59 changes: 29 additions & 30 deletions f3-sidecar/go.mod
Expand Up @@ -6,16 +6,16 @@ require (
github.com/filecoin-project/go-f3 v0.8.10
github.com/filecoin-project/go-jsonrpc v0.9.0
github.com/filecoin-project/go-state-types v0.17.0
github.com/ihciah/rust2go v0.0.0-20251105132719-caedb7aac7b2
github.com/ihciah/rust2go v0.0.0-20251204052609-e81751674fa5
github.com/ipfs/go-cid v0.6.0
github.com/ipfs/go-datastore v0.9.0
github.com/ipfs/go-ds-leveldb v0.5.2
github.com/ipfs/go-log/v2 v2.9.0
github.com/libp2p/go-libp2p v0.45.0
github.com/libp2p/go-libp2p-kad-dht v0.35.1
github.com/libp2p/go-libp2p v0.46.0
github.com/libp2p/go-libp2p-kad-dht v0.36.0
github.com/libp2p/go-libp2p-pubsub v0.15.0
github.com/stretchr/testify v1.11.1
golang.org/x/crypto v0.45.0
golang.org/x/crypto v0.46.0
)

require (
Expand All @@ -30,7 +30,6 @@ require (
github.com/filecoin-project/go-bitfield v0.2.4 // indirect
github.com/filecoin-project/go-clock v0.1.0 // indirect
github.com/flynn/noise v1.1.0 // indirect
github.com/francoispqt/gojay v1.2.13 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
Expand All @@ -46,7 +45,7 @@ require (
github.com/ipld/go-ipld-prime v0.21.0 // indirect
github.com/jackpal/go-nat-pmp v1.0.2 // indirect
github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect
github.com/klauspost/compress v1.18.1 // indirect
github.com/klauspost/compress v1.18.2 // indirect
github.com/klauspost/cpuid/v2 v2.3.0 // indirect
github.com/koron/go-ssdp v0.1.0 // indirect
github.com/libp2p/go-buffer-pool v0.1.0 // indirect
Expand All @@ -62,7 +61,7 @@ require (
github.com/libp2p/go-yamux/v5 v5.1.0 // indirect
github.com/marten-seemann/tcp v0.0.0-20210406111302-dfbc87cc63fd // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/miekg/dns v1.1.68 // indirect
github.com/miekg/dns v1.1.69 // indirect
github.com/mikioh/tcpinfo v0.0.0-20190314235526-30a79bb1804b // indirect
github.com/mikioh/tcpopt v0.0.0-20190314235656-172688c1accc // indirect
github.com/minio/sha256-simd v1.0.1 // indirect
Expand All @@ -83,61 +82,61 @@ require (
github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
github.com/pion/datachannel v1.5.10 // indirect
github.com/pion/dtls/v2 v2.2.12 // indirect
github.com/pion/dtls/v3 v3.0.7 // indirect
github.com/pion/ice/v4 v4.0.10 // indirect
github.com/pion/dtls/v3 v3.0.9 // indirect
github.com/pion/ice/v4 v4.1.0 // indirect
github.com/pion/interceptor v0.1.42 // indirect
github.com/pion/logging v0.2.4 // indirect
github.com/pion/mdns/v2 v2.1.0 // indirect
github.com/pion/randutil v0.1.0 // indirect
github.com/pion/rtcp v1.2.16 // indirect
github.com/pion/rtp v1.8.25 // indirect
github.com/pion/sctp v1.8.40 // indirect
github.com/pion/rtp v1.8.26 // indirect
github.com/pion/sctp v1.8.41 // indirect
github.com/pion/sdp/v3 v3.0.16 // indirect
github.com/pion/srtp/v3 v3.0.8 // indirect
github.com/pion/srtp/v3 v3.0.9 // indirect
github.com/pion/stun v0.6.1 // indirect
github.com/pion/stun/v3 v3.0.1 // indirect
github.com/pion/stun/v3 v3.0.2 // indirect
github.com/pion/transport/v2 v2.2.10 // indirect
github.com/pion/transport/v3 v3.1.1 // indirect
github.com/pion/turn/v4 v4.1.3 // indirect
github.com/pion/webrtc/v4 v4.1.6 // indirect
github.com/pion/webrtc/v4 v4.1.8 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/polydawn/refmt v0.89.0 // indirect
github.com/prometheus/client_golang v1.23.2 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.67.3 // indirect
github.com/prometheus/common v0.67.4 // indirect
github.com/prometheus/procfs v0.19.2 // indirect
github.com/quic-go/qpack v0.5.1 // indirect
github.com/quic-go/quic-go v0.55.0 // indirect
github.com/quic-go/qpack v0.6.0 // indirect
github.com/quic-go/quic-go v0.57.1 // indirect
github.com/quic-go/webtransport-go v0.9.0 // indirect
github.com/spaolacci/murmur3 v1.1.0 // indirect
github.com/syndtr/goleveldb v1.0.0 // indirect
github.com/whyrusleeping/cbor-gen v0.3.1 // indirect
github.com/whyrusleeping/go-keyspace v0.0.0-20160322163242-5b898ac5add1 // indirect
github.com/wlynxg/anet v0.0.5 // indirect
go.dedis.ch/kyber/v4 v4.0.0-pre2.0.20240924132404-4de33740016e // indirect
go.dedis.ch/kyber/v4 v4.0.1-alpha.1 // indirect
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check git history for kyber version changes in f3-sidecar/go.mod
cd f3-sidecar
git log --oneline -p go.mod | grep -A 5 -B 5 "kyber" | head -40

Repository: ChainSafe/forest

Length of output: 636


🏁 Script executed:

# Check current state vs previous versions
cd f3-sidecar
git show HEAD:go.mod | grep kyber

Repository: ChainSafe/forest

Length of output: 181


🏁 Script executed:

# Search for kyber usage in f3-sidecar codebase
rg -t go "dedis.*kyber" f3-sidecar/

Repository: ChainSafe/forest

Length of output: 42


🌐 Web query:

go.dedis.ch kyber v4 latest stable release version

💡 Result:

The latest stable release for go.dedis.ch/kyber (module import path go.dedis.ch/kyber/v4) is v3.1.0 (released Nov 30, 2022). [1][2]

Sources:

  • GitHub releases (dedis/kyber) — v3.1.0, Nov 30, 2022. [1]
  • pkg.go.dev / go.dedis.ch/kyber/v4 documentation. [2]

🏁 Script executed:

cd f3-sidecar
git show HEAD~1:go.mod 2>/dev/null | grep -i kyber || echo "kyber not present in previous version"

Repository: ChainSafe/forest

Length of output: 97


🏁 Script executed:

# Find which dependency brings in kyber v4
cd f3-sidecar
rg -t go "kyber" --max-count=5

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Check go.mod for packages that might depend on kyber
cd f3-sidecar
grep -E "(lotus|filecoin|spec)" go.mod | head -10

Repository: ChainSafe/forest

Length of output: 318


Clarify necessity of alpha-release Kyber v4.0.1-alpha.1 or revert to stable v3.1.0.

Line 116 introduces go.dedis.ch/kyber/v4 v4.0.1-alpha.1 as a new indirect dependency in this PR. Using alpha versions in production—particularly for cryptographic operations—carries significant risk due to potential undisclosed security vulnerabilities, API instability, and harder debugging.

Note: v4.0.0 (stable) does not exist; the latest stable release is v3.1.0 (Nov 2022). Since kyber is marked indirect, it's likely a transitive dependency from filecoin-project/go-f3 v0.8.10. Clarify whether:

  1. The kyber v4 alpha is unavoidable due to go-f3 requirements
  2. Whether go-f3 can work with kyber v3.1.0 instead
  3. If the alpha version is documented or justified in the PR description

If v3.1.0 is compatible, prefer the stable release. If v4.0.1-alpha.1 is unavoidable, document the security rationale.

🤖 Prompt for AI Agents
In f3-sidecar/go.mod around line 116, the addition of the alpha release
go.dedis.ch/kyber/v4 v4.0.1-alpha.1 (indirect) is risky for crypto code; run `go
mod why go.dedis.ch/kyber/v4` and `go mod graph` to identify which direct
dependency (likely filecoin-project/go-f3) is pulling v4, then either (A) if
compatible, add a direct require for go.dedis.ch/kyber v3.1.0 in go.mod (or a
replace) to pin the stable release and run `go mod tidy` and full test suite, or
(B) if v4 is unavoidable, document this in the PR (why v4 is required, security
review steps, and link to upstream issues/maintainer confirmation) and add a
short go.mod comment and changelog entry; if incompatibilities remain, open an
upstream issue with filecoin-project/go-f3 to request v3 compatibility or
rationale for v4.

go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.opentelemetry.io/otel v1.39.0 // indirect
go.opentelemetry.io/otel/metric v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.39.0 // indirect
go.uber.org/dig v1.19.0 // indirect
go.uber.org/fx v1.24.0 // indirect
go.uber.org/mock v0.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.1 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
golang.org/x/mod v0.30.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/telemetry v0.0.0-20251112162317-03ef243c208a // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/exp v0.0.0-20251209150349-8475f28825e9 // indirect
golang.org/x/mod v0.31.0 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.39.0 // indirect
golang.org/x/telemetry v0.0.0-20251208220230-2638a1023523 // indirect
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.39.0 // indirect
golang.org/x/tools v0.40.0 // indirect
golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
gonum.org/v1/gonum v0.16.0 // indirect
google.golang.org/protobuf v1.36.10 // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
lukechampine.com/blake3 v1.4.1 // indirect
)