's `go.mod`:

- `github.com/qor5/go-bus` -> pseudo-version pointing at
  qor5/go-bus#20 HEAD (migrates its tests off `testenv` to `gormx`).
- `github.com/theplant/ratelimiter` v1.0.1 -> pseudo-version pointing at
  theplant/ratelimiter#14 HEAD (same migration pattern).

With these two upstreams off `theplant/testenv` (the sole importer of
`github.com/docker/docker/api/types/container`), MVS no longer pulls
`docker/docker` into `qor5/x/v3`'s `go.mod`. Combined with PR #581
(`gormx` itself moved to `github.com/moby/moby/api`), this fully retires
`github.com/docker/docker v28.5.2+incompatible` from this module's
dependency graph.

Verification:
- `go build ./...` clean
- `go vet ./...` clean
- `go test ./...` pass (all packages — including ratelimiterx, gormx,
  exchange)
- `go mod why github.com/docker/docker` -> not needed
- `docker/docker` no longer in `go.mod`
- `theplant/testenv` no longer in `go.mod`

DRAFT until upstream PRs merge:
- qor5/go-bus#20
- theplant/ratelimiter#14

After both merge + tag, the pseudo-versions above will be replaced with
proper tags before merging this PR.

Aikido group 25543337 (CVE-2026-33997 / CVE-2026-34040).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mirrors `gormx.OpenContainer` / `SetupContainer` but for Redis,
backed by `testcontainers-go/modules/redis`. Same API shape:

- `OpenContainer(ctx, *ContainerConfig) (*Container, error)`
- `SetupContainer(ctx, *lifecycle.Lifecycle, *ContainerConfig)` for
  DI-managed cleanup
- `ContainerConfig` / `DefaultContainerConfig()`
- `Container { testcontainers.Container; Client *redis.Client }`

Exists because `theplant/testenv` (the only existing Redis container
helper in the org's Go ecosystem) still pins `github.com/docker/docker`
and is blocking the migration off it. Downstream consumers (theplant/
ratelimiter#14, and future syncx/admin needs) need a moby-only Redis
helper; rather than each forking its own `internal/testsupport`,
make this a first-class part of qor5/x next to gormx.

Verification:
- `go build ./redisx/...` clean
- `go vet ./redisx/...` clean
- `go test ./redisx/...` pass (smoke test: start container, Ping,
  Set/Get round-trip)
- `go mod why github.com/docker/docker` still reports "not needed"
  after the add — docker/docker remains absent from `go.mod`

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dorothyyzh added a commit to theplant/ratelimiter that referenced this pull request May 13, 2026
qor5/x#582 now exposes a first-class `redisx` package mirroring `gormx`.
Switch this repo's two Redis-using tests to the shared helper and drop
the temporary `internal/testsupport/redis.go` that existed only to
keep this PR independent.

Net effect: same behavior, one fewer place to maintain a redis container
helper across the org.

Verification:
- `go build ./...` clean
- `go test ./...` pass (all 3 packages, ~10s)
- `docker/docker` still absent from `go.mod`
- `theplant/testenv` still absent from `go.mod`

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

MustStartTestSuite (existing) wires the full SetupDatabase data path,
which installs three production plugins:
  - OmitAssociationsPlugin: silently omits GORM associations on
    Create/Update/Delete (changes semantics for tests that exercise
    associations)
  - SoftDeleteUpdatedAtPlugin
  - TracingPlugin: writes a JSON log line per query to the
    appkit/log default sink (pollutes stdout/stderr — breaks any
    `Example_*` test that relies on byte-exact output capture)

These behaviors are correct for production-like integration tests,
but they make MustStartTestSuite an unsafe drop-in replacement when
migrating tests off `github.com/theplant/testenv` (which was a plain
gorm.Open with no plugins).

MustStartRawTestSuite returns the same *TestSuite shape but skips
SetupDatabase entirely: it opens the connection with
`gorm.Open(postgres.Open(c.DSN), &gorm.Config{})`, equivalent to what
testenv.SetupDatabase did. Container teardown is still managed by the
lifecycle, so callers get the cleanup ergonomics (works correctly
across `os.Exit` because the lifecycle handles signals) without
silently changing GORM semantics or polluting test output.

Two callers to choose between:
- MustStartTestSuite     -> production data path (3 existing callers
                            in qor5/x: gormx_test, postgresx_test,
                            ratelimiterx/grpc_test)
- MustStartRawTestSuite  -> testenv-equivalent (the in-flight
                            migrations of theplant/relay,
                            theplant/ratelimiter, qor5/go-bus,
                            qor5/syncx, qor5/admin)

Verification:
- TestMustStartRawTestSuite: AutoMigrate + Create + First round-trip
- TestRawTestSuiteNoTracingOutput: captures stdout/stderr while
  running migrations and a Create, asserts no `"caller":"trace.go`
  JSON appears (i.e. tracing is NOT installed)
- Full `go test ./gormx/...` pass

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
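The TestRawTestSuiteNoTracingOutput check described in the commit above works by capturing stdout and stderr around the code under test and asserting that no `"caller":"trace.go` JSON appears. The block below is an added example of that capture pattern in Go, not gormx's test code: `captureOutput` swaps `os.Stdout`/`os.Stderr` for a pipe and drains it concurrently, `runQueries` is a constructed stand-in for a tracing plugin (it emits one JSON line per query to stderr when enabled), and `escapesCapture` demonstrates the pitfall such a test must account for: a `log.Logger` that captured the original `*os.File` at package init keeps writing to the real stderr and is invisible to the swap. All names here are the example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
	"sync"
)

// traceMarker is the substring the gormx test looks for in captured output.
const traceMarker = `"caller":"trace.go`

// earlyLogger is bound to the real stderr at init, so swapping os.Stderr later
// does not redirect it. This is the main blind spot of output-capture assertions.
var earlyLogger = log.New(os.Stderr, "", 0)

// captureOutput swaps os.Stdout and os.Stderr for one pipe while fn runs and
// returns everything written through them. Only writers that resolve os.Stdout /
// os.Stderr at write time (fmt.Print, fmt.Fprint(os.Stderr, ...)) are captured.
func captureOutput(fn func()) string {
	origOut, origErr := os.Stdout, os.Stderr
	r, w, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	os.Stdout, os.Stderr = w, w

	var buf bytes.Buffer
	var wg sync.WaitGroup
	wg.Add(1)
	go func() { // drain concurrently so a chatty fn cannot block on a full pipe
		defer wg.Done()
		io.Copy(&buf, r)
	}()

	func() {
		defer func() {
			os.Stdout, os.Stderr = origOut, origErr
			w.Close() // closing the write end lets io.Copy finish
		}()
		fn()
	}()
	wg.Wait()
	r.Close()
	return buf.String()
}

// runQueries is a constructed stand-in for a test body: it "executes" queries and,
// when tracing is enabled, writes a JSON log line per query to stderr at call time.
func runQueries(tracing bool, queries []string) {
	for _, q := range queries {
		if tracing {
			line, _ := json.Marshal(map[string]string{"caller": "trace.go:42", "sql": q})
			fmt.Fprintln(os.Stderr, string(line))
		}
	}
}

// tracingLeaked reports whether a run with the given tracing setting produced
// tracing output; a raw (plugin-free) suite must return false here.
func tracingLeaked(tracing bool) bool {
	out := captureOutput(func() {
		runQueries(tracing, []string{"SELECT 1", "INSERT INTO t (id) VALUES (1)"})
	})
	return strings.Contains(out, traceMarker)
}

// escapesCapture shows the pitfall: a logger built at init still reaches the real
// stderr, so the marker is absent from the capture even though it was emitted.
func escapesCapture() bool {
	out := captureOutput(func() {
		earlyLogger.Println(`{"caller":"trace.go:1","sql":"SELECT 1"}`)
	})
	return !strings.Contains(out, traceMarker)
}

func main() {
	fmt.Println("tracing on, leaked:", tracingLeaked(true))
	fmt.Println("tracing off, leaked:", tracingLeaked(false))
	fmt.Println("init-bound logger escapes capture:", escapesCapture())
}
```

Because of the `escapesCapture` case, a negative assertion ("no tracing JSON appeared") is only as strong as the capture's reach: when the log sink under test holds its own writer, point that sink at a buffer the test owns rather than relying on the `os.Stderr` swap.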
@dorothyyzh dorothyyzh closed this May 13, 2026