chore: update kubo v0.41.0 #133

Open
D4ryl00 wants to merge 3 commits into berty:main from D4ryl00:chore/update-kubo-v0.41.0

D4ryl00 (Collaborator) commented Jun 3, 2026

Summary

  • Upgrade Go to 1.26.3, kubo to v0.41.0, libp2p to v0.48.0, go-ds-badger2 to v0.1.5
  • Add Path() string method to RepoMobile to satisfy the updated repo.Repo interface introduced in kubo v0.41.0
  • Replace removed DefaultBootstrapAddresses with AutoPlaceholder
  • Fix NewRepoMobile call to pass the repo directory instead of the sqlite file path (kubo now calls Path() to create keystore subdirectories)

Dependencies

- upgrade go 1.26.3, kubo v0.41.0, libp2p v0.48.0, go-ds-badger2 v0.1.5
- add Path() method to RepoMobile (new in repo.Repo interface, kubo v0.41.0)
- replace DefaultBootstrapAddresses with AutoPlaceholder (removed upstream)
- pass repo directory instead of sqlite file path to NewRepoMobile

Signed-off-by: D4ryl00 <d4ryl00@gmail.com>

D4ryl00 self-assigned this Jun 3, 2026

guardrails Bot commented Jun 3, 2026

⚠️ We detected 22 security issues in this pull request:

Vulnerable Libraries (22)
Severity Details
High pkg:golang/github.com/ipfs/go-log/v2@v2.9.1 upgrade to: > v2.9.1
Critical pkg:golang/github.com/ipfs/kubo@v0.41.0 upgrade to: > v0.41.0
Critical pkg:golang/github.com/ipfs/go-cid@v0.6.1 upgrade to: > v0.6.1
Critical pkg:golang/github.com/dgraph-io/badger/v2@v2.2007.4 upgrade to: > v2.2007.4
Critical pkg:golang/github.com/ipfs/go-ipld-cbor@v0.2.1 upgrade to: > v0.2.1
High pkg:golang/github.com/stretchr/testify@v1.11.1 upgrade to: > v1.11.1
Critical pkg:golang/google.golang.org/grpc@v1.79.3 upgrade to: > v1.79.3
High pkg:golang/golang.org/x/tools@v0.44.0 upgrade to: > v0.44.0
N/A pkg:golang/golang.org/x/crypto@v0.50.0 upgrade to: 0.52.0
High pkg:golang/go.uber.org/zap@v1.27.1 upgrade to: > v1.27.1
Critical pkg:golang/github.com/multiformats/go-multiaddr@v0.16.1 upgrade to: > v0.16.1
Critical pkg:golang/github.com/libp2p/go-libp2p-pubsub@v0.15.0 upgrade to: > v0.15.0
High pkg:golang/github.com/prometheus/client_golang@v1.23.2 upgrade to: > v1.23.2
Critical pkg:golang/berty.tech/go-orbit-db@v1.22.3-0.20260603105145-e1cb4a9a9a7f upgrade to: > v1.22.3-0.20260603105145-e1cb4a9a9a7f
High pkg:golang/github.com/ipfs/go-datastore@v0.9.1 upgrade to: > v0.9.1
Critical pkg:golang/github.com/multiformats/go-multiaddr-dns@v0.5.0 upgrade to: > v0.5.0
Critical pkg:golang/github.com/ipfs/go-ds-badger2@v0.1.5 upgrade to: > v0.1.5
High pkg:golang/google.golang.org/protobuf@v1.36.11 upgrade to: > v1.36.11
Critical pkg:golang/berty.tech/go-ipfs-repo-encrypted@v1.3.1-0.20260601130618-6d410a1fc4a3 upgrade to: > v1.3.1-0.20260601130618-6d410a1fc4a3
Critical pkg:golang/github.com/libp2p/go-libp2p@v0.48.0 upgrade to: > v0.48.0
Critical pkg:golang/github.com/libp2p/go-libp2p-kad-dht@v0.39.1 upgrade to: > v0.39.1
Critical pkg:golang/berty.tech/go-ipfs-log@v1.10.3-0.20260601132612-e987bfe3f584 upgrade to: > v1.10.3-0.20260601132612-e987bfe3f584


D4ryl00 added 2 commits June 4, 2026 01:07
golangci-lint 1.59.1 cannot read go1.26 export data ("unsupported
version: 2"). Bump it to 2.12.2 and migrate the config to the v2 format.

Fix the issues newly surfaced by the updated staticcheck/gosec rules:
- rename builtin-shadowing vars (max, clear)
- migrate deprecated cfg.Reprovider to cfg.Provide (kubo v0.41)
- fix non-constant format string in fmt.Errorf
- exclude noisy gosec G115 (safe int conversions) and annotate the
  G118 false positive (cancel is tracked and called elsewhere)

Signed-off-by: D4ryl00 <d4ryl00@gmail.com>

kubo v0.41 changed two defaults that broke weshnet:

- Bitswap broadcast control is now enabled by default, reducing the set
  of peers a WANT is broadcast to based on prior block-serving history.
  In weshnet's small meshes a freshly connected peer is never asked for
  blocks, so orbitdb log entries never replicate (heads arrive over
  pubsub but the entries can't be fetched). Disable broadcast control in
  the base config and in the test repo to restore broadcast-to-all.

- The DHT sweeping reprovider is now enabled by default and keeps a
  dedicated keystore datastore whose lock is not released synchronously
  on node Close, making a persistent repo fail to reopen ("resource
  temporarily unavailable"). Disable it for persistent repos.

Fixes the stable tests Test_Add_Messages_To_Cache, TestReactivate*,
and ExampleNewPersistentServiceClient_basic.

Signed-off-by: D4ryl00 <d4ryl00@gmail.com>

D4ryl00 marked this pull request as ready for review June 3, 2026 23:33
D4ryl00 requested a review from jefft0 June 4, 2026 08:11

jefft0 (Contributor) commented Jun 4, 2026

@D4ryl00, what do you think about the recommended upgrades from guardrails?
#133 (comment)
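
An added example, not part of this thread or of the project's code: it parses rows in the format of the guardrails comment and separates those that name a concrete target version from those whose target is only "> current version", which give nothing to bump to. The sample rows are copied from that comment; the `Finding` type and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one row of the report (type name is an assumption of this example).
type Finding struct{ Severity, Module, Current, Target string }

// sampleReport: four rows copied from the bot comment, used as constructed input.
const sampleReport = `High pkg:golang/github.com/ipfs/go-log/v2@v2.9.1 upgrade to: > v2.9.1
Critical pkg:golang/github.com/ipfs/kubo@v0.41.0 upgrade to: > v0.41.0
N/A pkg:golang/golang.org/x/crypto@v0.50.0 upgrade to: 0.52.0
Critical pkg:golang/github.com/libp2p/go-libp2p@v0.48.0 upgrade to: > v0.48.0`

// ParseLine splits "<severity> pkg:golang/<module>@<version> upgrade to: <target>".
func ParseLine(line string) (Finding, bool) {
	left, target, ok := strings.Cut(strings.TrimSpace(line), " upgrade to: ")
	if !ok {
		return Finding{}, false
	}
	sev, purl, ok := strings.Cut(left, " pkg:golang/")
	at := strings.LastIndex(purl, "@") // module paths may contain "/v2"; the version follows the last "@"
	if !ok || at < 0 {
		return Finding{}, false
	}
	return Finding{sev, purl[:at], purl[at+1:], strings.TrimSpace(target)}, true
}

// Triage returns "go get" commands for concrete targets and the "> current" rows for manual review.
func Triage(report string) (bump []string, review []Finding) {
	for _, line := range strings.Split(report, "\n") {
		f, ok := ParseLine(line)
		switch {
		case !ok: // header or blank line, skip
		case strings.HasPrefix(f.Target, ">"):
			review = append(review, f)
		default:
			bump = append(bump, "go get "+f.Module+"@v"+strings.TrimPrefix(f.Target, "v"))
		}
	}
	return bump, review
}

func main() {
	bump, review := Triage(sampleReport)
	fmt.Printf("bump: %v\nmanual review: %d rows\n", bump, len(review))
}
```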
