Skip to content

chore: merge new changes from ipfs/kubo master#2

Open
alvin-reyes wants to merge 934 commits into
IPFSR:masterfrom
ipfs:master
Open

chore: merge new changes from ipfs/kubo master#2
alvin-reyes wants to merge 934 commits into
IPFSR:masterfrom
ipfs:master

Conversation

@alvin-reyes

Copy link
Copy Markdown

No description provided.

lbarrettanderson and others added 30 commits November 26, 2025 21:06
PR #10954 (ExposeRoutingAPI default + GetClosestPeers) was merged after
v0.39.0-rc1 and depends on boxo changes not yet released.
- rewrite overview to lead with user value (self-hosting on consumer hardware)
- reorder highlights: provider features together, then UPnP, then housekeeping
- simplify titles (drop "Amino", "Fixed", verbose descriptions)
- link to Shipyard's sweep provider blogpost
- convert from zsh to bash for portability and shellcheck support
- resolve GitHub handles via multiple methods:
  - noreply email pattern (user@users.noreply.github.com)
  - merge commit messages (Merge pull request #N from user/branch)
  - gh CLI API for PR authors (squash merge commits)
  - gh CLI API for commit authors (fallback for non-PR commits)
- deduplicate contributors by GitHub handle instead of author name
- cache resolved mappings in ~/.cache/mkreleaselog/github-handles.json
- output clickable GitHub profile links in contributor table
resolve version.go conflict by keeping -dev version from master
stop publishing to ipfs/go-ipfs entirely - the deprecation stub
introduced in v0.39 is no longer needed. only ipfs/kubo is published.

- remove legacy-name job from docker-image.yml workflow
- remove .github/legacy/ (Dockerfile.goipfs-stub, goipfs_stub.sh)
- update bin scripts to use ipfs/kubo as default
Signed-off-by: rifeplight <rifeplight@outlook.com>
document known 0.39 limitation where sweep provider may fail to
estimate DHT size when accelerated client is still crawling the
network, resulting in single-region mode without efficiency gains.

also remove accelerated client recommendation from changelog
since it may mislead users into enabling both together.
add link to Shipyard's "Provide Sweep: Solving the DHT Provide
Bottleneck" blogpost and remove stale TODO placeholder
* Add bytes progress tracker for ipfs pin add
* upgrade to boxo that has ipfs/boxo#1071
* ipfswatch: fix loading datastore plugins
* test: add CLI tests for ipfswatch

---------

Co-authored-by: Marcin Rataj <lidel@lidel.org>
* fix: update go-libp2p to v0.46.0

- reduced WebRTC log noise (go-libp2p#3426)
- fixed mDNS discovery on Windows/macOS (go-libp2p#3434)
- includes quic-go v0.57.1 (v0.56.0 + v0.57.0)

* fix(example): kubo-as-a-library test timeout

- use custom ports (4010/4011) to avoid conflicts with default 4001
- add 2-minute context timeout to fail fast
- get peer addresses dynamically instead of hardcoding wrong port
- wait for peer connection synchronously instead of fire-and-forget
- update comments to reference autoconf.FallbackBootstrapPeers

* chore: update p2p-forge to v0.7.0

* fix(test): wait for DHT readiness in GetClosestPeers test

the test was failing for `routing_type=auto` because it only waited for
swarm connections but not for the DHT routing table to be populated.
added a separate probe loop that waits for GetClosestPeers to succeed
before running the actual test assertions.
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* datastore: upgrade go-ds-pebble to v0.5.8

- update 'go-ds-pebble` to [v0.5.8](https://github.com/ipfs/go-ds-pebble/releases/tag/v0.5.8)
  - updates github.com/cockroachdb/pebble to [v2.1.3](https://github.com/cockroachdb/pebble/releases/tag/v2.1.3)
    - enables Go 1.26 support
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
addresses https://discuss.ipfs.tech/t/19933

- add docs/developer-guide.md with prerequisites, build, test, and troubleshooting
- link from README.md, docs/README.md, and CONTRIBUTING.md
- document test suite differences (unit vs e2e, test/cli vs test/sharness)
- include tips for running specific tests during development
Change the `ipfs key list` behavior to log an error and continue listing keys when a key cannot be read from the keystore or decoded.

Closes: #11102
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.1 to 5.5.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@5a10915...671740a)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: improve README for first-time users

- add Quick Taste section with real CIDv1 example near top
- rewrite "What is Kubo?" with technical concepts (CIDs, DAGs, UnixFS, Bitswap)
- reorder features to follow user journey (CLI before advanced HTTP features)
- streamline install section with links to docs.ipfs.tech
- organize package managers in tables with Repology version badges
- add supply chain security warning for third-party packages
- surface important docs (metrics, debug guide, customizing)
- update maintainer info with Shipyard branding

Closes #11125
Closes #7298
Closes #5471
Closes #5087

* docs(readme): add changelogs link and fix docs directory URL

* docs(readme): add mDNS/DHT links and clarify build steps

- link LAN discovery to mDNS spec and WAN to Amino DHT glossary
- show both make build and make install with output paths
Use testing/synctest instead of go-clock for artificial time control.
* ci: parallelize gotest by separating test/cli into own job

split the Go Test workflow into two parallel jobs:
- `unit-tests`: runs unit tests (excluding test/cli)
- `cli-tests`: runs test/cli end-to-end tests

test/cli takes ~3 minutes (~50% of total gotest time), so running
it in parallel should reduce wall-clock CI time by ~1.5-2.5 minutes.

both jobs produce JUnit XML and HTML reports for consistent debugging.

* ci(gotest): reduce noise on test timeout panics

add GOTRACEBACK=single to show only one goroutine stack instead of all
when a test timeout panic occurs. this makes CI output much cleaner
when tests hang.

* fix(ci): prevent stderr from corrupting test JSON output

- remove 2>&1 which mixed "go: downloading" stderr messages into JSON
- add JSON validation before parsing
- print failed test names for easier debugging

* ci(gotest): use gotestsum for human-readable test output

- replace per-package coverage loop with single gotestsum invocation
- both unit-tests and cli-tests now show human-readable output
- simplified coverage collection (single -coverprofile, no gocovmerge)
- clarified step names to indicate they run tests

* ci: fix codecov uploads by adding token

- add CODECOV_TOKEN to gotest.yml and sharness.yml
- update codecov-action to v5.5.2
- add fail_ci_if_error: false for robustness

codecov stopped receiving coverage data ~1 year ago when they
started requiring tokens for public repos

* refactor(make): add test_unit and test_cli targets

- add `make test_unit` for unit tests with coverage (used by CI)
- add `make test_cli` for CLI integration tests (used by CI)
- only disable colors when CI env var is set (local dev gets colors)
- remove legacy targets: test_go_test, test_go_short, test_go_race, test_go_expensive
- update gotest.yml to use make targets instead of inline commands
- add test artifacts to .gitignore

* fix(ci): move client/rpc tests to cli-tests job

client/rpc tests use test/cli/harness which requires the ipfs binary.
Move them from test_unit to test_cli where the binary is built.

also:
- update gotestsum to v1.13.0
- simplify workflow step names

* fix(ci): use build tags when listing test packages

go list needs build tags to properly exclude packages like fuse/mfs
when running with TEST_FUSE=0 (nofuse tag).

* fix(ci): move test/integration to cli-tests job

test/integration tests need the ipfs binary, move them from test_unit
to test_cli.

* fix(test): fix flaky kubo-as-a-library and GetClosestPeers tests

kubo-as-a-library: use `Bootstrap()` instead of raw `Swarm().Connect()`
to fix race condition between swarm connection and bitswap peer
discovery. `Bootstrap()` properly integrates peers into the routing
system, ensuring bitswap learns about connected peers synchronously.

GetClosestPeers: simplify retry logic using `EventuallyWithT` with
10-minute timeout. tests all 4 routing types (`auto`, `autoclient`,
`dht`, `dhtclient`) against real bootstrap peers with patient polling.

* fix(example): use bidirectional Swarm().Connect() for reliable bitswap

- connect nodes bidirectionally (A→B and B→A) to simulate mutual peering
- mutual peering protects connection from resource manager culling
- use port 0 for random available ports (avoids CI conflicts)
- enable LoopbackAddressesOnLanDHT for local testing
- move retry logic to test file using require.Eventually

* fix(ci): add test_examples target and parallel example-tests job

- add `make test_examples` target to mk/golang.mk for consistency with test_unit/test_cli
- move example tests to separate parallel CI job (example-tests)
- example: use Bootstrap() with autoconf.FallbackBootstrapPeers for reliable bitswap
- example: increase context timeout to 10 minutes
- test: add 60s per-request timeout to GetClosestPeers (server has 30s routing timeout)
- test: reduce EventuallyWithT to 3 minutes (locally passes in under 1 minute)

* fix(ci): improve test targets, exclusion patterns, and artifact naming

- define COVERPKG_EXCLUDE and UNIT_EXCLUDE as documented variables
- use grep -vE with single regex instead of multiple grep -v calls
- add mkdir -p before rm to ensure directories exist
- add DEPS_GO dependency to test_cli target
- make CLI test timeout configurable via TEST_CLI_TIMEOUT (default 10m)
- fix test_examples cleanup on failure using subshell
- reduce GetClosestPeers test wait time from 3m to 2m
- rename artifacts to match job names: unit-tests-{junit,html}, cli-tests-{junit,html}
- update cli-tests upload-artifact from v5 to v6

* fix(ci): fix unit test exclusion and speed up example test

- fix UNIT_EXCLUDE regex to match client/rpc at end of path
- remove public bootstrap peers from example (only connect to nodeA)
- example test now runs in ~3s instead of timing out

* fix(test): fix flaky TestAddMultipleGCLive race condition

added time.Sleep after spawning GC goroutines to ensure they reach
GCLock() before the test proceeds. without this, the adder's
maybePauseForGC() might check GCRequested() before GC has even
requested the lock, causing the lock to not be released and GC to
block indefinitely.

this matches the existing pattern in TestAddGCLive which already
had this sleep.

also replaced context.Background() with t.Context() in both
TestAddMultipleGCLive and TestAddGCLive for proper test lifecycle
management.

* fix(example): use test harness settings for reliable CI

the kubo-as-a-library example was flaky on CI. applied test-harness-like
settings that match what transports_test.go uses:

- TCP-only on 127.0.0.1 with random port (no QUIC/UDP)
- explicitly disable non-TCP transports (QUIC, Relay, WebTransport, etc)
- use NilRouterOption (no routing) since we connect peers directly
- bitswap works with directly connected peers without DHT lookups
- 2-minute context timeout
- streaming output in test for debugging
lidel and others added 30 commits June 8, 2026 00:58
boxo's Traverse already dedups each root with its own seen set, so the
command-level cid.Set held a second copy of every CID in the DAG. On a
multi-hundred-GiB root that doubled the dedup memory and OOM-killed
daemons mid-stat.

- allocate the set only for multiple roots (cross-root dedup needs it)
- single root derives UniqueBlocks from the per-root block count
Detect carrier-grade or double NAT at startup and log a one-time stderr
notice, turning the recurring "running IPFS kills my home internet"
symptom into a clear cause: a busy node fills the ISP's shared NAT table.

- classify host addresses; a private or shared (RFC 6598 100.64.0.0/10)
  NAT-mapped WAN address that is not a local interface means CGNAT or
  double NAT. overlay addresses on a local interface (tailscale, zerotier)
  and publicly reachable nodes are ignored, so the notice stays quiet.
- add Internal.CGNATCheck and Internal.DeadListenerCheck (both default
  true) to silence the CGNAT notice and the v0.42 dead-listener check.
- expose the classification as the nat field of ipfs swarm addrs autonat.
- docs: config.md entries and v0.43 changelog highlight.

Closes #11326

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* chore: upgrade to boxo v0.41.0
* use tagged release
)

Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.18.0 to 1.19.0.
- [Commits](tidwall/gjson@v1.18.0...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: optimistic provide is on by default

Optimistic provide has been enabled by default since v0.39, when the
sweep provider became the default, so it has not really been off for
typical nodes. Rewrite the State section in plain language, note that
the Experimental.OptimisticProvide flag only affects the legacy
provider, and link the ProbeLab explainer.

* docs: use non-default ports for experiments

Manual experiments and benchmark daemons must bind non-default ports and
use their own IPFS_PATH so they do not collide with a node already
running on the defaults (4001/5001/8080).
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.1 to 7.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e79a696...fb8b358)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…lang-x group across 1 directory (#11346)

* chore(deps): bump golang.org/x/crypto

Bumps the golang-x group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
- [Commits](golang/crypto@v0.51.0...v0.52.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: run make mod_tidy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* fix(l1): return error instead of log.Fatal in HolePunching

Signed-off-by: reflecttypefor <reflecttypefor@outlook.com>

* test: cover HolePunching flag combinations

* docs: highlight clearer hole punching error

The Changelog section is generated at release time, so hand-written
notes belong under Highlights instead.

---------

Signed-off-by: reflecttypefor <reflecttypefor@outlook.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
Pulls the AutoTLS DNS-01 registration fix: the client now keeps a
cookie jar so a load-balanced forge endpoint (registration.libp2p.direct)
keeps both PeerID-auth requests on one backend, instead of the second
request hitting a backend that never issued the challenge and failing
with a 401.
* commands: derive peer ID on config replace

Signed-off-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>

* feat: validate Identity.PeerID against node key

Setting Identity.PeerID to a value that disagrees with the node's
private key produces a config the node refuses to start with. The
config command now validates the field against the stored key, the
same way config replace re-derives it.

- reject a mismatched Identity.PeerID and point at `ipfs key rotate`;
  accept the node's own PeerID in any base58 or CIDv1 form and store
  the canonical base58 string
- share the PeerID derivation between the set path and config replace
- document the identity fields and `ipfs key rotate` in docs/config.md
- cover the set-path guard and base36 normalization in test/cli
- switch the t0070 sharness probe off Identity.PeerID, now validated

---------

Signed-off-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>
Co-authored-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>
Co-authored-by: Guillaume Michel <guillaumemichel@users.noreply.github.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* test: cover ipfs get paths containing closing bracket

* test: move get punctuation coverage to test/cli

ipfs get must retrieve UnixFS paths whose segments contain
punctuation that is valid on Linux, macOS, and Windows but is
sensitive to a POSIX shell (issue #9369, where a "]" segment
failed). AGENTS.md prefers test/cli for new integration tests,
and driving ipfs directly avoids the shell-quoting limits of the
sharness loop.

- add test/cli/get_test.go: add a directory with one file per
  segment, then get each "<cid>/<segment>" and compare bytes,
  exercised both offline and against a daemon
- cover the apostrophe segment, which the single-quoted sharness
  test body could not include
- drop the now-redundant punctuation block from t0090-get.sh

---------

Co-authored-by: Guillaume Michel <guillaumemichel@users.noreply.github.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
* fix(daemon): return config errors instead of calling log.Fatal

Signed-off-by: blackflytech <blackflytech@outlook.com>

* Update cmd/ipfs/kubo/daemon_config_test.go

---------

Signed-off-by: blackflytech <blackflytech@outlook.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
The hole-punching and daemon-config highlights describe the same
user-facing change, a named startup error instead of an abrupt exit,
so fold them into one entry and drop the internal `log.Fatal` wording.
* feat: make telemetry opt-in

Telemetry no longer runs by default. It stays off unless an operator
sets the mode to `on` and configures an `Endpoint`, and Kubo ships with
no built-in telemetry URL, so a default node never phones home.

- plugin: default mode is off; the legacy `auto` and any unrecognized
  value also stay off
- plugin: the implicit default does no work, not even disk IO; only an
  explicit `off` removes a stored telemetry identifier
- plugin: enabling without an endpoint warns and sends nothing; the
  destination comes only from config
- docs: note the opt-in default in the `IPFS_TELEMETRY` reference, the
  plugins table, and the changelog
- tests: cover off-by-default, the auto alias, missing-endpoint, and
  explicit opt-out cleanup, and opt in where the send path runs

* docs: rewrite telemetry.md for opt-in

Rework the telemetry page around the opt-in plugin: how to enable it and
point it at your own collector, the modes and config reference, the HTTP
endpoint API and payload schema, and the privacy model. Match the
plainer style of the sibling docs, with no emoji headers and a table of
contents.

* chore(telemetry): log opt-in enable event

Log when telemetry is enabled, since that's the notable event. The
opt-out branch already logs UUID removal, so the redundant disable
log is dropped.

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>

---------

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* feat: accept native ipfs:// and ipns:// URIs

Commands that take a content path or CID now also accept native IPFS
URIs (ipfs://cid, ipns://name, and the schemeless ipfs:/ipns: forms),
so a URI copied from a browser or another tool works as-is.

- cmdutils: PathOrCidPath parses via boxo NewPathFromURI; new
  CidFromArg for raw-CID commands takes the root CID and rejects
  sub-paths and mutable IPNS.
- files: cp/stat sources and getNodeFromPath accept URIs and content
  paths; chroot takes its CID via CidFromArg.
- resolve and name resolve normalize URIs before the namespace checks;
  name resolve stays IPNS-only.
- routing, provide, filestore, pin remote: raw-CID args via CidFromArg.

Depends on boxo NewPathFromURI (ipfs/boxo#1182); go.mod pins the PR
commit until it is released.

* depend on boxo@main

* test: fix telemetry opt-out assertions

#11374 made telemetry opt-in and rewrote the explicit "off" mode to no
longer log "telemetry disabled via opt-out", but the opt-out subtests
still assert that string, so TestTelemetry is red on master. Assert the
"telemetry collection skipped: opted out" message the daemon emits
whenever telemetry is off.

* ci: inject .aegir.js for helia interop

@helia/interop v11.0.0+ ships without .aegir.js (ipfs/helia#1049), so
aegir test finds no specs and the interop job fails. Inject a minimal
config pointing at the prebuilt dist specs when it is missing.

Helia's own .aegir.js can't be reused as-is: it globs source .ts specs
that Node won't run from node_modules. The same omission regressed
before (ipfs/helia#1001, fixed by ipfs/helia#1003); see the comment.

* ci: force mocha exit after helia interop run

The node interop specs leave kubo daemon and libp2p handles open, so
mocha prints "N passing" and then hangs until the job timeout instead
of exiting. Pass --exit so mocha quits once the run completes.

---------

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* chore(deps): bump go-libp2p-kad-dht to v0.41.0

Cuts peak memory during reprovides on nodes announcing many CIDs, so
low-memory consumer devices are less likely to be out-of-memory killed
(libp2p/go-libp2p-kad-dht#1259). Pulls quic-go v0.59.1 transitively.

* chore: tidy secondary go modules for kad-dht 0.41

* ci: fix helia-interop for @helia/interop 11.0.3

The .aegir.js restored upstream in ipfs/helia#1066 globs the TypeScript
sources, which node refuses to run from inside node_modules, so the
inject-if-missing workaround skipped it and the job failed. Replace the
config whenever it is missing or globs .ts files, and leave a usable one
untouched so the step self-heals once upstream ships a node_modules-safe
config.

Also drop the IPIP-499 --grep/--invert exclusion: helia implemented the
missing MFS features (ipfs/helia#972) and the test passes now.
#11380)

* chore(deps): bump the golang-x group across 1 directory with 5 updates

Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](golang/mod@v0.36.0...v0.37.0)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

Updates `golang.org/x/sys` from 0.45.0 to 0.46.0
- [Commits](golang/sys@v0.45.0...v0.46.0)

Updates `golang.org/x/term` from 0.43.0 to 0.44.0
- [Commits](golang/term@v0.43.0...v0.44.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/term
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: run make mod_tidy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix(mfs): stop repo gc from freezing files ops

Running `ipfs repo gc` alongside `ipfs files` writes could leave MFS
permanently hung: GC deleted directory-node blocks a write had written
to the blockstore but not yet linked into the persisted MFS root, and
the next path lookup blocked forever fetching the missing block while
holding the MFS directory lock, so every later files command piled up
behind it.

MFS mutations now take the pin lock, the same lock `ipfs add` uses, and
GC computes the MFS root only after it holds the GC lock. A write's
blocks are therefore either fully linked into the root before GC runs,
or the write waits for GC to finish, so GC never collects data a live
write still needs.

- core/commands/files.go: hold the pin lock across write, cp, mkdir,
  mv, rm, flush, chcid, chmod, and touch
- gc/gc.go: take the best-effort MFS root snapshot after acquiring the
  GC lock, closing the snapshot-before-lock window
- core/corerepo/gc.go: pass the root as a callback evaluated under the
  lock
- core/node/core.go: document why MFS keeps its online DAG service so
  lazy `ipfs files cp /ipfs/<cid>` pointers still resolve
- gc/gc_test.go: assert the root snapshot is taken under the GC lock

Closes #10842

* fix(mfs): extend gc pin lock to add and fuse

The pin lock that stops garbage collection from collecting live MFS
blocks now covers every path that mutates MFS, not just `ipfs files`,
and every live MFS root is part of the GC live set.

- core/commands/add.go: hold the pin lock while `ipfs add --to-files`
  links the added content into the MFS root
- fuse/writable, fuse/mfs: hold the pin lock across FUSE `/mfs`
  structural writes and file flush, fsync, and release
- fuse/ipns: same for the per-key `/ipns` mounts, and register their
  roots so GC keeps their blocks live
- core/core.go: track mounted MFS roots for the GC live set
- core/corerepo/gc.go: build the live set from the files root plus
  every registered root, skipping a root that errors instead of
  aborting the whole GC

Closes #6113
Closes #7008
Closes #9553

* fix(mfs): fail fast on a missing block

A directory-node block that is missing locally and unreachable would
block an MFS operation forever while it held the directory lock,
wedging the whole MFS and a clean shutdown until the process was
killed. This is what remained after a repo was damaged by an older
Kubo, a manual `ipfs block rm`, or a crash (the lockup in #7844).

MFS now bounds those network reads: an unreachable block fails the
operation with a timeout and releases the lock, while lazily-referenced
content (`ipfs files cp /ipfs/<cid>`) still loads as before.

- config: add DefaultMFSFetchTimeout and pass it to the MFS root via
  mfs.WithFetchTimeout in Import.MFSRootOptions
- go.mod: bump boxo to pull in mfs.WithFetchTimeout

* feat(mfs): honor --timeout in files read and write

Adopt boxo's mfs.File.Open(ctx) so MFS file operations carry a context
and a read or write stuck on a missing block can be cancelled instead of
blocking forever.

- go.mod: bump boxo to pick up mfs.File.Open(ctx)
- core/commands/files.go: pass the request context to files read and
  write, so a client --timeout ends a stuck read or write
- fuse/writable: bind long-lived FUSE descriptors (Create, Open) to the
  mount context via the new Config.MountCtx; the transient Setattr
  truncate uses the per-operation context
- fuse/mfs, fuse/ipns: set MountCtx to the node/mount context
- test/cli: cover files read and write honoring --timeout on unreachable
  content

* chore(deps): bump boxo to merged mfs fix

Switch from the pre-merge branch pseudo-version to the merged commit of
ipfs/boxo#1185, the boxo side of the MFS under-lock work this branch
depends on.

* refactor(fuse): pass request ctx to pin lock

Flush, Release, and Fsync passed context.Background() to the pin lock
while their own ctx argument was in scope. Thread the passed ctx
through instead, matching the other handlers. boxo's default GCLocker
discards the context, so this is a consistency change, not a behavior
change.

#11386 (comment)
#11386 (comment)
#11386 (comment)

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>

* refactor(gc): const for buffer, simplify roots

Name the GC result channel buffer size as a const, drop the temporary
in the best-effort root snapshot, and use t.Context() in the snapshot
test. The buffer size predates this branch; it only shifted in the diff.

#11386 (comment)
#11386 (comment)
#11386 (comment)
#11386 (comment)

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>

* refactor(add): collapse pin lock defer

Fold the pin lock's unlock into the defer at both --to-files call
sites, matching the one-line style used elsewhere.

#11386 (comment)
#11386 (comment)

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>

---------

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
…11387)

* fix(key): restore secp256k1 keygen and add PEM PKCS8 import/export

* fix(key): validate --size for fixed-size key types

ed25519 and secp256k1 keys have a single valid size, so a --size
(--bits for init) that does not match it is now an error instead of
being accepted and ignored.

core/coreapi Generate and config.CreateIdentity share a new
options.CheckKeySize helper, so key gen, key rotate, and init accept
--size only when it equals the fixed 256 bits. RSA keeps its variable
size.

* test(cli): cover key lifecycle for all key types

Adds end-to-end CLI coverage of the key commands (gen, list, export,
import, rename, rm, rotate) for rsa, ed25519, and secp256k1. This
mirrors the sharness keystore and rotate suites and extends them to
secp256k1, which they never exercised.

- OpenSSL fixtures under testdata/ pin byte-identical PKCS#8 export
  and import in both directions
- rotate checks the previous identity survives, usable, under the
  backup name
- reserved-name ('self') and restricted-type imports assert the
  specific refusal, not just a non-zero exit

* chore(deps): note secp256k1 version alignment

go-libp2p/core/crypto's key types alias this package, so the direct
and transitive pins must stay on one version to avoid two copies in
the build. The go.mod comment flags that for future dependency bumps.

---------

Co-authored-by: Marcin Rataj <lidel@lidel.org>
Gateway recipes now lead with the decision that matters most for a
public gateway: does it fetch any CID from the network, or serve only
content the node already hosts? They move from the config reference into
the gateway guide, where operators look for them.

- gateway.md: new "Gateway recipes" section (serve-only-your-own-content
  via NoFetch, open recursive gateway, and subdomain/path/DNSLink URL
  styles as linkable sub-headings), a table of contents, and fixes to the
  Directories ordering and the /ipns/ subdomain redirect example; public
  gateways point to the public-utilities and checker pages and the
  self-hosting guide instead of naming hosts
- config.md: recipes replaced by a pointer to the gateway guide
- content-blocking.md: suggest an allowlist (NoFetch) over reactive
  denylist whack-a-mole
* chore(deps): bump go-libp2p and go-libp2p-pubsub

Both are pinned to master pseudo-versions ahead of tagged releases,
with a TODO in go.mod to switch once the tags ship.

go-libp2p adds webrtc-direct v2 handshake support, keeps /certhash
stable across restarts, and stops stale addresses from accumulating
in the peerstore and in published signed peer records. It also fixes
a data race that could take the daemon down mid-response during
ipfs routing findprovs, findpeer, and dht query.

go-libp2p-pubsub frees topic state once the last peer leaves a
topic, closing an unbounded memory growth path (libp2p/go-libp2p-pubsub#705,
the Go counterpart of CVE-2026-46679). Only nodes that opt into
Pubsub.Enabled or Ipns.UsePubsub run the pubsub stack and are
affected.

* feat(config): Internal.NonPublicAddrPublishing

Exposes go-libp2p's NonPublicAddrPublishing as an Internal flag, so a
node can be told to stop publishing addresses the wider internet cannot
reach: private, CGNAT, link-local, loopback, ULA, reserved IPv6, and
special-use DNS names such as .local.

Left unset, kubo passes no option and go-libp2p's default decides. The
default has shifted before (libp2p/go-libp2p#3460), so the flag gives
operators a way to pin the behavior, and makes it easy to see exactly
what a node publishes while chasing a routing problem.

Only the peerstore self-entry and the signed peer record are filtered.
Listening and dialing are untouched, so `ipfs id` keeps reporting the
full set.
Minor dependency updates, no changes to kubo.

- go-block-format v0.2.4
- go-cid v0.6.2
- go-cidutil v0.1.2
- go-datastore v0.9.2
- go-ds-flatfs v0.6.1
- go-ipld-format v0.6.4
- golang.org/x/...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.