Skip to content

build(deps): Bump the all-go group across 1 directory with 6 updates#3349

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/go_modules/all-go-089e007e11
Open

build(deps): Bump the all-go group across 1 directory with 6 updates#3349
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/go_modules/all-go-089e007e11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-go group with 4 updates in the / directory: github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/service/kms and golang.org/x/crypto.

Updates github.com/aws/aws-sdk-go-v2 from 1.41.11 to 1.42.0

Commits

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.22 to 1.32.24

Commits

Updates github.com/aws/aws-sdk-go-v2/service/kms from 1.53.2 to 1.53.4

Commits

Updates github.com/aws/smithy-go from 1.27.0 to 1.27.1

Changelog

Sourced from github.com/aws/smithy-go's changelog.

Release (2026-06-05)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.2
    • Bug Fix: Fix incorrect serialization of unions in CBOR-based protocols.

Release (2026-06-04)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.1
    • Bug Fix: Fixed a deserialization failure in all protocols when encountering a union with explicit null members.
    • Bug Fix: Fixed a panic when deserializing nested unions in JSON- and CBOR-based protocols.

Release (2026-06-02)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.27.0
    • Feature: Add APIs for schema-based serialization.
    • Feature: Add support for all current AWS and Smithy protocols.
    • Bug Fix: Enforce max nesting depth of 128 on CBOR payloads.
  • github.com/aws/smithy-go/aws-http-auth: v1.2.0
    • Feature: Add event stream signer.

Release (2026-05-27)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.26.0
    • Feature: Add StringSlice to endpoint rulesfn.

Release (2026-04-23)

General Highlights

  • Dependency Update: Updated to the latest SDK module versions

Module Highlights

  • github.com/aws/smithy-go: v1.25.1
    • Bug Fix: Fixed a memory leak in the LRU cache implementation used by some AWS services.

... (truncated)

Commits

Updates golang.org/x/crypto from 0.52.0 to 0.53.0

Commits
  • 45460e0 go.mod: update golang.org/x dependencies
  • d37c95e pkcs12: limit PBKDF iteration count to prevent CPU exhaustion
  • e2ffffe ssh: reject incomplete gssapi-with-mic configurations
  • 60e158a ssh/test: isolate CLI tests from user SSH config and agent
  • 1b77d23 ssh/knownhosts: reject lines with multiple or unknown markers
  • 3872a2b ssh/knownhosts: verify declared key type matches decoded key
  • 9f72ecc ssh/knownhosts: treat only ASCII space and tab as whitespace
  • 8f405a4 ssh: validate ECDSA curve matches expected algorithm
  • bb41b3d ssh: improve DH GEX group selection using PreferredBits
  • e04e721 ssh/agent: validate ed25519 private key length in Add
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.20.0 to 0.21.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): Bump the all-go group across 1 directory with 6 updates
d3167f7 
Bumps the all-go group with 4 updates in the / directory: [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) and [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `github.com/aws/aws-sdk-go-v2` from 1.41.11 to 1.42.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.11...v1.42.0)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.22 to 1.32.24
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.22...config/v1.32.24)

Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.53.2 to 1.53.4
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.53.2...service/kms/v1.53.4)

Updates `github.com/aws/smithy-go` from 1.27.0 to 1.27.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](aws/smithy-go@v1.27.0...v1.27.1)

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.53.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.27.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go
...

Signed-off-by: dependabot[bot] <support@github.com>
@claude

claude Bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Claude finished @julienrbrt's task in 1m 27s —— View job

Code Review

Tasks

  • Gather context and analyze PR
  • Review dependency changes for security and correctness
  • Check for breaking changes
  • Post final review

Summary

This is a routine Dependabot dependency bump across 6 Go modules (root, apps/evm, apps/grpc, apps/testapp, execution/evm, execution/evm/test, test/docker-e2e, test/e2e) touching 16 files. All changes are version bumps in go.mod/go.sum — no source code is modified. No issues found; safe to merge once CI passes.

Security Highlights

golang.org/x/crypto v0.52.0 → v0.53.0 — the most security-relevant update in this PR:

Fix Impact
pkcs12: limit PBKDF iteration count to prevent CPU exhaustion DoS mitigation — unbounded iterations could be exploited to peg CPU
ssh: reject incomplete gssapi-with-mic configurations Prevents misconfigured SSH connections
ssh/knownhosts: reject lines with multiple or unknown markers Stricter known-hosts parsing
ssh/knownhosts: verify declared key type matches decoded key Prevents key-type spoofing
ssh: validate ECDSA curve matches expected algorithm Crypto correctness guard

This upgrade is desirable and has no breaking API surface.

github.com/aws/smithy-go v1.27.0 → v1.27.1 — stability fixes relevant to the KMS integration:

  • Fixed panic when deserializing nested unions in JSON/CBOR-based protocols
  • Fixed deserialization failure when a union contains explicit null members

Both affect the AWS SDK protocols used by this project's KMS client code.

Dependency Change Breakdown

Package Old New Type
aws-sdk-go-v2 v1.41.11 v1.42.0 minor
aws-sdk-go-v2/config v1.32.22 v1.32.24 patch
aws-sdk-go-v2/service/kms v1.53.2 v1.53.4 patch
aws/smithy-go v1.27.0 v1.27.1 patch, bug fix
golang.org/x/crypto v0.52.0 v0.53.0 security fixes
golang.org/x/sync v0.20.0 v0.21.0 minor (comment fixes only)

Transitive updates pulled in via go mod tidy: aws-sdk-go-v2/{credentials,feature/ec2/imds,internal/configsources,internal/endpoints,internal/v4a,service/internal/*,service/{signin,sso,ssooidc,sts}} and golang.org/x/{mod,sys,telemetry,text,tools} — all patch/minor increments, consistent and expected.

Notable Observation in test/docker-e2e/go.mod

The docker-e2e module additionally bumps several indirect dependencies beyond the stated scope (IPFS/libp2p packages, cloud.google.com/go/auth, go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp, etc.). This is the expected result of go mod tidy cascading through the transitive dependency graph — there is nothing unusual here. The self-referential bump of github.com/evstack/ev-node from v1.1.1 → v1.1.2 (indirect in docker-e2e) reflects the newly published ev-node version referenced by that test module.

CI Status

Check Status
Semantic Pull Request ✅ Passed
Dependabot Go Autofix ⏭️ Skipped (expected for grouped updates)
CI ⏳ Queued
PR #3349 ⏳ Queued

No breaking changes in the AWS SDK v1 → v1.42 bump (minor, no API removals). The golang.org/x/sync v0.21.0 release notes confirm it's documentation-only. All hash entries in go.sum are consistent with the updated module versions.

Verdict: ✅ Approve once CI passes. The golang.org/x/crypto security fixes make this update actively beneficial.

@github-actions

github-actions Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped✅ passed✅ passedJun 12, 2026, 12:10 PM

@julienrbrt julienrbrt enabled auto-merge June 12, 2026 12:16
@codecov

codecov Bot commented Jun 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.99%. Comparing base (72c1d4f) to head (117c3de).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3349      +/-   ##
==========================================
- Coverage   61.02%   60.99%   -0.03%     
==========================================
  Files         127      127              
  Lines       13879    13879              
==========================================
- Hits         8469     8466       -3     
- Misses       4485     4489       +4     
+ Partials      925      924       -1
Flag Coverage Δ
combined 60.99% <ø> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julienrbrt julienrbrt julienrbrt approved these changes

Assignees

No one assigned

Labels

T:dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@julienrbrt