Skip to content

build(deps): Bump the all-go group across 7 directories with 11 updates#3364

Merged
julienrbrt merged 3 commits into
mainfrom
dependabot/go_modules/all-go-768f5439a3
Jun 29, 2026
Merged

build(deps): Bump the all-go group across 7 directories with 11 updates#3364
julienrbrt merged 3 commits into
mainfrom
dependabot/go_modules/all-go-768f5439a3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-go group with 6 updates in the / directory:

Package From To
github.com/aws/aws-sdk-go-v2 1.41.11 1.42.0
github.com/aws/aws-sdk-go-v2/config 1.32.22 1.32.25
github.com/aws/aws-sdk-go-v2/service/kms 1.53.2 1.53.4
golang.org/x/crypto 0.52.0 0.53.0
golang.org/x/net 0.55.0 0.56.0
google.golang.org/api 0.283.0 0.286.0

Bumps the all-go group with 1 update in the /apps/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 1 update in the /apps/loadgen directory: github.com/spf13/cobra.
Bumps the all-go group with 1 update in the /execution/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 1 update in the /execution/grpc directory: golang.org/x/net.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/ethereum/go-ethereum and github.com/moby/moby/client.
Bumps the all-go group with 1 update in the /test/e2e directory: github.com/ethereum/go-ethereum.

Updates github.com/aws/aws-sdk-go-v2 from 1.41.11 to 1.42.0

Commits

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.22 to 1.32.25

Commits

Updates github.com/aws/aws-sdk-go-v2/service/kms from 1.53.2 to 1.53.4

Commits

Updates github.com/aws/smithy-go from 1.27.0 to 1.27.1

Changelog

Sourced from github.com/aws/smithy-go's changelog.

Release (2026-06-05)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.2
    • Bug Fix: Fix incorrect serialization of unions in CBOR-based protocols.

Release (2026-06-04)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.1
    • Bug Fix: Fixed a deserialization failure in all protocols when encountering a union with explicit null members.
    • Bug Fix: Fixed a panic when deserializing nested unions in JSON- and CBOR-based protocols.

Release (2026-06-02)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.0
    • Feature: Add APIs for schema-based serialization.
    • Feature: Add support for all current AWS and Smithy protocols.
    • Bug Fix: Enforce max nesting depth of 128 on CBOR payloads.
  • github.com/aws/smithy-go/aws-http-auth: v1.2.0
    • Feature: Add event stream signer.

Release (2026-05-27)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.26.0
    • Feature: Add StringSlice to endpoint rulesfn.

Release (2026-04-23)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.25.1
    • Bug Fix: Fixed a memory leak in the LRU cache implementation used by some AWS services.

... (truncated)

Commits

Updates golang.org/x/crypto from 0.52.0 to 0.53.0

Commits
  • 45460e0 go.mod: update golang.org/x dependencies
  • d37c95e pkcs12: limit PBKDF iteration count to prevent CPU exhaustion
  • e2ffffe ssh: reject incomplete gssapi-with-mic configurations
  • 60e158a ssh/test: isolate CLI tests from user SSH config and agent
  • 1b77d23 ssh/knownhosts: reject lines with multiple or unknown markers
  • 3872a2b ssh/knownhosts: verify declared key type matches decoded key
  • 9f72ecc ssh/knownhosts: treat only ASCII space and tab as whitespace
  • 8f405a4 ssh: validate ECDSA curve matches expected algorithm
  • bb41b3d ssh: improve DH GEX group selection using PreferredBits
  • e04e721 ssh/agent: validate ed25519 private key length in Add
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.55.0 to 0.56.0

Commits
  • 9e7fdbf internal/http3: fix wrong argument being given when validating header value
  • b686e5f internal/http3: add gzip support to transport
  • 8a34885 go.mod: update golang.org/x dependencies
  • 72eaf98 dns/dnsmessage: correctly validate SVCB record parameter order
  • 82e7868 dns/dnsmessage: avoid panic when parsing SVCB record with truncated data
  • b64f1fa internal/http3: add server support for "Trailer:" magic prefix
  • 2707ee2 internal/http3: implement HTTP/3 clientConn methods
  • 31358cc internal/http3: snapshot response headers at WriteHeader time
  • 8ecbaa9 html: don't adjust xml:base
  • 8ae811a html: properly handle end script tag in fragment mode
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.20.0 to 0.21.0

Commits

Updates google.golang.org/api from 0.283.0 to 0.286.0

Release notes

Sourced from google.golang.org/api's releases.

v0.286.0

0.286.0 (2026-06-22)

Features

v0.285.0

0.285.0 (2026-06-16)

Features

v0.284.0

0.284.0 (2026-06-09)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.286.0 (2026-06-22)

Features

0.285.0 (2026-06-16)

Features

0.284.0 (2026-06-09)

Features

Commits

Updates github.com/ethereum/go-ethereum from 1.17.3 to 1.17.4

Commits
  • 36a7dc7 version: release go-ethereum v1.17.4
  • 6b72f26 triedb/pathdb: log the expected version in obsolete-index cleanup (#35194)
  • e5ff359 p2p/discover: fix waiting wrong duration (#35002)
  • 7c9032d all: change reflect.Ptr to reflect.Pointer (#35176)
  • 8c540cb eth/catalyst: add testing_commitBlockV1 (#34995)
  • 7122ecc eth/protocols/snap: remove uncovered states before resuming (#35159)
  • 0e810e4 eth, triedb, internal: add snap/2 sync progress (#35178)
  • 1be5da2 eth/protocols/snap: redo the snap sync if the bal is unavailable (#35181)
  • ad68ce2 eth: reserve peer slot for usable snap peer (#35180)
  • cb387c9 cmd/devp2p/internal/ethtest: validate received txs, not the sent ones (#35170)
  • Additional commits viewable in compare view

Updates github.com/spf13/cobra from 1.9.1 to 1.10.2

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.2

🔧 Dependencies

  • chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​dims in spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

🔥✍🏼 Docs

🍂 Refactors

🤗 New Contributors

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

v1.10.1

🐛 Fix

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

What's Changed

🚨 Attention!

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

  • If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`
  • or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

... (truncated)

Commits

Updates github.com/ethereum/go-ethereum from 1.17.3 to 1.17.4

Commits
  • 36a7dc7 version: release go-ethereum v1.17.4
  • 6b72f26 triedb/pathdb: log the expected version in obsolete-index cleanup (#35194)
  • e5ff359 p2p/discover: fix waiting wrong duration (#35002)
  • 7c9032d all: change reflect.Ptr to reflect.Pointer (#35176)
  • 8c540cb eth/catalyst: add testing_commitBlockV1 (#34995)
  • 7122ecc eth/protocols/snap: remove uncovered states before resuming (#35159)
  • 0e810e4 eth, triedb, internal: add snap/2 sync progress (#35178)
  • 1be5da2 eth/protocols/snap: redo the snap sync if the bal is unavailable (#35181)
  • ad68ce2 eth: reserve peer slot for usable snap peer (#35180)
  • cb387c9 cmd/devp2p/internal/ethtest: validate received txs, not the sent ones (#35170)
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.55.0 to 0.56.0

Commits
  • 9e7fdbf internal/http3: fix wrong argument being given when validating header value
  • b686e5f internal/http3: add gzip support to transport
  • 8a34885 go.mod: update golang.org/x dependencies
  • 72eaf98 dns/dnsmessage: correctly validate SVCB record parameter order
  • 82e7868 dns/dnsmessage: avoid panic when parsing SVCB record with truncated data
  • b64f1fa internal/http3: add server support for "Trailer:" magic prefix
  • 2707ee2 internal/http3: implement HTTP/3 clientConn methods
  • 31358cc internal/http3: snapshot response headers at WriteHeader time
  • 8ecbaa9 html: don't adjust xml:base
  • 8ae811a html: properly handle end script tag in fragment mode
  • Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.17.3 to 1.17.4

Commits
  • 36a7dc7 version: release go-ethereum v1.17.4
  • 6b72f26 triedb/pathdb: log the expected version in obsolete-index cleanup (#35194)
  • e5ff359 p2p/discover: fix waiting wrong duration (#35002)
  • 7c9032d all: change reflect.Ptr to reflect.Pointer (#35176)
  • 8c540cb eth/catalyst: add testing_commitBlockV1 (#34995)
  • 7122ecc eth/protocols/snap: remove uncovered states before resuming (#35159)
  • 0e810e4 eth, triedb, internal: add snap/2 sync progress (#35178)
  • 1be5da2 eth/protocols/snap: redo the snap sync if the bal is unavailable (#35181)
  • ad68ce2 eth: reserve peer slot for usable snap peer (#35180)
  • cb387c9 cmd/devp2p/internal/ethtest: validate received txs, not the sent ones (#35170)
  • Additional commits viewable in compare view

Updates github.com/moby/moby/client from 0.4.1 to 0.5.0

Release notes

Sourced from github.com/moby/moby/client's releases.

client/0.5.0

0.5.0

Changelog

  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636

client/v0.5.0-rc.1

0.5.0-rc.1

Changelog

  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
Changelog

Sourced from github.com/moby/moby/client's changelog.

0.5.0 (2013-07-17)

  • Runtime: List all processes running inside a container with 'docker top'
  • Runtime: Host directories can be mounted as volumes with 'docker run -v'
  • Runtime: Containers can expose public UDP ports (eg, '-p 123/udp')
  • Runtime: Optionally specify an exact public port (eg. '-p 80:4500')
  • Registry: New image naming scheme inspired by Go packaging convention allows arbitrary combinations of registries
  • Builder: ENTRYPOINT instruction sets a default binary entry point to a container
  • Builder: VOLUME instruction marks a part of the container as persistent data
  • Builder: 'docker build' displays the full output of a build by default
  • Runtime: 'docker login' supports additional options
  • Runtime: Dont save a container's hostname when committing an image.
  • Registry: Fix issues when uploading images to a private registry

0.4.8 (2013-07-01)

  • Builder: New build operation ENTRYPOINT adds an executable entry point to the container.
  • Runtime: Fix a bug which caused 'docker run -d' to no longer print the container ID.
  • Tests: Fix issues in the test suite

0.4.7 (2013-06-28)

  • Registry: easier push/pull to a custom registry
  • Remote API: the progress bar updates faster when downloading and uploading large files
  • Remote API: fix a bug in the optional unix socket transport
  • Runtime: improve detection of kernel version
  • Runtime: host directories can be mounted as volumes with 'docker run -b'
  • Runtime: fix an issue when only attaching to stdin
  • Runtime: use 'tar --numeric-owner' to avoid uid mismatch across multiple hosts
  • Hack: improve test suite and dev environment
  • Hack: remove dependency on unit tests on 'os/user'
  • Documentation: add terminology section

0.4.6 (2013-06-22)

  • Runtime: fix a bug which caused creation of empty images (and volumes) to crash.

0.4.5 (2013-06-21)

  • Builder: 'docker build git://URL' fetches and builds a remote git repository
  • Runtime: 'docker ps -s' optionally prints container size
  • Tests: Improved and simplified
  • Runtime: fix a regression introduced in 0.4.3 which caused the logs command to fail.
  • Builder: fix a regression when using ADD with single regular file.

0.4.4 (2013-06-19)

  • Builder: fix a regression introduced in 0.4.3 which caused builds to fail on new clients.

0.4.3 (2013-06-19)

  • Builder: ADD of a local file will detect tar archives and unpack them
  • Runtime: Remove bsdtar dependency
  • Runtime: Add unix socket and multiple -H support
  • Runtime: Prevent rm of running containers
  • Runtime: Use go1.1 cookiejar
  • Builder: ADD improvements: use tar for copy + automatically unpack local archives

... (truncated)

Commits
  • 51f6c4a Merge pull request #1227 from dotcloud/bump_0.5.0
  • f4eaec3 Merge pull request #1226 from metalivedev/easydockerfile
  • b083418 change -b -> -v and add udp example
  • 5794857 Merge pull request #1169 from crosbymichael/buildfile-tests
  • e7f3f6f Add unit tests for buildfile config instructions
  • aa56714 Make dockerfile docs easier to find. Clean up formatting.
  • f8dfd0a Merge pull request #1225 from dotcloud/hotfix_docker_rmi
  • 3dbf9c6 Merge pull request #1219 from metalivedev/docs-repoupdate
  • de563a3 Merge pull request #1194 from crosbymichael/build-verbose
  • 9cf2b41 change rm usage in docs
  • Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.17.3 to 1.17.4

Commits
  • 36a7dc7 version: release go-ethereum v1.17.4
  • 6b72f26 triedb/pathdb: log the expected version in obsolete-index cleanup (#35194)
  • e5ff359 p2p/discover: fix waiting wrong duration (#35002)
  • 7c9032d all: change reflect.Ptr to reflect.Pointer (#35176)
  • 8c540cb eth/catalyst: add testing_commitBlockV1 (#34995)
  • 7122ecc eth/protocols/snap: remove uncovered states before resuming (#35159)
  • 0e810e4 eth, triedb, internal: add snap/2 sync progress (#35178)
  • 1be5da2 eth/protocols/snap: redo the snap sync if the bal is unavailable (#35181)
  • ad68ce2 eth: reserve peer slot for usable snap peer (#35180)
  • cb387c9 cmd/devp2p/internal/ethtest: validate received txs, not the sent ones (#35170)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): Bump the all-go group across 7 directories with 11 updates
f47b7e2 
Bumps the all-go group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.11` | `1.42.0` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.22` | `1.32.25` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.53.2` | `1.53.4` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.52.0` | `0.53.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.55.0` | `0.56.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.283.0` | `0.286.0` |

Bumps the all-go group with 1 update in the /apps/evm directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).
Bumps the all-go group with 1 update in the /apps/loadgen directory: [github.com/spf13/cobra](https://github.com/spf13/cobra).
Bumps the all-go group with 1 update in the /execution/evm directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).
Bumps the all-go group with 1 update in the /execution/grpc directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum) and [github.com/moby/moby/client](https://github.com/moby/moby).
Bumps the all-go group with 1 update in the /test/e2e directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).


Updates `github.com/aws/aws-sdk-go-v2` from 1.41.11 to 1.42.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.11...v1.42.0)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.22 to 1.32.25
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.22...config/v1.32.25)

Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.53.2 to 1.53.4
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.53.2...service/kms/v1.53.4)

Updates `github.com/aws/smithy-go` from 1.27.0 to 1.27.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](aws/smithy-go@v1.27.0...v1.27.1)

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](golang/net@v0.55.0...v0.56.0)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

Updates `google.golang.org/api` from 0.283.0 to 0.286.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.283.0...v0.286.0)

Updates `github.com/ethereum/go-ethereum` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.17.3...v1.17.4)

Updates `github.com/spf13/cobra` from 1.9.1 to 1.10.2
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.9.1...v1.10.2)

Updates `github.com/ethereum/go-ethereum` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.17.3...v1.17.4)

Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](golang/net@v0.55.0...v0.56.0)

Updates `github.com/ethereum/go-ethereum` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.17.3...v1.17.4)

Updates `github.com/moby/moby/client` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/moby/moby/releases)
- [Changelog](https://github.com/moby/moby/blob/v0.5.0/CHANGELOG.md)
- [Commits](moby/moby@v0.4.1...v0.5.0)

Updates `github.com/ethereum/go-ethereum` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.17.3...v1.17.4)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.53.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.27.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: google.golang.org/api
  dependency-version: 0.286.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/spf13/cobra
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/moby/moby/client
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
...

Signed-off-by: dependabot[bot] <support@github.com>
@julienrbrt julienrbrt enabled auto-merge June 29, 2026 10:35
@claude

claude Bot commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Claude finished @julienrbrt's task in 2m 1s —— View job

Dependency Bump Review

  • Gather context (CLAUDE.md / AGENTS.md, PR structure)
  • Review dependency changes for security, breaking changes, and correctness
  • Check go.mod / go.sum consistency across directories
  • Provide final review summary

Review Summary

This is a routine Dependabot dependency bump across 7 Go modules. All changes are confined to go.mod and go.sum files. The overall update is safe to merge.

Notable Highlights

Security-relevant update — golang.org/x/crypto 0.52.0 → 0.53.0

This is the most important change in the PR. It includes several hardening fixes:

  • pkcs12: limits PBKDF iteration count to prevent CPU exhaustion (DoS prevention)
  • ssh: validates ECDSA curve matches expected algorithm
  • ssh/knownhosts: rejects lines with multiple or unknown markers, verifies declared key type matches decoded key
  • ssh: rejects incomplete gssapi-with-mic configurations

Worth applying promptly given the DoS protection.

github.com/aws/smithy-go 1.27.0 → 1.27.1

Bug fixes: deserialization failure when encountering a union with explicit null members, and a panic when deserializing nested unions in JSON/CBOR-based protocols. Relevant if this project uses KMS or other AWS services via smithy-go.

github.com/ethereum/go-ethereum 1.17.3 → 1.17.4

Patch release: bug fix for p2p/discover waiting the wrong duration, snap sync improvements. No breaking changes. Updated consistently across apps/evm, execution/evm, test/docker-e2e, and test/e2e.

New transitive dependency: github.com/fjl/jsonw v0.1.0

Appears in execution/evm/go.mod, apps/evm/go.mod, and test/docker-e2e/go.mod as a new indirect dependency introduced by go-ethereum v1.17.4. Not a concern — it's a small JSON utility library from the go-ethereum team.

Observations

golang.org/x/net version skew in apps/loadgen

All modules target v0.56.0, but apps/loadgen/go.mod lands at v0.55.0. This is expected: the cosmos SDK dependency tree constrains golang.org/x/net to v0.55.0, and Go's MVS selects the minimum that satisfies all constraints within that module. Not a bug.

apps/loadgen has broader transitive changes than described

The PR description says loadgen bumps only github.com/spf13/cobra, but the diff also shows many cosmos SDK indirect dependencies updating (e.g., cosmossdk.io/api v0.7.6 → v0.9.2, cosmos-sdk v0.50.14 → v0.53.6, cometbft v0.38.17 → v0.38.21). This is because Dependabot resolves the full transitive dependency graph when updating the group. These are all indirect dependencies, and they look consistent with a cosmos SDK point release chain. No action required, but it's worth being aware that the scope of the loadgen bump is wider than the headline suggests.

cosmossdk.io/depinject removed from apps/loadgen

cosmossdk.io/depinject v1.1.0 was dropped as an indirect dependency. This is consistent with cosmos-sdk v0.53.6 no longer surfacing it as a transitive requirement. No user-facing impact.

github.com/moby/moby/client 0.4.1 → 0.5.0 (test/docker-e2e only)

The 0.5.0 release adds a new GET /images/{name}/attestations endpoint — purely additive. No breaking changes to existing client APIs.

github.com/spf13/cobra 1.9.1 → 1.10.2

Migrates from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (the canonical successor). Also bumps pflag to v1.0.10. No behavioral changes expected for existing CLI commands in this repo.

Verdict

All changes look correct. Versions are updated consistently across dependent modules. No breaking changes detected. The golang.org/x/crypto security fixes make this update worth landing promptly.

@github-actions

github-actions Bot commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped✅ passed⏩ skippedJun 29, 2026, 10:35 AM

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.61%. Comparing base (69c655c) to head (596bfbf).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #3364   +/-   ##
=======================================
  Coverage   60.61%   60.61%           
=======================================
  Files         129      129           
  Lines       14205    14205           
=======================================
  Hits         8611     8611           
  Misses       4639     4639           
  Partials      955      955
Flag Coverage Δ
combined 60.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@julienrbrt julienrbrt added this pull request to the merge queue Jun 29, 2026
Merged via the queue into main with commit a5ad63c Jun 29, 2026
32 checks passed
@julienrbrt julienrbrt deleted the dependabot/go_modules/all-go-768f5439a3 branch June 29, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julienrbrt julienrbrt julienrbrt approved these changes

Assignees

No one assigned

Labels

T:dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@julienrbrt