Conversation

@pilat
Owner

@pilat pilat commented Dec 22, 2025

Bump Go, deps

Summary by CodeRabbit

  • Chores

    • Updated Go runtime from 1.23 to 1.25 across build and CI workflows.
    • Modernized project dependencies (Docker/Compose, Kubernetes-related modules, OpenTelemetry, gRPC, and many supporting libraries) for compatibility and performance.
  • Tests

    • End-to-end tests now run without test caching to ensure fresh execution each run.


@coderabbitai

coderabbitai bot commented Dec 22, 2025

Walkthrough

Upgrades Go toolchain from 1.23 → 1.25 across CI/workflow files and project module (go directive → 1.25.5); large dependency modernization in go.mod including replace directives for Docker→Moby and many direct/indirect version bumps; small runtime/test behavior and API-type adjustments in cmd/* files and Makefile.

Changes

  • CI/CD Go version updates (.github/workflows/build-and-release.yaml, .github/workflows/ci.yaml): Bumped env GO_VERSION from 1.23 to "1.25" (quoted string) used by setup-go steps.
  • Go module & dependency modernization (go.mod): go directive updated go 1.23.3 → go 1.25.5; many direct deps upgraded (compose-go, docker/cli, docker/compose, docker/docker, cobra, testify, golang.org/x/*, etc.); added replace directives mapping github.com/docker/docker and subpaths → github.com/moby/moby versions; extensive transitive dependency updates.
  • Build/test Makefile change (Makefile): test-e2e now runs go test with -count=1 to disable caching (always re-run tests).
  • API interface type changes in CLI code (cmd/devbox/devbox.go, cmd/devbox/restart.go, cmd/devbox/run.go): Public/global variable and function parameter types changed from api.Service → api.Compose. Call sites updated to pass api.Compose; implementation calls (e.g., Ps) remain functionally equivalent.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Areas requiring extra attention:
    • go.mod: verify replace directives and ensure module graph builds cleanly; run go mod tidy and go test ./....
    • Docker→Moby mappings and +incompatible versions: check API surface compatibility and potential import path issues.
    • Large transitive upgrades (k8s, containerd, gRPC, OpenTelemetry): scan for breaking changes and run integration/e2e tests.
    • CLI API type changes (api.Service → api.Compose): ensure all callers and implementations satisfy new interface; run compile and unit tests.
    • CI workflows: confirm runner actions accept quoted GO_VERSION and setup-go supports targeted Go version.

Possibly related PRs

  • ci: e2e tests are part of CI #15 — also updates the CI workflow Go version (GO_VERSION in .github/workflows/ci.yaml), likely related to the same toolchain upgrade.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
  • Title check (❓ Inconclusive): The title 'Chore/bump' is vague and generic, using non-descriptive terms that don't convey meaningful information about the specific changes. Resolution: Revise the title to be more specific about the changes, e.g., 'Bump Go to 1.25 and update dependencies' or 'Update Go version and modernize dependency tree'.
✅ Passed checks (1 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ce10b3c and 7713884.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
  • .github/workflows/build-and-release.yaml
  • .github/workflows/ci.yaml
  • Makefile
  • cmd/devbox/devbox.go
  • cmd/devbox/restart.go
  • cmd/devbox/run.go
  • go.mod
🧰 Additional context used
📓 Path-based instructions (1)
cmd/devbox/**/*.go

⚙️ CodeRabbit configuration file

cmd/devbox/**/*.go: This directory contains CLI commands using Cobra framework.
Each command is in a separate file with an init() function that registers via root.AddCommand().

Review for:

  • Proper error handling with context wrapping (fmt.Errorf with %w)
  • Consistent command structure following existing patterns
  • Appropriate use of runWrapper for context handling
  • Clear, concise command descriptions
  • No over-engineering - only implement what's needed

Files:

  • cmd/devbox/restart.go
  • cmd/devbox/run.go
  • cmd/devbox/devbox.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Lint & Test
  • GitHub Check: E2E Tests
🔇 Additional comments (8)
Makefile (1)

20-21: LGTM!

Adding -count=1 to disable test caching is appropriate for end-to-end tests, ensuring they run fresh each time rather than relying on cached results.

go.mod (3)

5-9: LGTM - Replace directives are correctly specified.

The replace directives mapping github.com/docker/docker to github.com/moby/moby are correct and follow the standard pattern for using the Moby fork.


14-14: Confirm docker/compose/v2 v2.40.2 contains CVE-2025-62725 fix.

The fix for CVE-2025-62725 was released in Docker Compose v2.40.2 on October 27, 2025. This version addresses the path traversal vulnerability affecting v2.34.0 through v2.40.1.


49-49: Dependency correctly pins containerd/v2 v2.1.5 which fixes both vulnerabilities.

CVE-2024-25621 (privilege escalation) is fixed in version 2.1.5, and GHSA-m6hq-p25p-ffr2 (goroutine leak memory exhaustion) has been fixed in version 2.1.5. This dependency is secure and properly addresses the identified CVEs.

cmd/devbox/restart.go (1)

134-134: LGTM - Consistent API type change.

The signature change from api.Service to api.Compose is consistent with the changes in devbox.go and run.go. The function body correctly uses the interface methods.

cmd/devbox/run.go (1)

117-117: LGTM - Consistent API type change.

The signature change from api.Service to api.Compose is consistent with the changes in devbox.go and restart.go. The function logic remains correct.

.github/workflows/build-and-release.yaml (1)

16-16: Go 1.25 is available and stable—CI/CD setup is correct.

Go 1.25 was released in August 2025, and Go 1.25.5 was released on December 2, 2025 with security and stability fixes. The version pinning is appropriate for a current production workflow.

cmd/devbox/devbox.go (1)

22-22: api.Compose interface is correctly used in docker/compose/v2 v2.40.2.

The Compose interface exists in github.com/docker/compose/v2/pkg/api, and the change from api.Service to api.Compose is valid. NewComposeService returns api.Compose, confirming the interface is the correct type for the global apiService variable. The usage is consistently applied across devbox.go, restart.go, and run.go.



@pilat pilat self-assigned this Dec 22, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (2)
.github/workflows/ci.yaml (1)

14-14: Same version verification needed.

Same concern as in build-and-release.yaml - verify Go 1.25 exists before merging.

go.mod (1)

3-3: Verify Go 1.25.5 release.

Ensure this Go version has been officially released and is production-ready.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d7a534 and ce10b3c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .github/workflows/build-and-release.yaml
  • .github/workflows/ci.yaml
  • go.mod
🧰 Additional context used
🪛 OSV Scanner (2.3.0)
go.mod

[HIGH] 47-47: github.com/containerd/containerd/v2 2.1.1: containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

(GO-2025-4100)


[HIGH] 47-47: github.com/containerd/containerd/v2 2.1.1: containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

(GO-2025-4108)


[HIGH] 47-47: github.com/containerd/containerd/v2 2.1.1: containerd CRI server: Host memory exhaustion through Attach goroutine leak

(GHSA-m6hq-p25p-ffr2)


[HIGH] 47-47: github.com/containerd/containerd/v2 2.1.1: containerd affected by a local privilege escalation via wide permissions on CRI directory

(GHSA-pwhc-rpq9-4c8w)


[HIGH] 10-10: github.com/docker/compose/v2 2.36.2: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose

(GO-2025-4077)


[HIGH] 10-10: github.com/docker/compose/v2 2.36.2: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations

(GHSA-gv8h-7v7w-r22q)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: E2E Tests
  • GitHub Check: Lint & Test
🔇 Additional comments (2)
go.mod (2)

5-5: LGTM: Standard Docker replace directive.

The replace directive for github.com/docker/docker → github.com/moby/moby is a standard pattern in the Go/Docker ecosystem.


8-16: Verify compatibility of dependency updates.

Direct dependency updates look reasonable, but ensure breaking changes in major version bumps are handled:

  • docker/cli: v27 → v28
  • docker/compose/v2: v2.32 → v2.36
  • docker/docker: v27 → v28

Run integration tests to confirm compatibility.
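As an added example (not code from the devbox project or from CodeRabbit): a small Go checker that reads a go.mod and flags the two modules the OSV Scanner findings above concern when they are pinned below the fixed versions the review states (compose/v2 v2.40.2, containerd/v2 v2.1.5). The go.mod fragment inside it is constructed, and the version-key encoding assumes every semver component is below 1000.

```go
package main

import (
	"fmt"
	"strings"
)
// Fixed versions quoted in the review above (added example, not devbox code):
// compose/v2 v2.40.2 (CVE-2025-62725), containerd/v2 v2.1.5 (CVE-2024-25621, GHSA-m6hq-p25p-ffr2).
var minFixed = map[string]string{
	"github.com/docker/compose/v2":        "v2.40.2",
	"github.com/containerd/containerd/v2": "v2.1.5",
}
// Constructed go.mod fragment pinned at the versions OSV Scanner flagged in the review.
const sampleGoMod = `module example.com/devbox
require (
	github.com/docker/compose/v2 v2.36.2
	github.com/containerd/containerd/v2 v2.1.1 // indirect
)`
// verKey orders "v2.40.2" or "v28.0.0+incompatible" like semver (components < 1000); pre-releases are rejected.
func verKey(v string) (int64, error) {
	var a, b, c int64
	_, err := fmt.Sscanf(strings.TrimSuffix(v, "+incompatible"), "v%d.%d.%d", &a, &b, &c)
	if err != nil || strings.ContainsRune(v, '-') || a >= 1000 || b >= 1000 || c >= 1000 {
		return 0, fmt.Errorf("unsupported version %q", v)
	}
	return (a*1000+b)*1000 + c, nil
}
// Outdated returns module -> pinned version for each require entry (block or single-line form) older
// than its fix; only "path version" pairs whose path is in minFixed count, so every other line is skipped.
func Outdated(gomod string) (map[string]string, error) {
	hits := map[string]string{}
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || minFixed[f[0]] == "" {
			continue
		}
		have, err := verKey(f[1])
		if err != nil {
			return nil, err
		}
		if want, _ := verKey(minFixed[f[0]]); have < want {
			hits[f[0]] = f[1]
		}
	}
	return hits, nil
}
func main() {
	fmt.Println(Outdated(sampleGoMod)) // map[github.com/containerd/containerd/v2:v2.1.1 github.com/docker/compose/v2:v2.36.2] <nil>
}
```

This is a narrow complement to the OSV Scanner output above, not a replacement: the table covers only the two advisories the review discusses, and replace directives are not resolved.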
