kubo 0.41.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

Details

release notes

[!NOTE]

This release  was brought to you by the Shipyard team.



Overview
🔦 Highlights

🗑️ Faster Provide Queue Disk Reclamation
✨ New ipfs cid inspect command
🔤 --cid-base fixes across all commands
🔄 Built-in ipfs update command
🖥️ WebUI Improvements
🔧 Correct provider addresses for custom HTTP routing
🔀 Provide.Strategy modifiers: +unique and +entities
📌 pin add and pin update now fast-provide root CID
🌳 New --fast-provide-dag flag for fine-tuned provide control
🛡️ Hardened Provide.Strategy parsing
🔧 Filestore now respects Provide.Strategy
🛡️ ipfs object patch validates UnixFS node types
🔗 MFS: fixed CidBuilder preservation
📂 FUSE Mount Improvements
📦 CARv2 import over HTTP API
🌐 HTTPS proxy support
🛡️ server profile no longer announces loopback and non-public IPv6 addresses
🐹 Go 1.26, Once More with Feeling
🐛 Fixed long-standing random daemon crashes during DHT lookups
📦️ Dependency updates


📝 Changelog
👨‍👩‍👧‍👦 Contributors

Overview
🔦 Highlights
🗑️ Faster Provide Queue Disk Reclamation
Nodes with significant amount of data and DHT provide sweep enabled (Provide.DHT.SweepEnabled, the default since Kubo 0.39) could see their datastore/ directory grow continuously.  Each reprovide cycle rewrote the provider keystore inside the shared repo  datastore, generating tombstones faster than the storage engine could compact  them, and in default configuration Kubo was slow to reclaim this space.
The provider keystore now lives in a dedicated datastore under $IPFS_PATH/provider-keystore/. After each reprovide cycle the old datastore is removed from disk entirely, so space is reclaimed immediately regardless

of storage backend.
On first start after upgrading, stale keystore data is cleaned up from the shared datastore automatically.
To learn more, see kubo#11096, kubo#11198, and go-libp2p-kad-dht#1233.
✨ New ipfs cid inspect command
New subcommand for breaking down a CID into its components. Works offline, supports --enc=json.
$ ipfs cid inspect bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
CID:        bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
Version:    1
Multibase:  base32 (b)
Multicodec: dag-pb (0x70)
Multihash:  sha2-256 (0x12)
  Length:   32 bytes
  Digest:   c3c4733ec8affd06cf9e9ff50ffc6bcd2ec85a6170004bb709669c31de94391a
CIDv0:      QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR
CIDv1:      bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
See ipfs cid --help for all CID-related commands.
🔤 --cid-base fixes across all commands
--cid-base is now respected by every command that outputs CIDs. Previously block stat, block put, block rm, dag stat, refs local, pin remote, and files chroot ignored the flag.
CIDv0 values are now auto-upgraded to CIDv1 when a non-base58btc base is requested, because CIDv0 can only be represented in base58btc.
🔄 Built-in ipfs update command
Kubo now ships with a built-in ipfs update command that downloads release binaries from GitHub and swaps the current one in place. It supersedes the external ipfs-update tool, deprecated since v0.37.
$ ipfs update check
Update available: 0.40.0 -> 0.41.0
Run 'ipfs update install' to install the latest version.
See ipfs update --help for the available subcommands (check, versions, install, revert, clean).
🖥️ WebUI Improvements
IPFS Web UI has been updated to v4.12.0.
IPv6 peer geolocation and Peers screen optimizations
The Peers screen now resolves IPv6 addresses to geographic locations, and the geolocation database has been updated to GeoLite2-City-CSV_20260220. (ipfs-geoip v9.3.0)
Peer locations load faster thanks to UX optimizations in the underlying ipfs-geoip library.
🔧 Correct provider addresses for custom HTTP routing
Nodes using custom routing (Routing.Type=custom) with IPIP-526 could end up publishing unresolved 0.0.0.0 addresses in provider records. Addresses are now resolved at provide-time, and when AutoNAT V2 has confirmed publicly reachable addresses, those are preferred automatically. See #11213.
🔀 Provide.Strategy modifiers: +unique and +entities
Experimental opt-in optimizations for content providers with large repositories where multiple recursive pins share most of their DAG structure (e.g. append-only datasets, versioned archives like dist.ipfs.tech).

+unique: bloom filter dedup across recursive pins. Shared subtrees are traversed only once per reprovide cycle instead of once per pin, cutting I/O from O(pins * blocks) to O(unique blocks) at ~4 bytes/CID.
+entities: announces only entity roots (files, directories, HAMT shards), skipping internal file chunks. Far fewer DHT provider records while keeping all content discoverable by file/directory CID. Implies +unique.

Example: Provide.Strategy = "pinned+mfs+entities"
The default Provide.Strategy=all is unchanged. See Provide.Strategy for configuration details and caveats.
The bloom filter precision is tunable via Provide.BloomFPRate (default ~1 false positive per 4.75M lookups, ~4 bytes per CID).
📌 pin add and pin update now fast-provide root CID
ipfs pin add and ipfs pin update announce the pinned root CID to the routing system immediately after pinning, same as ipfs add and ipfs dag import. This matters for selective strategies like pinned+mfs, where previously the root CID was not announced until the next reprovide cycle (see Provide.DHT.Interval). With the default Provide.Strategy=all, the blockstore already provides every block on write, so this is a no-op.
Both commands now accept --fast-provide-root, --fast-provide-dag, and --fast-provide-wait flags, matching ipfs add and ipfs dag import. See Import for defaults and configuration.
🌳 New --fast-provide-dag flag for fine-tuned provide control
Users with a custom Provide.Strategy (e.g. pinned, pinned+mfs+entities) now have finer control over which CIDs are announced immediately on ipfs add, ipfs dag import, ipfs pin add, and ipfs pin update.
By default, only the root CID is provided right away (--fast-provide-root=true). Child blocks are deferred until the next reprovide cycle. This keeps bulk imports fast and avoids overwhelming online nodes with provide traffic.
Pass --fast-provide-dag=true (or set Import.FastProvideDAG) to provide the full DAG immediately during add, using the active Provide.Strategy to determine scope.
Provide.Strategy=all (default) is unaffected. It provides every block at the blockstore level regardless of this flag.

[!NOTE]

Faster default imports for Provide.Strategy=pinned and pinned+mfs users. Previously, ipfs add --pin eagerly announced every block of newly added content as it was written, through an internal DAG service wrapper. This release routes add-time providing through the new --fast-provide-dag code path, which defaults to false. The result is faster bulk imports and less provide traffic during add: only the root CID is announced immediately (via Import.FastProvideRoot), and child blocks are picked up by the next reprovide cycle (see Provide.DHT.Interval, default 22h). To restore the previous eager-provide behavior on ipfs add, set Import.FastProvideDAG=true (or pass --fast-provide-dag=true per command); the walker honors the active Provide.Strategy. Provide.Strategy=all (the default) is unaffected.

🛡️ Hardened Provide.Strategy parsing
Unknown strategy tokens (e.g. typo "uniuqe"), malformed delimiters ("pinned+"), and invalid combinations ("all+pinned") now produce a clear error at startup instead of being silently ignored.
🔧 Filestore now respects Provide.Strategy
Blocks added via the filestore or urlstore (ipfs add --nocopy) used to ignore Provide.Strategy and were always announced at write time. The filestore is now gated on the strategy the same way the regular blockstore is, so selective strategies get the same fast-provide knobs for filestore-backed content that they already had for regular ipfs add.
🛡️ ipfs object patch validates UnixFS node types
As part of the ongoing deprecation of the legacy ipfs object API (which predates HAMTShard directories and CIDv1), the add-link and rm-link subcommands now validate the root node before mutating it.
These commands operate at the raw dag-pb level and can only safely mutate small, flat UnixFS directories. They are unable to update UnixFS metadata (HAMT bitfields, file Blocksizes), so using them on files or sharded directories would silently produce invalid DAGs. This is now rejected:

File nodes: rejected (corrupts Blocksizes, content lost on read-back)
HAMTShard nodes: rejected (HAMT bitfield not updated, corrupts directory)
Non-UnixFS dag-pb nodes: rejected by default
Directory nodes: allowed (the only safe case)

Use ipfs files commands (mkdir, cp, rm, mv) instead. They handle all directory types correctly, including large sharded directories.
A --allow-non-unixfs flag is available on both ipfs object patch commands to bypass validation.
🔗 MFS: fixed CidBuilder preservation
ipfs files commands now correctly preserve the configured CID version and hash function  (Import.CidVersion, Import.HashFunction) in all MFS operations. Previously, the CidBuilder could be silently lost when modifying file contents, creating nested directories with mkdir -p, or restarting the daemon, causing some entries to fall back to CIDv0/sha2-256.
Additionally, the MFS root directory itself now respects Import.CidVersion and Import.HashFunction at daemon startup. Before this fix, the root always used CIDv0/sha2-256 regardless of config. Because the MFS root CID format is now managed by these config options, ipfs files chcid no longer accepts the root path /. It continues to work on subdirectories.
See boxo#1125 and kubo#11273.
📂 FUSE Mount Improvements
The FUSE implementation has been rewritten on top of hanwen/go-fuse v2, replacing the unmaintained bazil.org/fuse. This fixes long-standing architectural limitations and aligns FUSE mounts with what standard tools expect. FUSE support is still experimental. See docs/fuse.md for setup instructions, and report problems at kubo/issues.

fsync works. Editors (vim, emacs) and databases that call fsync after writing no longer get a silent no-op. Data is flushed through the open file descriptor to the DAG. The full vim save sequence (O_TRUNC + write + fsync + chmod) is tested.
ftruncate works. Tools like rsync --inplace that shrink or grow files via ftruncate(fd, size) no longer get ENOTSUP. Opening existing files with O_TRUNC also works correctly.
chmod and touch no longer drop file content. With Mounts.StoreMode/StoreMtime enabled, setting mode or mtime previously replaced the DAG node without preserving content links, leaving the file empty.
Symlink creation on writable mounts. ln -s target link now works on /mfs and /ipns. Symlinks are stored as UnixFS TSymlink nodes, the same format used by ipfs add.
Rename-over-existing works. Renaming a file onto an existing name (the pattern used by rsync and atomic-save editors) now correctly replaces the target.
Faster reads on /ipfs. Files are read sequentially from the block graph instead of re-resolving from the root on every read call.
Interrupting a stuck cat works. Ctrl-C or kill on a read cancels in-flight block fetches instead of hanging.
External unmount detected. Running fusermount -u from outside the daemon now correctly marks the mount as inactive.
Files are no longer owned by root. Mounts report the uid/gid of the daemon process, so access works without allow_other.
Offline IPNS writes succeed. IPNS records are stored locally and published when connectivity returns.
Empty directories list correctly. Listing an empty directory on /ipfs or /ipns no longer returns an error.
Bare file CIDs work on /ipfs. Accessing a file by its CID directly under the /ipfs mount now works. This was a long-standing regression.
Rename works on /mfs and /ipns. Renaming a file within the same directory no longer leaves the source behind.
IPNS FUSE publish works. Writing files to /ipns/local/ now correctly publishes the updated DAG. Previously IPNS publishing from the FUSE mount was silently blocked.
Concurrent IPNS file operations no longer race. The /ipns file handle serializes Read, Write, Flush, and Release, matching the /mfs mount.
IPNS directory operations flush immediately. Remove and Rename on /ipns flush changes to the MFS root, preventing data loss on daemon restart.
New files use the correct CID version. Files created on /ipns inherit the parent's CID settings instead of falling back to CIDv0.
UnixFS mode and mtime visible in stat. All three mounts show POSIX mode and mtime from UnixFS metadata when present. When absent, sensible POSIX defaults are used (files: 0644/0444, directories: 0755/0555).
Opt-in Mounts.StoreMtime and Mounts.StoreMode. Writable mounts can persist mtime on file creation/write and POSIX mode on chmod for both files and directories. touch on directories also works, which tools like tar and rsync rely on. Both flags are off by default because they change the resulting CID. See Mounts.StoreMtime and Mounts.StoreMode.
ipfs.cid xattr on all mounts. All three mounts expose the node's CID via the ipfs.cid extended attribute on files and directories. The legacy ipfs_cid xattr name (used in earlier versions of /mfs) is no longer supported; use ipfs.cid instead.
statfs works. All three mounts report the free space of the volume backing the local IPFS repo, so /mfs correctly reflects how much new data fits. Fixes macOS Finder refusing copies with "not enough free space".
Per-entry st_blocks and st_blksize reflect UnixFS. All three mounts fill st_blocks from the UnixFS file size so du, ls -s, stat, and "size on disk" in file managers match ls -l. Directories report a nominal 1 block so tools that treat 0 as "unsupported" behave correctly. st_blksize advertises a chunk-aligned preferred I/O size: /mfs and /ipns use Import.UnixFSChunker, so cp, dd, and rsync buffer writes at the chunker boundary; /ipfs uses a stable 1 MiB hint since published CIDs have no single chunker.
Platform compatibility. macOS detection updated from OSXFUSE 2.x to macFUSE 4.x. Linux no longer needs a fusermount symlink; hanwen/go-fuse finds fusermount3 natively.

📦 CARv2 import over HTTP API
ipfs dag import of CARv2 files now works over the HTTP API. Previously it failed with operation not supported: the HTTP multipart stream falsely advertised seek support, which go-car needs for the CARv2 payload offset. See #11253.
🌐 HTTPS proxy support
Kubo's outbound HTTP clients and libp2p /ws+/wss peer dials have long honored the standard HTTPS_PROXY, HTTP_PROXY, and NO_PROXY environment variables; this release extends the WebSocket transport to also accept https:// proxy URLs (TLS to the proxy itself), matching what Kubo's HTTP clients already supported. See docs/environment-variables.md.
🛡️ server profile no longer announces loopback and non-public IPv6 addresses
The opt-in server profile now also blocks IPv4 loopback (127.0.0.0/8) and the IANA-reserved 0000::/3 IPv6 block. Since v0.40.0, libp2p has enumerated all local interfaces, causing public server-profile nodes (including the default IPFS bootstrappers) to leak loopback and unallocated IPv6 prefixes like 1e::/16 through libp2p identify and DHT self-records (see go-libp2p#3460).
Default-configured nodes are unaffected. To pick up the new entries on an existing server-profile node:
$ ipfs config profile apply server
The command is idempotent. See the server profile docs for the full filter list, RFC references, and override guidance.

[!WARNING]

The server profile disables local peer discovery (Discovery.MDNS off, loopback filtered), so co-located daemons on the same host and peers on the same LAN will no longer find each other automatically. Apply only on public-internet nodes where that is intended.

🐹 Go 1.26, Once More with Feeling
Kubo first shipped with Go 1.26 in v0.40.0, but v0.40.1 had to downgrade to Go 1.25 because of a Windows crash in Go's overlapped I/O layer (#11214). Go 1.26.2 fixes that regression upstream (golang/go#78041), so Kubo is back on Go 1.26 across all platforms.
You should see lower memory usage and reduced GC pauses thanks to the new Green Tea garbage collector (10-40% less GC overhead). Reading block data and API responses is faster due to io.ReadAll improvements (~2x faster, ~50% less memory). On 64-bit platforms, heap base address randomization adds a layer of security hardening.
🐛 Fixed long-standing random daemon crashes during DHT lookups
Long-running daemons could exit with invalid memory address or nil pointer dereference or similar memory errors while handling DHT traffic. The cause was a data race in the routing layer that had been latent for years: PublishQueryEvent handed QueryEvent.Responses to subscribers (like findprovs) by pointer while the publisher kept mutating the same AddrInfo.Addrs slices.
Two recent changes likely tipped the race into frequent visible crashes: go-multiaddr v0.15 turned Multiaddr from an interface into a slice-backed struct, and Go 1.26 added heap base address randomization and a new garbage collector. Both likely made torn concurrent reads more likely to dereference unmapped memory.
This release picks up the targeted fix in go-libp2p-kad-dht#1244. A broader fix for the whole class of routing publish races is proposed upstream in go-libp2p#3490.
📦️ Dependency updates

update go-libp2p to v0.48.0
update go-libp2p-kad-dht to v0.39.1 (incl. v0.39.0)
update ipfs-webui to v4.12.0
update gateway-conformance tests to v0.13 (incl. v0.12, v0.11)
update boxo to v0.39.0 (incl. v0.38.0)
update go-cid to v0.6.1 (pulls in go-multibase v0.3.0 with up to 5x faster base58 encoding for CIDv0)
update p2p-forge/client to v0.8.0

📝 Changelog
Full Changelog

github.com/ipfs/kubo:

fix(pins): snapshot index before emitting pins (#11290) (ipfs/kubo#11290)
Upgrade to Boxo v0.39.0 (#11294) (ipfs/kubo#11294)
fix(log): scope provide logs to "provider" subsystem (#11289) (ipfs/kubo#11289)
chore: set version to v0.41.0-rc2
fix(defaultServerFilters): strip loopback and non-public  (#11286) (ipfs/kubo#11286)
chore: bump p2p-forge to v0.8.0 (#11285) (ipfs/kubo#11285)
fix: queryevent addrinfo race in kad-dht (#11288) (ipfs/kubo#11288)
fix(examples): avoid bitswap race, use ed25519 (#11282) (ipfs/kubo#11282)
docs: fix v0.41 changelog highlights
fix(fuse): accurate st_blocks and st_blksize (#11280) (ipfs/kubo#11280)
chore: set version to v0.41.0-rc1
test(fuse): fix racy Statfs assertions
fix(cli/rpc): --cid-base works in all commands (#11239) (ipfs/kubo#11239)
feat(fuse): Statfs (#11261) (ipfs/kubo#11261)
feat: add built-in ipfs update command (#11203) (ipfs/kubo#11203)
fix(filestore): respect Provide.Strategy (#11243) (ipfs/kubo#11243)
feat(provide): +unique and +entities strategy modifiers (#11245) (ipfs/kubo#11245)
fix(fuse): switch to hanwen/go-fuse (#11272) (ipfs/kubo#11272)
Upgrade to Boxo v0.38.0 (#11276) (ipfs/kubo#11276)
feat: go 1.26.2 (#11275) (ipfs/kubo#11275)
fix(mfs): respect Import config (#11273) (ipfs/kubo#11273)
fix(fuse): IPNS writes actually publish (#11271) (ipfs/kubo#11271)
fix(mfs): fix fsync deadlock, set attrs, disable default caching (#11255) (ipfs/kubo#11255)
ci: update gateway-conformance to v0.13 (#11262) (ipfs/kubo#11262)
fix(rpc): CARv2 import over HTTP API (#11253) (ipfs/kubo#11253)
chore: fix gofmt (#11256) (ipfs/kubo#11256)
fix: replace deprecated otelhttp.WithMetricAttributesFn (#11257) (ipfs/kubo#11257)
fix(rpc): validate UnixFS in object patch (#11248) (ipfs/kubo#11248)
fix(cmd): use restrictive file permissions for exported keys (#11246) (ipfs/kubo#11246)
chore: add go-libp2p and kad-dht bumps to v0.41 changelog
feat(cmd): add 'ipfs cid inspect' command (#11241) (ipfs/kubo#11241)
fix(provider): purge keystore datastore after reset (#11198) (ipfs/kubo#11198)
fix: correct provider addresses for custom HTTP routing (#11234) (ipfs/kubo#11234)
fix(rpc/pin): return error if listing an invalid, but known, pin type (#11238) (ipfs/kubo#11238)
fix: validate --max-hamt-fanout CLI flag per UnixFS spec (#11230) (ipfs/kubo#11230)
test: fix flaky tests on ci (#11236) (ipfs/kubo#11236)
docs: use specs.ipfs.tech links for merged IPIPs (#11228) (ipfs/kubo#11228)
chore: add changelog placeholder for v0.42
chore: update webui to v4.12.0 (#11221) (ipfs/kubo#11221)
fix(windows): revert update to Go 1.26 (#11215) (ipfs/kubo#11215)
docs: streamline release checklist ordering and dependencies (#11193) (ipfs/kubo#11193)
Merge release v0.40.0 (ipfs/kubo#11212)
fix(metrics): disable otel exemplars to prevent rune overflow (#11211) (ipfs/kubo#11211)
fix: drop high-cardinality server.address from http_server metrics (#11208) (ipfs/kubo#11208)
test(gateway-conformance): update to v0.11 (#11207) (ipfs/kubo#11207)
chore: update webui to v4.11.1 (#11204) (ipfs/kubo#11204)
docs: add AGENTS.md with instructions for AI coding agents (#11200) (ipfs/kubo#11200)
fix: improve ipfs name put for IPNS record republishing (#11199) (ipfs/kubo#11199)
Upgrade to Boxo v0.37.0 (#11201) (ipfs/kubo#11201)
chore: prepare master for v0.41.0-dev cycle


github.com/ipfs/bbloom (v0.0.4 -> v0.1.0):

chore: bump version to v0.1.0
docs: explain why this fork exists and how IPFS uses it
docs: add examples and improve godoc for exported symbols
chore: fix LICENSE for GitHub and pkg.go.dev detection
feat: allow caller-provided SipHash keys (#30) (ipfs/bbloom#30)
fix: make double-hash step always odd and non-zero (#29) (ipfs/bbloom#29)
test: false positive bloom filter test and test data generated (#15) (ipfs/bbloom#15)
docs: add doc.go and godoc comments for all public symbols (#28) (ipfs/bbloom#28)
docs: update README and add benchmarks
Update collision_test.go
fix: stop using math/rand.Read
sync: update CI config files (#16) (ipfs/bbloom#16)
sync: update CI config files (#13) (ipfs/bbloom#13)
cleanup: fix staticcheck failures (ipfs/bbloom#8)
Add LICENSE (copied from upstream)


github.com/ipfs/boxo (v0.37.0 -> v0.39.0):

Release v0.39.0 (ipfs/boxo#1149)
fix: pinner shutdown race (#1146) (ipfs/boxo#1146)
fix(bitswap): prevent low-pending peer starvation (#1143) (ipfs/boxo#1143)
fix(bitswap/bsnet): close streams in background (#1144) (ipfs/boxo#1144)
fix(dspinner): snapshot index before emitting pins (#1140) (ipfs/boxo#1140)
feat(gateway): add content size limits for responses (#1138) (ipfs/boxo#1138)
test(dag/walker): fix flaky bloom FP assertion (#1139) (ipfs/boxo#1139)
Release v0.38.0 (ipfs/boxo#1137)
feat(ipns): Support adding custom metadata to IPNS record (#1085) (ipfs/boxo#1085)
feat(dag/walker): opt-in BloomTracker to avoid duplicated walks (#1124) (ipfs/boxo#1124)
fix(mfs): prevent flushUp from re-adding unlinked entries (#1134) (ipfs/boxo#1134)
fix(mfs): serialize all FileDescriptor operations (#1133) (ipfs/boxo#1133)
fix(mfs): prevent panic on concurrent flush and close (#1131) (ipfs/boxo#1131)
fix(mfs): preserve CidBuilder object in setNodeData(), Mkdir() and NewRoot() (#1125) (ipfs/boxo#1125)
test(gateway): cover bare CID etag match for dir listings (#1129) (ipfs/boxo#1129)
chore(gateway): bump gateway-conformance to v0.13 (#1130) (ipfs/boxo#1130)
doc...

View the full release notes at https://github.com/ipfs/kubo/releases/tag/v0.41.0.

---

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.