Skip to content

chore: merge new changes from ipfs/kubo master#2

Open
alvin-reyes wants to merge 928 commits into
IPFSR:masterfrom
ipfs:master
Open

chore: merge new changes from ipfs/kubo master#2
alvin-reyes wants to merge 928 commits into
IPFSR:masterfrom
ipfs:master

Conversation

@alvin-reyes

Copy link
Copy Markdown

No description provided.

dependabot Bot and others added 30 commits November 25, 2025 07:29
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
(cherry picked from commit 1141220)
PR #10954 (ExposeRoutingAPI default + GetClosestPeers) was merged after
v0.39.0-rc1 and depends on boxo changes not yet released.
- rewrite overview to lead with user value (self-hosting on consumer hardware)
- reorder highlights: provider features together, then UPnP, then housekeeping
- simplify titles (drop "Amino", "Fixed", verbose descriptions)
- link to Shipyard's sweep provider blogpost
- convert from zsh to bash for portability and shellcheck support
- resolve GitHub handles via multiple methods:
  - noreply email pattern (user@users.noreply.github.com)
  - merge commit messages (Merge pull request #N from user/branch)
  - gh CLI API for PR authors (squash merge commits)
  - gh CLI API for commit authors (fallback for non-PR commits)
- deduplicate contributors by GitHub handle instead of author name
- cache resolved mappings in ~/.cache/mkreleaselog/github-handles.json
- output clickable GitHub profile links in contributor table
resolve version.go conflict by keeping -dev version from master
stop publishing to ipfs/go-ipfs entirely - the deprecation stub
introduced in v0.39 is no longer needed. only ipfs/kubo is published.

- remove legacy-name job from docker-image.yml workflow
- remove .github/legacy/ (Dockerfile.goipfs-stub, goipfs_stub.sh)
- update bin scripts to use ipfs/kubo as default
Signed-off-by: rifeplight <rifeplight@outlook.com>
document known 0.39 limitation where sweep provider may fail to
estimate DHT size when accelerated client is still crawling the
network, resulting in single-region mode without efficiency gains.

also remove accelerated client recommendation from changelog
since it may mislead users into enabling both together.
add link to Shipyard's "Provide Sweep: Solving the DHT Provide
Bottleneck" blogpost and remove stale TODO placeholder
* Add bytes progress tracker for ipfs pin add
* upgrade to boxo that has ipfs/boxo#1071
* ipfswatch: fix loading datastore plugins
* test: add CLI tests for ipfswatch

---------

Co-authored-by: Marcin Rataj <lidel@lidel.org>
* fix: update go-libp2p to v0.46.0

- reduced WebRTC log noise (go-libp2p#3426)
- fixed mDNS discovery on Windows/macOS (go-libp2p#3434)
- includes quic-go v0.57.1 (v0.56.0 + v0.57.0)

* fix(example): kubo-as-a-library test timeout

- use custom ports (4010/4011) to avoid conflicts with default 4001
- add 2-minute context timeout to fail fast
- get peer addresses dynamically instead of hardcoding wrong port
- wait for peer connection synchronously instead of fire-and-forget
- update comments to reference autoconf.FallbackBootstrapPeers

* chore: update p2p-forge to v0.7.0

* fix(test): wait for DHT readiness in GetClosestPeers test

the test was failing for `routing_type=auto` because it only waited for
swarm connections but not for the DHT routing table to be populated.
added a separate probe loop that waits for GetClosestPeers to succeed
before running the actual test assertions.
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* datastore: upgrade go-ds-pebble to v0.5.8

- update 'go-ds-pebble` to [v0.5.8](https://github.com/ipfs/go-ds-pebble/releases/tag/v0.5.8)
  - updates github.com/cockroachdb/pebble to [v2.1.3](https://github.com/cockroachdb/pebble/releases/tag/v2.1.3)
    - enables Go 1.26 support
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
addresses https://discuss.ipfs.tech/t/19933

- add docs/developer-guide.md with prerequisites, build, test, and troubleshooting
- link from README.md, docs/README.md, and CONTRIBUTING.md
- document test suite differences (unit vs e2e, test/cli vs test/sharness)
- include tips for running specific tests during development
Change the `ipfs key list` behavior to log an error and continue listing keys when a key cannot be read from the keystore or decoded.

Closes: #11102
lidel and others added 30 commits June 5, 2026 21:47
p2p-forge v0.9.0 landed in v0.42 via backport, so list it under v0.42
dependency updates and drop it from v0.43. Also annotate skipped
intermediate releases (Go 1.26.3, kad-dht v0.39.2, go-fuse v2.10.0).
Bot accounts like dependabot[bot] are not human contributors, so
drop entries whose GitHub handle or author name ends in the [bot]
suffix from the release contributor table.
* chore: bump boxo to test ipfs/boxo#1166

Bumps github.com/ipfs/boxo to the tip of fix/ipns-cache-control-expiry
(55fd621d1872) to exercise the IPNS cache-control/TTL/EOL fixes from
ipfs/boxo#1166. Root, docs/examples, and test/dependencies modules
tidied via make mod_tidy.

Signed-off-by: Marcin Rataj <lidel@lidel.org>

* fix: validate ipns lifetime and ttl settings

ipfs name publish now sanitizes its duration flags instead of emitting
a record that fails verification later: a non-positive --lifetime and a
negative --ttl are rejected, an explicit --ttl over --lifetime is
rejected, and an omitted --ttl is capped to --lifetime. The --lifetime
and --ttl defaults are applied server-side so an explicit value is
distinguishable from the default.

The daemon also refuses to start when Ipns.RecordLifetime is shorter
than Ipns.RepublishPeriod, which would let records expire before they
are republished.

Signed-off-by: Marcin Rataj <lidel@lidel.org>

* switch to boxo@main with fix #1166

---------

Signed-off-by: Marcin Rataj <lidel@lidel.org>
Co-authored-by: gammazero <11790789+gammazero@users.noreply.github.com>
boxo's Traverse already dedups each root with its own seen set, so the
command-level cid.Set held a second copy of every CID in the DAG. On a
multi-hundred-GiB root that doubled the dedup memory and OOM-killed
daemons mid-stat.

- allocate the set only for multiple roots (cross-root dedup needs it)
- single root derives UniqueBlocks from the per-root block count
Detect carrier-grade or double NAT at startup and log a one-time stderr
notice, turning the recurring "running IPFS kills my home internet"
symptom into a clear cause: a busy node fills the ISP's shared NAT table.

- classify host addresses; a private or shared (RFC 6598 100.64.0.0/10)
  NAT-mapped WAN address that is not a local interface means CGNAT or
  double NAT. overlay addresses on a local interface (tailscale, zerotier)
  and publicly reachable nodes are ignored, so the notice stays quiet.
- add Internal.CGNATCheck and Internal.DeadListenerCheck (both default
  true) to silence the CGNAT notice and the v0.42 dead-listener check.
- expose the classification as the nat field of ipfs swarm addrs autonat.
- docs: config.md entries and v0.43 changelog highlight.

Closes #11326

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* chore: upgrade to boxo v0.41.0
* use tagged release
)

Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.18.0 to 1.19.0.
- [Commits](tidwall/gjson@v1.18.0...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: optimistic provide is on by default

Optimistic provide has been enabled by default since v0.39, when the
sweep provider became the default, so it has not really been off for
typical nodes. Rewrite the State section in plain language, note that
the Experimental.OptimisticProvide flag only affects the legacy
provider, and link the ProbeLab explainer.

* docs: use non-default ports for experiments

Manual experiments and benchmark daemons must bind non-default ports and
use their own IPFS_PATH so they do not collide with a node already
running on the defaults (4001/5001/8080).
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.1 to 7.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e79a696...fb8b358)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…lang-x group across 1 directory (#11346)

* chore(deps): bump golang.org/x/crypto

Bumps the golang-x group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
- [Commits](golang/crypto@v0.51.0...v0.52.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: run make mod_tidy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* fix(l1): return error instead of log.Fatal in HolePunching

Signed-off-by: reflecttypefor <reflecttypefor@outlook.com>

* test: cover HolePunching flag combinations

* docs: highlight clearer hole punching error

The Changelog section is generated at release time, so hand-written
notes belong under Highlights instead.

---------

Signed-off-by: reflecttypefor <reflecttypefor@outlook.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
Pulls the AutoTLS DNS-01 registration fix: the client now keeps a
cookie jar so a load-balanced forge endpoint (registration.libp2p.direct)
keeps both PeerID-auth requests on one backend, instead of the second
request hitting a backend that never issued the challenge and failing
with a 401.
* commands: derive peer ID on config replace

Signed-off-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>

* feat: validate Identity.PeerID against node key

Setting Identity.PeerID to a value that disagrees with the node's
private key produces a config the node refuses to start with. The
config command now validates the field against the stored key, the
same way config replace re-derives it.

- reject a mismatched Identity.PeerID and point at `ipfs key rotate`;
  accept the node's own PeerID in any base58 or CIDv1 form and store
  the canonical base58 string
- share the PeerID derivation between the set path and config replace
- document the identity fields and `ipfs key rotate` in docs/config.md
- cover the set-path guard and base36 normalization in test/cli
- switch the t0070 sharness probe off Identity.PeerID, now validated

---------

Signed-off-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>
Co-authored-by: morning-verlu <258725120+morning-verlu@users.noreply.github.com>
Co-authored-by: Guillaume Michel <guillaumemichel@users.noreply.github.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* test: cover ipfs get paths containing closing bracket

* test: move get punctuation coverage to test/cli

ipfs get must retrieve UnixFS paths whose segments contain
punctuation that is valid on Linux, macOS, and Windows but is
sensitive to a POSIX shell (issue #9369, where a "]" segment
failed). AGENTS.md prefers test/cli for new integration tests,
and driving ipfs directly avoids the shell-quoting limits of the
sharness loop.

- add test/cli/get_test.go: add a directory with one file per
  segment, then get each "<cid>/<segment>" and compare bytes,
  exercised both offline and against a daemon
- cover the apostrophe segment, which the single-quoted sharness
  test body could not include
- drop the now-redundant punctuation block from t0090-get.sh

---------

Co-authored-by: Guillaume Michel <guillaumemichel@users.noreply.github.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
* fix(daemon): return config errors instead of calling log.Fatal

Signed-off-by: blackflytech <blackflytech@outlook.com>

* Update cmd/ipfs/kubo/daemon_config_test.go

---------

Signed-off-by: blackflytech <blackflytech@outlook.com>
Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
The hole-punching and daemon-config highlights describe the same
user-facing change, a named startup error instead of an abrupt exit,
so fold them into one entry and drop the internal `log.Fatal` wording.
* feat: make telemetry opt-in

Telemetry no longer runs by default. It stays off unless an operator
sets the mode to `on` and configures an `Endpoint`, and Kubo ships with
no built-in telemetry URL, so a default node never phones home.

- plugin: default mode is off; the legacy `auto` and any unrecognized
  value also stay off
- plugin: the implicit default does no work, not even disk IO; only an
  explicit `off` removes a stored telemetry identifier
- plugin: enabling without an endpoint warns and sends nothing; the
  destination comes only from config
- docs: note the opt-in default in the `IPFS_TELEMETRY` reference, the
  plugins table, and the changelog
- tests: cover off-by-default, the auto alias, missing-endpoint, and
  explicit opt-out cleanup, and opt in where the send path runs

* docs: rewrite telemetry.md for opt-in

Rework the telemetry page around the opt-in plugin: how to enable it and
point it at your own collector, the modes and config reference, the HTTP
endpoint API and payload schema, and the privacy model. Match the
plainer style of the sibling docs, with no emoji headers and a table of
contents.

* chore(telemetry): log opt-in enable event

Log when telemetry is enabled, since that's the notable event. The
opt-out branch already logs UUID removal, so the redundant disable
log is dropped.

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>

---------

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* feat: accept native ipfs:// and ipns:// URIs

Commands that take a content path or CID now also accept native IPFS
URIs (ipfs://cid, ipns://name, and the schemeless ipfs:/ipns: forms),
so a URI copied from a browser or another tool works as-is.

- cmdutils: PathOrCidPath parses via boxo NewPathFromURI; new
  CidFromArg for raw-CID commands takes the root CID and rejects
  sub-paths and mutable IPNS.
- files: cp/stat sources and getNodeFromPath accept URIs and content
  paths; chroot takes its CID via CidFromArg.
- resolve and name resolve normalize URIs before the namespace checks;
  name resolve stays IPNS-only.
- routing, provide, filestore, pin remote: raw-CID args via CidFromArg.

Depends on boxo NewPathFromURI (ipfs/boxo#1182); go.mod pins the PR
commit until it is released.

* depend on boxo@main

* test: fix telemetry opt-out assertions

#11374 made telemetry opt-in and rewrote the explicit "off" mode to no
longer log "telemetry disabled via opt-out", but the opt-out subtests
still assert that string, so TestTelemetry is red on master. Assert the
"telemetry collection skipped: opted out" message the daemon emits
whenever telemetry is off.

* ci: inject .aegir.js for helia interop

@helia/interop v11.0.0+ ships without .aegir.js (ipfs/helia#1049), so
aegir test finds no specs and the interop job fails. Inject a minimal
config pointing at the prebuilt dist specs when it is missing.

Helia's own .aegir.js can't be reused as-is: it globs source .ts specs
that Node won't run from node_modules. The same omission regressed
before (ipfs/helia#1001, fixed by ipfs/helia#1003); see the comment.

* ci: force mocha exit after helia interop run

The node interop specs leave kubo daemon and libp2p handles open, so
mocha prints "N passing" and then hangs until the job timeout instead
of exiting. Pass --exit so mocha quits once the run completes.

---------

Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com>
* chore(deps): bump go-libp2p-kad-dht to v0.41.0

Cuts peak memory during reprovides on nodes announcing many CIDs, so
low-memory consumer devices are less likely to be out-of-memory killed
(libp2p/go-libp2p-kad-dht#1259). Pulls quic-go v0.59.1 transitively.

* chore: tidy secondary go modules for kad-dht 0.41

* ci: fix helia-interop for @helia/interop 11.0.3

The .aegir.js restored upstream in ipfs/helia#1066 globs the TypeScript
sources, which node refuses to run from inside node_modules, so the
inject-if-missing workaround skipped it and the job failed. Replace the
config whenever it is missing or globs .ts files, and leave a usable one
untouched so the step self-heals once upstream ships a node_modules-safe
config.

Also drop the IPIP-499 --grep/--invert exclusion: helia implemented the
missing MFS features (ipfs/helia#972) and the test passes now.
#11380)

* chore(deps): bump the golang-x group across 1 directory with 5 updates

Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](golang/mod@v0.36.0...v0.37.0)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

Updates `golang.org/x/sys` from 0.45.0 to 0.46.0
- [Commits](golang/sys@v0.45.0...v0.46.0)

Updates `golang.org/x/term` from 0.43.0 to 0.44.0
- [Commits](golang/term@v0.43.0...v0.44.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/term
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: run make mod_tidy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.