chore(deps): bump go-libp2p and go-libp2p-pubsub#11389
Merged
Merged
Conversation
Both are pinned to master pseudo-versions ahead of tagged releases, with a TODO in go.mod to switch once the tags ship. go-libp2p adds webrtc-direct v2 handshake support, keeps /certhash stable across restarts, and stops stale addresses from accumulating in the peerstore and in published signed peer records. It also fixes a data race that could take the daemon down mid-response during ipfs routing findprovs, findpeer, and dht query. go-libp2p-pubsub frees topic state once the last peer leaves a topic, closing an unbounded memory growth path (libp2p/go-libp2p-pubsub#705, the Go counterpart of CVE-2026-46679). Only nodes that opt into Pubsub.Enabled or Ipns.UsePubsub run the pubsub stack and are affected.
Exposes go-libp2p's NonPublicAddrPublishing as an Internal flag, so a node can be told to stop publishing addresses the wider internet cannot reach: private, CGNAT, link-local, loopback, ULA, reserved IPv6, and special-use DNS names such as .local. Left unset, kubo passes no option and go-libp2p's default decides. The default has shifted before (libp2p/go-libp2p#3460), so the flag gives operators a way to pin the behavior, and makes it easy to see exactly what a node publishes while chasing a routing problem. Only the peerstore self-entry and the signed peer record are filtered. Listening and dialing are untouched, so `ipfs id` keeps reporting the full set.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
guillaumemichel
approved these changes
Jul 9, 2026
guillaumemichel
left a comment
Member
There was a problem hiding this comment.
Looks good!
Should we merge as is and bump dependencies before next release?
Member
Author
|
Yes, I think its lesser evil to merge as-is, and switch to final version before RC or even FINAL. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pins
go-libp2pandgo-libp2p-pubsubto master pseudo-versions, ahead of tagged releases, and documents the user-visible changes in the v0.43 changelog.The pubsub bump is the one to look at: it frees topic state once the last peer leaves a topic, closing an unbounded memory growth path. Only nodes that opt into
Pubsub.EnabledorIpns.UsePubsubrun the pubsub stack, so default configs are unaffected.What lands
pubsub memory exhaustion, fixed by go-libp2p-pubsub#708 and go-libp2p-pubsub#707
Publicly disclosed as GHSA-4f8r-922h-2vgv (CVE-2026-46679) against js-libp2p, with the same pattern tracked in the open for Go (go-libp2p-pubsub#705) and Python (py-libp2p#1349).
webrtc-direct v2, go-libp2p#3520
Chrome plans to remove the ICE credential munging the original handshake depends on. Alignment in go-libp2p#3499 and libp2p/specs#672; v2 is specified in libp2p/specs#715. Our listener now accepts v1 and v2. The browser dialer half is js-libp2p#3480, still open, so nothing breaks today; this gets us ahead of it.
Also go-libp2p#3512, stable
/certhashacross restarts, and go-libp2p#3500, capping addresses tracked per ufrag.peerstore hygiene, go-libp2p#3486, go-libp2p#3487, go-libp2p#3494
Caps unconnected addrs per peer, treats a newer signed peer record as replace rather than merge, and stops sealing empty addrs into our own records.
routing query race, go-libp2p#3490
PublishQueryEventnow copies responses before publishing them. This is the general fix behind the crashes in daemon crashes randomly with various memory related crashes when it has been running for quite a while #11287 and invalid memory address or nil pointer dereference #11116. Both were already closed by the kad-dht point-fix (go-libp2p-kad-dht#1244, shipped inv0.41.0), so this PR closes no issues.new
Internal.NonPublicAddrPublishingflag, wiring go-libp2p#3489Controls whether a node publishes addresses the wider internet cannot reach. Unset passes no option, so go-libp2p's default decides. That default has shifted before (go-libp2p#3460), so the flag lets operators pin it, and makes it easy to see what a node actually publishes. Only the peerstore self-entry and the signed peer record are filtered; listening and dialing are untouched.
TODO
Neither dependency has a tagged release carrying these fixes yet, so both
go.modlines have a// TODOmarker.go-libp2ptag a release pastv0.48.0before 0.43 ships?// TODO, update the changelog dependency bullet.go-libp2p-pubsubtag a release pastv0.16.0before 0.43 ships?// TODO, update the changelog dependency bullet.// TODOmarkers gone before 0.43 is cut.Out of scope
The websocket HTTP muxer/handler (go-libp2p#3509) comes along in the bump, but nothing here wires it up, so it stays out of the changelog. That is done in #11333, and will be triaged separately.