@dependabot dependabot bot commented on behalf of github Oct 13, 2025

Bumps the all-go group with 2 updates in the / directory: connectrpc.com/connect and golang.org/x/crypto.
Bumps the all-go group with 3 updates in the /execution/grpc directory: connectrpc.com/connect, golang.org/x/net and github.com/evstack/ev-node.
Bumps the all-go group with 1 update in the /sequencers/single directory: github.com/evstack/ev-node.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/celestiaorg/tastora and github.com/docker/docker.
Bumps the all-go group with 1 update in the /test/e2e directory: github.com/celestiaorg/tastora.

Updates connectrpc.com/connect from 1.19.0 to 1.19.1

Release notes

Sourced from connectrpc.com/connect's releases.

v1.19.1

What's Changed

Bugfixes

Full Changelog: connectrpc/connect-go@v1.19.0...v1.19.1

Commits

Updates golang.org/x/crypto from 0.42.0 to 0.43.0

Commits
  • 627cb89 go.mod: update golang.org/x dependencies
  • dca4914 acme: fix autocert TestHTTPHandlerDefaultFallback
  • 1336e21 x509roots/fallback: update bundle
  • 2beaa59 ssh: add VerifiedPublicKeyCallback
  • 66c3d8c ssh: add support for FIPS mode
  • ddb4e80 ssh: remove custom contains, use slices.Contains
  • f4d47b0 ssh: return clearer error when signature algorithm is used as key format
  • 96dc232 x509roots/fallback/bundle: add bundle package to export root certs
  • 8c9ba31 all: freeze and deprecate more packages
  • 559e062 ssh/agent: return an error for unexpected message types
  • See full diff in compare view

Updates golang.org/x/net from 0.44.0 to 0.45.0

Commits
  • 2002a06 go.mod: update golang.org/x dependencies
  • 59706cd html: impose open element stack size limit
  • 6ec8895 html: align in row insertion mode with spec
  • 5393563 http2: fix RFC 9218 write scheduler not being idempotent
  • b2ab371 internal/httpsfv: implement parsing support for date and display string
  • edb764c internal/httpsfv: add parsing functionality for types defined in RFC 8941
  • fbba2c2 internal/httpsfv: add support for consuming Display String and Date type
  • 47a241f http2: make the error channel pool per-Server
  • 51f657b webdav/internal/xml: use the built-in min function
  • f2e909b internal/httpsfv: implement parsing support for Dictionary and List type.
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.44.0 to 0.46.0

Commits
  • 2002a06 go.mod: update golang.org/x dependencies
  • 59706cd html: impose open element stack size limit
  • 6ec8895 html: align in row insertion mode with spec
  • 5393563 http2: fix RFC 9218 write scheduler not being idempotent
  • b2ab371 internal/httpsfv: implement parsing support for date and display string
  • edb764c internal/httpsfv: add parsing functionality for types defined in RFC 8941
  • fbba2c2 internal/httpsfv: add support for consuming Display String and Date type
  • 47a241f http2: make the error channel pool per-Server
  • 51f657b webdav/internal/xml: use the built-in min function
  • f2e909b internal/httpsfv: implement parsing support for Dictionary and List type.
  • Additional commits viewable in compare view

Updates github.com/evstack/ev-node from 1.0.0-beta.6 to 1.0.0-beta.7

Commits
  • 8c85f1a build(deps): Bump alpine from 3.22.1 to 3.22.2 in the patch-updates group (#2...
  • ac00304 refactor(syncer): fix last data check for both da and syncer + optimize (#2747)
  • 1ff30ea feat(store)!: add batching for atomicity (#2746)
  • 05124cc refactor(apps): rollback cmd updates (#2744)
  • 2c85e06 chore: add makefile for tools (#2743)
  • 6c7c85c chore: fix markdown lint (#2742)
  • fdc59ab build(deps): Bump the all-go group across 5 directories with 6 updates (#2738)
  • 184f42f refactor(block): improve cancellation (#2741)
  • a491aee chore: make the prompt go oriented (#2739)
  • 528081b perf(block): use sync/atomic instead of mutexes (#2735)
  • Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.6.0 to 0.7.1

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.7.1

What's Changed

Full Changelog: celestiaorg/tastora@v0.7.0...v0.7.1

v0.7.0

What's Changed

Full Changelog: celestiaorg/tastora@v0.6.1...v0.6.2

v0.6.1

What's Changed

Full Changelog: celestiaorg/tastora@v0.6.0...v0.6.1

Commits

Updates github.com/docker/docker from 28.5.0+incompatible to 28.5.1+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.1

28.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

Deprecations

  • api/types/image: InspectResponse: deprecate Parent and DockerVersion fields. moby/moby#51105
  • api/types/plugin: deprecate Config.DockerVersion field. moby/moby#51110

Commits
  • f8215cc Merge pull request #51137 from austinvazquez/cherry-pick-vendor-buildkit-0.25...
  • 40a856a hack: add patch to buildkit tests
  • 5d1c311 vendor: update buildkit to v0.25.1
  • 90506c1 Merge pull request #51133 from vvoland/51132-28.x
  • 17db0cd Merge pull request #51128 from thaJeztah/28.x_backport_gcpolicy-invalid-calcu...
  • f7c40ea update to go1.24.8
  • dccf7c8 builder: use proper percentage calculations for default gc policy
  • 0f040aa Merge pull request #51126 from vvoland/51124-28.x
  • 5b1a039 ci: fix cache for go modules
  • 8fa4bd5 Merge pull request #51121 from crazy-max/28.x_ci-caches-fixes
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the all-go group with 2 updates in the / directory: [connectrpc.com/connect](https://github.com/connectrpc/connect-go) and [golang.org/x/crypto](https://github.com/golang/crypto).
Bumps the all-go group with 3 updates in the /execution/grpc directory: [connectrpc.com/connect](https://github.com/connectrpc/connect-go), [golang.org/x/net](https://github.com/golang/net) and [github.com/evstack/ev-node](https://github.com/evstack/ev-node).
Bumps the all-go group with 1 update in the /sequencers/single directory: [github.com/evstack/ev-node](https://github.com/evstack/ev-node).
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: [github.com/celestiaorg/tastora](https://github.com/celestiaorg/tastora) and [github.com/docker/docker](https://github.com/docker/docker).
Bumps the all-go group with 1 update in the /test/e2e directory: [github.com/celestiaorg/tastora](https://github.com/celestiaorg/tastora).


Updates `connectrpc.com/connect` from 1.19.0 to 1.19.1
- [Release notes](https://github.com/connectrpc/connect-go/releases)
- [Changelog](https://github.com/connectrpc/connect-go/blob/main/RELEASE.md)
- [Commits](connectrpc/connect-go@v1.19.0...v1.19.1)

Updates `golang.org/x/crypto` from 0.42.0 to 0.43.0
- [Commits](golang/crypto@v0.42.0...v0.43.0)

Updates `golang.org/x/net` from 0.44.0 to 0.45.0
- [Commits](golang/net@v0.44.0...v0.46.0)

Updates `connectrpc.com/connect` from 1.19.0 to 1.19.1
- [Release notes](https://github.com/connectrpc/connect-go/releases)
- [Changelog](https://github.com/connectrpc/connect-go/blob/main/RELEASE.md)
- [Commits](connectrpc/connect-go@v1.19.0...v1.19.1)

Updates `golang.org/x/net` from 0.44.0 to 0.46.0
- [Commits](golang/net@v0.44.0...v0.46.0)

Updates `github.com/evstack/ev-node` from 1.0.0-beta.6 to 1.0.0-beta.7
- [Release notes](https://github.com/evstack/ev-node/releases)
- [Changelog](https://github.com/evstack/ev-node/blob/main/CHANGELOG.md)
- [Commits](v1.0.0-beta.6...v1.0.0-beta.7)

Updates `github.com/evstack/ev-node` from 1.0.0-beta.6 to 1.0.0-beta.7
- [Release notes](https://github.com/evstack/ev-node/releases)
- [Changelog](https://github.com/evstack/ev-node/blob/main/CHANGELOG.md)
- [Commits](v1.0.0-beta.6...v1.0.0-beta.7)

Updates `github.com/celestiaorg/tastora` from 0.6.0 to 0.7.1
- [Release notes](https://github.com/celestiaorg/tastora/releases)
- [Commits](celestiaorg/tastora@v0.6.0...v0.7.1)

Updates `github.com/docker/docker` from 28.5.0+incompatible to 28.5.1+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.5.0...v28.5.1)

Updates `github.com/celestiaorg/tastora` from 0.6.0 to 0.7.1
- [Release notes](https://github.com/celestiaorg/tastora/releases)
- [Commits](celestiaorg/tastora@v0.6.0...v0.7.1)

---
updated-dependencies:
- dependency-name: connectrpc.com/connect
  dependency-version: 1.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: golang.org/x/crypto
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: golang.org/x/net
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: connectrpc.com/connect
  dependency-version: 1.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: golang.org/x/net
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/evstack/ev-node
  dependency-version: 1.0.0-beta.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/evstack/ev-node
  dependency-version: 1.0.0-beta.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/celestiaorg/tastora
  dependency-version: 0.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/docker/docker
  dependency-version: 28.5.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/celestiaorg/tastora
  dependency-version: 0.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
...

Signed-off-by: dependabot[bot] <[email protected]>

julienrbrt previously approved these changes Oct 14, 2025
@github-actions

The latest Buf updates on your PR. Results from workflow CI and Release / buf-check (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ passed | ⏩ skipped | ✅ passed | ✅ passed | Oct 14, 2025, 8:12 AM |

claude bot commented Oct 14, 2025

Claude finished @dependabot[bot]'s task


Comprehensive Code Review - Dependency Update PR

This PR updates 6 Go dependencies across 5 directories. I've reviewed the changes for security implications, breaking changes, version consistency, and overall code quality.


Summary Assessment: ✅ APPROVED with Minor Notes

This is a well-managed dependency update PR that brings important bug fixes and security improvements. The changes are safe to merge.


Detailed Review

1. Dependency Updates Analysis

Core Updates:

  • connectrpc.com/connect: v1.19.0 → v1.19.1
  • golang.org/x/crypto: v0.42.0 → v0.43.0
  • golang.org/x/net: v0.44.0 → v0.45.0 (root) / v0.46.0 (execution/grpc)
  • github.com/evstack/ev-node: v1.0.0-beta.6 → v1.0.0-beta.7
  • github.com/celestiaorg/tastora: v0.6.0 → v0.7.1
  • github.com/docker/docker: v28.5.0 → v28.5.1

2. Security Assessment

Positive Findings:

  1. connectrpc.com/connect v1.19.1 - Critical bug fixes:

  2. golang.org/x/crypto v0.43.0 - Security enhancements:

    • SSH FIPS mode support added
    • VerifiedPublicKeyCallback for enhanced SSH security
    • Better error handling for signature algorithm misuse
    • Updated x509roots/fallback bundle (certificate trust store updates)
    • Deprecation of older, less secure packages
  3. golang.org/x/net v0.45.0/v0.46.0 - Stability improvements:

    • HTML parser security fix: imposed open element stack size limit (prevents DoS)
    • HTTP/2 RFC 9218 write scheduler idempotency fix
    • HTML parsing alignment with spec (reduces edge-case vulnerabilities)
  4. github.com/celestiaorg/tastora v0.7.1 - Infrastructure improvements:

    • Force volume removal fix (Block sync #139)
    • EVM-single support and init step control
    • Better container lifecycle management
  5. github.com/docker/docker v28.5.1 - Maintenance release:

    • BuildKit v0.25.1 update
    • Go runtime update to 1.24.8

Security Verdict: ✅ All updates contain important bug fixes and security improvements. No known vulnerabilities introduced.


3. Breaking Changes Check

No Breaking Changes Detected:

  • All updates are patch/minor versions following semver
  • connectrpc.com/connect: Patch release (1.19.0→1.19.1) - backward compatible
  • golang.org/x/crypto: Minor bump (0.42→0.43) - additive changes only
  • golang.org/x/net: Minor bump (0.44→0.45/0.46) - internal fixes only
  • github.com/evstack/ev-node: Beta version bump - managed internally
  • github.com/celestiaorg/tastora: Minor bump (0.6→0.7.1) - feature additions
  • github.com/docker/docker: Patch release (28.5.0→28.5.1) - bug fixes only

Note: golang.org/x/crypto does deprecate some packages (as noted in release notes), but these are not used in this codebase based on the import patterns.


4. Version Consistency Analysis ⚠️ Minor Inconsistency Noted

Inconsistency Found:

  • golang.org/x/net version differs between modules:
    • Root, sequencers/single, test modules: v0.45.0
    • execution/grpc: v0.46.0

Impact Assessment: Low/None

  • This is a difference of one minor version (v0.45.0 vs v0.46.0)
  • Both are recent versions with similar security fixes
  • The difference likely arose from separate dependency resolution
  • No functional issues expected as golang.org/x/net maintains backward compatibility

Recommendation:
This inconsistency is acceptable for now, but consider standardizing to v0.46.0 in a follow-up PR by running:

go get golang.org/x/net@v0.46.0
make tidy-all

5. Transitive Dependencies

The PR properly updated transitive dependencies in sequencers/single/go.mod:

  • Added: dgraph-io/badger/v4, dgraph-io/ristretto/v2, dustin/go-humanize
  • Added: golang/groupcache, google/flatbuffers
  • Added: ipfs/go-ds-badger4, pkg/errors, go.opencensus.io

These are expected transitive dependencies from the github.com/evstack/ev-node v1.0.0-beta.7 update. The PR description mentions this upgrade includes:

Verdict: ✅ Transitive dependencies are correctly resolved.


6. Code Quality & Best Practices

Positive Observations:

  1. Proper Commit Structure:

    • Two clean commits: dependency bump + make tidy-all
    • Shows proper Go module maintenance workflow
  2. CI Passing:

    • Buf check passed (protobuf validation)
    • Indicates no breaking changes in generated code
  3. Comprehensive Testing:

    • Per CLAUDE.md, this repo has extensive test coverage
    • Recommend running: make test-all before merge
    • Also run: make lint to ensure no new issues
  4. Module Hygiene:

    • All go.sum files properly updated
    • No manual edits to go.sum (good practice)
    • Consistent go version (1.24.6) across all modules

7. Production Readiness

Pre-Merge Checklist:

  • Security review completed
  • Breaking changes assessed
  • Version consistency reviewed
  • Recommended: Run make test-all locally or in CI
  • Recommended: Run make lint to verify no new issues
  • Optional: Consider standardizing golang.org/x/net to v0.46.0

Recommendations

Immediate Actions:

  1. Merge this PR - All critical checks passed
  2. Verify CI test suite passes (beyond buf-check)

Follow-up Actions (Optional):

  1. Standardize golang.org/x/net to v0.46.0 across all modules
  2. Monitor for any runtime issues post-deployment (unlikely given the nature of updates)

Long-term Considerations:

  1. Consider automating dependency updates with Dependabot auto-merge for patch releases
  2. The project is well-structured with good module boundaries - no architectural concerns

Final Verdict

✅ APPROVED - This PR is safe to merge. The dependency updates bring valuable bug fixes and security improvements without introducing breaking changes or security risks.

The minor version inconsistency in golang.org/x/net is not blocking and can be addressed in a future PR if desired.


Review Checklist:

  • Analyze PR changes and dependency updates
  • Review security implications of updated dependencies
  • Check for breaking changes in updated packages
  • Verify version consistency across modules
  • Review release notes for critical fixes
  • Provide comprehensive feedback
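
The version-consistency check from section 4 of the review, as an added example that is not part of the PR or of the review: a Go program that reads the `require` directives of each module's go.mod and reports dependencies pinned at different versions. The go.mod texts and the `example.com/app` module names are constructed; the directory names and golang.org/x/net versions are the ones the review cites.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod texts; module names are hypothetical, x/net versions as in the review.
var sampleMods = map[string]string{
	"/": "module example.com/app\n\nrequire (\n\tconnectrpc.com/connect v1.19.1\n" +
		"\tgolang.org/x/net v0.45.0 // indirect\n)\n",
	"/execution/grpc": "module example.com/app/execution/grpc\n\n" +
		"require golang.org/x/net v0.46.0\n\nrequire (\n\tconnectrpc.com/connect v1.19.1\n)\n",
}

// parseRequires returns dependency path -> version for one go.mod text. It reads
// single-line requires and require ( ... ) blocks and skips comments and other directives.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// findDrift takes directory -> go.mod text and returns, for each dependency
// required at more than one version, the version every directory pins.
func findDrift(mods map[string]string) map[string]map[string]string {
	byDep := map[string]map[string]string{} // dependency -> directory -> version
	for dir, text := range mods {
		for dep, ver := range parseRequires(text) {
			if byDep[dep] == nil {
				byDep[dep] = map[string]string{}
			}
			byDep[dep][dir] = ver
		}
	}
	for dep, dirs := range byDep {
		distinct := map[string]bool{}
		for _, v := range dirs {
			distinct[v] = true
		}
		if len(distinct) < 2 {
			delete(byDep, dep) // one version everywhere: no drift
		}
	}
	return byDep
}

func main() {
	fmt.Println(findDrift(sampleMods))
}
```

The hand-written parser keeps the example free of dependencies; `golang.org/x/mod/modfile` parses go.mod files in full and is the better base for a CI check.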

codecov bot commented Oct 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.39%. Comparing base (0dc7b27) to head (804caeb).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2757   +/-   ##
=======================================
  Coverage   61.39%   61.39%           
=======================================
  Files          81       81           
  Lines        8573     8573           
=======================================
  Hits         5263     5263           
  Misses       2816     2816           
  Partials      494      494           

| Flag | Coverage Δ |
| --- | --- |
| combined | 61.39% <ø> (ø) |

@julienrbrt julienrbrt added this pull request to the merge queue Oct 14, 2025
Merged via the queue into main with commit c315175 Oct 14, 2025
27 checks passed
@julienrbrt julienrbrt deleted the dependabot/go_modules/all-go-6decc32acb branch October 14, 2025 08:25
@github-project-automation github-project-automation bot moved this to Done in Evolve Oct 14, 2025