@hanabi1224 hanabi1224 commented Jul 9, 2025

Summary of changes

Changes introduced in this pull request:

  • upgrade go-f3 to v0.8.8

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated and adjusted dependency versions for improved compatibility and stability. No changes to application features or user-facing functionality.

coderabbitai bot commented Jul 9, 2025

Walkthrough

Dependency versions were updated in the go.mod files for both the f3-sidecar/v2 module and the Go application test suite. The changes include a mix of upgrades, downgrades, and additions to direct and indirect dependencies, with no modifications to exported entities or code logic.

Changes

File(s) Change Summary
f3-sidecar/go.mod Updated direct dependencies (go-f3, go-libp2p-pubsub), downgraded/added several indirect dependencies, and added new ones. No code or API changes.
interop-tests/src/tests/go_app/go.mod Upgraded ipfs/boxo, downgraded several other dependencies, especially patch versions. No code or API changes.

Poem

In the garden of Go, dependencies grow,
Some rise, some fall, as the sidecar flows.
Patch by patch, the versions align,
With modules refreshed, the builds will shine.
A hop, a skip, a versioned delight—
The rabbit approves, dependencies just right!
🐇✨


@hanabi1224 hanabi1224 marked this pull request as ready for review July 9, 2025 13:19
@hanabi1224 hanabi1224 requested a review from a team as a code owner July 9, 2025 13:19
@hanabi1224 hanabi1224 requested review from elmattic and sudo-shashank and removed request for a team July 9, 2025 13:19
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
f3-sidecar/go.mod (1)

133-133: golang.org/x/exp bumped forward – run go vet ./... before merge

Unlike the other downgrades, x/exp moved forward (dcc06ee1d476), and the package is still experimental. Ensure no new breaking API is pulled in by dependent packages.
Running go vet or the repo’s CI linter should catch any surprises.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5235d02 and 4951a07.

⛔ Files ignored due to path filters (2)
  • f3-sidecar/go.sum is excluded by !**/*.sum
  • interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • f3-sidecar/go.mod (7 hunks)
  • interop-tests/src/tests/go_app/go.mod (6 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: tests
  • GitHub Check: tests-release
  • GitHub Check: rubocop
  • GitHub Check: All lint checks
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
🔇 Additional comments (4)
interop-tests/src/tests/go_app/go.mod (2)

7-7: ipfs/boxo upgraded – double-check cross-module alignment

ipfs/boxo is now pinned to v0.33.0 here, while f3-sidecar/go.mod was pulled back to v0.30.0. Having two major-compatible but diverging minor versions in the same workspace can lead to two copies of the package landing in the final build, bloating binaries and risking subtle ABI mismatches (e.g. init() side effects).
Confirm that both modules are built in isolation, or converge to one version (preferred: the newer v0.33.0) with:

go work sync        # if you use Go workspaces
go mod tidy -e
go list -m all | grep boxo

28-114: Multiple indirect downgrades – verify you’re not discarding security patches

The following libraries were rolled back:

  • github.com/go-logr/logr → v1.4.2
  • github.com/klauspost/cpuid/v2 → v2.2.10
  • github.com/libp2p/go-flow-metrics → v0.2.0
  • github.com/pion/* packages (logging, rtp, sdp)
  • github.com/prometheus/common → v0.64.0
  • go.opentelemetry.io/otel{,/metric,/trace} → v1.35.0

Downgrades often surface because of transitive constraints introduced by another dependency bump (here: go-f3/boxo). Before merging, run:

go list -m -json all | jq -r 'select(.Replace==null) | "\(.Path) \(.Version)"' > versions.txt

…and compare against the previous lockfile to ensure no CVE-fix versions are lost.

If the resolver chose these older tags only to satisfy an outdated indirect constraint, consider using go get -u=patch ./... && go mod tidy to pick the newest patch releases within the chosen minor lines.

f3-sidecar/go.mod (2)

6-6: go-f3 bumped to v0.8.8 – LGTM

The main objective of the PR is fulfilled; no API-breaking changes are expected between 0.8.7 → 0.8.8. Good catch keeping the sidecar on the latest patch.


124-126: OpenTelemetry rolled back to v1.35.0 – confirm exporter/runtime parity

Downgrading OTEL core/metric/trace from v1.37.x → v1.35.0 may break compatibility with:

  • instrumented binaries already deployed with 1.37 resource schema
  • collectors running >= 1.36 that expect newer proto definitions

Make sure all components (collectors, sidecars, in-process exporters) share the same minor line, or explicitly vendor the older proto files.
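
The comparison step the review above describes (a versions.txt listing from before the change against one from after), as an added example that is not part of the PR or of CodeRabbit's output. The function names and sample listings are assumptions made here, and only the numeric major.minor.patch core is compared; pre-release and pseudo-version suffixes are ignored.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample listings in the versions.txt shape (otel "before" is made up).
const sampleBefore = `github.com/ipfs/boxo v0.32.0
github.com/libp2p/go-libp2p-pubsub v0.14.1
go.opentelemetry.io/otel v1.37.0`
const sampleAfter = `github.com/ipfs/boxo v0.30.0
github.com/libp2p/go-libp2p-pubsub v0.14.2
go.opentelemetry.io/otel v1.35.0`

// parse maps module path to version, skipping blank or version-less lines.
func parse(list string) map[string]string {
	m := map[string]string{}
	for _, line := range strings.Split(list, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			m[f[0]] = f[1]
		}
	}
	return m
}

// core turns vMAJOR.MINOR.PATCH[-suffix] into a zero-padded, string-sortable key.
func core(v string) string {
	var major, minor, patch int
	fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch)
	return fmt.Sprintf("%08d.%08d.%08d", major, minor, patch)
}

// Downgrades returns "path old -> new" for each module that moved backwards, sorted.
func Downgrades(before, after string) []string {
	old, out := parse(before), []string{}
	for path, nv := range parse(after) {
		if ov, ok := old[path]; ok && core(nv) < core(ov) {
			out = append(out, path+" "+ov+" -> "+nv)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(Downgrades(sampleBefore, sampleAfter), "\n"))
}
```

Each reported line is a candidate to check against that module's release notes and advisories before the downgrade is accepted.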

github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/huin/goupnp v1.3.0 // indirect
github.com/ipfs/boxo v0.32.0 // indirect
github.com/ipfs/boxo v0.30.0 // indirect
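
Review bot: the two github.com/ipfs/boxo lines show this indirect requirement changing between v0.32.0 and v0.30.0, yet the PR summary lists only the go-f3 upgrade. Please record in the description which requirement drives the boxo change (go mod why -m github.com/ipfs/boxo and go mod graph will show it), so that a backward step on an indirect dependency is a documented decision and not an unexplained side effect of the resolver.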
@coderabbitai coderabbitai bot Jul 9, 2025

⚠️ Potential issue

ipfs/boxo pinned to v0.30.0 – conflicts with test module

This sidecar module now depends on an older boxo than the interop test module (v0.33.0). Resolving two different minor versions across a workspace will lead to duplicated symbols.
Recommend aligning to the newer tag unless go-f3 requires the older one. If the older tag is mandatory, add an explicit replace directive in the test module to avoid ambiguity.

🤖 Prompt for AI Agents
In f3-sidecar/go.mod at line 47, the dependency on github.com/ipfs/boxo is
pinned to v0.30.0, which conflicts with the interop test module using v0.33.0.
To fix this, update the version of github.com/ipfs/boxo in this go.mod file to
v0.33.0 to align with the test module. If the older version is required by
go-f3, instead add a replace directive in the test module's go.mod to explicitly
resolve the version conflict and avoid duplicated symbols.

Member

@hanabi1224 is it actionable or not useful?

Contributor

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

Contributor Author

@hanabi1224 is it actionable or not useful?

@LesnyRumcajs I've run into some dependency hell of go-libp2p, upgrading everything does not compile.

github.com/libp2p/go-libp2p v0.42.0
github.com/libp2p/go-libp2p-kad-dht v0.33.1
github.com/libp2p/go-libp2p-pubsub v0.14.1
github.com/libp2p/go-libp2p-pubsub v0.14.2
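
Review bot: go-libp2p-pubsub appears here at both v0.14.1 and v0.14.2 while go-libp2p stays at v0.42.0 and go-libp2p-kad-dht at v0.33.1, and none of this is mentioned in the PR summary, which names only go-f3. Please add the pubsub change to the summary and state that go-libp2p is deliberately held at v0.42.0, so a later reader does not treat the mixed versions as an oversight.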
Contributor

🛠️ Refactor suggestion

PubSub minor upgrade – ensure libp2p core stays compatible

go-libp2p-pubsub is now v0.14.2 while go-libp2p core is held at v0.42.0. The pubsub changelog notes optional feature-flags that rely on go-libp2p >= v0.43.
If you hit build-time symbol mismatches, bump core as well:

-	github.com/libp2p/go-libp2p v0.42.0
+	github.com/libp2p/go-libp2p v0.43.0

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In f3-sidecar/go.mod at line 15, the go-libp2p-pubsub module was upgraded to
v0.14.2, which may require go-libp2p core to be at least v0.43 due to new
feature flags. To fix potential build-time symbol mismatches, update the
go-libp2p core dependency version to v0.43 or higher in the go.mod file to
maintain compatibility with the pubsub module.

@hanabi1224 hanabi1224 enabled auto-merge July 9, 2025 13:50
@hanabi1224 hanabi1224 added this pull request to the merge queue Jul 9, 2025
Merged via the queue into main with commit 631e7b1 Jul 9, 2025
40 checks passed
@hanabi1224 hanabi1224 deleted the hm/go-f3-0.8.8 branch July 9, 2025 14:42
@coderabbitai coderabbitai bot mentioned this pull request Sep 2, 2025
4 tasks