
Conversation

@tstromberg
Member

No description provided.

@kusari-inspector

kusari-inspector bot commented Jan 17, 2026

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While code analysis shows no security vulnerabilities, the dependency analysis identifies two critical blockers that must be addressed: (1) GPL-3.0 licensing in github.com/codeGROOVE-dev/turnclient poses legal/compliance risk requiring derivative works to use the same copyleft license, potentially conflicting with your project's licensing model. (2) Newly added transitive dependency github.com/puzpuzpuz/xsync/v4 is unmaintained (0/10 score, no activity in 90 days), creating supply chain security risk as it won't receive security patches if vulnerabilities emerge. Action required: Verify GPL-3.0 compatibility with your project license or find alternative to turnclient with permissive licensing and actively maintained dependencies. The code itself is clean with no vulnerabilities, secrets, or security issues detected.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • UNMAINTAINED DEPENDENCY: github.com/puzpuzpuz/xsync/v4@v4.3.0 is newly added but shows no maintenance activity in the last 90 days (0/10 score). This package is brought in as a transitive dependency via github.com/codegroove-dev/turnclient. Consider finding an alternative to turnclient that uses a more actively maintained concurrency library, or contact the turnclient maintainers to see if they can switch to a maintained alternative.
  • LICENSE RISK: github.com/codeGROOVE-dev/turnclient uses GPL-3.0 (strong copyleft license). This license requires derivative works to be released under GPL-3.0 as well, which may conflict with your project's licensing model. Verify this is acceptable for your project's license requirements, or consider an alternative dependency with a more permissive license (MIT, Apache-2.0, BSD-3-Clause).

Commit: da7e920, performed at: 2026-01-17T16:32:12Z


@kusari-inspector

Kusari PR Analysis rerun based on - da7e920 performed at: 2026-01-17T16:32:12Z - link to updated analysis

@tstromberg tstromberg merged commit 3bc7239 into main Jan 17, 2026
3 of 4 checks passed