Dependency Updates Guide
This guide covers the process for updating Kure’s dependencies, including version tracking, risk assessment, and coordinated upgrades.
Version Management Overview
Kure tracks dependency versions in three places:
| File | Purpose |
|---|---|
| go.mod | Go module dependencies (authoritative for build) |
| versions.yaml | Version metadata: current version, supported range, constraints |
| docs/compatibility.md | Generated from versions.yaml — never edit directly |
The sync-versions.sh script validates consistency between go.mod and versions.yaml, and regenerates docs/compatibility.md.
Update Risk Levels
Patch Updates (Low Risk)
Patch bumps (e.g., v1.5.0 → v1.5.1) contain bug fixes only.
```shell
go get <module>@v<new-version>
go mod tidy
```
Update the `current` field in versions.yaml. No `supported_range` change needed.
Minor Updates (Medium Risk)
Minor bumps (e.g., v1.19 → v1.20) may add new APIs or deprecate existing ones.
- Review the upstream changelog for breaking changes
- Check if Kure uses any deprecated APIs
- Update `go.mod` and `versions.yaml` (both `current` and `supported_range`)
- Run `make verify` to catch compile-time breakage
Major Updates (High Risk)
Major bumps (e.g., v1 → v2) likely have breaking API changes.
- Review the migration guide thoroughly
- Assess impact on all callers (check with `grep -r` for imports)
- Update code to use new APIs
- Update `versions.yaml` and documentation
- Consider impact on Crane (see `AGENTS.md` § Crane Integration)
Coordinated Upgrade Rules
Some dependencies must be upgraded together to avoid version conflicts.
Flux Ecosystem
All github.com/fluxcd/* packages must be upgraded together. Flux releases coordinate versions across:
- flux2/v2
- helm-controller/api
- kustomize-controller/api
- notification-controller/api
- source-controller/api
- image-automation-controller/api
- pkg/apis/meta, pkg/apis/kustomize
Kubernetes (k8s.io/*)
All k8s.io/ packages must stay at the same patch release. Kure uses replace directives in go.mod to enforce this. See the comment block in go.mod for details.
When can replace directives be removed? Only when ALL direct and transitive dependencies converge on the same k8s.io/ minor version. Check with:
```shell
go mod graph | grep 'k8s.io/' | awk '{print $2}' | sort -u
```
CNPG Ecosystem
cloudnative-pg, barman-cloud, machinery, and plugin-barman-cloud are related but versioned independently. Check compatibility notes in versions.yaml before upgrading.
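For the k8s.io convergence check in the previous subsection, here is an added Go example (not Kure's own code and not part of sync-versions.sh) that applies the same test to saved `go mod graph` output and reports whether the replace directives could be dropped. The sample graph lines, module paths and versions embedded in it are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (not real Kure data): "<consumer> <dep@version>".
const sampleGraph = `github.com/example/kure k8s.io/api@v0.35.1
github.com/example/kure k8s.io/apimachinery@v0.35.1
github.com/example/kure k8s.io/client-go@v0.35.1
github.com/fluxcd/helm-controller/api@v1.3.0 k8s.io/apimachinery@v0.34.0
sigs.k8s.io/controller-runtime@v0.22.0 k8s.io/api@v0.35.1
github.com/example/kure sigs.k8s.io/controller-runtime@v0.22.0
`

// K8sModuleVersions mirrors `go mod graph | grep 'k8s.io/' | awk '{print $2}' | sort -u`:
// the distinct k8s.io/<module>@<version> entries. sigs.k8s.io/* is versioned separately and skipped.
func K8sModuleVersions(graph string) []string {
	seen := map[string]bool{}
	for _, line := range strings.Split(graph, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && strings.HasPrefix(fields[1], "k8s.io/") {
			seen[fields[1]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for dep := range seen {
		out = append(out, dep)
	}
	sort.Strings(out)
	return out
}

// ReplaceDirectivesRemovable is true only when every k8s.io/* module sits on one minor series
// (vMAJOR.MINOR), the guide's condition for dropping the replace block from go.mod.
// Any straggler, here helm-controller/api still pulling apimachinery v0.34.0, blocks it.
func ReplaceDirectivesRemovable(graph string) bool {
	minors := map[string]bool{}
	for _, dep := range K8sModuleVersions(graph) {
		_, ver, _ := strings.Cut(dep, "@")                               // "v0.35.1"
		minors[strings.Join(strings.SplitN(ver, ".", 3)[:2], ".")] = true // "v0.35"
	}
	return len(minors) == 1
}

func main() {
	fmt.Println(K8sModuleVersions(sampleGraph), ReplaceDirectivesRemovable(sampleGraph))
}
```

Feed it real output with `go mod graph > graph.txt` and read the file into the `graph` argument; the function prints the distinct module versions so the straggling consumer can be found with `grep` in the same graph.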
Bundling Dependabot PRs
When multiple Dependabot PRs accumulate, bundle them into a single PR:
- Create a feature branch: `git checkout -b chore/bundle-dependency-updates main`
- Run `go get` for all dependencies (Flux packages first for coordinated upgrades)
- Run `go mod tidy`
- Update `versions.yaml` entries
- Regenerate docs: `./scripts/sync-versions.sh generate`
- Validate: `./scripts/sync-versions.sh check`
- Run full verification: `make verify && make test-race`
- Commit, push, and create PR
- Reference all Dependabot PR numbers in the PR body to auto-close them
Dangerous Upgrades to Watch For
| Dependency | Risk | Watch For |
|---|---|---|
| cert-manager major (v1 → v2) | Breaking | API group changes, CRD schema changes |
| k8s.io major (e.g., v0.35 → v0.36) | Breaking | API removals, type changes, replace directive updates |
| Flux major (v2 → v3) | Breaking | API version removals (v1beta1 → v1 migrations) |
| controller-runtime major | Breaking | Interface changes affecting all CRD-based packages |
Validation Checklist
Before merging any dependency update:
- `./scripts/sync-versions.sh check` — versions.yaml ↔ go.mod consistency
- `make verify` — tidy + lint + test
- `make test-race` — race condition detection
- k8s.io replace directives unchanged (unless intentionally bumping)
- `docs/compatibility.md` regenerated if `versions.yaml` changed
See Also
- DEVELOPMENT.md § Dependabot Management — PR commands for managing Dependabot PRs
- compatibility.md — Generated compatibility matrix
- versions.yaml — Version source of truth