fix(deps): update all dependencies #186

wants to merge 1 commit into
base: master

@renovate renovate bot commented Mar 4, 2025

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| github.com/evanw/esbuild | v0.25.4 -> v0.25.5 | require | patch |
| github.com/libp2p/go-libp2p | v0.41.1 -> v0.42.0 | require | minor |
| github/codeql-action | v3.28.18 -> v3.29.0 | action | minor |
| go (source) | 1.24.3 -> 1.24.4 | toolchain | patch |
| golang.org/x/tools | v0.33.0 -> v0.34.0 | require | minor |

Release Notes

evanw/esbuild (github.com/evanw/esbuild)

v0.25.5

Compare Source

  • Fix a regression with browser in package.json (#​4187)

    The fix to #​4144 in version 0.25.3 introduced a regression that caused browser overrides specified in package.json to fail to override relative path names that end in a trailing slash. That behavior change affected the [email protected] package. This regression has been fixed, and now has test coverage.

  • Add support for certain keywords as TypeScript tuple labels (#​4192)

    Previously esbuild could incorrectly fail to parse certain keywords as TypeScript tuple labels that are parsed by the official TypeScript compiler if they were followed by a ? modifier. These labels included function, import, infer, new, readonly, and typeof. With this release, these keywords will now be parsed correctly. Here's an example of some affected code:

    type Foo = [
      value: any,
      readonly?: boolean, // This is now parsed correctly
    ]

  • Add CSS prefixes for the stretch sizing value (#4184)

    This release adds support for prefixing CSS declarations such as div { width: stretch }. That CSS is now transformed into this depending on what the --target= setting includes:

    div {
      width: -webkit-fill-available;
      width: -moz-available;
      width: stretch;
    }

libp2p/go-libp2p (github.com/libp2p/go-libp2p)

v0.42.0

Compare Source

⚠ Breaking Changes

Added a new method, VerifySourceAddress(net.Addr) bool, to the Resource Manager interface.
For more details see the Source Address Verification section.

For custom implementations that want to opt out of Source Address Verification and keep the existing behavior, return false from the method.

🔦 Highlights

Per Address Reachability via AutoNAT v2

libp2p hosts can now determine reachability for individual addresses using AutoNATV2. To opt in to reachability checking, use the EnableAutoNATv2 libp2p option. Using this, nodes can now determine their IPv4, IPv6, and browser address reachability separately. In a future release, AutoRelay will use this information and make appropriate relay reservations accordingly. https://pkg.go.dev/github.com/libp2p/go-libp2p#EnableAutoNATv2

To query addresses by their reachability, use ConfirmedAddrs() (reachable, unreachable, unknown []ma.Multiaddr), which provides reachability information per host address. https://pkg.go.dev/github.com/libp2p/go-libp2p/p2p/host/basic#BasicHost.ConfirmedAddrs
For notifications, subscribe to the event event.EvtHostReachableAddrsChanged https://pkg.go.dev/github.com/libp2p/go-libp2p/core/event#EvtHostReachableAddrsChanged

Rate Limiting

We've introduced the package github.com/libp2p/go-libp2p/x/rate for rate limiting. The struct rate.Limiter provides Global, Network Specific, and Subnet Specific rate limiting. The Subnet Specific rate limits allow for better DoS protection by rate limiting malicious IPs. https://pkg.go.dev/github.com/libp2p/go-libp2p/x/rate

Use Limit(f func(s network.Stream)) func(s network.Stream) on Limiter to limit specific stream handlers. For example, within libp2p, the Identify Service uses this as
ids.Host.SetStreamHandler(IDPush, ids.rateLimiter.Limit(ids.handlePush)) to rate limit the number of times peers can perform identify push.

For non-Stream use cases, use the Allow(ip) method on the limiter.

Connection Rate Limiting

New connection requests are now rate limited per IP. By default we allow 1 connection every 5 seconds from an IP address with a burst of 16 connections per IP. The burst is high enough that this should only block malicious peers.

To configure the connection rate limits, use the WithConnRateLimiters option on the Resource Manager. https://pkg.go.dev/github.com/libp2p/go-libp2p/p2p/host/resource-manager#WithConnRateLimiters

Source Address Verification for QUIC

This release introduces Source Address Verification for QUIC, preventing DoS attacks by spoofing IP addresses. See: https://www.rfc-editor.org/rfc/rfc9000.html#section-8 for details.

We are now gating incoming QUIC connections before the handshake is started. This further improves DoS protection by not wasting CPU on handshaking QUIC connections which would have been dropped by the Resource Manager.

Other changes
  • WebRTC Direct peers can now send messages of up to 256 kB (see spec: https://github.com/libp2p/specs/pull/628)
  • Refactored the addressing code within BasicHost and moved it into Address Manager. In a future release, this will be exposed to users with an improved Address API for the libp2p Host.

What's Changed

New Contributors

Full Changelog: libp2p/go-libp2p@v0.41.0...v0.42.0

github/codeql-action (github/codeql-action)

v3.29.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.0 - 11 Jun 2025

  • Update default CodeQL bundle version to 2.22.0. #​2925
  • Bump minimum CodeQL bundle version to 2.16.6. #​2912

See the full CHANGELOG.md for more information.

v3.28.19

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.19 - 03 Jun 2025
  • The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview.
    The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned
    your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
    actions analysis.
  • Update default CodeQL bundle version to 2.21.4. #​2910

See the full CHANGELOG.md for more information.

golang/go (go)

v1.24.4


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
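
The default connection limit described in the go-libp2p v0.42.0 notes above (1 connection every 5 seconds per IP, burst of 16), modelled with the Go standard library only. This is an added example, not code from go-libp2p or from this PR; `ConnLimiter`, `NewConnLimiter`, and the grouping of IPv6 addresses by /64 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// ConnLimiter is a hypothetical stand-in, not go-libp2p's rate.Limiter.
type ConnLimiter struct {
	mu           sync.Mutex
	every, limit time.Duration              // cost of one connection; burst expressed as time
	v6Bits       int                        // IPv6 prefix length sharing one allowance (assumption)
	fullAt       map[netip.Prefix]time.Time // when a key's allowance is whole again
}

func NewConnLimiter(every time.Duration, burst, v6Bits int) *ConnLimiter {
	return &ConnLimiter{every: every, limit: time.Duration(burst) * every, v6Bits: v6Bits, fullAt: map[netip.Prefix]time.Time{}}
}

// Allow reports whether a new connection from ip is admitted at time now.
func (l *ConnLimiter) Allow(ip netip.Addr, now time.Time) bool {
	ip, bits := ip.Unmap(), 32 // ::ffff:a.b.c.d counts as IPv4, limited per address
	if ip.Is6() {
		bits = l.v6Bits // a whole IPv6 subnet shares one allowance
	}
	key, err := ip.Prefix(bits)
	if err != nil || !ip.IsValid() {
		return false // fail closed on unusable input
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	full := l.fullAt[key] // zero time for a key not seen before
	if full.Before(now) {
		full = now
	}
	if full.Add(l.every).Sub(now) > l.limit {
		return false // admitting would exceed the burst; state is unchanged
	}
	l.fullAt[key] = full.Add(l.every)
	return true
}

func main() {
	l, ip := NewConnLimiter(5*time.Second, 16, 64), netip.MustParseAddr("192.0.2.10")
	for i := 1; i <= 18; i++ {
		fmt.Println("attempt", i, "admitted:", l.Allow(ip, time.Unix(0, 0)))
	}
}
```

The map gains an entry for every distinct source, so a deployed limiter also needs to evict idle keys.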

@renovate renovate bot force-pushed the renovate/all branch 10 times, most recently from 696e194 to bb45447 Compare March 10, 2025 19:49
@renovate renovate bot force-pushed the renovate/all branch 10 times, most recently from ec3c091 to fbb3f3d Compare March 17, 2025 22:37
@renovate renovate bot force-pushed the renovate/all branch 9 times, most recently from e54b752 to 681271d Compare March 25, 2025 23:37
@renovate renovate bot changed the title fix(deps): update all dependencies - autoclosed fix(deps): update all dependencies May 20, 2025
@renovate renovate bot reopened this May 20, 2025
@renovate renovate bot force-pushed the renovate/all branch 5 times, most recently from b057ef5 to 7a8ffbc Compare May 27, 2025 22:42
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from b4289e3 to 56af09c Compare May 30, 2025 21:26
@renovate renovate bot force-pushed the renovate/all branch 7 times, most recently from 76424ca to f6dda5f Compare June 12, 2025 10:48
@renovate renovate bot force-pushed the renovate/all branch 10 times, most recently from e70fdb7 to a085730 Compare June 18, 2025 21:02
renovate bot commented Jun 23, 2025

ℹ Artifact update notice

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/libp2p/go-libp2p | v0.41.1 -> v0.42.0 |
| github.com/libp2p/go-yamux/v5 | v5.0.0 -> v5.0.1 |
| github.com/multiformats/go-multiaddr | v0.15.0 -> v0.16.0 |
| github.com/multiformats/go-multicodec | v0.9.0 -> v0.9.1 |
| github.com/multiformats/go-multistream | v0.6.0 -> v0.6.1 |
| github.com/prometheus/client_golang | v1.21.1 -> v1.22.0 |
| github.com/prometheus/client_model | v0.6.1 -> v0.6.2 |
| github.com/prometheus/common | v0.62.0 -> v0.64.0 |
| github.com/prometheus/procfs | v0.15.1 -> v0.16.1 |
| golang.org/x/crypto | v0.37.0 -> v0.39.0 |
| golang.org/x/exp | v0.0.0-20250305212735-054e65f0b394 -> v0.0.0-20250606033433-dcc06ee1d476 |
| golang.org/x/mod | v0.24.0 -> v0.25.0 |
| golang.org/x/sync | v0.14.0 -> v0.15.0 |
| golang.org/x/text | v0.24.0 -> v0.26.0 |
| lukechampine.com/blake3 | v1.4.0 -> v1.4.1 |
