chore(deps): bump go deps #6757

Merged
hanabi1224 merged 2 commits into main from hm/bump-go-deps
Mar 18, 2026

@hanabi1224 hanabi1224 commented Mar 17, 2026

Summary of changes

bump go deps to fix https://github.com/ChainSafe/forest/security/dependabot/154 and https://github.com/ChainSafe/forest/security/dependabot/155

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

  • I have read and agree to the CONTRIBUTING document.
  • I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

  • Chores
    • Updated multiple project dependencies for improved security, performance, and stability across networking libraries, cryptography packages, telemetry components, and monitoring tools.
    • Upgraded Go standard library packages and related development tooling to latest available versions.

coderabbitai bot commented Mar 17, 2026

Walkthrough

This PR updates Go module dependencies across three go.mod files: f3-sidecar, interop-tests, and tools/prometheus_metrics_validator. Changes include version bumps for libp2p, rust2go, Pion WebRTC components, OpenTelemetry, golang.org/x packages, and other indirect dependencies.

Changes

| Cohort / File(s) | Summary |
|---|---|
| F3-Sidecar Dependencies, `f3-sidecar/go.mod` | Updated direct dependencies: go-jsonrpc v0.10.0→v0.10.1, rust2go pseudo-version, go-libp2p v0.47.0→v0.48.0, go-libp2p-kad-dht v0.37.1→v0.38.0, golang.org/x/crypto v0.48.0→v0.49.0. Updated indirect dependencies: gnark-crypto, secp256k1, boxo, go-ipld-prime, Pion stack (ice, sctp, sdp, webrtc), refmt, prometheus/procfs, OpenTelemetry family, and golang.org/x/* utilities. |
| Interop Tests Dependencies, `interop-tests/src/tests/go_app/go.mod` | Updated direct dependencies: rust2go pseudo-version, boxo v0.36.0→v0.37.0, go-libp2p v0.47.0→v0.48.0, go-libp2p-kad-dht v0.37.1→v0.38.0, secp256k1 v4.4.0→v4.4.1, Pion stack upgrades (ice, sctp, sdp, webrtc), OpenTelemetry to v1.42.0, golang.org/x packages, yaml/v2 v2.4.3→v2.4.4, go-ipld-prime v0.21.0→v0.22.0. Removed dtls/v2 and stun v0.6.1 entries. |
| Prometheus Metrics Validator Dependencies, `tools/prometheus_metrics_validator/go.mod` | Updated direct dependencies: prometheus v0.309.1→v0.310.0, cli/v3 v3.6.2→v3.7.0. Updated indirect dependencies: yaml/v2 v2.4.3→v2.4.4, golang.org/x/text v0.34.0→v0.35.0. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • chore(deps): bump go-f3 #6019: Updates same f3-sidecar and interop-tests go.mod dependencies including rust2go, boxo, libp2p, and OpenTelemetry modules.
  • chore(deps): bump go deps #6238: Performs overlapping dependency version bumps across f3-sidecar/go.mod with libp2p, rust2go, boxo, otel, and golang.org/x packages.
  • chore(deps): bump go-deps #6536: Modifies the same go.mod files with overlapping dependency updates including rust2go, libp2p, boxo, and prometheus/otel.

Suggested reviewers

  • akaladarshi
  • sudo-shashank
  • LesnyRumcajs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(deps): bump go deps' clearly and specifically describes the main change—updating Go dependencies across multiple modules. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"


@hanabi1224 hanabi1224 marked this pull request as ready for review March 17, 2026 23:54
@hanabi1224 hanabi1224 requested a review from a team as a code owner March 17, 2026 23:54
@hanabi1224 hanabi1224 requested review from akaladarshi and sudo-shashank and removed request for a team March 17, 2026 23:54
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
f3-sidecar/go.mod (1)

14-15: Note potential cross-repository compatibility concerns with lotus.

The linked repository filecoin-project/lotus uses overlapping libp2p dependencies. Based on the linked findings:

  • lotus imports github.com/libp2p/go-libp2p and github.com/libp2p/go-libp2p-kad-dht extensively across networking, pubsub, and DHT modules
  • lotus go.mod shows go-libp2p v0.47.0 and kad-dht v0.38.0

This Forest PR updates to go-libp2p v0.48.0, which differs from lotus's v0.47.0. If Forest and lotus interact at the networking layer, version mismatches could cause:

  • Protocol incompatibilities
  • DHT routing issues
  • Pubsub message handling differences

Please verify that these version differences are acceptable for the integration between Forest and lotus, especially for F3 consensus communication.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@f3-sidecar/go.mod` around lines 14 - 15, The go.mod bumps
github.com/libp2p/go-libp2p to v0.48.0 (while lotus uses v0.47.0 for go-libp2p
and v0.38.0 for go-libp2p-kad-dht), which may introduce cross-repo compatibility
issues; confirm compatibility by either pinning go-libp2p to v0.47.0 to match
lotus or explicitly validating v0.48.0: review the libp2p and kad-dht changelogs
for breaking changes, run end-to-end networking/DHT/pubsub integration tests
between Forest (F3) and lotus, and if any incompatibility appears, adjust the
dependency in go.mod (github.com/libp2p/go-libp2p and
github.com/libp2p/go-libp2p-kad-dht) to the compatible version or add module
replacement rules to enforce a compatible set.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@f3-sidecar/go.mod`:
- Around line 49-50: Update code to handle boxo v0.37.0 breaking changes: search
for any gateway/content-negotiation code and ensure the new “?format=” override
behavior is correct; if you rely on automatic codec conversions enable
Config.AllowCodecConversion=true where codec conversions were previously
implicit; replace any Zipkin tracing exporter usage with OTLP-compatible code
paths or route Zipkin to OTLP ingestion; review any UnixFS HAMT sharding setup
and adjust HAMTShardingSize to account for the threshold change (>= → >); audit
uses of chunker.DefaultBlockSize (now a var and 2MiB max) and adjust chunker
configuration if you depended on the old 1MiB constant; finally run
unit/integration tests and validate OpenTelemetry and Pion WebRTC compatibility
(OTel v1.42.0 and Pion v4.2.9) and update go.mod/go.sum accordingly.

📥 Commits

Reviewing files that changed from the base of the PR and between ef963b4 and 7d88aa8.

⛔ Files ignored due to path filters (3)
  • f3-sidecar/go.sum is excluded by !**/*.sum
  • interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
  • tools/prometheus_metrics_validator/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • f3-sidecar/go.mod
  • interop-tests/src/tests/go_app/go.mod
  • tools/prometheus_metrics_validator/go.mod
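
The version comparison the review above asks for can be scripted. This is an added example, not code from the Forest or lotus repositories: the two go.mod excerpts are constructed (placeholder module paths) and carry only versions quoted in this thread, and `parseRequires` and `mismatches` are hypothetical helper names.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod excerpts (placeholder module paths); versions are those quoted in the thread.
const forestMod = `module example.invalid/f3-sidecar

require (
	github.com/libp2p/go-libp2p v0.48.0
	github.com/libp2p/go-libp2p-kad-dht v0.38.0
	golang.org/x/crypto v0.49.0
)
`

const lotusMod = `module example.invalid/lotus

require github.com/libp2p/go-libp2p v0.47.0 // single-line form
require github.com/libp2p/go-libp2p-kad-dht v0.38.0
`

// Mismatch is a module that both files require at different versions.
type Mismatch struct{ Module, Ours, Theirs string }

// parseRequires (hypothetical helper) maps module path to version for every
// require directive, in block or single-line form, ignoring trailing comments.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false // also closes replace/exclude blocks, which are skipped
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case !inBlock && len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// mismatches (hypothetical helper) lists shared modules pinned at different versions, sorted by path.
func mismatches(ours, theirs map[string]string) []Mismatch {
	var out []Mismatch
	for mod, v := range ours {
		if tv, ok := theirs[mod]; ok && tv != v {
			out = append(out, Mismatch{mod, v, tv})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, m := range mismatches(parseRequires(forestMod), parseRequires(lotusMod)) {
		fmt.Printf("%s: ours %s, theirs %s\n", m.Module, m.Ours, m.Theirs)
	}
}
```

Two separately built binaries never share a module graph, so a hit here is a prompt to run the interop tests between the two nodes, not a build error.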

@hanabi1224 hanabi1224 added this pull request to the merge queue Mar 18, 2026
Merged via the queue into main with commit 37418a6 Mar 18, 2026
36 checks passed
@hanabi1224 hanabi1224 deleted the hm/bump-go-deps branch March 18, 2026 08:06
@hanabi1224
Contributor Author

@coderabbitai create 3 issues to track the implementation of https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md, porting filecoin-project/lotus#12093 and porting filecoin-project/lotus#13547

coderabbitai bot commented Mar 19, 2026

🧩 Analysis chain

Let me first gather details about all three items so I can create meaningful issue titles and descriptions.

Now let me fetch the Lotus PR details.


🏁 Script executed:

#!/bin/bash
# Fetch Lotus PR `#12093` details
gh pr view 12093 --repo filecoin-project/lotus --json title,body,url 2>/dev/null | jq '{title, url, body: (.body | .[0:500])}'

echo "---"

# Fetch Lotus PR `#13547` details
gh pr view 13547 --repo filecoin-project/lotus --json title,body,url 2>/dev/null | jq '{title, url, body: (.body | .[0:500])}'

Length of output: 3


Let me fetch the PR details via web search.

Let me fetch the Lotus PR details directly via the GitHub REST API.


🏁 Script executed:

#!/bin/bash
# Fetch Lotus PR `#12093` via REST API
curl -s "https://api.github.com/repos/filecoin-project/lotus/pulls/12093" \
  -H "Accept: application/vnd.github.v3+json" | jq '{title, html_url, body: (.body | .[0:600])}'

echo "---"

# Fetch Lotus PR `#13547` via REST API
curl -s "https://api.github.com/repos/filecoin-project/lotus/pulls/13547" \
  -H "Accept: application/vnd.github.v3+json" | jq '{title, html_url, body: (.body | .[0:600])}'

Length of output: 1565


Now I have all the details. Let me create the 3 issues.


🏁 Script executed:

#!/bin/bash
# Issue 1: FRC-0089 Implementation
gh issue create \
  --repo ChainSafe/forest \
  --title "feat: implement FRC-0089 EC finality calculator" \
  --assignee hanabi1224 \
  --body "## Overview

Implement the EC (Expected Consensus) finality calculator as specified in [FRC-0089](https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md).

## Background

FRC-0089 proposes a dynamic finality calculator for Filecoin that considers observed chain history to attain finality guarantees more efficiently than the current static 900-epoch threshold. The calculator can achieve a 2^{-30} error probability in approximately 30 epochs (~15 minutes), a ~30x improvement over the current approach.

## References

- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md
- Reference implementation (ec-finality-calculator): https://github.com/consensus-shipyard/ec-finality-calculator

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757 by \`@hanabi1224\`"

echo "---"

# Issue 2: Port Lotus PR `#12093`
gh issue create \
  --repo ChainSafe/forest \
  --title "feat: port Lotus PR \`#12093\` - EC finality calculator shed tool (FRC-0089)" \
  --assignee hanabi1224 \
  --body "## Overview

Port the EC finality calculator shed/CLI tool from Lotus to Forest, as implemented in [filecoin-project/lotus#12093](https://github.com/filecoin-project/lotus/pull/12093).

## Background

Lotus PR \`#12093\` (\`feat(shed): ec finality calculator (FRC-0089)\`) adds a shed utility that takes a file of chain tipset counts and computes the EC finality probability based on FRC-0089. This is a standalone CLI tool useful for analysis and validation.

## References

- Lotus PR: https://github.com/filecoin-project/lotus/pull/12093
- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md
- EC finality calculator reference: https://github.com/consensus-shipyard/ec-finality-calculator

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757 by \`@hanabi1224\`"

echo "---"

# Issue 3: Port Lotus PR `#13547`
gh issue create \
  --repo ChainSafe/forest \
  --title "feat: port Lotus PR \`#13547\` - integrate EC finality calculator into API and Eth RPC (FRC-0089)" \
  --assignee hanabi1224 \
  --body "## Overview

Port the deep integration of the FRC-0089 EC finality calculator into Forest's API and Eth RPC, as implemented in [filecoin-project/lotus#13547](https://github.com/filecoin-project/lotus/pull/13547).

## Background

Lotus PR \`#13547\` (\`feat(api): integrate EC finality calculator into v2 API and Eth RPC\`) builds on the shed tool from \`#12093\` and integrates the EC finality calculator more deeply:

- Moves the calculator into the core node and adds a caching module (recalculates once per head change at most).
- Adds the probabilistic EC finality calculator alongside F3 for determining \`finalized\`/\`safe\` tipsets — effectively \`finalized = min(f3, ec-calculator)\`, replacing the static 900-epoch fallback.
- Introduces the \`ChainGetTipSetFinalityStatus\` v2 API endpoint.
- Wires the calculator into both v2 and Eth tag resolution.

## References

- Lotus PR: https://github.com/filecoin-project/lotus/pull/13547
- Depends on porting: https://github.com/filecoin-project/lotus/pull/12093
- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757 by \`@hanabi1224\`"

Length of output: 235


@hanabi1224 The sandbox environment doesn't have GitHub authentication available, so I wasn't able to create the issues automatically. Here are the 3 issues ready to be created — you can open them directly using these links:


Issue 1 — Implement FRC-0089 EC finality calculator

Title: feat: implement FRC-0089 EC finality calculator

🔗 Create Issue

Body:

## Overview

Implement the EC (Expected Consensus) finality calculator as specified in [FRC-0089](https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md).

## Background

FRC-0089 proposes a dynamic finality calculator for Filecoin that considers observed chain history to attain finality guarantees more efficiently than the current static 900-epoch threshold. The calculator can achieve a 2^{-30} error probability in approximately 30 epochs (~15 minutes), a ~30x improvement over the current approach.

## References

- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md
- Reference implementation: https://github.com/consensus-shipyard/ec-finality-calculator

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757

Issue 2 — Port Lotus #12093: EC finality calculator shed tool

Title: feat: port Lotus PR #12093 - EC finality calculator shed tool (FRC-0089)

🔗 Create Issue

Body:

## Overview

Port the EC finality calculator shed/CLI tool from Lotus to Forest, as implemented in [filecoin-project/lotus#12093](https://github.com/filecoin-project/lotus/pull/12093).

## Background

Lotus PR `#12093` (`feat(shed): ec finality calculator (FRC-0089)`) adds a shed utility that takes a file of chain tipset counts and computes the EC finality probability based on FRC-0089. This is a standalone CLI tool useful for analysis and validation.

## References

- Lotus PR: https://github.com/filecoin-project/lotus/pull/12093
- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md
- EC finality calculator reference: https://github.com/consensus-shipyard/ec-finality-calculator

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757

Issue 3 — Port Lotus #13547: Integrate EC finality calculator into API and Eth RPC

Title: feat: port Lotus PR #13547 - integrate EC finality calculator into API and Eth RPC (FRC-0089)

🔗 Create Issue

Body:

## Overview

Port the deep integration of the FRC-0089 EC finality calculator into Forest's API and Eth RPC, as implemented in [filecoin-project/lotus#13547](https://github.com/filecoin-project/lotus/pull/13547).

## Background

Lotus PR `#13547` (`feat(api): integrate EC finality calculator into v2 API and Eth RPC`) builds on the shed tool from `#12093` and integrates the EC finality calculator more deeply:

- Moves the calculator into the core node and adds a caching module (recalculates once per head change at most).
- Adds the probabilistic EC finality calculator alongside F3 for determining `finalized`/`safe` tipsets — effectively `finalized = min(f3, ec-calculator)`, replacing the static 900-epoch fallback.
- Introduces the `ChainGetTipSetFinalityStatus` v2 API endpoint.
- Wires the calculator into both v2 and Eth tag resolution.

## References

- Lotus PR: https://github.com/filecoin-project/lotus/pull/13547
- Depends on porting: https://github.com/filecoin-project/lotus/pull/12093
- FRC-0089 spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0089.md

## Related

- Raised during review of https://github.com/ChainSafe/forest/pull/6757

🧠 Learnings used
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.

Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.
