perf: optimize dependency resolver with map-based deduplication#2
Closed
Otherwise, we get test failures on macOS if macOS has decided to put .DS_Store entries in the test fixtures. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
…hore#4426) Bumps [github.com/goccy/go-yaml](https://github.com/goccy/go-yaml) from 1.18.0 to 1.19.0. - [Release notes](https://github.com/goccy/go-yaml/releases) - [Changelog](https://github.com/goccy/go-yaml/blob/master/CHANGELOG.md) - [Commits](goccy/go-yaml@v1.18.0...v1.19.0) --- updated-dependencies: - dependency-name: github.com/goccy/go-yaml dependency-version: 1.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4424) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.4 to 4.31.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@e12f017...fe4161a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….2 (anchore#4427) Bumps [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter) from 1.1.1 to 1.1.2. - [Commits](olekukonko/tablewriter@v1.1.1...v1.1.2) --- updated-dependencies: - dependency-name: github.com/olekukonko/tablewriter dependency-version: 1.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
…17 (anchore#4413) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.15 to 0.5.17. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](gkampitakis/go-snaps@v0.5.15...0.5.17) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.17 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
…nchore#4421) --------- Signed-off-by: Yuntao Hu <victorhu493@gmail.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
…18 (anchore#4432) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.17 to 0.5.18. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](gkampitakis/go-snaps@0.5.17...0.5.18) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.18 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…re#4435) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.10.1 to 1.10.2. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.10.1...v1.10.2) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-version: 1.10.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…nchore#4434) Bumps [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/go-spdx/releases) - [Commits](github/go-spdx@v2.3.4...v2.3.5) --- updated-dependencies: - dependency-name: github.com/github/go-spdx/v2 dependency-version: 2.3.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… one should be omitted (anchore#4419) --------- Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
The recent react / next CVE uses "vercel" as the vendor, see https://nvd.nist.gov/vuln/detail/CVE-2025-55182 Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
…chore#4449) Signed-off-by: Keith Zantow <kzantow@gmail.com>
) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.39.0 to 0.40.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4446) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.6 to 4.31.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@fe4161a...cf1bb45) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…nchore#4448) Bumps [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) from 5.6.2 to 5.7.0. - [Release notes](https://github.com/go-git/go-billy/releases) - [Commits](go-git/go-billy@v5.6.2...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-billy/v5 dependency-version: 5.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…anchore#4445) Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.1.4 to 2.2.1. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@6701853...29824e6) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 2.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
anchore#4447) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.8 to 7.0.11. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@271a8d0...22a9089) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 7.0.11 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): update tools to latest versions Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: suppress revive on internal/os package name golangci-lint has started flagging internal/os package name for shadowing the stdlib package named "os". Suppress this. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
…e#4458) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.10 to 0.20.11. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@fbfd9c6...43a17d6) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.11 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
anchore#4459) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.11 to 8.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@22a9089...98357b1) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…anchore#4460) Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.7.5 to 6.7.7. - [Release notes](https://github.com/jedib0t/go-pretty/releases) - [Commits](jedib0t/go-pretty@v6.7.5...v6.7.7) --- updated-dependencies: - dependency-name: github.com/jedib0t/go-pretty/v6 dependency-version: 6.7.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
…ssary (anchore#4390) * Adding a second function to validate/correct urls that are just github repositories Signed-off-by: Kendrick <kmartinix@gmail.com> * Adding test case to capture github repositories Signed-off-by: Kendrick <kmartinix@gmail.com> --------- Signed-off-by: Kendrick <kmartinix@gmail.com>
…nchore#4412) Removes an accidental `fmt.Println("error", err)` that was left in the javascript dependency parser. This causes noisy output to stdout when parsing npm package-lock.json files that contain dependency specifiers that aren't valid PURLs. Signed-off-by: Chris Greeno <chris@fresha.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
…e#4471) Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0057852...a783357) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fixed anchore#4430 exclude dev pnpm pkg Signed-off-by: Rez Moss <hi@rezmoss.com> * use existing dev deps option Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fixed anchore#4430 exclude dev pnpm pkg, add test Signed-off-by: Rez Moss <hi@rezmoss.com> * fixed anchore#4430 exclude dev pnpm pkg, add test Signed-off-by: Rez Moss <hi@rezmoss.com> --------- Signed-off-by: Rez Moss <hi@rezmoss.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: promalert <promalert@outlook.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
A CI failure was observed where a generated file was only partly written when the CI job immediately tried to read it. Put in an fs.Sync call to eliminate this flakiness. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
* fixed anchore#4550, catalog mongodb bin Signed-off-by: Rez Moss <hi@rezmoss.com> * fixed anchore#4550, catalog mongodb bin Signed-off-by: Rez Moss <hi@rezmoss.com> --------- Signed-off-by: Rez Moss <hi@rezmoss.com>
Bumps the actions-minor-patch group with 1 update in the / directory: [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `anchore/sbom-action` from 0.21.0 to 0.21.1 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@a930d0a...0b82b0b) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.21.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go-minor-patch group with 4 updates: [github.com/vbatts/go-mtree](https://github.com/vbatts/go-mtree), [modernc.org/sqlite](https://gitlab.com/cznic/sqlite), [github.com/goccy/go-yaml](https://github.com/goccy/go-yaml) and [github.com/gpustack/gguf-parser-go](https://github.com/gpustack/gguf-parser-go). Updates `github.com/vbatts/go-mtree` from 0.6.0 to 0.7.0 - [Release notes](https://github.com/vbatts/go-mtree/releases) - [Changelog](https://github.com/vbatts/go-mtree/blob/main/releases.md) - [Commits](vbatts/go-mtree@v0.6.0...v0.7.0) Updates `modernc.org/sqlite` from 1.42.2 to 1.43.0 - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.42.2...v1.43.0) Updates `github.com/goccy/go-yaml` from 1.19.1 to 1.19.2 - [Release notes](https://github.com/goccy/go-yaml/releases) - [Changelog](https://github.com/goccy/go-yaml/blob/master/CHANGELOG.md) - [Commits](goccy/go-yaml@v1.19.1...v1.19.2) Updates `github.com/gpustack/gguf-parser-go` from 0.22.1 to 0.23.1 - [Release notes](https://github.com/gpustack/gguf-parser-go/releases) - [Commits](gpustack/gguf-parser-go@v0.22.1...v0.23.1) --- updated-dependencies: - dependency-name: github.com/vbatts/go-mtree dependency-version: 0.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: modernc.org/sqlite dependency-version: 1.43.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: github.com/goccy/go-yaml dependency-version: 1.19.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch - dependency-name: github.com/gpustack/gguf-parser-go dependency-version: 0.23.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
* chore: new slack action Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * TEMP: exit 1 to test slack notify Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * new slack integration everywhere Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* ci: enable zizmor to fail PRs Enable zizmor (gh actions yaml linter) to fail builds in PRs. Fix any outstanding linting errors found by this tool. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix outdated version comments Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Bumps the go-minor-patch group with 1 update in the / directory: [github.com/spdx/tools-golang](https://github.com/spdx/tools-golang). Updates `github.com/spdx/tools-golang` from 0.5.6 to 0.5.7 - [Release notes](https://github.com/spdx/tools-golang/releases) - [Changelog](https://github.com/spdx/tools-golang/blob/main/RELEASE-NOTES.md) - [Commits](spdx/tools-golang@v0.5.6...v0.5.7) --- updated-dependencies: - dependency-name: github.com/spdx/tools-golang dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Bumps the go-minor-patch group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) | `2.3.5` | `2.3.6` | | [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `2.4.0` | `2.5.0` | | [golang.org/x/mod](https://github.com/golang/mod) | `0.31.0` | `0.32.0` | | [golang.org/x/net](https://github.com/golang/net) | `0.48.0` | `0.49.0` | | [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.43.0` | `1.44.1` | | [golang.org/x/tools](https://github.com/golang/tools) | `0.40.0` | `0.41.0` | Updates `github.com/github/go-spdx/v2` from 2.3.5 to 2.3.6 - [Release notes](https://github.com/github/go-spdx/releases) - [Commits](github/go-spdx@v2.3.5...v2.3.6) Updates `github.com/go-viper/mapstructure/v2` from 2.4.0 to 2.5.0 - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.4.0...v2.5.0) Updates `golang.org/x/mod` from 0.31.0 to 0.32.0 - [Commits](golang/mod@v0.31.0...v0.32.0) Updates `golang.org/x/net` from 0.48.0 to 0.49.0 - [Commits](golang/net@v0.48.0...v0.49.0) Updates `modernc.org/sqlite` from 1.43.0 to 1.44.1 - [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md) - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.43.0...v1.44.1) Updates `golang.org/x/tools` from 0.40.0 to 0.41.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: github.com/github/go-spdx/v2 dependency-version: 2.3.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/mod 
dependency-version: 0.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/net dependency-version: 0.49.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: modernc.org/sqlite dependency-version: 1.44.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/tools dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…with 3 updates (anchore#4568) Bumps the actions-minor-patch group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go) and [github/codeql-action](https://github.com/github/codeql-action). Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4dc6199...7a3fe6c) Updates `github/codeql-action` from 4.31.9 to 4.31.10 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5d4e8d1...cdefb33) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4dc6199...7a3fe6c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.31.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#4558) Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
…re#4573) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
…age (anchore#4500) Signed-off-by: Alan Pope <alan@popey.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
…th 2 updates (anchore#4584) Bumps the actions-minor-patch group with 2 updates in the / directory: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `peter-evans/create-pull-request` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@98357b1...c0f553f) Updates `zizmorcore/zizmor-action` from 0.3.0 to 0.4.1 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@e639db9...1356984) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: zizmorcore/zizmor-action dependency-version: 0.4.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--------- Signed-off-by: Rez Moss <hi@rezmoss.com> Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Replace strset-based deduplication with efficient map-based approach to avoid
external dependency overhead. Use struct keys instead of string concatenation
for relationship tracking, eliminating temporary string allocations.
Changes:
- Add pairKey struct to track relationship pairs without string concatenation
- Replace strset.New() with map[string]struct{} in deduplicate()
- Use pairKey struct in Resolve() to avoid string key construction
- Remove dependency on scylladb/go-set/strset
Benchmarks:
- BenchmarkDeduplicate_VeryLarge (5000 strings): 85566 ns/op, 237232 B/op, 27 allocs/op
- BenchmarkResolve_CraftedRelationships_VeryLarge (1000 pkgs): 857822 ns/op, 1.03 MB, 12063 allocs/op
Related: PR anchore#4585 (closed)
Adds comparison benchmarks showing:
- Deduplicate: 27% faster (91 vs 125 µs) but 5% more memory for 5000 strings
- Resolve: Similar performance, 1% less memory, 8% fewer allocations for 1000 packages

The map-based deduplication provides faster execution while using comparable memory. The struct key for relationship tracking reduces allocations slightly.
Summary
Replace strset-based deduplication with efficient map-based approach to avoid external dependency overhead. Use struct keys instead of string concatenation for relationship tracking, eliminating temporary string allocations.
Changes
- Add `pairKey` struct to track relationship pairs without string concatenation
- Replace `strset.New()` with `map[string]struct{}` in `deduplicate()`
- Use `pairKey` struct in `Resolve()` to avoid string key construction
- Remove dependency on `scylladb/go-set/strset`
Performance Impact
Benchmarks
Run on AMD Ryzen 9 7900:
Deduplication benchmarks:
Relationship resolution benchmarks:
Allocation Reduction
The map-based deduplication avoids:
string(providingPkgID) + "-" + string(dependantPkg.ID()))
For a 1000-package project with complex relationships, this reduces allocations and memory pressure while providing O(1) lookup performance.
Rationale
This change optimizes the dependency resolution hot path used by all package catalogers. Benefits:
- `map[K]struct{}` is the standard Go pattern for sets

The reviewer noted that while `map[]struct{}` is more verbose than strset, it's the standard Go approach and avoids temporary allocations in the hot path.
Testing
Related
Closes: Part of memory optimization effort described in PR #4585 (which will be closed in favor of focused, individually-benchmarked PRs)
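
An added example, not code from this pull request or from the project: it contrasts a separator-joined string key of the form quoted above with a comparable struct key, and shows that the joined form merges distinct pairs when an ID contains the separator. The `pairKey` field names, the function names, and the sample IDs are assumptions constructed for illustration.

```go
package main

import "fmt"

// pairKey is a comparable struct usable directly as a map key.
// Field names are assumptions for this example.
type pairKey struct {
	providing string
	dependant string
}

// dedupeJoined tracks seen pairs with a "providing-dependant" string key.
// Each lookup allocates a temporary string, and the key is ambiguous
// whenever an ID itself contains the separator.
func dedupeJoined(pairs []pairKey) []pairKey {
	seen := make(map[string]struct{}, len(pairs))
	out := make([]pairKey, 0, len(pairs))
	for _, p := range pairs {
		k := p.providing + "-" + p.dependant
		if _, ok := seen[k]; ok {
			continue
		}
		seen[k] = struct{}{}
		out = append(out, p)
	}
	return out
}

// dedupeStruct tracks seen pairs with the struct itself as the key.
// No string is built, and the two fields are compared independently,
// so no separator ambiguity is possible.
func dedupeStruct(pairs []pairKey) []pairKey {
	seen := make(map[pairKey]struct{}, len(pairs))
	out := make([]pairKey, 0, len(pairs))
	for _, p := range pairs {
		if _, ok := seen[p]; ok {
			continue
		}
		seen[p] = struct{}{}
		out = append(out, p)
	}
	return out
}

// deduplicate removes repeated strings using map[string]struct{} as a set,
// keeping the first occurrence of each value in input order.
func deduplicate(ss []string) []string {
	seen := make(map[string]struct{}, len(ss))
	out := make([]string, 0, len(ss))
	for _, s := range ss {
		if _, ok := seen[s]; ok {
			continue
		}
		seen[s] = struct{}{}
		out = append(out, s)
	}
	return out
}

// samplePairs returns constructed input: two distinct relationships whose
// joined keys are both "lib-a-b", followed by a true duplicate of the first.
func samplePairs() []pairKey {
	return []pairKey{
		{providing: "lib-a", dependant: "b"},
		{providing: "lib", dependant: "a-b"},
		{providing: "lib-a", dependant: "b"},
	}
}

func main() {
	pairs := samplePairs()
	fmt.Println("joined key keeps:", len(dedupeJoined(pairs)))
	fmt.Println("struct key keeps:", len(dedupeStruct(pairs)))
	fmt.Println("strings:", deduplicate([]string{"b", "a", "b", "c", "a"}))
}
```

The collision only matters when IDs can contain the separator; fixed-alphabet IDs such as hex digests do not trigger it, but the struct key removes the assumption entirely.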