Skip to content

build(deps): bump the ipfs-ecosystem group across 1 directory with 2 updates#13599

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/ipfs-ecosystem-6e467325b1
Open

build(deps): bump the ipfs-ecosystem group across 1 directory with 2 updates#13599
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/ipfs-ecosystem-6e467325b1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 2, 2026
edited
Loading

Bumps the ipfs-ecosystem group with 2 updates in the / directory: github.com/ipfs/bbloom and github.com/ipfs/boxo.

Updates github.com/ipfs/bbloom from 0.0.4 to 0.1.0

Release notes

Sourced from github.com/ipfs/bbloom's releases.

v0.1.0

First release since v0.0.4 (2019). Minimum Go version is now 1.25.

[!NOTE] This release was brought to you by the Shipyard team.

Added

  • NewWithKeys and NewWithBoolsetAndKeys for caller-provided SipHash keys, preventing hash-flooding when the filter holds untrusted data (#30)
  • Custom keys preserved across JSONMarshal/JSONUnmarshal round-trips
  • Godoc comments for all exported symbols, package doc in doc.go
  • Runnable examples: New, NewWithKeys, Bloom.Has, JSONUnmarshal

Fixed

  • Double-hash step forced odd to avoid degenerate probe sequences (#29)
  • LICENSE reformatted as plain-text MIT so pkg.go.dev renders documentation
  • SPDX headers added to source files
  • Replaced deprecated math/rand.Read
  • staticcheck fixes

New Contributors

Full Changelog: ipfs/bbloom@v0.0.4...v0.1.0

Commits
  • 2453b06 chore: bump version to v0.1.0
  • 05d1bb7 docs: explain why this fork exists and how IPFS uses it
  • f2106e3 docs: add examples and improve godoc for exported symbols
  • 5677534 chore: fix LICENSE for GitHub and pkg.go.dev detection
  • e882fc3 feat: allow caller-provided SipHash keys (#30)
  • 2e2ad1b fix: make double-hash step always odd and non-zero (#29)
  • bba0b46 test: false positive bloom filter test and test data generated (#15)
  • 2d3e602 docs: add doc.go and godoc comments for all public symbols (#28)
  • 7a80758 docs: update README and add benchmarks
  • bdd6c3b chore!: bump go.mod to Go 1.25 and run go fix (#27)
  • Additional commits viewable in compare view

Updates github.com/ipfs/boxo from 0.37.0 to 0.39.0

Release notes

Sourced from github.com/ipfs/boxo's releases.

v0.39.0

[!NOTE] This release was brought to you by the Shipyard team.

What's Changed

Added

  • gateway: Config.MaxDeserializedResponseSize allows setting a maximum file/directory size for deserialized gateway responses. Content exceeding this limit returns 410 Gone, directing users to run their own IPFS node. Trustless response formats (application/vnd.ipld.raw, application/vnd.ipld.car) are not affected. The size is read from the UnixFS root block, so no extra block fetches are needed for the check. #1138
  • gateway: Config.MaxUnixFSDAGResponseSize allows setting a maximum content size applied to all response formats (deserialized, raw blocks, CAR, TAR). Content exceeding this limit returns 410 Gone. For most handlers the check reuses size information already available in the request path; for CAR responses a lightweight Head call is made only when the limit is configured. #1138

Changed

  • bitswap/server: the default peer comparator now schedules peers fairly. A peer that has never been served, or has waited longer than 10s, outranks non-starved peers. Pending counts cap at 16 for ordering purposes, so peers with small wantlists no longer wait behind peers with large ones. The final tiebreak uses a per-process salted hash of peer.ID, so no peer can craft an ID that permanently outranks everyone. Engines built with WithTaskComparator keep their existing behavior. #1141
  • upgrade to go-libp2p-kad-dht v0.39.1

Fixed

  • bitswap/network/bsnet: SendMessage and handleNewStream now close streams in a background goroutine. Previously, stream.Close could hold the caller for up to DefaultNegotiationTimeout (10s) while lazyClientConn.Close waited for the remote peer to complete the multistream handshake. This saturated the bitswap TaskWorkerCount pool when peers were unresponsive and stopped bitswap from serving blocks to other peers. As a side effect, SendMessage no longer returns errors from stream.Close; close failures are logged at Debug. #1142
  • bitswap/server: a peer with a single pending want no longer waits behind peers with large wantlists. #1141
  • pinner/dspinner: RecursiveKeys and DirectKeys now snapshot the pin index under the read lock and release it before emitting pins, so a slow consumer (e.g. the reprovider draining the channel at DHT speed under Provide.Strategy=pinned*) can no longer starve Pin/Unpin/Flush writers. #1140

Full Changelog: ipfs/boxo@v0.38.0...v0.39.0

v0.38.0

[!NOTE] This release was brought to you by the Shipyard team.

What's Changed

Added

  • ipns: NewRecord accepts WithMetadata(map[string]any) option for storing custom scalar key-value pairs (string, []byte, int64, int, bool) in the signed DAG-CBOR data of IPNS records. Metadata can be read back via Record.Metadata (returns typed MetadataValue with Kind() discriminator) and iterated with Record.MetadataEntries. Reserved IPNS field names, empty keys, and unsupported value types are rejected. #1085
  • dag/walker: new package for memory-efficient DAG traversal with deduplication. VisitedTracker interface with BloomTracker (scalable bloom filter chain, ~4 bytes/CID vs ~75 bytes for a map) and MapTracker (exact, for tests). WalkDAG provides iterative DFS traversal with integrated dedup, supporting dag-pb, dag-cbor, raw, and other registered codecs. ~2x faster than the legacy go-ipld-prime selector-based traversal. WalkEntityRoots emits only entity roots (files, directories, HAMT shards) instead of every block, skipping internal file chunks. #1124
  • pinner: NewUniquePinnedProvider and NewPinnedEntityRootsProvider log and skip corrupted pin entries instead of aborting the provide cycle, allowing remaining pins to still be provided. #1124
  • routing/http/client: WithProviderInfoFunc option resolves provider addresses at provide-time instead of client construction time. This only impacts legacy HTTP-only custom routing setups that depend on IPIP-526 and were sending unresolved 0.0.0.0 addresses in provider records instead of actual interface addresses. #1115
  • chunker: added Register function to allow custom chunkers to be registered for use with FromString.
  • mfs: added Directory.Mode() and Directory.ModTime() getters to match the existing File.Mode() and File.ModTime() API. #1131

Changed

  • provider: NewPrioritizedProvider now continues to the next stream when one fails instead of stopping all streams. NewConcatProvider added for pre-deduplicated streams. #1124
  • chunker: FromString now rejects malformed size- strings with extra parameters (e.g. size-123-extra was previously silently accepted).
  • gateway: compliance with gateway-conformance v0.13

... (truncated)

Changelog

Sourced from github.com/ipfs/boxo's changelog.

[v0.39.0]

Added

  • gateway: Config.MaxDeserializedResponseSize allows setting a maximum file/directory size for deserialized gateway responses. Content exceeding this limit returns 410 Gone, directing users to run their own IPFS node. Trustless response formats (application/vnd.ipld.raw, application/vnd.ipld.car) are not affected. The size is read from the UnixFS root block, so no extra block fetches are needed for the check. #1138
  • gateway: Config.MaxUnixFSDAGResponseSize allows setting a maximum content size applied to all response formats (deserialized, raw blocks, CAR, TAR). Content exceeding this limit returns 410 Gone. For most handlers the check reuses size information already available in the request path; for CAR responses a lightweight Head call is made only when the limit is configured. #1138

Changed

  • bitswap/server: the default peer comparator now schedules peers fairly. A peer that has never been served, or has waited longer than 10s, outranks non-starved peers. Pending counts cap at 16 for ordering purposes, so peers with small wantlists no longer wait behind peers with large ones. The final tiebreak uses a per-process salted hash of peer.ID, so no peer can craft an ID that permanently outranks everyone. Engines built with WithTaskComparator keep their existing behavior. #1141
  • upgrade to go-libp2p-kad-dht v0.39.1

Fixed

  • bitswap/network/bsnet: SendMessage and handleNewStream now close streams in a background goroutine. Previously, stream.Close could hold the caller for up to DefaultNegotiationTimeout (10s) while lazyClientConn.Close waited for the remote peer to complete the multistream handshake. This saturated the bitswap TaskWorkerCount pool when peers were unresponsive and stopped bitswap from serving blocks to other peers. As a side effect, SendMessage no longer returns errors from stream.Close; close failures are logged at Debug. #1142
  • bitswap/server: a peer with a single pending want no longer waits behind peers with large wantlists. #1141
  • pinner/dspinner: RecursiveKeys and DirectKeys now snapshot the pin index under the read lock and release it before emitting pins, so a slow consumer (e.g. the reprovider draining the channel at DHT speed under Provide.Strategy=pinned*) can no longer starve Pin/Unpin/Flush writers. #1140

[v0.38.0]

Added

  • ipns: NewRecord accepts WithMetadata(map[string]any) option for storing custom scalar key-value pairs (string, []byte, int64, int, bool) in the signed DAG-CBOR data of IPNS records. Metadata can be read back via Record.Metadata (returns typed MetadataValue with Kind() discriminator) and iterated with Record.MetadataEntries. Reserved IPNS field names, empty keys, and unsupported value types are rejected. #1085
  • dag/walker: new package for memory-efficient DAG traversal with deduplication. VisitedTracker interface with BloomTracker (scalable bloom filter chain, ~4 bytes/CID vs ~75 bytes for a map) and MapTracker (exact, for tests). WalkDAG provides iterative DFS traversal with integrated dedup, supporting dag-pb, dag-cbor, raw, and other registered codecs. ~2x faster than the legacy go-ipld-prime selector-based traversal. WalkEntityRoots emits only entity roots (files, directories, HAMT shards) instead of every block, skipping internal file chunks. #1124
  • pinner: NewUniquePinnedProvider and NewPinnedEntityRootsProvider log and skip corrupted pin entries instead of aborting the provide cycle, allowing remaining pins to still be provided. #1124
  • routing/http/client: WithProviderInfoFunc option resolves provider addresses at provide-time instead of client construction time. This only impacts legacy HTTP-only custom routing setups that depend on IPIP-526 and were sending unresolved 0.0.0.0 addresses in provider records instead of actual interface addresses. #1115
  • chunker: added Register function to allow custom chunkers to be registered for use with FromString.
  • mfs: added Directory.Mode() and Directory.ModTime() getters to match the existing File.Mode() and File.ModTime() API. #1131

Changed

  • provider: NewPrioritizedProvider now continues to the next stream when one fails instead of stopping all streams. NewConcatProvider added for pre-deduplicated streams. #1124
  • chunker: FromString now rejects malformed size- strings with extra parameters (e.g. size-123-extra was previously silently accepted).
  • gateway: compliance with gateway-conformance v0.13
  • upgrade to go-libp2p v0.48.0
  • 🛠 mfs: replaced RootOption with a unified Option functional options pattern (e.g. WithCidBuilder, WithChunker, WithMaxLinks). NewRoot, NewEmptyRoot, MkdirWithOpts, and NewEmptyDirectory now accept ...Option. Mkdir takes a MkdirOpts struct (narrowed to Mkparents and Flush flags) followed by ...Option for directory configuration. #1125

Removed

  • gateway: removed dead DoH resolver for .crypto TLD (Unstoppable Domains) #772
  • cmd/boxo-migrate: removed code for go-ipfs migration -- no longer needed.
  • cmd/deprecator: removed code to deprecare relocated ipfs packages -- no longer needed.

Fixed

  • bitswap/server: incoming identity CIDs in wantlist messages are now silently ignored instead of killing the connection to the remote peer. Some IPFS implementations naively send identity CIDs, and disconnecting them for it caused unnecessary churn. #1117
  • bitswap/network: ExtractHTTPAddress now infers default ports for portless HTTP multiaddrs (e.g. /dns/host/https without /tcp/443). #1123
  • mfs: FileDescriptor operations are serialized with a mutex, preventing data races on the underlying DagModifier when FUSE mounts or Kubo RPC commands dispatch concurrent Read, Write, Seek, Truncate, Flush, or Close calls. Flush after Close returns ErrClosed. #1131 #1133
  • mfs: preserve CidBuilder and SizeEstimationMode across setNodeData(), Mkdir() and NewRoot(). #1125

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 2, 2026
@github-project-automation github-project-automation Bot moved this to 📌 Triage in FilOz May 2, 2026
@dependabot
build(deps): bump the ipfs-ecosystem group across 1 directory with 2 …
ed5cf83 
…updates

Bumps the ipfs-ecosystem group with 2 updates in the / directory: [github.com/ipfs/bbloom](https://github.com/ipfs/bbloom) and [github.com/ipfs/boxo](https://github.com/ipfs/boxo).


Updates `github.com/ipfs/bbloom` from 0.0.4 to 0.1.0
- [Release notes](https://github.com/ipfs/bbloom/releases)
- [Commits](ipfs/bbloom@v0.0.4...v0.1.0)

Updates `github.com/ipfs/boxo` from 0.37.0 to 0.39.0
- [Release notes](https://github.com/ipfs/boxo/releases)
- [Changelog](https://github.com/ipfs/boxo/blob/main/CHANGELOG.md)
- [Commits](ipfs/boxo@v0.37.0...v0.39.0)

---
updated-dependencies:
- dependency-name: github.com/ipfs/bbloom
  dependency-version: 0.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ipfs-ecosystem
- dependency-name: github.com/ipfs/boxo
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ipfs-ecosystem
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump the ipfs-ecosystem group with 2 updates build(deps): bump the ipfs-ecosystem group across 1 directory with 2 updates May 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/ipfs-ecosystem-6e467325b1 branch from 55c3f3b to ed5cf83 Compare May 4, 2026 07:01
@github-project-automation github-project-automation Bot moved this from 📌 Triage to ✔️ Approved by reviewer in FilOz May 4, 2026
@rvagg rvagg added the skip/changelog This change does not require CHANGELOG.md update label May 4, 2026
rvagg
rvagg reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@rvagg rvagg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

someone needs to do provenance on the filippo.io/bigmod indirect update and comment on why it's not tagged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rvagg rvagg rvagg approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file skip/changelog This change does not require CHANGELOG.md update

Projects

FilOz
Status: ✔️ Approved by reviewer

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rvagg