
Conversation

@hanabi1224 (Contributor) commented Nov 20, 2025

Summary of changes

Fixes
https://github.com/ChainSafe/forest/security/dependabot/126
https://github.com/ChainSafe/forest/security/dependabot/127
https://github.com/ChainSafe/forest/security/dependabot/128
https://github.com/ChainSafe/forest/security/dependabot/129

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores

    • Bumped Go toolchain to 1.25.4 for improved stability and security.
    • Upgraded core dependencies (crypto, networking, sync, text, tooling, logging, and Prometheus-related libraries) to current vetted versions.
    • Updated Prometheus metrics validator to work with the latest parser/API changes.
  • Notes

    • No public/exported APIs were changed.


coderabbitai bot (Contributor) commented Nov 20, 2025

Walkthrough

Updates Go toolchain from 1.25.2 to 1.25.4 and bumps multiple golang.org/x/* and Prometheus-related dependencies; adapts prometheus_metrics_validator to the new textparse.ParserOptions API (replacing SymbolTable-based parser initialization).

Changes

Cohort / File(s) / Summary:

  • Go toolchain & x/ dependency bumps (f3-sidecar/go.mod, interop-tests/src/tests/go_app/go.mod): Bump Go toolchain 1.25.2 -> 1.25.4; update golang.org/x/crypto, x/exp, x/mod, x/net, x/sync, x/sys, x/text, x/tools, x/telemetry, x/time and other indirects.
  • Prometheus & CLI deps (tools/prometheus_metrics_validator/go.mod): Bump Go toolchain to 1.25.4; upgrade github.com/prometheus/prometheus v0.306.0 -> v0.307.3, github.com/urfave/cli/v3 v3.4.1 -> v3.6.1, and related indirects (prometheus/common, x/text).
  • Prometheus parser API adaptation (tools/prometheus_metrics_validator/main.go): Remove the model/labels import and refactor the textparse.New invocation to use textparse.ParserOptions (EnableTypeAndUnitLabels, ConvertClassicHistogramsToNHCB) instead of a SymbolTable plus boolean flags.

Sequence Diagram(s)

Sequence diagram (mermaid source):

    sequenceDiagram
        participant Validator as prometheus_metrics_validator
        participant TextParse as textparse.New
        Note over Validator,TextParse #DDFFDD: Old flow
        Validator->>TextParse: textparse.New(reader, optsFlags..., symbolTable)
        TextParse-->>Validator: parser (old signature)
        Note over Validator,TextParse #FFEECC: New flow
        Validator->>TextParse: textparse.New(reader, nil, ParserOptions{EnableTypeAndUnitLabels: true, ConvertClassicHistogramsToNHCB: true})
        TextParse-->>Validator: parser (new signature)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review tools/prometheus_metrics_validator/main.go for correct ParserOptions usage and any effects on parsing behavior or error handling.
  • Verify module version consistency across go.mod files to avoid mismatched x/* indirects.

Possibly related PRs

Suggested labels

dependencies, go

Suggested reviewers

  • sudo-shashank
  • akaladarshi
  • LesnyRumcajs

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
  • Title check ⚠️ Warning. Explanation: The title mentions bumping golang.org/x/crypto, but the PR also bumps the Go toolchain and numerous other dependencies across three modules, making the title incomplete and overly narrow. Resolution: Consider a more comprehensive title like 'chore(deps): bump Go toolchain and dependencies' to accurately reflect all the significant changes in the PR.
  • Docstring Coverage ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (1 passed)
  • Description Check ✅ Passed. Explanation: Check skipped - CodeRabbit's high-level summary is enabled.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ab4ec7 and e6465a8.

⛔ Files ignored due to path filters (2)
  • f3-sidecar/go.sum is excluded by !**/*.sum
  • interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • f3-sidecar/go.mod (5 hunks)
  • interop-tests/src/tests/go_app/go.mod (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • f3-sidecar/go.mod
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and is a valid release that can be used in Makefiles and CI configurations. It was released after v2.3.0.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and was released on August 2, 2025. It is currently the latest stable version and can be used in Makefiles and CI configurations. The version follows the v2.x.x numbering scheme, not v1.x.x as I previously incorrectly stated.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.
📚 Learnings applied to interop-tests/src/tests/go_app/go.mod: the two golangci-lint v2.3.1 learnings listed above (PR 5886, Makefile:1-1, 2025-08-07T13:12:23.359Z).
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Build MacOS
  • GitHub Check: Build Ubuntu
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: tests
  • GitHub Check: tests-release
  • GitHub Check: All lint checks
  • GitHub Check: Build forest binaries on Linux AMD64
🔇 Additional comments (3)
interop-tests/src/tests/go_app/go.mod (3)

3-3: Go toolchain bump from 1.25.2 to 1.25.4 aligns with PR objectives.

This patch-level toolchain update is appropriate for pulling in security and stability fixes from the Go runtime. Ensure this version is available in your CI/CD environment and matches the target Go version in other modules (e.g., f3-sidecar/go.mod and tools/prometheus_metrics_validator/go.mod as mentioned in the PR).


83-83: Minor dependency updates are consistent with security patching strategy.

The patch-level updates to Pion (interceptor, mdns/v2, transport/v3, turn/v4) and Prometheus-related packages, along with go.uber.org/zap, are appropriately scoped and appear to be coordinated updates. These align with the broader golang.org/x/* ecosystem refresh.

Also applies to: 85-85, 95-95, 96-96, 101-101, 117-117


119-128: I need to search for information about the other golang.org/x package updates to verify coverage of all four Dependabot alerts.

I need more targeted searches for the specific package versions in the PR. Let me search for the recent Go security announcements and changelog information for these versions.

Let me search for information about Dependabot alerts or release notes that might reference all four alerts together.

Verify Dependabot alert mapping and x/sys v0.38.0 role in security fixes.

golang.org/x/crypto v0.45.0 fixes CVE-2025-58181 (SSH servers parsing GSSAPI auth don't validate OID count, allowing unbounded memory consumption) and CVE-2025-47914 (SSH agent servers don't validate message sizes on new-identity requests, causing panic on malformed input). golang.org/x/net v0.47.0 was published November 11, 2025, and earlier releases of this package have addressed HTML parsing performance and memory issues. However, the web search could not verify the specific role of golang.org/x/sys v0.38.0 or confirm which of the four Dependabot alerts (126, 127, 128, 129) map to each CVE.

Ensure the PR description or Dependabot alerts page explicitly documents that all four referenced alerts are resolved by these versions before merging.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"


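The two review items above, that the bumped versions actually meet the fixed version behind each Dependabot alert and that the x/* pins stay consistent across the three go.mod files, can be turned into a mechanical check. The program below is an added example written for this page; it is not code from the Forest repository, from CodeRabbit, or from any of the three modules. The go.mod excerpts are constructed sample input (the validator module is deliberately left one release behind so the audit has something to report), and the fixed-version floors for golang.org/x/crypto and golang.org/x/net are assumptions to be replaced with the values from the advisories behind the four alerts.

```go
package main

import (
	"bufio"
	"cmp"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Constructed go.mod excerpts standing in for two of the modules this PR touches. They are
// sample input for the example, not the repository's files; the validator is left behind on purpose.
var sampleMods = map[string]string{
	"f3-sidecar/go.mod": `require (
	golang.org/x/crypto v0.45.0
	golang.org/x/net v0.47.0
)`,
	"tools/prometheus_metrics_validator/go.mod": `require golang.org/x/crypto v0.44.0 // indirect

require (
	golang.org/x/net v0.46.0 // indirect
)`,
}

// minFixed is the lowest version carrying each tracked fix. The floors are assumptions for the
// example; take the real ones from the Go vulnerability database entry behind each Dependabot alert.
var minFixed = map[string]string{
	"golang.org/x/crypto": "v0.45.0",
	"golang.org/x/net":    "v0.47.0",
}

type Finding struct{ File, Module, Version, Reason string } // File is "(multiple)" for cross-module drift

func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	slices.Sort(keys)
	return keys
}

// parseRequires maps module path -> version for every require entry, single-line or inside a
// require ( ... ) block. An entry is "<path> <version>", so go/module/toolchain lines never match.
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" and other comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			out[f[0]] = f[1]
		}
	}
	return out
}

// compareSemver orders plain vMAJOR.MINOR.PATCH tags numerically (-1, 0, +1); pre-release
// suffixes and pseudo-versions are out of scope for this check.
func compareSemver(a, b string) int {
	pa, pb := strings.Split(strings.TrimPrefix(a, "v"), "."), strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if c := cmp.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// Audit reports any pin below its fixed floor, and the same module pinned at different versions
// across go.mod files: MVS picks the highest version within one build, but drift between modules
// is how a vulnerable pin survives in the module nobody rebuilt.
func Audit(mods, floors map[string]string) []Finding {
	var findings []Finding
	versions := map[string][]string{}
	for _, file := range sortedKeys(mods) {
		for mod, ver := range parseRequires(mods[file]) {
			if floor, ok := floors[mod]; ok && compareSemver(ver, floor) < 0 {
				findings = append(findings, Finding{file, mod, ver, "below fixed version " + floor})
			}
			versions[mod] = append(versions[mod], ver)
		}
	}
	for _, mod := range sortedKeys(versions) {
		slices.Sort(versions[mod])
		if vs := slices.Compact(versions[mod]); len(vs) > 1 {
			findings = append(findings, Finding{"(multiple)", mod, strings.Join(vs, ", "), "pinned at different versions across modules"})
		}
	}
	return findings
}

func main() {
	for _, f := range Audit(sampleMods, minFixed) {
		fmt.Printf("%-42s %-22s %-18s %s\n", f.File, f.Module, f.Version, f.Reason)
	}
}
```

Point it at the real files by reading each go.mod into the map instead of the constructed excerpts. It is a floor-and-drift check on declared pins only; it complements rather than replaces running govulncheck ./... in each module directory, which resolves the full build list and matches reachable calls against the Go vulnerability database.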

hanabi1224 marked this pull request as ready for review November 20, 2025 08:42
hanabi1224 requested a review from a team as a code owner November 20, 2025 08:42
hanabi1224 requested review from LesnyRumcajs and removed request for a team November 20, 2025 08:42
LesnyRumcajs added this pull request to the merge queue Nov 20, 2025
github-merge-queue bot pushed a commit that referenced this pull request Nov 20, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 20, 2025
hanabi1224 added this pull request to the merge queue Nov 20, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 20, 2025
hanabi1224 added this pull request to the merge queue Nov 20, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 20, 2025
hanabi1224 added this pull request to the merge queue Nov 20, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 20, 2025
hanabi1224 added this pull request to the merge queue Nov 20, 2025
Merged via the queue into main with commit 7ac79a4 Nov 20, 2025
42 checks passed
hanabi1224 deleted the hm/bump-go-deps branch November 20, 2025 20:01
Labels: None yet
Projects: None yet
3 participants