[2023-04-25] Bump dependencies identified by dependabot

[fuweid]

• dependency: bump github.com/alexkohler/nakedret from 1.0.1 to 1.0.2

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

[ahrtr]

Based on Indirect dependencies, usually we don't bump a dependency if all modules just indirectly depend on it, such as github.com/benbjohnson/clock.

Note that uber-go/zap/blob/v1.24.0 depends on github.com/benbjohnson/clock 1.1.0, but it already bumped the dependency to 1.3.0 in its main branch. Next time when we bump go.uber.org/zap, the github.com/benbjohnson/clock will be automatially updated.

[fuweid]

Hi @ahrtr

For github.com/benbjohnson/clock dep, I will delete the commit in this pr.

I have a question about indirect deps in tools/cmd,

The github.com/hexfusion/schwag requires the following two deps. But schwag hasn't been updated for a long time.
For this case, we just ignore it, right?

• github.com/go-openapi/spec
• github.com/go-openapi/jsonpointer

And for the publicsuffix-go and sqlx deps, they are required by cfssl command. So we should handle it next time when cfssl is updated. Is it correct?

If my understand is correct, this pull-request only needs to bump one dep nakedret.

[ahrtr]

If my understand is correct, this pull-request only needs to bump one dep nakedret.

Correct.

The github.com/hexfusion/schwag requires the following two deps.

I suggest to remove the dependency on github.com/hexfusion/schwag; of course, in a separate PR.

So we should handle it next time when cfssl is updated. Is it correct?

github.com/cloudflare/cfssl--> github.com/zmap/zcrypto --> github.com/weppos/publicsuffix-go.

We should push github.com/cloudflare/cfssl to bump github.com/zmap/zcrypto firstly.

[ahrtr]

LGTM

Thanks @fuweid

next turn: @chaochn47

[ahrtr]

@fuweid could you please close all the PRs opened by dependabot?

[fuweid]

@ahrtr thanks for the help 😂 I will close it by myself next time.

[ahrtr]

@fuweid could you please close all the PRs opened by dependabot?

Just closed the PRs myself.

[ahrtr]

followups:

1. push github.com/cloudflare/cfssl to bump github.com/zmap/zcrypto, or just raise a PR for github.com/cloudflare/cfssl directly. Probably we can suggest cloudflare/cfssl to enable & configure dependabot as well.
2. investigate how to remove the dependency on github.com/hexfusion/schwag

[fuweid]

handling the github.com/hexfusion/schwag case right now.

[chaochn47]

LGTM

Thanks @fuweid

next turn: @chaochn47

I did not see any direct dependencies needs to be bumped up this week, so I closed all of PRs opened by dependabot.

Could you please take a look if I did the right thing? @ahrtr, thanks!

[ahrtr]

Thanks @chaochn47. It's correct to close the PRs bumping indirect dependencies.

I see that the PR #15806 isn't closed. It isn't an indirect dependency, but I vaguely remember that it's also causing incompatibility issue, and it couldn't pass the workflow checks. I am not sure whether you have already double checked it. Are you raising separate PR for it?

[chaochn47]

Good catch, somehow I missed that PR #15806, will raise a separate PR for it otel version bump up.