chore: update go-libp2p to v0.41.1 #13173
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Addresses CVE-2025-49140 - a critical vulnerability affecting versions v0.1.36 through v0.1.38 that allows remote crashes of Pion-based SFU implementations. Fixes #13169 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This updates go-libp2p from v0.39.1 to v0.41.1, which includes: - Bug fixes for connection gating, WebRTC memory leaks, and AutoNAT improvements - Updated go-multiaddr to v0.15.0 which changed the Multiaddr API - Fixed type conversion issues in node/builder.go and cli/miner/run.go to handle the new concrete Multiaddr type 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Pull Request Overview
This PR updates library dependencies for go-libp2p and go-multiaddr to their latest compatible versions while addressing API compatibility issues due to breaking changes.
- Update go-libp2p from v0.39.1 to v0.41.1 and go-multiaddr to v0.15.0
- Handle type conversion and error checking for Multiaddr creation in node/builder.go and cli/miner/run.go
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| node/builder.go | Added error handling for Multiaddr creation and explicit conversion for APIEndpoint assignment |
| go.mod | Updated dependency versions to align with latest releases |
| cli/miner/run.go | Added error handling for Multiaddr creation with updated conversion to APIEndpoint |
|
I believe this also supercedes #12912 but there is discussion about https://github.com/libp2p/go-libp2p-kad-dht that I'm not sure if is properly accounted for. |
|
This is also being done in preparation for #13169, where we assume a new go-libp2p release will come out. |
|
in We'll need to figure out how to address that, maybe there are new types we can use or we have to implement our own, or this test just needs to be refactored. The |
The API test was recursively checking all struct fields for interfaces that don't implement json.Marshaler, even when the containing struct itself implements json.Marshaler. This caused failures with the new go-multiaddr v0.15.0 which contains multiaddr.Transcoder interfaces deep within the data structures. When a struct implements json.Marshaler, it handles its own marshaling, so we don't need to validate its internal fields. Fixes unit-cli test failures introduced by go-libp2p v0.41.1 upgrade. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
I think this is ready for review now that CI is green. It would also be good to have a maintainer to check the release notes of 0.40 and 0.41 in https://github.com/libp2p/go-libp2p/releases . I didn't notice anything of concern. |
rvagg
approved these changes
Jun 13, 2025
github-project-automation
bot
moved this from 🔎 Awaiting Review
to ✔️ Approved by reviewer
in FilOz
github-project-automation
bot
moved this from ✔️ Approved by reviewer
to 🎉 Done
in FilOz
This was referenced Jun 13, 2025
BigLep
added a commit
that referenced
this pull request
Jun 30, 2025
Updates go-libp2p from v0.39.1 to v0.42.0. This builds on the work to update to 0.41.1 in #13173 and validates the draft PR submitted in #13179. Key dependency updates: - go-yamux v4.0.2 → v5.0.1 (major version bump) - go-datastore v0.6.0 → v0.8.2 (API compatibility) - go-multiaddr v0.14.0 → v0.16.0 - go-ds-badger2 v0.1.3 → v0.1.5 (fixes API breaking change) - Multiple golang.org/x/* standard library updates All changes maintain API compatibility with existing lotus code. Local testing shows successful compilation and unit tests pass. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
1 task
BigLep
added a commit
that referenced
this pull request
Jun 30, 2025
* chore: update go-libp2p to v0.42.0 Updates go-libp2p from v0.39.1 to v0.42.0. This builds on the work to update to 0.41.1 in #13173 and validates the draft PR submitted in #13179. Key dependency updates: - go-yamux v4.0.2 → v5.0.1 (major version bump) - go-datastore v0.6.0 → v0.8.2 (API compatibility) - go-multiaddr v0.14.0 → v0.16.0 - go-ds-badger2 v0.1.3 → v0.1.5 (fixes API breaking change) - Multiple golang.org/x/* standard library updates All changes maintain API compatibility with existing lotus code. Local testing shows successful compilation and unit tests pass. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: update CHANGELOG.md for go-libp2p v0.42.0 * chore: update Go version to 1.23.10 and remove toolchain directive * chore: update all Go version references to 1.23.10 - Update GO_VERSION_MIN to enforce 1.23.10 minimum - Update .go-version for version managers - Update README.md badge and documentation - Update installation example to use 1.23.10 This follows the lotus standard practice of updating all Go version files together for consistency across the codebase. * chore: update Dockerfile to use Go 1.23.10 Updates the Docker base image from golang:1.23.7-bullseye to golang:1.23.10-bullseye to match the updated Go version requirements. * chore: run go mod tidy to clean up unused checksums Removes checksums for modules that are no longer needed after the go-libp2p v0.42.0 update and Go 1.23.10 version bump. * chore: remove .go-version from tracking and add to .gitignore The .go-version file is developer-specific and should not be tracked in version control. Developers can create their own local .go-version file for their preferred Go version manager (gvm, g, etc.). * fix(docker): update Rust version to 1.86.0 to match filecoin-ffi requirements The filecoin-ffi submodule now requires Rust 1.86.0 as specified in rust-toolchain.toml, but the Dockerfile was still using Rust 1.63.0, causing Docker builds to fail during the 'make clean deps' step when trying to update the Rust toolchain. Also add changelog entry for Go version update to 1.23.10. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Changes Made
node/builder.goandcli/miner/run.goto handle the new concrete Multiaddr type (previously was an interface)Test Plan
go mod tidymake clean allmake unittestsgo vetThis supersedes the draft PR #12921 and brings Lotus up to the stable v0.41.1 release of go-libp2p.
🤖 Generated with Claude Code