chore(deps): bump Go deps

[hanabi1224]

Summary of changes

Fix https://github.com/ChainSafe/forest/security/dependabot/135 and https://github.com/ChainSafe/forest/security/dependabot/136

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

• Chores
  • Updated multiple Go module dependencies including libp2p, libp2p-kad-dht, OpenTelemetry, Prometheus, Pion WebRTC components, and golang.org/x packages to their latest available versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This pull request updates Go module dependencies across three go.mod files: f3-sidecar, interop-tests, and tools/prometheus_metrics_validator. Multiple packages are bumped including rust2go, libp2p, Pion stack components, OpenTelemetry, golang.org/x packages, Prometheus, and protobuf. No public API changes occur.

Changes

Cohort / File(s)	Summary
F3-Sidecar module f3-sidecar/go.mod	Updates rust2go pre-release; upgrades libp2p and libp2p-kad-dht; bumps Pion stack (dtls, ice, webrtc, srtp, stun, rtp), OpenTelemetry, Prometheus, QUIC-Go, kyber/v4, and golang.org/x packages; removes francoispqt/gojay indirect dependency.
Interop-tests module interop-tests/src/tests/go_app/go.mod	Bumps rust2go; upgrades libp2p and kad-dht; updates Pion components, miekg/dns, OpenTelemetry (core, metric, trace), Prometheus common; migrates QUIC stack (qpack/quic-go); updates golang.org/x ecosystem and protobuf.
Prometheus validator tool tools/prometheus_metrics_validator/go.mod	Minor version bumps for Prometheus, Prometheus common, golang.org/x/text, and protobuf.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Verify compatibility of rust2go pre-release bump dates and versions across modules
• Check that libp2p, Pion stack, and OpenTelemetry version bumps maintain compatibility with existing code paths
• Confirm QUIC-Go migration from v0.55.0 to v0.57.1 with qpack restructuring does not break interop-tests or f3-sidecar usage

Possibly related PRs

• chore(deps): bump go-f3 #6019: Makes overlapping Go dependency bumps across the same f3-sidecar and interop-tests modules with coordinated rust2go, libp2p, and Pion stack updates.
• chore(deps): bump go-f3 and Go deps #5881: Modifies identical go.mod files with matching dependency version bumps for rust2go, libp2p, Pion stack, and golang.org/x packages.
• chore(deps): bump go deps #6238: Updates Go dependencies in f3-sidecar/go.mod and interop-tests go.mod files with overlapping rust2go, go-libp2p, Pion, and golang.org/x version increments.

Suggested labels

dependencies

Suggested reviewers

• LesnyRumcajs
• akaladarshi
• sudo-shashank

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping Go module dependencies across three separate go.mod files in the repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hm/bump-go-deps

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7ea3316 and 575a90a.

⛔ Files ignored due to path filters (3)

• f3-sidecar/go.sum is excluded by !**/*.sum
• interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
• tools/prometheus_metrics_validator/go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• f3-sidecar/go.mod (4 hunks)
• interop-tests/src/tests/go_app/go.mod (3 hunks)
• tools/prometheus_metrics_validator/go.mod (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.

Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.

📚 Learning: 2025-08-07T13:12:23.359Z

Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and was released on August 2, 2025. It is currently the latest stable version and can be used in Makefiles and CI configurations. The version follows the v2.x.x numbering scheme, not v1.x.x as I previously incorrectly stated.

Applied to files:

• interop-tests/src/tests/go_app/go.mod
• f3-sidecar/go.mod

📚 Learning: 2025-08-07T13:12:23.359Z

Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and is a valid release that can be used in Makefiles and CI configurations. It was released after v2.3.0.

Applied to files:

• interop-tests/src/tests/go_app/go.mod
• f3-sidecar/go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Coverage
• GitHub Check: Build forest binaries on Linux AMD64
• GitHub Check: tests-release
• GitHub Check: tests
• GitHub Check: cargo-publish-dry-run
• GitHub Check: Build Ubuntu
• GitHub Check: Build MacOS
• GitHub Check: All lint checks

🔇 Additional comments (3)

interop-tests/src/tests/go_app/go.mod (2)

1-3: Remove incorrect Go version concern; clarify or verify the referenced Dependabot advisories.

Go version 1.25.4 is a valid, released version (November 5, 2025) and the file's specification is correct. However, please clarify what specific Dependabot advisories (#135, #136) are being addressed, as these do not appear as identifiable security advisories in the repository context. If these refer to internal tracking numbers or GitHub issues, consider linking to them for clarity. The broad scope of dependency updates (libp2p, Pion stack, QUIC, OpenTelemetry, golang.org/x packages) remains valid for test verification before merging.

Likely an incorrect or invalid review comment.

---

6-6: Pion packages are not directly imported by test code; focus verification on libp2p and kad-dht API compatibility.

The test code in kad_impl.go and bitswap_impl.go only directly imports libp2p and libp2p-kad-dht. The Pion packages (dtls/v3, ice/v4, rtp, sctp, srtp/v3, stun/v3, webrtc/v4) are transitive dependencies and not directly used. API changes in Pion versions are unlikely to impact this module.

However, verify that libp2p v0.46.0 and kad-dht v0.36.0 do not introduce breaking changes to the public APIs used here:

• libp2p.New(), libp2p.ListenAddrStrings() (host creation)
• dht.New(), dht.Mode(), dht.ProtocolPrefix(), dht.DisableProviders(), dht.DisableValues() (DHT options)
• host.Connect(), host.Peerstore(), peer.AddrInfoFromP2pAddr() (core APIs)

f3-sidecar/go.mod (1)

1-3: Correct dependency scope: f3-sidecar updates libp2p v0.46.0 and golang.org/x/crypto v0.46.0 (not Pion/QUIC/OpenTelemetry).

Go version 1.25.4 is valid (released November 5, 2025). However, the review comment incorrectly states that f3-sidecar updates "Pion stack, QUIC, OpenTelemetry"—these are not in the actual dependencies. The real updates are libp2p v0.46.0, golang.org/x/crypto v0.46.0, and transitive dependencies like gogo/protobuf.

With only 7 test functions across 2 test files (ec_test.go and utils_test.go), test coverage for these dependency updates is minimal. Recommend adding tests specifically for libp2p networking paths and cryptographic operations exposed by golang.org/x/crypto v0.46.0.

Security advisories #135 and #136 could not be identified from available context; clarify which package(s) these advisories reference.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check git history for kyber version changes in f3-sidecar/go.mod
cd f3-sidecar
git log --oneline -p go.mod | grep -A 5 -B 5 "kyber" | head -40

Repository: ChainSafe/forest

Length of output: 636

---

🏁 Script executed:

# Check current state vs previous versions
cd f3-sidecar
git show HEAD:go.mod | grep kyber

Repository: ChainSafe/forest

Length of output: 181

---

🏁 Script executed:

# Search for kyber usage in f3-sidecar codebase
rg -t go "dedis.*kyber" f3-sidecar/

Repository: ChainSafe/forest

Length of output: 42

---

🌐 Web query:

go.dedis.ch kyber v4 latest stable release version

💡 Result:

The latest stable release for go.dedis.ch/kyber (module import path go.dedis.ch/kyber/v4) is v3.1.0 (released Nov 30, 2022). [1][2]

Sources:

• GitHub releases (dedis/kyber) — v3.1.0, Nov 30, 2022. [1]
• pkg.go.dev / go.dedis.ch/kyber/v4 documentation. [2]

---

🏁 Script executed:

cd f3-sidecar
git show HEAD~1:go.mod 2>/dev/null | grep -i kyber || echo "kyber not present in previous version"

Repository: ChainSafe/forest

Length of output: 97

---

🏁 Script executed:

# Find which dependency brings in kyber v4
cd f3-sidecar
rg -t go "kyber" --max-count=5

Repository: ChainSafe/forest

Length of output: 42

---

🏁 Script executed:

# Check go.mod for packages that might depend on kyber
cd f3-sidecar
grep -E "(lotus|filecoin|spec)" go.mod | head -10

Repository: ChainSafe/forest

Length of output: 318

---

Clarify necessity of alpha-release Kyber v4.0.1-alpha.1 or revert to stable v3.1.0.

Line 116 introduces go.dedis.ch/kyber/v4 v4.0.1-alpha.1 as a new indirect dependency in this PR. Using alpha versions in production—particularly for cryptographic operations—carries significant risk due to potential undisclosed security vulnerabilities, API instability, and harder debugging.

Note: v4.0.0 (stable) does not exist; the latest stable release is v3.1.0 (Nov 2022). Since kyber is marked indirect, it's likely a transitive dependency from filecoin-project/go-f3 v0.8.10. Clarify whether:

1. The kyber v4 alpha is unavoidable due to go-f3 requirements
2. Whether go-f3 can work with kyber v3.1.0 instead
3. If the alpha version is documented or justified in the PR description

If v3.1.0 is compatible, prefer the stable release. If v4.0.1-alpha.1 is unavoidable, document the security rationale.

🤖 Prompt for AI Agents

In f3-sidecar/go.mod around line 116, the addition of the alpha release
go.dedis.ch/kyber/v4 v4.0.1-alpha.1 (indirect) is risky for crypto code; run `go
mod why go.dedis.ch/kyber/v4` and `go mod graph` to identify which direct
dependency (likely filecoin-project/go-f3) is pulling v4, then either (A) if
compatible, add a direct require for go.dedis.ch/kyber v3.1.0 in go.mod (or a
replace) to pin the stable release and run `go mod tidy` and full test suite, or
(B) if v4 is unavoidable, document this in the PR (why v4 is required, security
review steps, and link to upstream issues/maintainer confirmation) and add a
short go.mod comment and changelog entry; if incompatibilities remain, open an
upstream issue with filecoin-project/go-f3 to request v3 compatibility or
rationale for v4.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

prometheus v0.308.0 pkg.go.dev release security

💡 Result:

Short answer: pkg.go.dev hosts the Prometheus Go module documentation for the repo but does not publish Prometheus release security advisories or detailed release changelogs. For security/fix details for a specific release (e.g. v0.308.0) use the Prometheus project release notes / GitHub releases and the Prometheus security advisories/issues pages. See the pkg.go.dev module page and Prometheus GitHub issue tracker/security discussion for vulnerabilities. [1][2]

Sources:

• Prometheus module on pkg.go.dev (module docs only). [1]
• Prometheus GitHub (issues / security / releases used for advisories and vulnerability reports). Example issue discussing vulnerabilities. [2]

---

🌐 Web query:

google.golang.org/protobuf v1.36.11 security advisory Dependabot

💡 Result:

Short answer: Dependabot alerts for the protojson infinite-loop DoS (CVE-2024-24786) affect google.golang.org/protobuf versions <= v1.32.0 and were fixed in v1.33.0; v1.36.11 is a newer release that already contains the fix (and additional bug/security hardening). Upgrade to v1.36.11 (or any >= v1.33.0) to address that advisory. [1][2][3]

Sources:

• Snyk advisory for CVE-2024-24786 (fix in v1.33.0). [1]
• Go team announcement (security fix / CVE-2024-24786). [2]
• protobuf-go v1.36.11 release notes (user-visible fixes/bugfixes). [3]

---

🌐 Web query:

prometheus/common v0.67.4 pkg.go.dev release notes

💡 Result:

prometheus/common v0.67.4 — release notes (v0.67.4 / 2025-11-18)

• chore: clean up golangci-lint configuration. [1]
• chore: add omitempty to OAuth2 fields with type Secret to avoid requiring them. [1]
• chore: add omitempty tag to all config fields. [1]

Full release entry on GitHub. [1][2]

Sources:
[1] GitHub — prometheus/common release v0.67.4 (Nov 18, 2025).
[2] Example dependabot/PR summary referencing v0.67.4 release notes.

---

🌐 Web query:

golang.org/x/text v0.32.0 security patches Dependabot

💡 Result:

Yes — Dependabot has been opening automated bumps to golang.org/x/text v0.32.0; those PRs (examples: Apache camel-k, plc4x) show Dependabot moving projects from v0.31.0 → v0.32.0. [1][2]

Security context:

• Known x/text vulnerabilities (examples) were fixed in earlier releases: CVE‑2021‑38561 (fixed in 0.3.7) and CVE‑2020‑14040 (fixed in 0.3.3). Upgrading to current module releases (e.g. v0.32.0) addresses those historical issues. [3][4]

If you saw a Dependabot security alert/PR for v0.32.0, it’s the expected automated bump to a newer module version that includes past security fixes; merge or test the PR and update your go.mod to the bumped version to remediate. (If you want, tell me the Dependabot PR URL and I’ll inspect it.)

Sources: [1] Dependabot bump examples (camel‑k). [2] Dependabot PR (plc4x). [3] GitLab/Golang advisory for CVE‑2021‑38561. [4] CVE‑2020‑14040 details.

---

Approve most updates; clarify security scope.

The protobuf upgrade to v1.36.11 does address a known security issue (CVE-2024-24786, a protojson infinite-loop DoS vulnerability fixed in v1.33.0+). However, the other updates are routine maintenance bumps without security implications: prometheus/common v0.67.4 contains only tooling/config cleanups, and golang.org/x/text v0.32.0 incorporates historical security fixes from earlier releases, not targeted advisories. All versions are legitimate and available on pkg.go.dev. The prometheus v0.308.0 bump is a minor version increment unlikely to introduce breaking changes.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.41%. Comparing base (7ea3316) to head (575a90a).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

see 7 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ea3316...575a90a. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.