Update to latest main#11
Open
aleksraiden wants to merge 21 commits into
Open
Conversation
aleksraiden
commented
Jul 2, 2026
Owner
…1693) (#5857) Closes #1693. For replay paths that only need validator addresses + voting powers (`buildLastCommitInfo`, `buildExtendedCommitInfo`), advancing proposer priorities forward from the most recent stored checkpoint is wasted work. The advance is `O(height % valSetCheckpointInterval)` and dominates replay time on chains with infrequent validator-set changes. The original issue reports ~10x slowdown observed in production. This PR's benchmark on a 100-validator set shows up to **903x** at worst case (load at `checkpoint + 99,999`). ## Changes - Add `Store.LoadValidatorsFast(height)` that returns the `*ValidatorSet` without `IncrementProposerPriority`. The returned set has correct addresses, public keys, and voting powers; `ProposerPriority` reflects the last stored checkpoint, not the requested height. Documented that callers needing accurate proposer priority must continue to use `LoadValidators`. - Wire `buildLastCommitInfoFromStore` and `buildExtendedCommitInfoFromStore` to use the fast path. Both downstream paths only call `TM2PB.Validator` (`types/protobuf.go:41`) which reads `PubKey.Address()` and `VotingPower` only — no proposer priority access. - Refactor `LoadValidators` internals into a shared `loadValidatorsAtHeight` helper so both fast and full paths share the lookup logic. - Update mock `state/mocks/store.go`. ## Bench `state/store_test.go::BenchmarkLoadValidatorsSawtooth` on AMD EPYC, 100-validator set, ValidatorsInfo header persisted at the queried height but ValidatorSet only stored at checkpoint: | Offset from checkpoint | LoadValidators | LoadValidatorsFast | Speedup | |------------------------|----------------|--------------------|---------| | at_checkpoint | 165 µs | 158 µs | 1.04x | | +1 | 149 µs | 137 µs | 1.09x | | +100 | 270 µs | 134 µs | 2.0x | | +10,000 | 12.4 ms | 132 µs | 94x | | +99,999 | 126 ms | 140 µs | **903x** | The sawtooth pattern described in the issue is reproduced and eliminated. Reproduce locally: ``` go test ./state -bench BenchmarkLoadValidatorsSawtooth -benchtime=1s -run=^$ ``` ## Compatibility - `LoadValidators` semantics unchanged (still advances proposer priority). - `LoadValidatorsFast` is additive — no caller is forced to migrate. - Interface change is additive — third-party `state.Store` implementations need to add the new method, but this is a single small addition (mock provided as a template in the diff). Signed-off-by: satyakwok <119509589+satyakwok@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…timize retry timer (#5592) Three improvements to the blocksync block requester: **Fix: redo events no longer silently dropped** `redoCh` was typed `chan p2p.ID` with capacity 1. In the dual-peer scenario, if `redo(peerA)` was already pending in the channel, a concurrent `redo(peerB)` would be silently dropped — peerB would stall until the retry timer fired. Replace with `chan struct{}` (capacity 1) as a coalesced wake-up signal. Peer IDs are appended to a mutex-protected `redoPeers` slice in `redo()`, so no event is ever lost regardless of call frequency. **Fix: stale redo events no longer cancel new requests** When the retry timer fired and restarted the outer loop, any pending redo events in `redoPeers` carried over to the next iteration. If the new iteration happened to pick the same peer, those stale events would cancel a valid new request. A generation counter is incremented at the start of each outer loop. `redo()` records the current generation alongside the peer ID; events from a previous generation are silently discarded. The retry timer path also clears `redoPeers` before restarting. **Perf: reuse retry timer instead of allocating a new one each loop** Before (new timer allocated per OUTER_LOOP iteration): - 19396 ns/op, 63488 B/op, 768 allocs/op After (single timer, reset on each iteration): - 7589 ns/op, 248 B/op, 3 allocs/op #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog) - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
… in Idle (#5929) ## Description Fix CI failure at: https://github.com/cometbft/cometbft/actions/runs/27431355897/job/81082257035?pr=5879 `statusesAreEqual` compared `Status.Idle` with exact equality (`==`) while every other time-derived field (`Duration`, `TimeRem`, the rates) allowed a deviation. `Idle` is the difference of two timestamps each rounded to the 20ms `clockRate`, so scheduling jitter on loaded runners can push the two reads onto adjacent ticks, producing a spurious 20ms idle and failing the strict `==`. This compares `Idle` with the same `maxDeviationForDuration` tolerance, and makes `durationsAreEqual` symmetric (absolute diff) so it bounds drift in both directions. --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.20.0 to 0.21.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/sync/commit/5071ed6a9f1617117556b66384f765c934de3698"><code>5071ed6</code></a> all: fix some comments to improve readability</li> <li>See full diff in <a href="https://github.com/golang/sync/compare/v0.20.0...v0.21.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…uring sendError (#5931) ## Summary Fix CI failure at: https://github.com/cometbft/cometbft/actions/runs/27214146296/job/80350996164 - `AddBlock` held `pool.mtx` via a deferred `Unlock` while calling `sendError` on an unbuffered channel. Any concurrent caller that also needed `pool.mtx` would deadlock until the channel was drained. - Fix by collecting the error in `sendErr` and dispatching it inside the `defer` after the mutex is released. - Adds a regression test `TestAddBlockDoesNotDeadlockOnSendError`. --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/9e7fdbfadb32b0cc7524100014c5cf9b6adc7729"><code>9e7fdbf</code></a> internal/http3: fix wrong argument being given when validating header value</li> <li><a href="https://github.com/golang/net/commit/b686e5f3573e5f55120d664fc283ed7e80c1af3c"><code>b686e5f</code></a> internal/http3: add gzip support to transport</li> <li><a href="https://github.com/golang/net/commit/8a348850ed6818306667722af2b42a6fc63473e0"><code>8a34885</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/72eaf98743302f6e0ad10883163dfc46dc8e8183"><code>72eaf98</code></a> dns/dnsmessage: correctly validate SVCB record parameter order</li> <li><a href="https://github.com/golang/net/commit/82e7868a02167540748b74780b0bf825985256f7"><code>82e7868</code></a> dns/dnsmessage: avoid panic when parsing SVCB record with truncated data</li> <li><a href="https://github.com/golang/net/commit/b64f1fa4c615965246e5b9e5c9d614916fa8967d"><code>b64f1fa</code></a> internal/http3: add server support for "Trailer:" magic prefix</li> <li><a href="https://github.com/golang/net/commit/2707ee21efea70599446dd35979b1d1aedf44ada"><code>2707ee2</code></a> internal/http3: implement HTTP/3 clientConn methods</li> <li><a href="https://github.com/golang/net/commit/31358cc259a764905194e3d6c597375b0ff366c1"><code>31358cc</code></a> internal/http3: snapshot response headers at WriteHeader time</li> <li><a href="https://github.com/golang/net/commit/8ecbaa95fea823c19fa74c5c3b53e0bccd473828"><code>8ecbaa9</code></a> html: don't adjust xml:base</li> <li><a href="https://github.com/golang/net/commit/8ae811abe5c2daa55c68d51a101af1c5751a4d55"><code>8ae811a</code></a> html: properly handle end script tag in fragment mode</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.55.0...v0.56.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Co-authored-by: Alex Cozart <alex@cosmoslabs.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…5879) ## Summary `handleStream` calls `resolvePeer` to look up or provision the incoming peer, but `resolvePeer` relies on the peerstore having the peer's address. libp2p's identify protocol populates the peerstore asynchronously — there is a window where A has opened a CometBFT stream to B but B's peerstore is still empty for A, causing `resolvePeer` to fail and the first message to be dropped. The fix passes the connection's remote multiaddr directly into `resolvePeer` as a fallback. When the peerstore has no addresses for the peer, `resolvePeer` constructs the `addrInfo` inline from the live connection instead of returning an error. This closes the race without any peerstore side effects. --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Fixes #2143. `respondToPeer` was calling `store.LoadBlock`, which internally unmarshal the raw DB bytes into a `cmtproto.Block` and then calls `BlockFromProto` to get a `*types.Block`. The function then immediately called `block.ToProto()` to get back a `cmtproto.Block` for the wire response. The intermediate Go struct was never used. Added `LoadBlockProto` to `BlockStore` that stops after the `proto.Unmarshal` step and returns the `*cmtproto.Block` directly. `LoadBlock` now delegates to it. `respondToPeer` type-asserts to `*store.BlockStore` and calls `LoadBlockProto` when possible, with a fallback for the interface case (used in tests with mocks). Tested: added `TestLoadBlockProto` to `store/store_test.go` that checks nil on missing height, correct hash round-trip, and consistency with `LoadBlock`. Full `./store/...` and `./blocksync/...` suites pass. --------- Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com> Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
--- Remove kms in favor of https://github.com/cosmos/kms
…mplification (#5946) Implements the optional p2p.MsgBytesFilter interface (defined in p2p/base_reactor.go) for this reactor. When provided, this filter runs against the raw message bytes before unmarshalling, allowing oversized or malformed messages to be rejected up front. This closes a heap-amplification vector where a small, count-packed wire payload could be unmarshalled into a disproportionately large in-memory structure, exhausting memory. Motivation: Previously the message bytes went straight to unmarshal with no pre-decode size/validity check. A crafted gossip message could exploit this to trigger excessive heap allocation. Rejecting bad messages before unmarshal eliminates the attack surface. --- #### PR checklist - [ ] Tests written/updated - [ ] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
\`StreamReadSized\` enforces a per-read size limit passed in by the caller (the reactor's \`RecvMessageCapacity\`). The 4 MB \`MaxStreamSize\` constant is intended as a default fallback for callers that don't specify a limit. ## Problem \`StreamReadSized\` applied \`payloadLimit := min(maxSize, MaxStreamSize)\`, clamping the caller-supplied limit down to 4 MB regardless of what the reactor configured. Blocksync sets \`RecvMessageCapacity = MaxBlockSizeBytes + 5 ≈ 100 MB\`; any block >4 MB was rejected with "payload is too large" and the stream was reset. The send side (\`StreamWrite\`) has no cap and serialises the full block, so a peer could send a 50 MB block that the receiver would always reject — a liveness failure for any lp2p node behind on a chain producing >4 MB blocks. Statesync's 16 MB chunks were similarly affected. ## Fix Use \`maxSize\` directly. \`MaxStreamSize\` is now a fallback only when \`maxSize == 0\` (unset), not a hard global cap. Adds a regression test for \`maxSize > MaxStreamSize\`. ## Remaining issue \`readExactly\` does \`make([]byte, payloadSize)\` immediately after reading the length-prefix header, so a malicious peer can force a receiver to allocate up to \`RecvMessageCapacity\` bytes before any payload data arrives. The old 4 MB clamp was inadvertently limiting this to 4 MB per stream. The correct fix is to replace \`readExactly\` with \`io.ReadAll(io.LimitReader(...))\` so allocation grows only as data arrives. This is left as a follow-up to keep this PR minimal; the real guard in the meantime is the libp2p resource manager and \`RecvMessageCapacity\` being set to the consensus-enforced max block size. --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in \`CHANGELOG.md\` - [ ] Updated relevant documentation (\`docs/\` or \`spec/\`) and code comments
--- Updates the privval RetrySignerClient to check on shutdown before retrying. Without this change it is possible to get into the following shutdown state: * Node is requesting a signature from a remote signer * Shutdown happens on remote signer * Shutdown happens on node In this case we have to wait `retries × (timeoutAccept + timeout) ≈ 155s` before the node will shut down. With these changes we will wait a maximum of a single retry timeout before seeing that `Close` has been called (~3s) and shutdown will happen after that. --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>What's Changed</h2> <ul> <li>block checking out fork pr for pull_request_target and workflow_run by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> <li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li> <li>Bump flatted from 3.3.1 to 3.4.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li> <li>Bump js-yaml from 4.1.0 to 4.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li> <li>Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li> <li>upgrade module to esm and update dependencies by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li> <li>Bump the minor-npm-dependencies group across 1 directory with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li> <li>getting ready for checkout v7 release by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li> <li>update error wording by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p> <h2>v6.0.3</h2> <h2>What's Changed</h2> <ul> <li>Update changelog by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li> <li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> <li>Fix checkout init for SHA-256 repositories by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li> <li>Update changelog for v6.0.3 by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/yaananth"><code>@yaananth</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p> <h2>v6.0.2</h2> <h2>What's Changed</h2> <ul> <li>Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2355">actions/checkout#2355</a></li> <li>Fix tag handling: preserve annotations and explicit fetch-tags by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6.0.1...v6.0.2">https://github.com/actions/checkout/compare/v6.0.1...v6.0.2</a></p> <h2>v6.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update all references from v5 and v4 to v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> <li>Clarify v6 README by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v7.0.0</h2> <ul> <li>Block checking out fork PR for pull_request_target and workflow_run by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> <li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li> <li>Bump flatted from 3.3.1 to 3.4.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li> <li>Bump js-yaml from 4.1.0 to 4.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li> <li>Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li> <li>upgrade module to esm and update dependencies by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li> <li>Bump the minor-npm-dependencies group across 1 directory with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li> </ul> <h2>v6.0.3</h2> <ul> <li>Fix checkout init for SHA-256 repositories by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li> <li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> </ul> <h2>v6.0.2</h2> <ul> <li>Fix tag handling: preserve annotations and explicit fetch-tags by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li> </ul> <h2>v6.0.1</h2> <ul> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> </ul> <h2>v6.0.0</h2> <ul> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> </ul> <h2>v5.0.1</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <h2>v5.0.0</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> </ul> <h2>v4.3.1</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <h2>v4.3.0</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> <li>Adjust positioning of user email note and permissions heading by <a href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li> <li>Update CODEOWNERS for actions by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li> <li>Update package dependencies by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li> </ul> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a> update error wording (<a href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li> <li><a href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a> getting ready for checkout v7 release (<a href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li> <li><a href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a> Bump the minor-npm-dependencies group across 1 directory with 3 updates (<a href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li> <li><a href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a> upgrade module to esm and update dependencies (<a href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li> <li><a href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a> Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid (<a href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li> <li><a href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a> Bump js-yaml from 4.1.0 to 4.2.0 (<a href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li> <li><a href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a> Bump flatted from 3.3.1 to 3.4.2 (<a href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li> <li><a href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a> Bump actions/publish-immutable-action (<a href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li> <li><a href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a> block checking out fork pr for pull_request_target and workflow_run (<a href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/v6...v7">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
### Problem The socket server (`handleRequest`) and client (`resMatchesReq`) were missing cases for `Request_InsertTx` and `Request_ReapTxs`, which were added in the Krakatoa merge (#5615) but never wired into the socket type-switches. With `mempool.type = "app"` and the default `abci = "socket"` transport (out-of-process app): - Every `ReapTxs` response fails the `resMatchesReq` type-match check - Returns `ErrUnexpectedResponse` → `stopForError` → `killTMOnClientError` → `cmtos.Kill()` (SIGTERM) - `ReapTxs` fires every `ReapInterval` (~500ms), so the node self-kills within ~500ms of startup The local and gRPC transports were correctly implemented; only socket was missed. `ToResponseInsertTx`/`ToResponseReapTxs` helpers were also missing from `messages.go` (the `ToRequest*` counterparts existed). ### Fix - Add `Request_InsertTx` and `Request_ReapTxs` cases to `resMatchesReq` in `abci/client/socket_client.go` - Add `Request_InsertTx` and `Request_ReapTxs` cases to `handleRequest` in `abci/server/socket_server.go` - Add `ToResponseInsertTx` and `ToResponseReapTxs` helpers to `abci/types/messages.go` - Add `TestInsertTxReapTxsSocket` round-trip test over a real socket server/client pair --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
#5948) Fixing a small bug in PR #5946 ReadTag decoded protobuf field numbers as a platform-width int `int(v>>3)`, but the generated gogoproto unmarshaller uses `int32(wire>>3)`. On 64-bit platforms this let a crafted tag whose high bits differ (e.g. 8a 80 80 80 80 01, field 2^32+1) be classified as a different field by the pre-scan than by proto.Unmarshal As a result, the filter skips the entry while Unmarshal still decoded it as the real repeated`txs` field, slipping empty entries past the empty-entry rejection as part of the filter rule As an evidence https://github.com/cometbft/cometbft/blob/main/proto/tendermint/mempool/types.pb.go#L327 #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [x] Updated relevant documentation (`docs/` or `spec/`) and code comments Co-authored-by: dianab-cl <diana@cosmoslabs.io>
…ors (#5953) With `adaptive_sync=true`, consensus starts immediately (`consensusWaitForSync=false`) and `signAddVote` fires whenever the node is in the validator set. A catching-up validator can sign a vote for block B at height H while the blocksync ingestor concurrently commits a different block B' at H (already decided by the network). The HRS file and KMS are not sufficient backstops — the conflicting messages are at different (H,R,step) tuples so `CheckHRS` never fires. This is a known tradeoff: validators on high-performance chains (sub-1000ms blocks, high TPS) benefit from adaptive sync to avoid falling behind and being jailed. The risk is deliberate and operator-owned. ## Fix Documentation only — no behavior change: - `docs/core/block-sync.md`: add explicit equivocation risk warning to the Adaptive Sync section - `config/toml.go`: add the same warning to the `adaptive_sync` config comment --- #### PR checklist - [ ] Tests written/updated - [ ] Changelog entry added in `CHANGELOG.md` - [x] Updated relevant documentation (`docs/` or `spec/`) and code comments
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.21.0 to 0.22.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/sync/commit/1eb64d4bc0cde6da1bb8ebc7f178bb577508e5d0"><code>1eb64d4</code></a> semaphore: panic on negative weights</li> <li>See full diff in <a href="https://github.com/golang/sync/compare/v0.21.0...v0.22.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.53.0 to 0.54.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/crypto/commit/cdce021fa6c7d9c7eb2743bfbe551f0a98fd5d62"><code>cdce021</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/d9474cc4853d9ef1a29356975408d4771e5770c6"><code>d9474cc</code></a> openpgp: make the deprecation message more explicit</li> <li><a href="https://github.com/golang/crypto/commit/7626c5025624025bb44739a805f431cf93c06d6e"><code>7626c50</code></a> ssh: verify declared key type matches decoded key in authorized_keys</li> <li><a href="https://github.com/golang/crypto/commit/0471e7969e6740594dfe354646bf03e5e89de52d"><code>0471e79</code></a> ssh/agent: enforce strict limits on DSA key parameters</li> <li><a href="https://github.com/golang/crypto/commit/6435c37ab681759aff37ba751d0f2238b3043767"><code>6435c37</code></a> ssh: sanitize client disconnect messages</li> <li><a href="https://github.com/golang/crypto/commit/7d695da948bfa44ed6eedcebc8f43bcb50e94a57"><code>7d695da</code></a> ssh/agent: drain channel stderr in agent forwarders</li> <li><a href="https://github.com/golang/crypto/commit/5b7f84159940519e89df4d95465538c1797cee8b"><code>5b7f841</code></a> acme/autocert: fix data race in Manager.createCert</li> <li><a href="https://github.com/golang/crypto/commit/0b316e7ee409f8e5789a0535679d34155cecc75e"><code>0b316e7</code></a> argon2: update RFC 9106 parameter recommendations</li> <li><a href="https://github.com/golang/crypto/commit/55aec0a86b4c522b4f7366e69db55349e9f7ff5c"><code>55aec0a</code></a> x509roots/fallback: update bundle</li> <li><a href="https://github.com/golang/crypto/commit/5f2de1a9f1e29059fbb9f3d34321bd0da935556b"><code>5f2de1a</code></a> internal: remove wycheproof tests</li> <li>See full diff in <a href="https://github.com/golang/crypto/compare/v0.53.0...v0.54.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… to prevent peer teardown (#5956) ### Problem `AppReactor.chunkTxs` sized batches by raw `len(tx)` bytes, ignoring the 2–4 bytes of protobuf wire overhead each entry adds (1-byte field tag + varint length prefix). A batch of small txs near `MaxTxBytes` serializes to `MaxTxBytes + N*(2–4)` bytes, exceeding the receiver's `RecvMessageCapacity`. The connection layer returns "received message exceeds available capacity" and tears down the peer. Example overflows (default `MaxTxBytes = 1 MB`): - 1 000-byte txs: ~+2 564 bytes over capacity - 1-byte txs: ~+2 097 149 bytes over capacity Second issue: `GetChannels` sized `RecvMessageCapacity` for a single `MaxTxBytes`-sized tx while `OnStart` used `MaxBatchBytes` when set, so configs with `MaxBatchBytes > MaxTxBytes` would overflow at the capacity check itself. ### Fix - Add `internal/protowire.RepeatedBytesEntrySize(dataLen int) int` — exact wire bytes proto adds per `repeated bytes` entry (1-byte tag + varint(len)), verified against `proto.Size` at all varint boundary values; panics on negative input. - `chunkTxs` accounts for this overhead per tx so no encoded batch exceeds `RecvMessageCapacity`. - Extract `effectiveMaxBatchBytes()` to deduplicate the `MaxBatchBytes`/`MaxTxBytes` fallback logic shared by `OnStart` and `GetChannels`. - `GetChannels` derives `RecvMessageCapacity` from `effectiveMaxBatchBytes()`, keeping the advertised capacity in sync with the actual send ceiling. --- #### PR checklist - [x] Tests written/updated - [x] Changelog entry added in `CHANGELOG.md` - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.56.0 to 0.57.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/b8f09f6f062ceb4531b7af4bd17a5c8fe9c4b2b5"><code>b8f09f6</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/f05f21be5927155a88b371674c298ada54b71cf5"><code>f05f21b</code></a> idna: reject all-ASCII xn-- labels on all Go versions</li> <li><a href="https://github.com/golang/net/commit/0f748cfbba95084c87723e3b7eb7dad9241fc2dd"><code>0f748cf</code></a> internal/http3: clean up stream I/O methods usages in tests</li> <li><a href="https://github.com/golang/net/commit/0bb961e45132c680e2a0117e1df951538a19da61"><code>0bb961e</code></a> internal/http3: add net/http.ResponseController support</li> <li><a href="https://github.com/golang/net/commit/0ca694d2a5adcce7f36d4d65e5f8d72390d94051"><code>0ca694d</code></a> webdav: document Dir's lack of defense against filesystem modification</li> <li><a href="https://github.com/golang/net/commit/bd5f1dcf71cf0d6d2424021d0a04f191396a46a7"><code>bd5f1dc</code></a> http2: initialize Transport on NewClientConn</li> <li><a href="https://github.com/golang/net/commit/488ff63197ffddbcef2d01107f8a89906a4f28d1"><code>488ff63</code></a> bpf: add security considerations to package docs</li> <li><a href="https://github.com/golang/net/commit/93d1f25be95961edfdf488b9398e53fb9f05f193"><code>93d1f25</code></a> xsrftoken: avoid token collisions</li> <li><a href="https://github.com/golang/net/commit/5a3baee349e65853c34b4377bebe7676a64dbc87"><code>5a3baee</code></a> internal/http3: prevent panic in QPACK decoder due to overflow</li> <li>See full diff in <a href="https://github.com/golang/net/compare/v0.56.0...v0.57.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…5973) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.68.1 to 0.70.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prometheus/common/releases">github.com/prometheus/common's releases</a>.</em></p> <blockquote> <h2>v0.70.0</h2> <h2>What's Changed</h2> <ul> <li>config: fix TLSVersion.String() printing pointer address by <a href="https://github.com/s3onghyun"><code>@s3onghyun</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/929">prometheus/common#929</a></li> <li>build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/933">prometheus/common#933</a></li> <li>Manually go mod tidy by <a href="https://github.com/SuperQ"><code>@SuperQ</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/934">prometheus/common#934</a></li> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/937">prometheus/common#937</a></li> <li>route: add support for the QUERY HTTP method by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/932">prometheus/common#932</a></li> <li>Combine and extend Prometheus text and OpenMetrics 1.0 encoder benchmarks by <a href="https://github.com/dashpole"><code>@dashpole</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/943">prometheus/common#943</a></li> <li>build(deps): bump the codeql group with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/938">prometheus/common#938</a></li> <li>build(deps): bump actions/setup-go from 6.2.0 to 6.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/940">prometheus/common#940</a></li> <li>build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/942">prometheus/common#942</a></li> <li>build(deps): bump ossf/scorecard-action from 2.1.2 to 2.4.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/939">prometheus/common#939</a></li> <li>build(deps): bump actions/checkout from 3.1.0 to 7.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/prometheus/common/pull/941">prometheus/common#941</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/s3onghyun"><code>@s3onghyun</code></a> made their first contribution in <a href="https://redirect.github.com/prometheus/common/pull/929">prometheus/common#929</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.69.0...v0.70.0">https://github.com/prometheus/common/compare/v0.69.0...v0.70.0</a></p> <h2>v0.69.0</h2> <h2>What's Changed</h2> <ul> <li>config: strip credentials on cross-host redirects by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/901">prometheus/common#901</a></li> <li>Modernize Go by <a href="https://github.com/SuperQ"><code>@SuperQ</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/919">prometheus/common#919</a></li> <li>config: make isCrossHostRedirect sticky across the redirect chain by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/920">prometheus/common#920</a></li> <li>config: check cross-host redirect before OAuth2 token fetch by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/921">prometheus/common#921</a></li> <li>expfmt: fix nil pointer panic when parsing empty braces "{}" by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/922">prometheus/common#922</a></li> <li>model: reduce allocations in Time.UnmarshalJSON by <a href="https://github.com/bboreham"><code>@bboreham</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/918">prometheus/common#918</a></li> <li>config: resolve LoadHTTPConfigFile paths relative to the config file by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/925">prometheus/common#925</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.68.1...v0.69.0">https://github.com/prometheus/common/compare/v0.68.1...v0.69.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/prometheus/common/blob/main/CHANGELOG.md">github.com/prometheus/common's changelog</a>.</em></p> <blockquote> <h2>v0.70.0 / 2026-07-10</h2> <h3>Enhancements</h3> <ul> <li>route: add support for the QUERY HTTP method. <a href="https://redirect.github.com/prometheus/common/issues/932">#932</a></li> </ul> <h3>Bugfixes</h3> <ul> <li>config: fix <code>TLSVersion.String()</code> printing a pointer address instead of the numeric version for unknown TLS versions. <a href="https://redirect.github.com/prometheus/common/issues/929">#929</a></li> </ul> <h3>Internal</h3> <ul> <li>expfmt: add <code>BenchmarkConvertMetricFamily</code> comparing the Prometheus text and OpenMetrics 1.0 encoders. <a href="https://redirect.github.com/prometheus/common/issues/943">#943</a></li> <li>Update Go dependencies. <a href="https://redirect.github.com/prometheus/common/issues/933">#933</a> <a href="https://redirect.github.com/prometheus/common/issues/934">#934</a></li> <li>Synchronize common files from prometheus/prometheus. <a href="https://redirect.github.com/prometheus/common/issues/923">#923</a> <a href="https://redirect.github.com/prometheus/common/issues/927">#927</a> <a href="https://redirect.github.com/prometheus/common/issues/930">#930</a> <a href="https://redirect.github.com/prometheus/common/issues/937">#937</a></li> <li>Update GitHub Actions. <a href="https://redirect.github.com/prometheus/common/issues/938">#938</a> <a href="https://redirect.github.com/prometheus/common/issues/939">#939</a> <a href="https://redirect.github.com/prometheus/common/issues/940">#940</a> <a href="https://redirect.github.com/prometheus/common/issues/941">#941</a> <a href="https://redirect.github.com/prometheus/common/issues/942">#942</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.69.0...v0.70.0">https://github.com/prometheus/common/compare/v0.69.0...v0.70.0</a></p> <h2>v0.69.0 / 2026-06-17</h2> <h3>Security / behavior changes</h3> <ul> <li><strong>config: credentials are no longer forwarded across cross-host redirects.</strong> When <code>FollowRedirects</code> is enabled, the HTTP client now strips <code>Authorization</code>, <code>Cookie</code>, <code>Proxy-Authorization</code> and other sensitive headers, and skips basic-auth, bearer-token and OAuth2 credentials, when a redirect points to a different host. This aligns with Go's <code>net/http</code> behavior. Callers that relied on credentials being sent to a redirect target on another host will need to target that host directly. <a href="https://redirect.github.com/prometheus/common/issues/901">#901</a> <a href="https://redirect.github.com/prometheus/common/issues/920">#920</a> <a href="https://redirect.github.com/prometheus/common/issues/921">#921</a></li> <li>config: <code>LoadHTTPConfigFile</code> now resolves relative file paths (e.g. <code>*_file</code> credentials, <code>http_headers</code> files) against the config file's own directory instead of its parent directory. Configs that worked around the old behavior by prefixing paths with the config's directory name must drop that prefix. <a href="https://redirect.github.com/prometheus/common/issues/925">#925</a></li> </ul> <h3>Bugfixes</h3> <ul> <li>expfmt: fix nil pointer panic when parsing empty braces <code>{}</code>. <a href="https://redirect.github.com/prometheus/common/issues/922">#922</a></li> <li>model: fix <code>Time.UnmarshalJSON</code> for larger negative numbers. <a href="https://redirect.github.com/prometheus/common/issues/918">#918</a></li> </ul> <h3>Performance</h3> <ul> <li>model: reduce allocations in <code>Time.UnmarshalJSON</code>. <a href="https://redirect.github.com/prometheus/common/issues/918">#918</a></li> </ul> <h3>Internal</h3> <ul> <li>Synchronize common files from prometheus/prometheus. <a href="https://redirect.github.com/prometheus/common/issues/917">#917</a></li> <li>Modernize Go. <a href="https://redirect.github.com/prometheus/common/issues/919">#919</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.68.1...v0.69.0">https://github.com/prometheus/common/compare/v0.68.1...v0.69.0</a></p> <h2>v0.67.2 / 2025-10-28</h2> <h2>What's Changed</h2> <ul> <li>config: Fix panic in <code>tlsRoundTripper</code> when CA file is absent by <a href="https://github.com/ndk"><code>@ndk</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/792">prometheus/common#792</a></li> <li>Cleanup linting issues by <a href="https://github.com/SuperQ"><code>@SuperQ</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/860">prometheus/common#860</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/ndk"><code>@ndk</code></a> made their first contribution in <a href="https://redirect.github.com/prometheus/common/pull/792">prometheus/common#792</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/prometheus/common/commit/5eff7a827920b6f175ea02b222f7c827a0fe80ad"><code>5eff7a8</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/941">#941</a> from prometheus/dependabot/github_actions/actions/che...</li> <li><a href="https://github.com/prometheus/common/commit/a23c5b344ad9200c0073133920fe60a9882c9d28"><code>a23c5b3</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/939">#939</a> from prometheus/dependabot/github_actions/ossf/scorec...</li> <li><a href="https://github.com/prometheus/common/commit/9e1eb871ced38b03648a38558ac3de66edeff2b5"><code>9e1eb87</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/942">#942</a> from prometheus/dependabot/github_actions/actions/upl...</li> <li><a href="https://github.com/prometheus/common/commit/ab2736d28a9fce77b0186e36b5d3318b74115298"><code>ab2736d</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/940">#940</a> from prometheus/dependabot/github_actions/actions/set...</li> <li><a href="https://github.com/prometheus/common/commit/e596873192a72855876b1c38cdb634bb73f5ba00"><code>e596873</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/938">#938</a> from prometheus/dependabot/github_actions/codeql-ac07...</li> <li><a href="https://github.com/prometheus/common/commit/97c066a87b2345f146b345141f0f14aaab7ad387"><code>97c066a</code></a> Add BenchmarkConvertMetricFamily comparing Prometheus text and OpenMetrics 1....</li> <li><a href="https://github.com/prometheus/common/commit/62e9d0f61d355b574225f66628a5f94be2bc1c29"><code>62e9d0f</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/932">#932</a> from roidelapluie/roidelapluie/route-query</li> <li><a href="https://github.com/prometheus/common/commit/6c312397a5da723c995ee9c16263f252c1d6b4a1"><code>6c31239</code></a> build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1</li> <li><a href="https://github.com/prometheus/common/commit/755e9d686dec00400191cc8483872831aff1b9cd"><code>755e9d6</code></a> build(deps): bump actions/checkout from 3.1.0 to 7.0.0</li> <li><a href="https://github.com/prometheus/common/commit/556d7402ea9a80cab60297e4dc98149b5410e24f"><code>556d740</code></a> build(deps): bump actions/setup-go from 6.2.0 to 6.5.0</li> <li>Additional commits viewable in <a href="https://github.com/prometheus/common/compare/v0.68.1...v0.70.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.