@dependabot dependabot bot commented on behalf of github Dec 2, 2025

Bumps the all-go group with 2 updates in the / directory: github.com/goccy/go-yaml and github.com/libp2p/go-libp2p-kad-dht.
Bumps the all-go group with 1 update in the /apps/evm directory: github.com/ethereum/go-ethereum.

Updates github.com/goccy/go-yaml from 1.18.0 to 1.19.0

Release notes

Sourced from github.com/goccy/go-yaml's releases.

1.19.0

What's Changed

New Contributors

Full Changelog: goccy/go-yaml@v1.18.0...v1.19.0

Commits

Updates github.com/libp2p/go-libp2p-kad-dht from 0.35.1 to 0.36.0

Release notes

Sourced from github.com/libp2p/go-libp2p-kad-dht's releases.

v0.36.0

Note: This release was brought to you by the Shipyard team.

Overview

This release brings major improvements to the Sweep provider system: detailed runtime statistics, persistence of reprovide state across restarts, and better connection handling. These features ship to Kubo users in v0.39.

Highlights

Sweep provider statistics API

The SweepingProvider now exposes detailed runtime statistics through a new Stats() method, enabling monitoring tools to track provider health and throughput.

Available metrics include:

  • Queue sizes and worker utilization
  • Reprovide schedule and progress
  • Network statistics (connected peers, regions)
  • Operation rates and success counts

This powers the ipfs provide stat command in Kubo v0.39+. See #1144.

Reprovide cycle persistence and resume

The Sweep provider now persists its state to the datastore and automatically resumes after restarts:

  • Persistent progress: The provider saves its position in the reprovide cycle. On restart, it continues from where it stopped instead of starting over.
  • Catch-up reproviding: If the node was offline, all CIDs overdue for reprovide are immediately queued.
  • Persistent provide queue: Pending provide operations survive restarts.

This fixes the long-standing issue where restarts would reset the reprovide cycle. See #1167, #1170, #1176, #1193.

Connectivity callbacks

Users can now register callbacks to be notified when the provider's connectivity status changes. This enables applications to track and react to connectivity state transitions. See #1194.

Connection protection during provides

New option to protect libp2p connections and keep addresses in the peerstore during provide operations. This prevents the connection manager from pruning connections that are actively being used for provides. See #1172.

Metric rename: provider_provides_total

The Sweep provider metric has been renamed from total_provide_count_total to provider_provides_total to follow OpenTelemetry naming conventions and match other kad-dht metrics.

Migration: Update any Prometheus queries or dashboards using the old metric name. See #1195.

... (truncated)

Commits

Updates github.com/ethereum/go-ethereum from 1.16.5 to 1.16.7

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Ballistic Drift Stabilizer (v1.16.7)

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC. Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades. These upgrades change protocol parameters to increase the available blob capacity.

  • BPO1 on 2025-12-09
  • BPO2 on 2026-01-07

Fusaka

  • Set mainnet timestamps for Osaka (#33063)
  • Enable Fusaka for geth --dev mode (#32917)

RPC

  • Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
  • Add support for eth_simulateV1 in ethclient (#32856)
  • Fix for an issue that might crash debug_traceCall (#33015)
  • Fix for an issue where local transactions were not persisted to the journal (#32921)

Core

  • Fix for a cryptographic vulnerability in c-kzg-4844. This is only exploitable post-Fusaka. (#33093)
  • Add geth --genesis flag as an alternative to running geth init genesis.json (#32844)
  • Fix for receipt insertion during ERA file import. (#32934)
  • Work on getting the trie node history in order to serve historical eth_getProof request with the new path-based archive node. (#32907, #32914, #32937)
  • Further work on cmd/keeper, our guest program for zkVMs (#32816)
  • Various optimizations (#32971, #32916, #32965, #32946)

Networking

  • New metrics for tracking slow peers (#32964)
  • Fix for an issue where disconnected peers were not removed in txFetcher (#32947)

For a full rundown of the changes please consult the Geth 1.16.6 and 1.16.7 release milestones.

As with all our previous releases, you can find the:

... (truncated)

Commits
  • b9f3a3d Merge branch 'master' into release/1.16
  • 07129d2 version: release go-ethereum v1.16.7 stable
  • 653f8d4 go.mod: update to c-kzg v2.1.5 (#33093)
  • 5b77af3 version: begin v1.16.7 release cycle
  • 386c3de Merge branch 'master' into release/1.16
  • 044828e version: release go-ethereum v1.16.6
  • 0250724 params: set osaka and BPO1 & BPO2 mainnet dates (#33063)
  • 28c59b7 core/rawdb: fix db inspector by supporting trienode history (#33087)
  • 18a9027 common: fix duration comparison in PrettyAge (#33064)
  • e6d34c1 eth/tracers: fix prestateTracer for EIP-6780 SELFDESTRUCT (#33050)
  • Additional commits viewable in compare view


Bumps the all-go group with 2 updates in the / directory: [github.com/goccy/go-yaml](https://github.com/goccy/go-yaml) and [github.com/libp2p/go-libp2p-kad-dht](https://github.com/libp2p/go-libp2p-kad-dht).
Bumps the all-go group with 1 update in the /apps/evm directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).


Updates `github.com/goccy/go-yaml` from 1.18.0 to 1.19.0
- [Release notes](https://github.com/goccy/go-yaml/releases)
- [Changelog](https://github.com/goccy/go-yaml/blob/master/CHANGELOG.md)
- [Commits](goccy/go-yaml@v1.18.0...v1.19.0)

Updates `github.com/libp2p/go-libp2p-kad-dht` from 0.35.1 to 0.36.0
- [Release notes](https://github.com/libp2p/go-libp2p-kad-dht/releases)
- [Commits](libp2p/go-libp2p-kad-dht@v0.35.1...v0.36.0)

Updates `github.com/ethereum/go-ethereum` from 1.16.5 to 1.16.7
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.16.5...v1.16.7)

---
updated-dependencies:
- dependency-name: github.com/goccy/go-yaml
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/libp2p/go-libp2p-kad-dht
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.16.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
...

Signed-off-by: dependabot[bot] <support@github.com>

github-actions bot commented Dec 2, 2025

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

  • Build: ✅ passed
  • Format: ⏩ skipped
  • Lint: ✅ passed
  • Breaking: ✅ passed
  • Updated (UTC): Dec 2, 2025, 10:01 AM


claude bot commented Dec 2, 2025

Claude finished @dependabot[bot]'s task —— View job


Dependency Update Review ✅

Summary

This PR bumps three Go dependencies across multiple modules:

  • github.com/goccy/go-yaml: 1.18.0 → 1.19.0
  • github.com/libp2p/go-libp2p-kad-dht: 0.35.1 → 0.36.0
  • github.com/ethereum/go-ethereum: 1.16.5 → 1.16.7

Overall Assessment: ✅ APPROVE - These are safe, non-breaking updates with important improvements and fixes.


Detailed Analysis

1. github.com/goccy/go-yaml (1.18.0 → 1.19.0)

Usage in codebase: Used in pkg/config/yaml.go:10 for YAML marshalling/unmarshalling of configuration files.

Changes:

  • ✅ No breaking changes
  • Improved multi-line string normalization (CR/CRLF handling)
  • Added support for non-string map keys
  • Added RawMessage type (similar to json.RawMessage)
  • Better flow value indentation
  • New decode option for field prefixes

Risk Assessment: Low ⚠️

  • The codebase uses standard YAML operations (marshal/unmarshal with comments)
  • Changes are additive and improve compatibility
  • No API changes that would affect current usage

2. github.com/libp2p/go-libp2p-kad-dht (0.35.1 → 0.36.0)

Usage in codebase: Used in pkg/p2p/client.go:13 for DHT peer discovery and routing.

Changes:

  • ✅ Major improvements to Sweep provider system
  • New statistics API for monitoring provider health
  • Reprovide cycle persistence - state survives restarts (important improvement!)
  • Connection protection during provides
  • Connectivity callbacks for status tracking
  • ⚠️ BREAKING: Metric renamed from total_provide_count_total to provider_provides_total

Risk Assessment: Low-Medium ⚠️

  • The codebase uses DHT for peer discovery, not provider functionality heavily
  • Persistence improvements are beneficial for node restarts
  • Action Required: If Prometheus metrics are monitored, update dashboards/queries for the renamed metric
  • No API-breaking changes in core DHT functionality used by ev-node

3. github.com/ethereum/go-ethereum (1.16.5 → 1.16.7)

Usage in codebase: Used extensively in apps/evm/ and execution/evm/ modules.

Changes:

  • Enables Fusaka hardfork on mainnet (2025-12-03 21:49:11 UTC)
  • Security fix: Fixes cryptographic vulnerability in c-kzg-4844 (CVE not specified, exploitable post-Fusaka)
  • Enables BPO1 (2025-12-09) and BPO2 (2026-01-07) for increased blob capacity
  • New eth_sendRawTransactionSync RPC method
  • Support for eth_simulateV1 in ethclient
  • Various optimizations and bug fixes
  • Receipt insertion fix for ERA file import
  • Transaction journal persistence fix

Risk Assessment: Low ⚠️

  • This update includes a critical security fix and should be merged
  • Fusaka hardfork is scheduled for Dec 3, 2025 (tomorrow!)
  • No breaking API changes for normal EVM usage
  • The cryptography fix is important for post-Fusaka security

Security Considerations

✅ Positive Security Impacts

  1. go-ethereum: Fixes cryptographic vulnerability in KZG library (c-kzg-4844 v2.1.5)
  2. go-libp2p-kad-dht: Better connection management and state persistence improves reliability
  3. All dependencies are from trusted, well-maintained projects

⚠️ Potential Issues

  1. Metric rename in go-libp2p-kad-dht requires monitoring update
  2. Fusaka hardfork timing is tight (Dec 3, 2025) - needs quick deployment

Compatibility & Breaking Changes

Cross-Module Consistency ✅

All modules are updated consistently:

  • Root go.mod and go.sum
  • apps/evm/go.mod and go.sum
  • apps/grpc/go.mod and go.sum
  • apps/testapp/go.mod and go.sum
  • test/e2e/go.mod and go.sum

Breaking Changes

  • None for the APIs ev-node uses
  • Only breaking change is the Prometheus metric rename (if monitored)

Code Quality Assessment

✅ What's Good

  1. Automated dependency management: Dependabot ensures timely updates
  2. Consistent updates: All modules updated together, avoiding version conflicts
  3. Critical timing: go-ethereum update includes important hardfork and security fix
  4. go.sum integrity: All checksums properly updated

Recommendations

  1. ✅ Merge this PR quickly due to:
    • Critical security fix in go-ethereum
    • Fusaka hardfork on Dec 3, 2025
  2. ⚠️ Monitor deployment and verify:
    • Node syncs properly after Fusaka
    • No issues with peer discovery (go-libp2p-kad-dht)
    • YAML config parsing works correctly
  3. 📊 Update Prometheus dashboards if monitoring total_provide_count_total metric → use provider_provides_total

Testing Status

CI Status: ✅ 1 passed, 3 in progress

Test Coverage: Dependencies updated consistently across all go.mod files. Integration and E2E tests will verify compatibility.


Final Recommendation

✅ APPROVE and MERGE

This PR should be merged promptly due to:

  1. Critical security fix in go-ethereum (c-kzg-4844 vulnerability)
  2. Fusaka hardfork support required by Dec 3, 2025
  3. Low risk - no breaking API changes for ev-node's usage patterns
  4. Positive improvements - state persistence, better error handling, enhanced features

The updates are well-tested, come from reputable sources, and include important fixes and features for the ev-node rollup framework.


Action Items

  • Merge this PR after CI passes
  • Deploy to testnet/staging first
  • Verify Fusaka hardfork activation
  • Update Prometheus dashboards (if using provider metrics)
  • Monitor peer discovery and network connectivity

@tac0turtle tac0turtle enabled auto-merge December 2, 2025 10:02
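
The version floors this PR establishes (go-yaml 1.19.0, go-libp2p-kad-dht 0.36.0, go-ethereum 1.16.7) can be checked mechanically against each go.mod in a multi-module repository. This is an added example, not code from ev-node or from any bot in this thread; `floors`, `parseVer` and `checkGoMod` are hypothetical names and the input in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions, taken from the three bumps in this PR.
var floors = map[string]string{
	"github.com/goccy/go-yaml":            "v1.19.0",
	"github.com/libp2p/go-libp2p-kad-dht": "v0.36.0",
	"github.com/ethereum/go-ethereum":     "v1.16.7",
}

// parseVer maps a plain vMAJOR.MINOR.PATCH tag to a sortable int (64-bit int,
// components below 2^20). ok is false for pre-release or pseudo-versions.
func parseVer(v string) (key int, ok bool) {
	var a, b, c int
	var rest string
	n, _ := fmt.Sscanf(v, "v%d.%d.%d%s", &a, &b, &c, &rest)
	return a<<40 | b<<20 | c, n == 3
}

// checkGoMod reads only require directives (replace and exclude are ignored)
// and returns one finding per tracked module below its floor or unparsable.
func checkGoMod(path, content string) (findings []string) {
	block := ""
	for _, line := range strings.Split(content, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case block != "":
			f = append([]string{block}, f...) // normalise to single-line form
		}
		if len(f) != 3 || f[0] != "require" {
			continue
		}
		floor, tracked := floors[f[1]]
		got, ok := parseVer(f[2])
		if want, _ := parseVer(floor); tracked && (!ok || got < want) {
			findings = append(findings, fmt.Sprintf("%s: %s %s, want >= %s", path, f[1], f[2], floor))
		}
	}
	return findings
}

func main() {
	// Constructed input, not the repository's real go.mod.
	fmt.Println(checkGoMod("apps/evm/go.mod", "require github.com/ethereum/go-ethereum v1.16.5"))
}
```

Because `replace` directives are not evaluated, a module redirected to a fork still needs a manual look.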

codecov bot commented Dec 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.55%. Comparing base (4481fea) to head (62cb315).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2898      +/-   ##
==========================================
- Coverage   64.67%   64.55%   -0.13%     
==========================================
  Files          81       81              
  Lines        7380     7380              
==========================================
- Hits         4773     4764       -9     
- Misses       2065     2074       +9     
  Partials      542      542              
Flag Coverage Δ
combined 64.55% <ø> (-0.13%) ⬇️

@tac0turtle tac0turtle added this pull request to the merge queue Dec 2, 2025
Merged via the queue into main with commit d414ae0 Dec 2, 2025
25 checks passed
@tac0turtle tac0turtle deleted the dependabot/go_modules/all-go-91a29a433b branch December 2, 2025 10:13
alpe added a commit that referenced this pull request Dec 3, 2025
* main:
  build(deps): Bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /docs in the npm_and_yarn group across 1 directory (#2900)
  refactor(block): centralize timeout in client (#2903)
  build(deps): Bump the all-go group across 2 directories with 3 updates (#2898)
  chore: bump default timeout (#2902)
  fix: revert default db (#2897)
  refactor: remove obsolete // +build tag (#2899)
  fix:da visualiser namespace  (#2895)
  refactor: omit unnecessary reassignment (#2892)
  build(deps): Bump the all-go group across 5 directories with 6 updates (#2881)
  chore: fix inconsistent method name in retryWithBackoffOnPayloadStatus comment (#2889)
  fix: ensure consistent network ID usage in P2P subscriber (#2884)
  build(deps): Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 (#2885)
  build(deps): Bump actions/checkout from 5 to 6 (#2886)