Bump github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0 #85

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/ethereum/go-ethereum-1.17.0

@dependabot dependabot Bot commented on behalf of github Apr 15, 2026

Bumps github.com/ethereum/go-ethereum from 1.16.8 to 1.17.0.

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Eezo-Inlaid Circuitry (v1.17.0)

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now supports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing. We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI

  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)

Fork Implementation

... (truncated)

Commits
  • 0cf3d3b version: release go-ethereum v1.17.0 stable
  • 9b78f45 crypto/secp256k1: fix coordinate check
  • c709c19 eth/catalyst: add initial OpenTelemetry tracing for newPayload (#33521)
  • 550ca91 consensus/misc: hardening header verification (#33860)
  • a4b3898 internal/telemetry: don't create internal spans without parents (#33780)
  • 0cba803 eth/protocols/eth, eth/protocols/snap: delayed p2p message decoding (#33835)
  • ad88b68 internal/download: show progress bar only if server gives length (#33842)
  • c50e5ed cmd/geth, internal/telemetry: wire OpenTelemetry tracing via CLI flags (#33484)
  • d8b92cb rpc,internal/telemetry: fix deferred spanEnd to capture errors via pointer (#...
  • ac85a6f rlp: add back Iterator.Count, with fixes (#33841)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Apr 15, 2026

Bumps [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum) from 1.16.8 to 1.17.0.
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.16.8...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/ethereum/go-ethereum-1.17.0 branch from d400eae to 42c21e1 Compare April 15, 2026 20:19
@alexchen-security

Just a note in case it helps — I was testing the go-ethereum 1.16.8 → 1.17.x migration path for a similar project and ran into a couple of things:

  1. eth.SyncProgress struct changed in 1.17.0 — the HighestBlock field was replaced with a new progress reporting mechanism. If goutils references SyncProgress fields anywhere, those may need updating.

  2. The bind.TransactOpts gas estimation behavior changed slightly in 1.17.x — it now uses EIP-1559 fee estimation by default on chains that support it, which can cause different gas values than 1.16.x.

  3. ethclient.Client connection handling was refactored — reconnect behavior is slightly different, which may affect long-running gRPC/websocket connections.

Might be worth running the full test suite against 1.17.0 before merging to catch any subtle breakages. Happy to help test if needed.

@alexchen-security

Also worth noting — go-ethereum v1.17.0 includes fixes for three CVEs:

Since goutils currently pins 1.16.8, any downstream project (including agent-pay) inherits these vulnerabilities. The release notes recommend upgrading to at least 1.16.9 (security-only backport) or 1.17.0+.

This Dependabot PR to 1.17.0 would resolve all three. Might be worth prioritizing the merge.

@alexchen-security

@hhl42 Just wanted to flag this — the three CVEs mentioned above (CVE-2026-26313/14/15) affect all projects pinning go-ethereum < 1.16.9. Since agent-pay also depends on goutils, it inherits the same exposure.

The v1.17.0 release notes specifically recommend recreating the p2p node key after upgrading. Might be worth coordinating this Dependabot merge with the agent-pay dependency update you did recently.

Happy to help test compatibility if useful.
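
A check for the exposure discussed in this thread, as an added example (not code from this PR, goutils or go-ethereum): it reads go.mod text and reports whether the go-ethereum pin predates v1.16.9, the security-only backport named in the quoted release notes. The `example.com/goutils` module path and the function names are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const module = "github.com/ethereum/go-ethereum"
// fixedIn is the security-only backport named in the quoted release notes.
var fixedIn = [3]int{1, 16, 9}

// pinnedVersion returns the version from a require directive (line or block form), or "".
func pinnedVersion(gomod string) string {
	block := ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[1] == "(" {
			block = f[0] // entering "require (", "replace (", ...
		} else if len(f) > 0 && f[0] == ")" {
			block = ""
		} else if len(f) >= 3 && f[0] == "require" && f[1] == module {
			return f[2]
		} else if block == "require" && len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// needsUpgrade reports whether the pin predates fixedIn; anything but a plain vX.Y.Z pin is an error.
func needsUpgrade(gomod string) (bool, error) {
	v, got := pinnedVersion(gomod), [3]int{}
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2])
	if n != 3 || fmt.Sprintf("v%d.%d.%d", got[0], got[1], got[2]) != v {
		return false, fmt.Errorf("no plain vX.Y.Z pin (got %q): review manually", v)
	}
	for i := range got {
		if got[i] != fixedIn[i] {
			return got[i] < fixedIn[i], nil
		}
	}
	return false, nil
}

func main() {
	// Constructed go.mod with a placeholder module path.
	fmt.Println(needsUpgrade("module example.com/goutils\n\nrequire " + module + " v1.16.8\n"))
}
```

For modules declaring go 1.17 or later, go.mod also lists indirect requirements, so running this on a downstream module's go.mod covers a go-ethereum version pulled in through another dependency. Pre-release and pseudo-versions are returned as errors rather than guessed at.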
