Skip to content

Comments

build(deps): Bump the all-go group across 4 directories with 2 updates#3100

Merged
julienrbrt merged 2 commits intomainfrom
dependabot/go_modules/apps/evm/all-go-740309fc33
Feb 24, 2026
Merged

build(deps): Bump the all-go group across 4 directories with 2 updates#3100
julienrbrt merged 2 commits intomainfrom
dependabot/go_modules/apps/evm/all-go-740309fc33

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 23, 2026

Bumps the all-go group with 1 update in the /apps/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 1 update in the /execution/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/ethereum/go-ethereum and github.com/celestiaorg/tastora.
Bumps the all-go group with 1 update in the /test/e2e directory: github.com/celestiaorg/tastora.

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits
  • 0cf3d3b version: release go-ethereum v1.17.0 stable
  • 9b78f45 crypto/secp256k1: fix coordinate check
  • c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
  • 550ca91 consensus/misc: hardening header verification (#33860)
  • a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
  • 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
  • ad88b68 internal/download: show progress bar only if server gives length (#33842)
  • c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
  • d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
  • ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
  • Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits
  • 0cf3d3b version: release go-ethereum v1.17.0 stable
  • 9b78f45 crypto/secp256k1: fix coordinate check
  • c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
  • 550ca91 consensus/misc: hardening header verification (#33860)
  • a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
  • 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
  • ad88b68 internal/download: show progress bar only if server gives length (#33842)
  • c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
  • d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
  • ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
  • Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now suports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits
  • 0cf3d3b version: release go-ethereum v1.17.0 stable
  • 9b78f45 crypto/secp256k1: fix coordinate check
  • c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
  • 550ca91 consensus/misc: hardening header verification (#33860)
  • a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
  • 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
  • ad88b68 internal/download: show progress bar only if server gives length (#33842)
  • c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
  • d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
  • ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
  • Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.12.0 to 0.15.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.15.0

What's Changed

Full Changelog: celestiaorg/tastora@v0.14.0...v0.15.0

v0.14.0

What's Changed

Full Changelog: celestiaorg/tastora@v0.13.0...v0.14.0

Commits
  • 0818706 feat: add support for Jaeger as OTLP backend (#180)
  • b7053fb feat: add start /stop / remvoe functions to da network (#177)
  • 8590eab feat: Adding support to deploy Spamoor within tastora (#179)
  • 95c3581 feat: add hyperlane forward relayer support
  • f5f7e6d chore: lint fix
  • 43ec11f chore: use v0.1.0 image tag
  • 9e10057 chore: cancel the context inside test cleanup
  • 340b537 chore: address url parsing with normalization
  • 0125c9d test: add sanity test for forward relayer and backend startup
  • 8f58213 chore: address PR feedback
  • Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.14.0 to 0.15.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.15.0

What's Changed

Full Changelog: celestiaorg/tastora@v0.14.0...v0.15.0

v0.14.0

What's Changed

Full Changelog: celestiaorg/tastora@v0.13.0...v0.14.0

Commits
  • 0818706 feat: add support for Jaeger as OTLP backend (#180)
  • b7053fb feat: add start /stop / remvoe functions to da network (#177)
  • 8590eab feat: Adding support to deploy Spamoor within tastora (#179)
  • 95c3581 feat: add hyperlane forward relayer support
  • f5f7e6d chore: lint fix
  • 43ec11f chore: use v0.1.0 image tag
  • 9e10057 chore: cancel the context inside test cleanup
  • 340b537 chore: address url parsing with normalization
  • 0125c9d test: add sanity test for forward relayer and backend startup
  • 8f58213 chore: address PR feedback
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all-go group with 1 update in the /apps/evm directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).
Bumps the all-go group with 1 update in the /execution/evm directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum).
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum) and [github.com/celestiaorg/tastora](https://github.com/celestiaorg/tastora).
Bumps the all-go group with 1 update in the /test/e2e directory: [github.com/celestiaorg/tastora](https://github.com/celestiaorg/tastora).


Updates `github.com/ethereum/go-ethereum` from 1.16.8 to 1.17.0
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.16.8...v1.17.0)

Updates `github.com/ethereum/go-ethereum` from 1.16.8 to 1.17.0
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.16.8...v1.17.0)

Updates `github.com/ethereum/go-ethereum` from 1.16.8 to 1.17.0
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.16.8...v1.17.0)

Updates `github.com/celestiaorg/tastora` from 0.12.0 to 0.15.0
- [Release notes](https://github.com/celestiaorg/tastora/releases)
- [Commits](celestiaorg/tastora@v0.12.0...v0.15.0)

Updates `github.com/celestiaorg/tastora` from 0.14.0 to 0.15.0
- [Release notes](https://github.com/celestiaorg/tastora/releases)
- [Commits](celestiaorg/tastora@v0.12.0...v0.15.0)

---
updated-dependencies:
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/celestiaorg/tastora
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/celestiaorg/tastora
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
...

Signed-off-by: dependabot[bot] <support@github.com>
@claude
Copy link
Contributor

claude bot commented Feb 24, 2026

Claude finished @julienrbrt's task in 1m 21s —— View job


Code Review: Dependency Bump PR

  • Gather context and analyze PR changes
  • Review dependency version changes
  • Check CI status
  • Assess security implications
  • Provide final review

Summary

This is a routine Dependabot dependency update across 4 Go modules. The changes are confined entirely to go.mod and go.sum files — no source code is modified.

Security — go-ethereum v1.16.8 → v1.17.0

This update should be prioritized and merged promptly. go-ethereum v1.17.0 contains critical security fixes for three CVEs:

CVE Advisory
CVE-2026-26313 GHSA-689v-6xwf-5jf3
CVE-2026-26314 GHSA-2gjw-fg97-vg3r
CVE-2026-26315 GHSA-m6j8-rg6r-7mv8

The upgrade affects apps/evm, execution/evm, and test/docker-e2e.

Note: The go-ethereum release recommends regenerating the p2p node key after upgrading (remove DATADIR/geth/nodekey). This is only relevant for running geth nodes — if this project only uses go-ethereum as a library, no action is needed.

Dependency Cleanup

The v1.17.0 upgrade transitively removes several no-longer-needed packages (Verkle tree support was removed from go-ethereum's default dependency surface):

  • github.com/crate-crypto/go-ipa
  • github.com/ethereum/go-verkle
  • github.com/mattn/go-runewidth
  • github.com/olekukonko/tablewriter
  • github.com/rivo/uniseg

This is a net positive — fewer indirect dependencies reduces attack surface.

tastora Updates

  • test/docker-e2e: v0.12.0 → v0.15.0 (3 minor version jump)
  • test/e2e: v0.14.0 → v0.15.0 (single minor version)

Changes are additive feature additions only (no breaking changes):

  • v0.13.0: Spamoor deployment support
  • v0.14.0: (no separate entry, same as v0.13.0 changelog above for docker-e2e)
  • v0.15.0: DA network start/stop/remove functions + Jaeger OTLP backend support

Observations

  • The test/docker-e2e tastora bump (v0.12.0 → v0.15.0) skips v0.13.0; this is consistent with the Dependabot grouping strategy and is fine since all changes between those versions are non-breaking.
  • go.sum line counts decrease significantly (net −69 lines), confirming the transitive dep cleanup is real.
  • CI is currently queued/in-progress.

Verdict

Approve. This is a straightforward, well-scoped dependency upgrade. The security fixes in go-ethereum make it important to merge promptly. No code changes; only go.mod/go.sum updates across the expected modules. Already approved by @julienrbrt.

@julienrbrt julienrbrt enabled auto-merge February 24, 2026 09:51
@github-actions
Copy link
Contributor

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped✅ passed✅ passedFeb 24, 2026, 9:52 AM

@codecov
Copy link

codecov bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.93%. Comparing base (81d3558) to head (d9505cd).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3100   +/-   ##
=======================================
  Coverage   60.93%   60.93%           
=======================================
  Files         113      113           
  Lines       11617    11617           
=======================================
  Hits         7079     7079           
  Misses       3739     3739           
  Partials      799      799           
Flag Coverage Δ
combined 60.93% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@julienrbrt julienrbrt added this pull request to the merge queue Feb 24, 2026
Merged via the queue into main with commit 6a6c2a0 Feb 24, 2026
29 checks passed
@julienrbrt julienrbrt deleted the dependabot/go_modules/apps/evm/all-go-740309fc33 branch February 24, 2026 10:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant