chore: bump Go deps #6938

Merged
LesnyRumcajs merged 1 commit into main from hm/bump-go-deps
Apr 20, 2026

@hanabi1224 hanabi1224 commented Apr 20, 2026

Summary of changes

To fix:
https://github.com/ChainSafe/forest/security/dependabot/211

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

  • I have read and agree to the CONTRIBUTING document.
  • I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

  • Chores
    • Updated Go module dependencies across multiple components to maintain compatibility with upstream libraries. Updates include IPFS networking libraries, cryptographic packages, compression utilities, and observability frameworks.

coderabbitai bot commented Apr 20, 2026

Walkthrough

Updated Go module dependencies across three files by incrementing versions for libraries including IPFS-related modules (go-cid, boxo, libp2p-kad-dht), Pion packages (WebRTC, ICE, SCTP, STUN), OpenTelemetry modules, and standard Go tooling packages (golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, etc.).

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| IPFS and Networking Dependencies: f3-sidecar/go.mod, interop-tests/src/tests/go_app/go.mod | Bumped github.com/ipfs/go-cid (0.6.0→0.6.1), github.com/ipfs/boxo (0.37.0→0.38.0), github.com/libp2p/go-libp2p-kad-dht (0.38.0→0.39.0), Pion packages (webrtc 4.2.9→4.2.11, ice 4.2.1→4.2.4, sctp 1.9.3→1.9.4, stun 3.1.1→3.1.2), and base58/multibase utilities. |
| OpenTelemetry and Go Runtime: f3-sidecar/go.mod, interop-tests/src/tests/go_app/go.mod | Advanced go.opentelemetry.io/otel (1.42.0→1.43.0) and metric/trace submodules, plus golang.org/x packages (crypto 0.49.0→0.50.0, net 0.52.0→0.53.0, sys 0.42.0→0.43.0, text 0.35.0→0.36.0, mod/exp/tools/telemetry to newer versions). |
| Prometheus Validator Tool: tools/prometheus_metrics_validator/go.mod | Updated github.com/prometheus/prometheus (0.310.0→0.311.2) and github.com/urfave/cli/v3 (3.7.0→3.8.0), with indirect golang.org/x/text bump (0.35.0→0.36.0). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • sudo-shashank
  • LesnyRumcajs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: bump Go deps' directly and accurately describes the main change: updating Go module dependencies across three go.mod files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"


@hanabi1224 hanabi1224 marked this pull request as ready for review April 20, 2026 06:55
@hanabi1224 hanabi1224 requested a review from a team as a code owner April 20, 2026 06:55
@hanabi1224 hanabi1224 requested review from LesnyRumcajs and akaladarshi and removed request for a team April 20, 2026 06:55

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@f3-sidecar/go.mod`:
- Around line 10-18: tools/prometheus_metrics_validator still pins older
pre-bump deps (golang.org/x/crypto v0.49.0, golang.org/x/sys v0.42.0,
go.opentelemetry.io/otel v1.42.0); update
tools/prometheus_metrics_validator/go.mod to match the bumped versions used in
the workspace (e.g., golang.org/x/crypto -> v0.50.0 and the corresponding bumped
versions of golang.org/x/sys and go.opentelemetry.io/otel), then regenerate
tools/prometheus_metrics_validator/go.sum so it no longer contains the old
versions; check the dependency entries by name (golang.org/x/crypto,
golang.org/x/sys, go.opentelemetry.io/otel) to locate and replace them.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8a43dfa0-4c6d-415d-8b01-712b3dbe3bc7

📥 Commits

Reviewing files that changed from the base of the PR and between 61502d6 and 1f8f9ae.

⛔ Files ignored due to path filters (3)
  • f3-sidecar/go.sum is excluded by !**/*.sum
  • interop-tests/src/tests/go_app/go.sum is excluded by !**/*.sum
  • tools/prometheus_metrics_validator/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • f3-sidecar/go.mod
  • interop-tests/src/tests/go_app/go.mod
  • tools/prometheus_metrics_validator/go.mod

Comment thread f3-sidecar/go.mod
@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Apr 20, 2026
Merged via the queue into main with commit 919b53e Apr 20, 2026
43 of 44 checks passed
@LesnyRumcajs LesnyRumcajs deleted the hm/bump-go-deps branch April 20, 2026 08:36
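
One way to automate the check the review comment on f3-sidecar/go.mod asks for: compare the versions two go.mod files pin for the same module and report every mismatch. This is an added example, not code from the Forest repository or from CodeRabbit; the function names are hypothetical and the go.mod fragments are constructed, using only versions quoted in that comment.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// parseRequires maps module path -> version for the require directives in go.mod text.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// findDrift lists "module want got" for each module `other` pins differently from `ref`.
func findDrift(ref, other string) []string {
	want, out := parseRequires(ref), []string{}
	for mod, got := range parseRequires(other) {
		if w, ok := want[mod]; ok && w != got {
			out = append(out, fmt.Sprintf("%s %s %s", mod, w, got))
		}
	}
	sort.Strings(out)
	return out
}

// Constructed go.mod fragments (assumption): versions are those quoted in the review comment.
const sidecar = "module example/sidecar\nrequire (\n\tgolang.org/x/crypto v0.50.0\n\tgolang.org/x/sys v0.43.0 // indirect\n\tgolang.org/x/text v0.36.0\n)\n"
const validator = "module example/validator\nrequire golang.org/x/crypto v0.49.0\nrequire (\n\tgolang.org/x/sys v0.42.0 // indirect\n\tgolang.org/x/text v0.36.0\n)\n"

func main() {
	fmt.Println(strings.Join(findDrift(sidecar, validator), "\n"))
}
```

The parser reads only require directives; golang.org/x/mod/modfile is the full go.mod parser when replace or exclude directives matter.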