Skip to content

Update to latest main#11

Open
aleksraiden wants to merge 21 commits into
aleksraiden:mainfrom
cometbft:main
Open

Update to latest main#11
aleksraiden wants to merge 21 commits into
aleksraiden:mainfrom
cometbft:main

Conversation

@aleksraiden

Copy link
Copy Markdown
Owner

satyakwok and others added 21 commits June 15, 2026 17:10
…1693) (#5857)

Closes #1693.

For replay paths that only need validator addresses + voting powers
(`buildLastCommitInfo`, `buildExtendedCommitInfo`), advancing proposer
priorities forward from the most recent stored checkpoint is wasted
work. The advance is `O(height % valSetCheckpointInterval)` and
dominates replay time on chains with infrequent validator-set changes.

The original issue reports ~10x slowdown observed in production. This
PR's benchmark on a 100-validator set shows up to **903x** at worst case
(load at `checkpoint + 99,999`).

## Changes

- Add `Store.LoadValidatorsFast(height)` that returns the
`*ValidatorSet` without `IncrementProposerPriority`. The returned set
has correct addresses, public keys, and voting powers;
`ProposerPriority` reflects the last stored checkpoint, not the
requested height. Documented that callers needing accurate proposer
priority must continue to use `LoadValidators`.
- Wire `buildLastCommitInfoFromStore` and
`buildExtendedCommitInfoFromStore` to use the fast path. Both downstream
paths only call `TM2PB.Validator` (`types/protobuf.go:41`) which reads
`PubKey.Address()` and `VotingPower` only — no proposer priority access.
- Refactor `LoadValidators` internals into a shared
`loadValidatorsAtHeight` helper so both fast and full paths share the
lookup logic.
- Update mock `state/mocks/store.go`.

## Bench

`state/store_test.go::BenchmarkLoadValidatorsSawtooth` on AMD EPYC,
100-validator set, ValidatorsInfo header persisted at the queried height
but ValidatorSet only stored at checkpoint:

| Offset from checkpoint | LoadValidators | LoadValidatorsFast | Speedup
|

|------------------------|----------------|--------------------|---------|
| at_checkpoint | 165 µs | 158 µs | 1.04x |
| +1 | 149 µs | 137 µs | 1.09x |
| +100 | 270 µs | 134 µs | 2.0x |
| +10,000 | 12.4 ms | 132 µs | 94x |
| +99,999 | 126 ms | 140 µs | **903x** |

The sawtooth pattern described in the issue is reproduced and
eliminated.

Reproduce locally:
```
go test ./state -bench BenchmarkLoadValidatorsSawtooth -benchtime=1s -run=^$
```

## Compatibility

- `LoadValidators` semantics unchanged (still advances proposer
priority).
- `LoadValidatorsFast` is additive — no caller is forced to migrate.
- Interface change is additive — third-party `state.Store`
implementations need to add the new method, but this is a single small
addition (mock provided as a template in the diff).

Signed-off-by: satyakwok <119509589+satyakwok@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…timize retry timer (#5592)

Three improvements to the blocksync block requester:

**Fix: redo events no longer silently dropped**

`redoCh` was typed `chan p2p.ID` with capacity 1. In the dual-peer
scenario, if `redo(peerA)` was already pending in the channel, a
concurrent `redo(peerB)` would be silently dropped — peerB would stall
until the retry timer fired.

Replace with `chan struct{}` (capacity 1) as a coalesced wake-up
signal. Peer IDs are appended to a mutex-protected `redoPeers` slice
in `redo()`, so no event is ever lost regardless of call frequency.

**Fix: stale redo events no longer cancel new requests**

When the retry timer fired and restarted the outer loop, any pending
redo events in `redoPeers` carried over to the next iteration. If the
new iteration happened to pick the same peer, those stale events would
cancel a valid new request.

A generation counter is incremented at the start of each outer loop.
`redo()` records the current generation alongside the peer ID; events
from a previous generation are silently discarded. The retry timer path
also clears `redoPeers` before restarting.

**Perf: reuse retry timer instead of allocating a new one each loop**

Before (new timer allocated per OUTER_LOOP iteration):
- 19396 ns/op, 63488 B/op, 768 allocs/op

After (single timer, reset on each iteration):
- 7589 ns/op, 248 B/op, 3 allocs/op

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `.changelog` (we use
[unclog](https://github.com/informalsystems/unclog) to manage our
changelog)
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
… in Idle (#5929)

## Description
Fix CI failure at:
https://github.com/cometbft/cometbft/actions/runs/27431355897/job/81082257035?pr=5879
`statusesAreEqual` compared `Status.Idle` with exact equality (`==`)
while every
other time-derived field (`Duration`, `TimeRem`, the rates) allowed a
deviation.
`Idle` is the difference of two timestamps each rounded to the 20ms
`clockRate`,
so scheduling jitter on loaded runners can push the two reads onto
adjacent
ticks, producing a spurious 20ms idle and failing the strict `==`.

This compares `Idle` with the same `maxDeviationForDuration` tolerance,
and makes
`durationsAreEqual` symmetric (absolute diff) so it bounds drift in both
directions.


---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.20.0 to
0.21.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sync/commit/5071ed6a9f1617117556b66384f765c934de3698"><code>5071ed6</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.20.0...v0.21.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/sync&package-manager=go_modules&previous-version=0.20.0&new-version=0.21.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…uring sendError (#5931)

## Summary

Fix CI failure at:
https://github.com/cometbft/cometbft/actions/runs/27214146296/job/80350996164

- `AddBlock` held `pool.mtx` via a deferred `Unlock` while calling
`sendError` on an unbuffered channel. Any concurrent caller that also
needed `pool.mtx` would deadlock until the channel was drained.
- Fix by collecting the error in `sendErr` and dispatching it inside the
`defer` after the mutex is released.
- Adds a regression test `TestAddBlockDoesNotDeadlockOnSendError`.

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to
0.56.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/9e7fdbfadb32b0cc7524100014c5cf9b6adc7729"><code>9e7fdbf</code></a>
internal/http3: fix wrong argument being given when validating header
value</li>
<li><a
href="https://github.com/golang/net/commit/b686e5f3573e5f55120d664fc283ed7e80c1af3c"><code>b686e5f</code></a>
internal/http3: add gzip support to transport</li>
<li><a
href="https://github.com/golang/net/commit/8a348850ed6818306667722af2b42a6fc63473e0"><code>8a34885</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/72eaf98743302f6e0ad10883163dfc46dc8e8183"><code>72eaf98</code></a>
dns/dnsmessage: correctly validate SVCB record parameter order</li>
<li><a
href="https://github.com/golang/net/commit/82e7868a02167540748b74780b0bf825985256f7"><code>82e7868</code></a>
dns/dnsmessage: avoid panic when parsing SVCB record with truncated
data</li>
<li><a
href="https://github.com/golang/net/commit/b64f1fa4c615965246e5b9e5c9d614916fa8967d"><code>b64f1fa</code></a>
internal/http3: add server support for &quot;Trailer:&quot; magic
prefix</li>
<li><a
href="https://github.com/golang/net/commit/2707ee21efea70599446dd35979b1d1aedf44ada"><code>2707ee2</code></a>
internal/http3: implement HTTP/3 clientConn methods</li>
<li><a
href="https://github.com/golang/net/commit/31358cc259a764905194e3d6c597375b0ff366c1"><code>31358cc</code></a>
internal/http3: snapshot response headers at WriteHeader time</li>
<li><a
href="https://github.com/golang/net/commit/8ecbaa95fea823c19fa74c5c3b53e0bccd473828"><code>8ecbaa9</code></a>
html: don't adjust xml:base</li>
<li><a
href="https://github.com/golang/net/commit/8ae811abe5c2daa55c68d51a101af1c5751a4d55"><code>8ae811a</code></a>
html: properly handle end script tag in fragment mode</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.55.0...v0.56.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.55.0&new-version=0.56.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Co-authored-by: Alex Cozart <alex@cosmoslabs.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…5879)

## Summary

`handleStream` calls `resolvePeer` to look up or provision the incoming
peer, but `resolvePeer` relies on the peerstore having the peer's
address. libp2p's identify protocol populates the peerstore
asynchronously — there is a window where A has opened a CometBFT stream
to B but B's peerstore is still empty for A, causing `resolvePeer` to
fail and the first message to be dropped.

The fix passes the connection's remote multiaddr directly into
`resolvePeer` as a fallback. When the peerstore has no addresses for the
peer, `resolvePeer` constructs the `addrInfo` inline from the live
connection instead of returning an error. This closes the race without
any peerstore side effects.

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Fixes #2143.

`respondToPeer` was calling `store.LoadBlock`, which internally
unmarshal the raw DB bytes into a `cmtproto.Block` and then calls
`BlockFromProto` to get a `*types.Block`. The function then immediately
called `block.ToProto()` to get back a `cmtproto.Block` for the wire
response. The intermediate Go struct was never used.

Added `LoadBlockProto` to `BlockStore` that stops after the
`proto.Unmarshal` step and returns the `*cmtproto.Block` directly.
`LoadBlock` now delegates to it. `respondToPeer` type-asserts to
`*store.BlockStore` and calls `LoadBlockProto` when possible, with a
fallback for the interface case (used in tests with mocks).

Tested: added `TestLoadBlockProto` to `store/store_test.go` that checks
nil on missing height, correct hash round-trip, and consistency with
`LoadBlock`. Full `./store/...` and `./blocksync/...` suites pass.

---------

Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…mplification (#5946)

Implements the optional p2p.MsgBytesFilter interface (defined in
p2p/base_reactor.go) for this reactor.

When provided, this filter runs against the raw message bytes before
unmarshalling, allowing oversized or malformed messages to be rejected
up front. This closes a heap-amplification vector where a small,
count-packed wire payload could be unmarshalled into a
disproportionately large in-memory structure, exhausting memory.

Motivation:

Previously the message bytes went straight to unmarshal with no
pre-decode size/validity check. A crafted gossip message could exploit
this to trigger excessive heap allocation. Rejecting bad messages before
unmarshal eliminates the attack surface.


---

#### PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
\`StreamReadSized\` enforces a per-read size limit passed in by the
caller (the reactor's \`RecvMessageCapacity\`). The 4 MB
\`MaxStreamSize\` constant is intended as a default fallback for callers
that don't specify a limit.

## Problem

\`StreamReadSized\` applied \`payloadLimit := min(maxSize,
MaxStreamSize)\`, clamping the caller-supplied limit down to 4 MB
regardless of what the reactor configured. Blocksync sets
\`RecvMessageCapacity = MaxBlockSizeBytes + 5 ≈ 100 MB\`; any block >4
MB was rejected with "payload is too large" and the stream was reset.
The send side (\`StreamWrite\`) has no cap and serialises the full
block, so a peer could send a 50 MB block that the receiver would always
reject — a liveness failure for any lp2p node behind on a chain
producing >4 MB blocks. Statesync's 16 MB chunks were similarly
affected.

## Fix

Use \`maxSize\` directly. \`MaxStreamSize\` is now a fallback only when
\`maxSize == 0\` (unset), not a hard global cap. Adds a regression test
for \`maxSize > MaxStreamSize\`.

## Remaining issue

\`readExactly\` does \`make([]byte, payloadSize)\` immediately after
reading the length-prefix header, so a malicious peer can force a
receiver to allocate up to \`RecvMessageCapacity\` bytes before any
payload data arrives. The old 4 MB clamp was inadvertently limiting this
to 4 MB per stream.

The correct fix is to replace \`readExactly\` with
\`io.ReadAll(io.LimitReader(...))\` so allocation grows only as data
arrives. This is left as a follow-up to keep this PR minimal; the real
guard in the meantime is the libp2p resource manager and
\`RecvMessageCapacity\` being set to the consensus-enforced max block
size.

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in \`CHANGELOG.md\`
- [ ] Updated relevant documentation (\`docs/\` or \`spec/\`) and code
comments
---

Updates the privval RetrySignerClient to check on shutdown before
retrying.
Without this change it is possible to get into the following shutdown
state:
* Node is requesting a signature from a remote signer
* Shutdown happens on remote signer
* Shutdown happens on node


In this case we have to wait `retries × (timeoutAccept + timeout) ≈
155s` before the node will shut down.

With these changes we will wait a maximum of a single retry timeout
before seeing that `Close` has been called (~3s) and shutdown will
happen after that.

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to
7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>block checking out fork pr for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
<li>getting ready for checkout v7 release by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li>
<li>update error wording by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p>
<h2>v6.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Update changelog by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>Update changelog for v6.0.3 by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yaananth"><code>@​yaananth</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p>
<h2>v6.0.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID
is set by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2355">actions/checkout#2355</a></li>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.1...v6.0.2">https://github.com/actions/checkout/compare/v6.0.1...v6.0.2</a></p>
<h2>v6.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update all references from v5 and v4 to v6 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
<li>Clarify v6 README by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v7.0.0</h2>
<ul>
<li>Block checking out fork PR for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
</ul>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a>
update error wording (<a
href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a>
getting ready for checkout v7 release (<a
href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a>
Bump the minor-npm-dependencies group across 1 directory with 3 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a>
upgrade module to esm and update dependencies (<a
href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a>
Bump <code>@​actions/core</code> and <code>@​actions/tool-cache</code>
and Remove uuid (<a
href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a>
Bump js-yaml from 4.1.0 to 4.2.0 (<a
href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a>
Bump flatted from 3.3.1 to 3.4.2 (<a
href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a>
Bump actions/publish-immutable-action (<a
href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a>
block checking out fork pr for pull_request_target and workflow_run (<a
href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/v6...v7">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
### Problem

The socket server (`handleRequest`) and client (`resMatchesReq`) were
missing cases for `Request_InsertTx` and `Request_ReapTxs`, which were
added in the Krakatoa merge (#5615) but never wired into the socket
type-switches.

With `mempool.type = "app"` and the default `abci = "socket"` transport
(out-of-process app):
- Every `ReapTxs` response fails the `resMatchesReq` type-match check
- Returns `ErrUnexpectedResponse` → `stopForError` →
`killTMOnClientError` → `cmtos.Kill()` (SIGTERM)
- `ReapTxs` fires every `ReapInterval` (~500ms), so the node self-kills
within ~500ms of startup

The local and gRPC transports were correctly implemented; only socket
was missed. `ToResponseInsertTx`/`ToResponseReapTxs` helpers were also
missing from `messages.go` (the `ToRequest*` counterparts existed).

### Fix

- Add `Request_InsertTx` and `Request_ReapTxs` cases to `resMatchesReq`
in `abci/client/socket_client.go`
- Add `Request_InsertTx` and `Request_ReapTxs` cases to `handleRequest`
in `abci/server/socket_server.go`
- Add `ToResponseInsertTx` and `ToResponseReapTxs` helpers to
`abci/types/messages.go`
- Add `TestInsertTxReapTxsSocket` round-trip test over a real socket
server/client pair

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
#5948)

Fixing a small bug in PR #5946

ReadTag decoded protobuf field numbers as a platform-width int
`int(v>>3)`, but the generated gogoproto unmarshaller uses
`int32(wire>>3)`. On 64-bit platforms this let a crafted tag whose high
bits differ (e.g. 8a 80 80 80 80 01, field 2^32+1) be classified as a
different field by the pre-scan than by proto.Unmarshal

As a result, the filter skips the entry while Unmarshal still decoded it
as the real repeated`txs` field, slipping empty entries past the
empty-entry rejection as part of the filter rule


As an evidence

https://github.com/cometbft/cometbft/blob/main/proto/tendermint/mempool/types.pb.go#L327




#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [x] Updated relevant documentation (`docs/` or `spec/`) and code
comments

Co-authored-by: dianab-cl <diana@cosmoslabs.io>
…ors (#5953)

With `adaptive_sync=true`, consensus starts immediately
(`consensusWaitForSync=false`) and `signAddVote` fires whenever the node
is in the validator set. A catching-up validator can sign a vote for
block B at height H while the blocksync ingestor concurrently commits a
different block B' at H (already decided by the network). The HRS file
and KMS are not sufficient backstops — the conflicting messages are at
different (H,R,step) tuples so `CheckHRS` never fires.

This is a known tradeoff: validators on high-performance chains
(sub-1000ms blocks, high TPS) benefit from adaptive sync to avoid
falling behind and being jailed. The risk is deliberate and
operator-owned.

## Fix

Documentation only — no behavior change:
- `docs/core/block-sync.md`: add explicit equivocation risk warning to
the Adaptive Sync section
- `config/toml.go`: add the same warning to the `adaptive_sync` config
comment

---

#### PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [x] Updated relevant documentation (`docs/` or `spec/`) and code
comments
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.21.0 to
0.22.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sync/commit/1eb64d4bc0cde6da1bb8ebc7f178bb577508e5d0"><code>1eb64d4</code></a>
semaphore: panic on negative weights</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.21.0...v0.22.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/sync&package-manager=go_modules&previous-version=0.21.0&new-version=0.22.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.53.0 to 0.54.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/cdce021fa6c7d9c7eb2743bfbe551f0a98fd5d62"><code>cdce021</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/d9474cc4853d9ef1a29356975408d4771e5770c6"><code>d9474cc</code></a>
openpgp: make the deprecation message more explicit</li>
<li><a
href="https://github.com/golang/crypto/commit/7626c5025624025bb44739a805f431cf93c06d6e"><code>7626c50</code></a>
ssh: verify declared key type matches decoded key in
authorized_keys</li>
<li><a
href="https://github.com/golang/crypto/commit/0471e7969e6740594dfe354646bf03e5e89de52d"><code>0471e79</code></a>
ssh/agent: enforce strict limits on DSA key parameters</li>
<li><a
href="https://github.com/golang/crypto/commit/6435c37ab681759aff37ba751d0f2238b3043767"><code>6435c37</code></a>
ssh: sanitize client disconnect messages</li>
<li><a
href="https://github.com/golang/crypto/commit/7d695da948bfa44ed6eedcebc8f43bcb50e94a57"><code>7d695da</code></a>
ssh/agent: drain channel stderr in agent forwarders</li>
<li><a
href="https://github.com/golang/crypto/commit/5b7f84159940519e89df4d95465538c1797cee8b"><code>5b7f841</code></a>
acme/autocert: fix data race in Manager.createCert</li>
<li><a
href="https://github.com/golang/crypto/commit/0b316e7ee409f8e5789a0535679d34155cecc75e"><code>0b316e7</code></a>
argon2: update RFC 9106 parameter recommendations</li>
<li><a
href="https://github.com/golang/crypto/commit/55aec0a86b4c522b4f7366e69db55349e9f7ff5c"><code>55aec0a</code></a>
x509roots/fallback: update bundle</li>
<li><a
href="https://github.com/golang/crypto/commit/5f2de1a9f1e29059fbb9f3d34321bd0da935556b"><code>5f2de1a</code></a>
internal: remove wycheproof tests</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.53.0...v0.54.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… to prevent peer teardown (#5956)

### Problem

`AppReactor.chunkTxs` sized batches by raw `len(tx)` bytes, ignoring the
2–4 bytes of protobuf wire overhead each entry adds (1-byte field tag +
varint length prefix). A batch of small txs near `MaxTxBytes` serializes
to `MaxTxBytes + N*(2–4)` bytes, exceeding the receiver's
`RecvMessageCapacity`. The connection layer returns "received message
exceeds available capacity" and tears down the peer.

Example overflows (default `MaxTxBytes = 1 MB`):
- 1 000-byte txs: ~+2 564 bytes over capacity
- 1-byte txs: ~+2 097 149 bytes over capacity

Second issue: `GetChannels` sized `RecvMessageCapacity` for a single
`MaxTxBytes`-sized tx while `OnStart` used `MaxBatchBytes` when set, so
configs with `MaxBatchBytes > MaxTxBytes` would overflow at the capacity
check itself.

### Fix

- Add `internal/protowire.RepeatedBytesEntrySize(dataLen int) int` —
exact wire bytes proto adds per `repeated bytes` entry (1-byte tag +
varint(len)), verified against `proto.Size` at all varint boundary
values; panics on negative input.
- `chunkTxs` accounts for this overhead per tx so no encoded batch
exceeds `RecvMessageCapacity`.
- Extract `effectiveMaxBatchBytes()` to deduplicate the
`MaxBatchBytes`/`MaxTxBytes` fallback logic shared by `OnStart` and
`GetChannels`.
- `GetChannels` derives `RecvMessageCapacity` from
`effectiveMaxBatchBytes()`, keeping the advertised capacity in sync with
the actual send ceiling.

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments

---------

Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.56.0 to
0.57.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/b8f09f6f062ceb4531b7af4bd17a5c8fe9c4b2b5"><code>b8f09f6</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/f05f21be5927155a88b371674c298ada54b71cf5"><code>f05f21b</code></a>
idna: reject all-ASCII xn-- labels on all Go versions</li>
<li><a
href="https://github.com/golang/net/commit/0f748cfbba95084c87723e3b7eb7dad9241fc2dd"><code>0f748cf</code></a>
internal/http3: clean up stream I/O methods usages in tests</li>
<li><a
href="https://github.com/golang/net/commit/0bb961e45132c680e2a0117e1df951538a19da61"><code>0bb961e</code></a>
internal/http3: add net/http.ResponseController support</li>
<li><a
href="https://github.com/golang/net/commit/0ca694d2a5adcce7f36d4d65e5f8d72390d94051"><code>0ca694d</code></a>
webdav: document Dir's lack of defense against filesystem
modification</li>
<li><a
href="https://github.com/golang/net/commit/bd5f1dcf71cf0d6d2424021d0a04f191396a46a7"><code>bd5f1dc</code></a>
http2: initialize Transport on NewClientConn</li>
<li><a
href="https://github.com/golang/net/commit/488ff63197ffddbcef2d01107f8a89906a4f28d1"><code>488ff63</code></a>
bpf: add security considerations to package docs</li>
<li><a
href="https://github.com/golang/net/commit/93d1f25be95961edfdf488b9398e53fb9f05f193"><code>93d1f25</code></a>
xsrftoken: avoid token collisions</li>
<li><a
href="https://github.com/golang/net/commit/5a3baee349e65853c34b4377bebe7676a64dbc87"><code>5a3baee</code></a>
internal/http3: prevent panic in QPACK decoder due to overflow</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.56.0...v0.57.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…5973)

Bumps
[github.com/prometheus/common](https://github.com/prometheus/common)
from 0.68.1 to 0.70.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/prometheus/common/releases">github.com/prometheus/common's
releases</a>.</em></p>
<blockquote>
<h2>v0.70.0</h2>
<h2>What's Changed</h2>
<ul>
<li>config: fix TLSVersion.String() printing pointer address by <a
href="https://github.com/s3onghyun"><code>@​s3onghyun</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/929">prometheus/common#929</a></li>
<li>build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/933">prometheus/common#933</a></li>
<li>Manually go mod tidy by <a
href="https://github.com/SuperQ"><code>@​SuperQ</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/934">prometheus/common#934</a></li>
<li>Synchronize common files from prometheus/prometheus by <a
href="https://github.com/prombot"><code>@​prombot</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/937">prometheus/common#937</a></li>
<li>route: add support for the QUERY HTTP method by <a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/932">prometheus/common#932</a></li>
<li>Combine and extend Prometheus text and OpenMetrics 1.0 encoder
benchmarks by <a
href="https://github.com/dashpole"><code>@​dashpole</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/943">prometheus/common#943</a></li>
<li>build(deps): bump the codeql group with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/938">prometheus/common#938</a></li>
<li>build(deps): bump actions/setup-go from 6.2.0 to 6.5.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/940">prometheus/common#940</a></li>
<li>build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/942">prometheus/common#942</a></li>
<li>build(deps): bump ossf/scorecard-action from 2.1.2 to 2.4.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/939">prometheus/common#939</a></li>
<li>build(deps): bump actions/checkout from 3.1.0 to 7.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/prometheus/common/pull/941">prometheus/common#941</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/s3onghyun"><code>@​s3onghyun</code></a>
made their first contribution in <a
href="https://redirect.github.com/prometheus/common/pull/929">prometheus/common#929</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/prometheus/common/compare/v0.69.0...v0.70.0">https://github.com/prometheus/common/compare/v0.69.0...v0.70.0</a></p>
<h2>v0.69.0</h2>
<h2>What's Changed</h2>
<ul>
<li>config: strip credentials on cross-host redirects by <a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/901">prometheus/common#901</a></li>
<li>Modernize Go by <a
href="https://github.com/SuperQ"><code>@​SuperQ</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/919">prometheus/common#919</a></li>
<li>config: make isCrossHostRedirect sticky across the redirect chain by
<a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/920">prometheus/common#920</a></li>
<li>config: check cross-host redirect before OAuth2 token fetch by <a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/921">prometheus/common#921</a></li>
<li>expfmt: fix nil pointer panic when parsing empty braces
&quot;{}&quot; by <a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/922">prometheus/common#922</a></li>
<li>model: reduce allocations in Time.UnmarshalJSON by <a
href="https://github.com/bboreham"><code>@​bboreham</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/918">prometheus/common#918</a></li>
<li>config: resolve LoadHTTPConfigFile paths relative to the config file
by <a
href="https://github.com/roidelapluie"><code>@​roidelapluie</code></a>
in <a
href="https://redirect.github.com/prometheus/common/pull/925">prometheus/common#925</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/prometheus/common/compare/v0.68.1...v0.69.0">https://github.com/prometheus/common/compare/v0.68.1...v0.69.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/prometheus/common/blob/main/CHANGELOG.md">github.com/prometheus/common's
changelog</a>.</em></p>
<blockquote>
<h2>v0.70.0 / 2026-07-10</h2>
<h3>Enhancements</h3>
<ul>
<li>route: add support for the QUERY HTTP method. <a
href="https://redirect.github.com/prometheus/common/issues/932">#932</a></li>
</ul>
<h3>Bugfixes</h3>
<ul>
<li>config: fix <code>TLSVersion.String()</code> printing a pointer
address instead of the numeric version for unknown TLS versions. <a
href="https://redirect.github.com/prometheus/common/issues/929">#929</a></li>
</ul>
<h3>Internal</h3>
<ul>
<li>expfmt: add <code>BenchmarkConvertMetricFamily</code> comparing the
Prometheus text and OpenMetrics 1.0 encoders. <a
href="https://redirect.github.com/prometheus/common/issues/943">#943</a></li>
<li>Update Go dependencies. <a
href="https://redirect.github.com/prometheus/common/issues/933">#933</a>
<a
href="https://redirect.github.com/prometheus/common/issues/934">#934</a></li>
<li>Synchronize common files from prometheus/prometheus. <a
href="https://redirect.github.com/prometheus/common/issues/923">#923</a>
<a
href="https://redirect.github.com/prometheus/common/issues/927">#927</a>
<a
href="https://redirect.github.com/prometheus/common/issues/930">#930</a>
<a
href="https://redirect.github.com/prometheus/common/issues/937">#937</a></li>
<li>Update GitHub Actions. <a
href="https://redirect.github.com/prometheus/common/issues/938">#938</a>
<a
href="https://redirect.github.com/prometheus/common/issues/939">#939</a>
<a
href="https://redirect.github.com/prometheus/common/issues/940">#940</a>
<a
href="https://redirect.github.com/prometheus/common/issues/941">#941</a>
<a
href="https://redirect.github.com/prometheus/common/issues/942">#942</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/prometheus/common/compare/v0.69.0...v0.70.0">https://github.com/prometheus/common/compare/v0.69.0...v0.70.0</a></p>
<h2>v0.69.0 / 2026-06-17</h2>
<h3>Security / behavior changes</h3>
<ul>
<li><strong>config: credentials are no longer forwarded across
cross-host redirects.</strong> When <code>FollowRedirects</code> is
enabled, the HTTP client now strips <code>Authorization</code>,
<code>Cookie</code>, <code>Proxy-Authorization</code> and other
sensitive headers, and skips basic-auth, bearer-token and OAuth2
credentials, when a redirect points to a different host. This aligns
with Go's <code>net/http</code> behavior. Callers that relied on
credentials being sent to a redirect target on another host will need to
target that host directly. <a
href="https://redirect.github.com/prometheus/common/issues/901">#901</a>
<a
href="https://redirect.github.com/prometheus/common/issues/920">#920</a>
<a
href="https://redirect.github.com/prometheus/common/issues/921">#921</a></li>
<li>config: <code>LoadHTTPConfigFile</code> now resolves relative file
paths (e.g. <code>*_file</code> credentials, <code>http_headers</code>
files) against the config file's own directory instead of its parent
directory. Configs that worked around the old behavior by prefixing
paths with the config's directory name must drop that prefix. <a
href="https://redirect.github.com/prometheus/common/issues/925">#925</a></li>
</ul>
<h3>Bugfixes</h3>
<ul>
<li>expfmt: fix nil pointer panic when parsing empty braces
<code>{}</code>. <a
href="https://redirect.github.com/prometheus/common/issues/922">#922</a></li>
<li>model: fix <code>Time.UnmarshalJSON</code> for larger negative
numbers. <a
href="https://redirect.github.com/prometheus/common/issues/918">#918</a></li>
</ul>
<h3>Performance</h3>
<ul>
<li>model: reduce allocations in <code>Time.UnmarshalJSON</code>. <a
href="https://redirect.github.com/prometheus/common/issues/918">#918</a></li>
</ul>
<h3>Internal</h3>
<ul>
<li>Synchronize common files from prometheus/prometheus. <a
href="https://redirect.github.com/prometheus/common/issues/917">#917</a></li>
<li>Modernize Go. <a
href="https://redirect.github.com/prometheus/common/issues/919">#919</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/prometheus/common/compare/v0.68.1...v0.69.0">https://github.com/prometheus/common/compare/v0.68.1...v0.69.0</a></p>
<h2>v0.67.2 / 2025-10-28</h2>
<h2>What's Changed</h2>
<ul>
<li>config: Fix panic in <code>tlsRoundTripper</code> when CA file is
absent by <a href="https://github.com/ndk"><code>@​ndk</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/792">prometheus/common#792</a></li>
<li>Cleanup linting issues by <a
href="https://github.com/SuperQ"><code>@​SuperQ</code></a> in <a
href="https://redirect.github.com/prometheus/common/pull/860">prometheus/common#860</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ndk"><code>@​ndk</code></a> made their
first contribution in <a
href="https://redirect.github.com/prometheus/common/pull/792">prometheus/common#792</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/prometheus/common/commit/5eff7a827920b6f175ea02b222f7c827a0fe80ad"><code>5eff7a8</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/941">#941</a>
from prometheus/dependabot/github_actions/actions/che...</li>
<li><a
href="https://github.com/prometheus/common/commit/a23c5b344ad9200c0073133920fe60a9882c9d28"><code>a23c5b3</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/939">#939</a>
from prometheus/dependabot/github_actions/ossf/scorec...</li>
<li><a
href="https://github.com/prometheus/common/commit/9e1eb871ced38b03648a38558ac3de66edeff2b5"><code>9e1eb87</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/942">#942</a>
from prometheus/dependabot/github_actions/actions/upl...</li>
<li><a
href="https://github.com/prometheus/common/commit/ab2736d28a9fce77b0186e36b5d3318b74115298"><code>ab2736d</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/940">#940</a>
from prometheus/dependabot/github_actions/actions/set...</li>
<li><a
href="https://github.com/prometheus/common/commit/e596873192a72855876b1c38cdb634bb73f5ba00"><code>e596873</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/938">#938</a>
from prometheus/dependabot/github_actions/codeql-ac07...</li>
<li><a
href="https://github.com/prometheus/common/commit/97c066a87b2345f146b345141f0f14aaab7ad387"><code>97c066a</code></a>
Add BenchmarkConvertMetricFamily comparing Prometheus text and
OpenMetrics 1....</li>
<li><a
href="https://github.com/prometheus/common/commit/62e9d0f61d355b574225f66628a5f94be2bc1c29"><code>62e9d0f</code></a>
Merge pull request <a
href="https://redirect.github.com/prometheus/common/issues/932">#932</a>
from roidelapluie/roidelapluie/route-query</li>
<li><a
href="https://github.com/prometheus/common/commit/6c312397a5da723c995ee9c16263f252c1d6b4a1"><code>6c31239</code></a>
build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1</li>
<li><a
href="https://github.com/prometheus/common/commit/755e9d686dec00400191cc8483872831aff1b9cd"><code>755e9d6</code></a>
build(deps): bump actions/checkout from 3.1.0 to 7.0.0</li>
<li><a
href="https://github.com/prometheus/common/commit/556d7402ea9a80cab60297e4dc98149b5410e24f"><code>556d740</code></a>
build(deps): bump actions/setup-go from 6.2.0 to 6.5.0</li>
<li>Additional commits viewable in <a
href="https://github.com/prometheus/common/compare/v0.68.1...v0.70.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/prometheus/common&package-manager=go_modules&previous-version=0.68.1&new-version=0.70.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants