chore(deps): bump go deps

[hanabi1224]

Summary of changes

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

• Chores

  • Upgraded build environment to Go 1.25 and updated container base image.
  • Refreshed dependencies across networking, datastore, cryptography, telemetry, and related libraries.

• Refactor

  • Simplified and unified logging initialization for clearer defaults and centralized error handling.

• Tests

  • Updated interop test application to Go 1.25 and aligned dependencies with the updated stack.

[coderabbitai]

Walkthrough

Bumps Go toolchain and Docker builder to 1.25.x, updates numerous Go dependencies across f3-sidecar and interop-tests, and centralizes f3-sidecar logging initialization into shared utilities (setLogLevels/checkError), removing repetitive per-component SetLogLevel calls.

Changes

Cohort / File(s)	Summary
Docker base image Dockerfile	Update builder image from golang:1.24-bookworm → golang:1.25-bookworm. No other stage changes.
f3-sidecar logging refactor f3-sidecar/ffi_impl.go, f3-sidecar/main.go, f3-sidecar/utils.go	Consolidate per-component logging into setLogLevels() and error handling via checkError(err). Remove scattered SetLogLevel calls and old helpers; add setLogLevel, setLogLevels, checkError, and setGoDebugEnv.
Module / toolchain upgrades (f3-sidecar) f3-sidecar/go.mod	Bump Go version 1.24.5 → 1.25.2. Update many direct and indirect dependencies (Filecoin state-types, rust2go, ipfs/go-datastore, libp2p, Pion stack, prometheus, quic-go, opentelemetry, golang.org/x/*, protobuf, etc.).
Interop test module upgrades interop-tests/src/tests/go_app/go.mod	Bump Go version 1.24.5 → 1.25.2. Refresh dependency graph to mirror many of the same library/version updates and indirect changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor OS
  participant Main as main.go
  participant FFI as ffi_impl.go (init)
  participant Utils as utils.go

  OS->>Main: process start
  Main->>Utils: checkError(setLogLevels())
  Utils-->>Main: ok / err

  OS->>FFI: package init
  FFI->>Utils: checkError(setLogLevels())
  Utils-->>FFI: ok / err
  FFI->>FFI: initialize GoF3NodeImpl

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• chore(deps): bump go-f3 #6019 — Overlapping large dependency/version bumps in f3-sidecar/go.mod.
• chore: bump go deps #5849 — Related Go toolchain and dependency updates across f3-sidecar and interop tests.
• chore(ci): add go linter #5910 — Related changes to f3-sidecar logging/initialization helpers (checkError/setGoDebugEnv).

Suggested labels

dependencies

Suggested reviewers

• elmattic
• akaladarshi
• sudo-shashank

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The title only references bumping Go dependencies while the changeset also includes refactoring of the f3-sidecar logging initialization and new utility functions; thus it does not clearly summarize the main modifications.	Update the title to include the logging refactor alongside the dependency bumps (for example: “chore(deps,logging): bump Go deps and unify f3-sidecar log level initialization”).
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hm/bump-go-deps

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b215b50 and c928d4f.

⛔ Files ignored due to path filters (3)

• f3-sidecar/go.sum is excluded by !**/*.sum
• go.work is excluded by !**/*.work
• interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• Dockerfile (1 hunks)
• f3-sidecar/ffi_impl.go (1 hunks)
• f3-sidecar/go.mod (6 hunks)
• f3-sidecar/main.go (1 hunks)
• f3-sidecar/utils.go (2 hunks)
• interop-tests/src/tests/go_app/go.mod (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• f3-sidecar/utils.go
• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (23)

• GitHub Check: Bootstrap checks - Forest
• GitHub Check: Bootstrap checks - Lotus
• GitHub Check: Calibnet eth mapping check
• GitHub Check: Devnet checks
• GitHub Check: db-migration-checks
• GitHub Check: Calibnet api test-stateful check
• GitHub Check: Calibnet kademlia checks
• GitHub Check: Wallet tests
• GitHub Check: Diff snapshot export checks
• GitHub Check: Calibnet stateless mode check
• GitHub Check: Forest CLI checks
• GitHub Check: State migrations
• GitHub Check: Calibnet no discovery checks
• GitHub Check: Calibnet stateless RPC check
• GitHub Check: Calibnet check
• GitHub Check: Snapshot export checks
• GitHub Check: Snapshot export checks v2 with F3 data
• GitHub Check: Build forest binaries on Linux AMD64
• GitHub Check: tests
• GitHub Check: tests-release
• GitHub Check: cargo-publish-dry-run
• GitHub Check: Build MacOS
• GitHub Check: All lint checks

🔇 Additional comments (5)

interop-tests/src/tests/go_app/go.mod (1)

118-118: Module path go.yaml.in/yaml/v2 resolves successfully
No changes required.

f3-sidecar/main.go (1)

13-13: Approve logging refactor
Consolidates log level configuration into setLogLevels() wrapped with checkError(), eliminating duplication. Verified both functions are defined in f3-sidecar/utils.go.

f3-sidecar/ffi_impl.go (1)

8-12: Approve initialization flow in ffi_impl.go
Verified that setGoDebugEnv, checkError, and setLogLevels are defined in f3-sidecar/utils.go.

f3-sidecar/go.mod (2)

8-140: No security advisories found in updated dependencies. All upgraded packages are at versions that include the necessary patches for known vulnerabilities.

---

3-3: Confirm Go toolchain version – Go 1.25.2 is a valid stable release as of October 7, 2025.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

f3-sidecar/utils.go (2)

12-13: Prefer standard library error wrapping over xerrors.

The golang.org/x/xerrors package is experimental and primarily intended for Go versions prior to 1.13 to provide error wrapping semantics. Since this project uses Go 1.25.2, you should use the standard library's fmt.Errorf with %w for error wrapping instead.

Based on learnings.

Apply this diff to use standard library error handling:

 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"time"
 
 	"github.com/filecoin-project/go-f3/gpbft"
 	"github.com/ipfs/go-cid"
 	leveldb "github.com/ipfs/go-ds-leveldb"
 	logging "github.com/ipfs/go-log/v2"
-	"golang.org/x/xerrors"
 )

And update the error wrapping in setLogLevel:

 func setLogLevel(name string, level string) error {
 	if err := logging.SetLogLevel(name, level); err != nil {
-		return xerrors.Errorf("%s %w", name, err)
+		return fmt.Errorf("failed to set log level for %s: %w", name, err)
 	}
 	return nil
 }

---

51-56: Improve error message clarity.

The error message format "%s %w" simply concatenates the component name with the error, which may not be clear to users. Consider providing more context about what operation failed.

This improvement is included in the previous refactor suggestion.

f3-sidecar/go.mod (1)

19-19: Reconsider xerrors dependency addition.

The golang.org/x/xerrors package has been added to support error wrapping in f3-sidecar/utils.go. However, as mentioned in the review of that file, this experimental package is unnecessary on Go 1.25 since the standard library provides equivalent functionality via fmt.Errorf with %w.

If you adopt the standard library error wrapping suggested for f3-sidecar/utils.go, you can remove this dependency:

 	github.com/libp2p/go-libp2p-pubsub v0.15.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.42.0
-	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da
 )

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a87c18e and b215b50.

⛔ Files ignored due to path filters (3)

• f3-sidecar/go.sum is excluded by !**/*.sum
• go.work is excluded by !**/*.work
• interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• Dockerfile (1 hunks)
• f3-sidecar/ffi_impl.go (1 hunks)
• f3-sidecar/go.mod (6 hunks)
• f3-sidecar/main.go (1 hunks)
• f3-sidecar/utils.go (2 hunks)
• interop-tests/src/tests/go_app/go.mod (5 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: tests-release
• GitHub Check: tests
• GitHub Check: Build Ubuntu
• GitHub Check: cargo-publish-dry-run
• GitHub Check: Build forest binaries on Linux AMD64
• GitHub Check: All lint checks

🔇 Additional comments (7)

Dockerfile (1)

10-10: LGTM! Base image aligned with toolchain upgrade.

The base image update to golang:1.25-bookworm is consistent with the Go toolchain bump to 1.25.2 in the go.mod files.

f3-sidecar/utils.go (2)

58-71: LGTM! Centralized logging configuration.

The setLogLevels function provides a clean, centralized approach to configuring component log levels. The explicit muting of dht/RtRefreshManager to prevent terminal issues is well-documented.

---

81-84: Retain CGO safety overrides Disabling invalidptr=0,cgocheck=0 remains necessary to avoid “invalid pointer found on stack” panics when using rust2go-generated CGO/unsafe.Pointer calls.

f3-sidecar/ffi_impl.go (1)

8-12: LGTM! Clean refactoring to centralized utilities.

The init function now properly delegates logging configuration to the centralized setLogLevels() utility with consistent error handling via checkError(). This eliminates code duplication and improves maintainability.

f3-sidecar/main.go (1)

13-13: LGTM! Consistent with centralized logging approach.

The initialization now uses the centralized setLogLevels() utility, maintaining consistency with f3-sidecar/ffi_impl.go and eliminating duplicate logging configuration code.

f3-sidecar/go.mod (1)

3-20: Fix govulncheck errors and confirm dependency updates

• go mod verify passed; core deps remain at intended versions with no newer patches available.
• Breaking changes reviewed:
  • go-state-types bump only updates x/sync.
  • go-datastore requires Go 1.24 (project uses 1.25).
  • go-libp2p contains non-breaking minor enhancements.
• govulncheck aborted (ffi_impl.go: undefined: GoF3NodeImpl); fix the build error or exclude FFI code and rerun to ensure no known vulnerabilities.

interop-tests/src/tests/go_app/go.mod (1)

3-14: Fix govulncheck errors and re-run vulnerability scan

govulncheck fails at bitswap_impl.go:24:2 (“undefined: GoBitswapNodeImpl”) and kad_impl.go:19:2 (“undefined: GoKadNodeImpl”); resolve these build errors or use modules-only mode before re-running govulncheck to ensure no critical vulnerabilities remain.