@hanabi1224 hanabi1224 commented Nov 7, 2025

Summary of changes

bump go deps and resolve the breaking change in go-libp2p: https://filecoinproject.slack.com/archives/CP50PPW2X/p1762446290629389

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated Go module dependencies across sidecar and interop-test modules, including libp2p (v0.45.0), IPFS components, Prometheus libraries, WebRTC stack, and cryptographic utilities to latest versions.
    • Enhanced logging infrastructure integration.

@hanabi1224 hanabi1224 marked this pull request as ready for review November 7, 2025 09:24
@hanabi1224 hanabi1224 requested a review from a team as a code owner November 7, 2025 09:24
@hanabi1224 hanabi1224 requested review from LesnyRumcajs and sudo-shashank and removed request for a team November 7, 2025 09:24
coderabbitai bot commented Nov 7, 2025

Walkthrough

This pull request updates Go module dependencies in f3-sidecar and interop-tests, bumping versions for libp2p, ipfs/boxo, pion components, Prometheus, and Go standard library packages. Additionally, logging integration is added to f3-sidecar/utils.go to route slog through the existing go-log system.

Changes

Cohort / File(s) | Summary
Go module dependency updates (f3-sidecar/go.mod, interop-tests/src/tests/go_app/go.mod) | Multiple version bumps across ecosystem packages: libp2p v0.45.0, ipfs/boxo v0.35.2, ipfs/go-log/v2 v2.9.0, pion components (webrtc v4.1.6, rtp v1.8.25, etc.), Prometheus common v0.67.2, and golang.org/x/* packages (crypto v0.43.0, net v0.46.0, sys v0.37.0, etc.).
Logging integration (f3-sidecar/utils.go) | Routes Go's slog logs through go-log system and initializes libp2p shim for logging in setLogLevels function. No behavioral changes to existing log level settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Dependency version updates are mechanical and repetitive across two files; verify version compatibility and semver alignment
  • Logging changes in utils.go are initialization-only; confirm slog/gologshim integration doesn't introduce side effects

Possibly related PRs

Suggested labels

dependencies, go

Suggested reviewers

  • LesnyRumcajs
  • akaladarshi
  • sudo-shashank

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title 'chore(deps): bump go deps' accurately describes the main change—updating Go dependencies across multiple modules—and aligns with the changeset that shows version bumps for go-jsonrpc, libp2p, Pion stack, Prometheus, and golang.org/x packages.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2c9f94 and 527b2c9.

⛔ Files ignored due to path filters (2)
  • f3-sidecar/go.sum is excluded by !**/*.sum
  • interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • f3-sidecar/go.mod (6 hunks)
  • f3-sidecar/utils.go (3 hunks)
  • interop-tests/src/tests/go_app/go.mod (7 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.
📚 Learning: 2025-08-07T13:12:23.359Z
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and was released on August 2, 2025. It is currently the latest stable version and can be used in Makefiles and CI configurations. The version follows the v2.x.x numbering scheme, not v1.x.x as I previously incorrectly stated.

Applied to files:

  • interop-tests/src/tests/go_app/go.mod
📚 Learning: 2025-08-07T13:12:23.359Z
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and is a valid release that can be used in Makefiles and CI configurations. It was released after v2.3.0.

Applied to files:

  • interop-tests/src/tests/go_app/go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: tests-release
  • GitHub Check: tests
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
  • GitHub Check: All lint checks
🔇 Additional comments (4)
f3-sidecar/utils.go (2)

6-6: LGTM: Imports added for logging integration.

The new imports for log/slog and gologshim are appropriate for routing logs through the go-log system.

Also applies to: 15-15


61-65: Logging integration correctly addresses go-libp2p breaking change.

Both required APIs have been verified:

  • logging.SlogHandler() exists in go-log/v2 v2.9.0
  • gologshim.SetDefaultHandler() exists in go-libp2p v0.45.0

The implementation matches the documented example and calls are in the correct order.

f3-sidecar/go.mod (1)

7-14: All dependency updates are secure; no unpatched vulnerabilities detected.

The security verification confirms that the updated versions are safe:

  • go-libp2p v0.45.0: All detected vulnerabilities are in older versions (≤0.27.3 and earlier).
  • golang.org/x/crypto v0.43.0: All detected vulnerabilities are patched (CRITICAL authorization bypass fixed in 0.31.0, HIGH DoS fixed in 0.35.0, all others similarly addressed).

No action required.

interop-tests/src/tests/go_app/go.mod (1)

6-11: No security issues identified; dependency updates are safe to proceed.

go-libp2p v0.45.0 has no public CVEs. Earlier high-impact vulnerabilities were fixed in older go-libp2p releases (0.27.8, 0.28.2, 0.29.1), and v0.45.0 is above all patched versions. The CVE affecting libp2p v0.45.0 applies to the Rust implementation, not go-libp2p. Other major dependencies (rust2go, boxo, go-cid, go-log) showed no disclosed vulnerabilities. The dependency updates are compatible and secure.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"


Comment @coderabbitai help to get the list of available commands and usage tips.
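
An added example, not part of the pull request or the review bot's output: a standard-library-only Go check that flags a go.mod pinning a watched module below a minimum version, so the "above all patched versions" claim can be re-checked in CI. The floors are the highest "fixed in" versions quoted in the review comment above; the function names and the sample go.mod text are constructed for illustration, and replace directives are not handled.

```go
package main

import (
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// floors: highest "fixed in" version quoted in the review comment, per module.
var floors = map[string][]int{
	"github.com/libp2p/go-libp2p": {0, 29, 1},
	"golang.org/x/crypto":         {0, 35, 0},
}

// parse splits "v0.45.0[-pre][+meta]" into numbers and reports a pre-release tag.
func parse(v string) ([]int, bool, error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, _, pre := strings.Cut(core, "-")
	var n []int
	for _, p := range strings.Split(core, ".") {
		x, err := strconv.Atoi(p)
		if err != nil {
			return nil, pre, err
		}
		n = append(n, x)
	}
	return n, pre, nil
}

// belowFloor lists watched modules pinned under their floor (pre-releases of the floor included).
func belowFloor(gomod string) []string {
	var out []string
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && floors[f[0]] != nil { // requirement line for a watched module
			have, pre, err := parse(f[1])
			c := slices.Compare(have, floors[f[0]])
			if err != nil || len(have) != 3 || c < 0 || (c == 0 && pre) {
				out = append(out, f[0]+" "+f[1])
			}
		}
	}
	return out
}

func main() { // constructed go.mod fragment using a version named in the PR
	fmt.Println(belowFloor("require (\n\tgolang.org/x/crypto v0.43.0 // indirect\n)"))
}
```

A version floor only covers the advisories it was derived from; a vulnerability database scan is still needed for anything disclosed later.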

@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Nov 7, 2025
Merged via the queue into main with commit 53acfdf Nov 7, 2025
47 checks passed
@LesnyRumcajs LesnyRumcajs deleted the hm/bump-go-deps branch November 7, 2025 10:17
@coderabbitai coderabbitai bot mentioned this pull request Dec 15, 2025