You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Dependabot PR #3955 ostensibly bumped github.com/ipld/go-ipld-prime from 0.21.0 → 0.23.0, but in practice it pulled in a much larger change set that we can't accept passively. The PR has been closed; this issue tracks the work needed to land the underlying upgrades intentionally.
New indirect dep: golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c
Transitive bumps across the IPFS/libp2p stack: go-cid 0.5→0.6, multibase 0.2→0.3, multicodec 0.9→0.10, varint 0.0.7→0.1, mr-tron/base58 1.2→1.3, polydawn/refmt 0.89.0 → 0.89.1-pre, plus the originally-targeted go-ipld-prime 0.21→0.23
Why CI fails
go: go.mod requires go >= 1.25.7 (running go 1.24.11; GOTOOLCHAIN=local)
ERROR: failed to build: process "/bin/sh -c go mod download" did not complete successfully
The client-build-test-publish job uses golang:1.24-alpine3.21 (and golang:1.24-bullseye for the binary stage) with GOTOOLCHAIN=local, so Go cannot auto-download a newer toolchain.
Review the changelog for breaking changes in ed25519, ssh, acme, chacha20, etc.
Search call sites in pkg/, internal/, cmd/ for affected APIs
Run the full test suite incl. integration
Telemetry decision
Decide whether to accept golang.org/x/telemetry as an indirect dep, or pin/replace it. (It is the Go toolchain's opt-in telemetry; usually benign as an indirect, but worth a deliberate ack.)
Regenerate the IPLD / libp2p stack bumps
Once Initial CircleCI setup #1 lands, Dependabot will reopen with a cleaner diff. Review go-ipld-prime 0.21→0.23 changelog (we use it transitively via libp2p/IPFS).
Acceptance
client-build-test-publish is green on main after each step.
go version in built images matches go.mod.
No silent toolchain or x/crypto API regressions in the client.
Background
Dependabot PR #3955 ostensibly bumped
github.com/ipld/go-ipld-primefrom 0.21.0 → 0.23.0, but in practice it pulled in a much larger change set that we can't accept passively. The PR has been closed; this issue tracks the work needed to land the underlying upgrades intentionally.What #3955 actually changed
go.mod:go 1.24/toolchain go1.24.1→go 1.25.7(raises the minimum Go version by a full minor)golang.org/x/crypto0.32.0 → 0.50.0 (18 minors; needs API-break review)golang.org/x/sync0.10.0 → 0.20.0golang.org/x/term0.28.0 → 0.42.0golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98cgo-cid0.5→0.6,multibase0.2→0.3,multicodec0.9→0.10,varint0.0.7→0.1,mr-tron/base581.2→1.3,polydawn/refmt0.89.0 → 0.89.1-pre, plus the originally-targetedgo-ipld-prime0.21→0.23Why CI fails
The
client-build-test-publishjob usesgolang:1.24-alpine3.21(andgolang:1.24-bullseyefor the binary stage) withGOTOOLCHAIN=local, so Go cannot auto-download a newer toolchain.Proposed work, in order
Toolchain upgrade PR (standalone)
Dockerfile:golang:1.24-alpine3.21→golang:1.25-alpine(line 1) andgolang:1.24-bullseye→golang:1.25-bookworm(line 111).github/workflows/*.ymlfor any pinned Go version (e.g.go-version:inputs)go.modgodirective to1.25(keeptoolchainonly if we want to pin)actions/setup-gousage matchesgo test ./..., and a release buildgolang.org/x/crypto0.32 → 0.50 PR (standalone, after Initial CircleCI setup #1)ed25519,ssh,acme,chacha20, etc.pkg/,internal/,cmd/for affected APIsTelemetry decision
golang.org/x/telemetryas an indirect dep, or pin/replace it. (It is the Go toolchain's opt-in telemetry; usually benign as an indirect, but worth a deliberate ack.)Regenerate the IPLD / libp2p stack bumps
go-ipld-prime0.21→0.23 changelog (we use it transitively via libp2p/IPFS).Acceptance
client-build-test-publishis green onmainafter each step.go versionin built images matchesgo.mod.x/cryptoAPI regressions in the client.References