fix: bump go-ethereum to v1.16.8 to fix CVE-2026-22868#7
Merged
Conversation
Addresses GHSA-mq3p-rrmp-79jg - high CPU usage DoS via malicious p2p message. Previous version v1.13.5 was affected (all versions <= 1.16.7).
grandizzy
added a commit
that referenced
this pull request
Jan 29, 2026
Expand integration tests to match tempo-foundry's tempo-check.sh CI coverage, similar to pytempo PR #7. New integration tests: - Node connectivity (client version check) - Fee token liquidity (AlphaUSD, BetaUSD, ThetaUSD) - Send with custom fee token - 2D nonces (nonce_key) - Expiring nonces (valid_before, valid_after) - Sponsored transactions (fee payer) - Batch transactions (multiple calls) - setUserFeeToken Skipped tests (require specific setup): - Access keys (needs investigation on devnet) - DEX operations (require liquidity setup) CI changes: - Integration tests (Devnet/Testnet) now run on all PRs, not just main/schedule Test results: 12 passed, 3 skipped Amp-Thread-ID: https://ampcode.com/threads/T-019c0a32-581b-717c-b814-0d5614d0ff97 Co-authored-by: Amp <amp@ampcode.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
motivation
go-ethereum v1.13.5 is affected by CVE-2026-22868 (GHSA-mq3p-rrmp-79jg), a high-severity vulnerability where an attacker can cause high CPU usage via a malicious p2p message, leading to denial of service.
implications
The dependency is now on a patched version (v1.16.8), eliminating the DoS attack vector. Minimum Go version bumped to 1.24 as required by the new go-ethereum version.
Users on Go 1.21-1.23 can pin to v0.1.0 but will remain on the vulnerable go-ethereum version.
testing
go build ./...passesnext steps
After merging:
git tag v0.2.0 && git push origin v0.2.0