fix(f3): pin crypto@v0.43.0 #6485

Merged: hanabi1224 merged 1 commit into main from hm/pin-crypto-in-f3 on Jan 27, 2026

@hanabi1224 hanabi1224 commented Jan 27, 2026

Summary of changes

Pin crypto@0.43.0 as it removed some assembly optimizations since v0.44.0. See filecoin-project/go-f3#1063 (comment) for details

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to maintain compatibility and stability.


coderabbitai Bot commented Jan 27, 2026

Walkthrough

The pull request updates multiple Go module dependency versions in the f3-sidecar/go.mod file, downgrading or adjusting versions for packages including libp2p/go-libp2p-kad-dht, golang.org/x/crypto, github.com/miekg/dns, and several golang.org/x/\* packages.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go Module Dependency Updates: `f3-sidecar/go.mod` | Downgraded or adjusted versions across 10 dependency entries, including libp2p/go-libp2p-kad-dht (v0.37.0 → v0.35.1), golang.org/x/crypto (v0.47.0 → v0.43.0), github.com/miekg/dns (v1.1.69 → v1.1.68), and multiple golang.org/x/\* packages (exp, mod, net, telemetry, text, tools). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Possibly related PRs

Suggested reviewers

  • sudo-shashank
  • LesnyRumcajs

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: pinning the crypto dependency to v0.43.0, which aligns with the primary modification in the go.mod file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"



@hanabi1224 hanabi1224 marked this pull request as ready for review January 27, 2026 11:34
@hanabi1224 hanabi1224 requested a review from a team as a code owner January 27, 2026 11:34
@hanabi1224 hanabi1224 requested review from LesnyRumcajs and akaladarshi and removed request for a team January 27, 2026 11:34

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@f3-sidecar/go.mod`:
- Line 18: Replace the pinned dependency golang.org/x/crypto v0.43.0 in go.mod
with at least v0.45.0 to include fixes for the SSH CVEs (CVE-2025-58181 and
CVE-2025-47914), and update or remove the accompanying comment about assembly
optimizations/commit cf29fa96f8b66328e59829f064539321159bfa5b to reflect that
SHA-3 is delegated to crypto/sha3 (Go 1.24+) and that the security-fix upgrade
should be used unless a documented, measured performance regression is proven
for this codebase.

Comment thread f3-sidecar/go.mod
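
A pin like the one discussed in this thread can be guarded in CI by a version-floor check on `go.mod`. The sketch below is an added example, not code from this PR or from the project: the sample `go.mod` text is constructed, `BelowFloor` is a hypothetical helper name, and the floor `v0.45.0` is the version named in the review comment above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod fragment (not the project's actual file).
const sampleGoMod = "module example.com/sidecar\n\nrequire (\n" +
	"\tgithub.com/miekg/dns v1.1.68 // indirect\n" +
	"\tgolang.org/x/crypto v0.43.0 // pinned for performance\n)\n"

// parseVer turns "v0.43.0" into [0 43 0]; any pre-release suffix is ignored.
func parseVer(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err
}

// BelowFloor returns the version required for module in gomod and whether it
// is lower than floor. Single-line and block require forms are handled;
// replace directives are not evaluated (a simplification of this example).
func BelowFloor(gomod, module, floor string) (string, bool, error) {
	want, err := parseVer(floor)
	if err != nil {
		return "", false, err
	}
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop trailing comment
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || f[0] != module {
			continue
		}
		got, err := parseVer(f[1])
		if err != nil {
			return f[1], false, err
		}
		for i := range got {
			if got[i] != want[i] {
				return f[1], got[i] < want[i], nil
			}
		}
		return f[1], false, nil // exactly at the floor
	}
	return "", false, fmt.Errorf("%s not found in require", module)
}

func main() {
	fmt.Println(BelowFloor(sampleGoMod, "golang.org/x/crypto", "v0.45.0"))
}
```

Wiring the boolean result to a non-zero exit code makes a pin below the floor fail the build unless the exception is explicitly recorded.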
@hanabi1224 hanabi1224 enabled auto-merge January 27, 2026 11:54
@hanabi1224 hanabi1224 added this pull request to the merge queue Jan 27, 2026
Merged via the queue into main with commit c32dd7c Jan 27, 2026
40 checks passed
@hanabi1224 hanabi1224 deleted the hm/pin-crypto-in-f3 branch January 27, 2026 13:43