build(deps): Bump the all-go group across 4 directories with 2 updates

[dependabot]

Bumps the all-go group with 1 update in the /apps/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 1 update in the /execution/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/ethereum/go-ethereum and github.com/celestiaorg/tastora.
Bumps the all-go group with 1 update in the /test/e2e directory: github.com/celestiaorg/tastora.

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

• The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
• There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
• Geth now supports continuous profiling with Grafana Pyroscope (#33623)
• A rare bug that could halt block production in geth --dev mode was fixed (#33146)
• A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
• geth --exitwhensynced will now set the finalized and safe block (#33038)
• geth --ethstats now reports the newPayload processing time to the stats server (#33395)
• A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
• The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits

• 0cf3d3b version: release go-ethereum v1.17.0 stable
• 9b78f45 crypto/secp256k1: fix coordinate check
• c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
• 550ca91 consensus/misc: hardening header verification (#33860)
• a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
• 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
• ad88b68 internal/download: show progress bar only if server gives length (#33842)
• c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
• d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
• ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
• Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

• The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
• There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
• Geth now supports continuous profiling with Grafana Pyroscope (#33623)
• A rare bug that could halt block production in geth --dev mode was fixed (#33146)
• A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
• geth --exitwhensynced will now set the finalized and safe block (#33038)
• geth --ethstats now reports the newPayload processing time to the stats server (#33395)
• A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
• The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits

• 0cf3d3b version: release go-ethereum v1.17.0 stable
• 9b78f45 crypto/secp256k1: fix coordinate check
• c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
• 550ca91 consensus/misc: hardening header verification (#33860)
• a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
• 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
• ad88b68 internal/download: show progress bar only if server gives length (#33842)
• c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
• d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
• ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
• Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

• The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
• There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
• Geth now supports continuous profiling with Grafana Pyroscope (#33623)
• A rare bug that could halt block production in geth --dev mode was fixed (#33146)
• A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
• geth --exitwhensynced will now set the finalized and safe block (#33038)
• geth --ethstats now reports the newPayload processing time to the stats server (#33395)
• A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
• The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits

• 0cf3d3b version: release go-ethereum v1.17.0 stable
• 9b78f45 crypto/secp256k1: fix coordinate check
• c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
• 550ca91 consensus/misc: hardening header verification (#33860)
• a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
• 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
• ad88b68 internal/download: show progress bar only if server gives length (#33842)
• c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
• d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
• ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
• Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.12.0 to 0.15.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.15.0

What's Changed

• feat: add start / stop / remove functions to da network by @​chatton in celestiaorg/tastora#177
• feat: add support for Jaeger as OTLP backend by @​chatton in celestiaorg/tastora#180

Full Changelog: celestiaorg/tastora@v0.14.0...v0.15.0

v0.14.0

What's Changed

• feat: Adding support to deploy Spamoor within tastora by @​chatton in celestiaorg/tastora#179

Full Changelog: celestiaorg/tastora@v0.13.0...v0.14.0

Commits

• 0818706 feat: add support for Jaeger as OTLP backend (#180)
• b7053fb feat: add start /stop / remvoe functions to da network (#177)
• 8590eab feat: Adding support to deploy Spamoor within tastora (#179)
• 95c3581 feat: add hyperlane forward relayer support
• f5f7e6d chore: lint fix
• 43ec11f chore: use v0.1.0 image tag
• 9e10057 chore: cancel the context inside test cleanup
• 340b537 chore: address url parsing with normalization
• 0125c9d test: add sanity test for forward relayer and backend startup
• 8f58213 chore: address PR feedback
• Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.14.0 to 0.15.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.15.0

What's Changed

• feat: add start / stop / remove functions to da network by @​chatton in celestiaorg/tastora#177
• feat: add support for Jaeger as OTLP backend by @​chatton in celestiaorg/tastora#180

Full Changelog: celestiaorg/tastora@v0.14.0...v0.15.0

v0.14.0

What's Changed

• feat: Adding support to deploy Spamoor within tastora by @​chatton in celestiaorg/tastora#179

Full Changelog: celestiaorg/tastora@v0.13.0...v0.14.0

Commits

• 0818706 feat: add support for Jaeger as OTLP backend (#180)
• b7053fb feat: add start /stop / remvoe functions to da network (#177)
• 8590eab feat: Adding support to deploy Spamoor within tastora (#179)
• 95c3581 feat: add hyperlane forward relayer support
• f5f7e6d chore: lint fix
• 43ec11f chore: use v0.1.0 image tag
• 9e10057 chore: cancel the context inside test cleanup
• 340b537 chore: address url parsing with normalization
• 0125c9d test: add sanity test for forward relayer and backend startup
• 8f58213 chore: address PR feedback
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[claude]

Claude finished @julienrbrt's task in 1m 21s —— View job

---

Code Review: Dependency Bump PR

• Gather context and analyze PR changes
• Review dependency version changes
• Check CI status
• Assess security implications
• Provide final review

---

Summary

This is a routine Dependabot dependency update across 4 Go modules. The changes are confined entirely to go.mod and go.sum files — no source code is modified.

Security — go-ethereum v1.16.8 → v1.17.0

This update should be prioritized and merged promptly. go-ethereum v1.17.0 contains critical security fixes for three CVEs:

CVE	Advisory
CVE-2026-26313	GHSA-689v-6xwf-5jf3
CVE-2026-26314	GHSA-2gjw-fg97-vg3r
CVE-2026-26315	GHSA-m6j8-rg6r-7mv8

The upgrade affects apps/evm, execution/evm, and test/docker-e2e.

Note: The go-ethereum release recommends regenerating the p2p node key after upgrading (remove DATADIR/geth/nodekey). This is only relevant for running geth nodes — if this project only uses go-ethereum as a library, no action is needed.

Dependency Cleanup

The v1.17.0 upgrade transitively removes several no-longer-needed packages (Verkle tree support was removed from go-ethereum's default dependency surface):

• github.com/crate-crypto/go-ipa
• github.com/ethereum/go-verkle
• github.com/mattn/go-runewidth
• github.com/olekukonko/tablewriter
• github.com/rivo/uniseg

This is a net positive — fewer indirect dependencies reduces attack surface.

tastora Updates

• test/docker-e2e: v0.12.0 → v0.15.0 (3 minor version jump)
• test/e2e: v0.14.0 → v0.15.0 (single minor version)

Changes are additive feature additions only (no breaking changes):

• v0.13.0: Spamoor deployment support
• v0.14.0: (no separate entry, same as v0.13.0 changelog above for docker-e2e)
• v0.15.0: DA network start/stop/remove functions + Jaeger OTLP backend support

Observations

• The test/docker-e2e tastora bump (v0.12.0 → v0.15.0) skips v0.13.0; this is consistent with the Dependabot grouping strategy and is fine since all changes between those versions are non-breaking.
• go.sum line counts decrease significantly (net −69 lines), confirming the transitive dep cleanup is real.
• CI is currently queued/in-progress.

Verdict

Approve. This is a straightforward, well-scoped dependency upgrade. The security fixes in go-ethereum make it important to merge promptly. No code changes; only go.mod/go.sum updates across the expected modules. Already approved by @julienrbrt.

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Feb 24, 2026, 9:52 AM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.93%. Comparing base (81d3558) to head (d9505cd).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3100   +/-   ##
=======================================
  Coverage   60.93%   60.93%           
=======================================
  Files         113      113           
  Lines       11617    11617           
=======================================
  Hits         7079     7079           
  Misses       3739     3739           
  Partials      799      799           

Flag	Coverage Δ
combined	60.93% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.