chore: update deps and use go from devenv

[xenOs76]

Summary by CodeRabbit

• Chores
  • Updated dependencies to latest versions for improved stability and security.
  • Improved development environment configuration for streamlined Go tooling setup.
  • Enhanced build process to include automated Go module vendoring.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Configuration and dependency management updates enable Go language support in the development environment, add Go module vendoring to build workflows, remove unused configuration, update multiple Go dependencies, and extend the gitignore rules.

Changes

Cohort / File(s)	Change Summary
Go Language Configuration devenv.nix	Enables Go language support via languages.go attribute; removes commented-out Go config and unused inputs.nixpkgsStable import; adds go mod vendor calls to update-go-deps and build scripts.
Development Configuration Cleanup devenv.yaml	Removes nixpkgsStable input section and its associated rolling URL pin.
Dependency Updates go.mod	Updates 12 dependencies including chroma (v2.20.0→v2.21.1), cobra (v1.10.1→v1.10.2), golang.org/x/term, golang.org/x/crypto, and various indirect dependencies.
Ignore List .gitignore	Adds vendor directory to the deny-list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• devenv.nix: Review the addition of Go vendoring commands in build/update-go-deps scripts to ensure proper execution order and absence of side effects.
• go.mod: Verify that dependency bumps (especially indirect transitive updates to crypto and sys libraries) don't introduce breaking changes.

Possibly related PRs

• Build: restore Go dependencies update #5: Modifies Go dependency update/build scripting in devenv.nix similarly, including go mod vendor command additions.

Poem

🐰 Vendor directories tucked in gitignore's den,
Go modules dancing, now bundled again—
Scripts whisper "vendor!" before each build's flight,
Dependencies waltzing to versions more bright,
A rabbit's work never quite done, but done right! 🌿

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: updating dependencies in go.mod and configuring Go language support in devenv configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/update_deps

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a00b1dc and fd50732.

⛔ Files ignored due to path filters (2)

• devenv.lock is excluded by !**/*.lock
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• .gitignore (1 hunks)
• devenv.nix (3 hunks)
• devenv.yaml (0 hunks)
• go.mod (2 hunks)

💤 Files with no reviewable changes (1)

• devenv.yaml

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

📚 Learning: 2025-11-15T17:16:55.075Z

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

Applied to files:

• devenv.nix

🔇 Additional comments (5)

.gitignore (1)

7-7: LGTM!

Adding the vendor directory to .gitignore is appropriate and aligns with the Go module vendoring workflow introduced in the devenv.nix changes.

devenv.nix (3)

6-6: LGTM!

Removing the unused inputs.nixpkgsStable import is appropriate cleanup.

---

19-22: LGTM!

The Go language configuration correctly enables Go tooling from the devenv. This aligns with the PR objective to use Go from devenv.

---

160-161: LGTM!

Adding go mod vendor to both the update-go-deps and build scripts ensures consistent vendoring workflow. The placement is appropriate:

• In update-go-deps: after go mod tidy and before vulnerability checks
• In build: before the actual build step

This aligns with adding vendor to .gitignore.

Also applies to: 169-169

go.mod (1)

7-7: All dependency versions exist and are free of known security vulnerabilities.

The updated packages (github.com/alecthomas/chroma/v2 v2.21.1, github.com/gookit/goutil v0.7.2, github.com/spf13/cobra v1.10.2, and golang.org/x/term v0.38.0) are valid versions with no known security advisories.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}