fix(security): update module github.com/open-feature/flagd/core to v0.13.2 [security]

[connyay]

Summary

• Update github.com/open-feature/flagd/core to v0.13.1 to address security vulnerability
• Adapt InProcess service to handle the new SetState signature that no longer returns change information
• Flag changes are now computed by comparing store state before and after updates

Fixes #814

---

This is a rework of #815 with a small tweak/fix on error handling.

[gemini-code-assist]

Summary of Changes

Hello @connyay, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the security and stability of the flagd provider by updating a core module to address a known vulnerability. It also refactors the internal flag change detection mechanism within the InProcess service to align with updated API signatures, making the system more resilient and accurate in reporting flag state changes. Additionally, it includes a comprehensive update of various Go dependencies to their latest versions.

Highlights

• Security Update: The github.com/open-feature/flagd/core module has been updated to v0.13.2 to address a security vulnerability.
• API Adaptation: The InProcess service has been adapted to a new SetState signature in the flagd/core module, which no longer returns change information directly.
• Improved Flag Change Detection: Flag changes are now computed by comparing the flag store's state before and after updates, providing a more robust mechanism for identifying modifications.
• Dependency Updates: Numerous Go module dependencies have been updated to their latest versions, including golang.org/x/net, google.golang.org/grpc, OpenTelemetry libraries, and various indirect dependencies, ensuring compatibility and incorporating the latest fixes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates github.com/open-feature/flagd/core to v0.13.2 to address a security vulnerability. The changes primarily involve adapting the in-process service to a modified SetState signature from the flagd/core module, which no longer returns change information. The new implementation correctly computes flag changes by comparing the store's state before and after an update. The dependency updates in go.mod and go.sum are appropriate, and the test files have been updated accordingly, including improvements to test robustness. I have one suggestion to improve the efficiency and correctness of the new change detection logic.

[gemini-code-assist]

This function can be made more efficient. Instead of creating a newKeys map and then iterating over oldFlagMap to find deleted keys, you can delete keys from oldFlagMap as you iterate through newFlags. The remaining keys in oldFlagMap will then be the deleted ones. This avoids creating an extra map and a loop, simplifying the logic.

Additionally, a note on correctness: using reflect.DeepEqual on the model.Flag struct might cause false positives for changes. The Targeting field is a JSON string, and DeepEqual will detect changes for formatting differences (e.g., whitespace, key order) that are semantically irrelevant. A more robust solution would be to unmarshal the Targeting JSON and compare the resulting objects. While the current approach is acceptable, it's worth considering this for future improvements to avoid unnecessary change events.

func computeChangedFlags(oldFlagMap map[string]model.Flag, newFlags []model.Flag) []string {
	changedKeys := make([]string, 0)

	// Check for added or modified flags, and remove processed keys from oldFlagMap
	for _, flag := range newFlags {
		oldFlag, exists := oldFlagMap[flag.Key]

		if !exists || !reflect.DeepEqual(oldFlag, flag) {
			changedKeys = append(changedKeys, flag.Key)
		}
		delete(oldFlagMap, flag.Key)
	}

	// Any remaining keys in oldFlagMap are deleted flags
	for key := range oldFlagMap {
		changedKeys = append(changedKeys, key)
	}

	return changedKeys
}

[connyay]

mutating the oldFlagMap seems like an unexpected side effect for minimal performance gains. 👎