build(deps): Bump the all-go group across 5 directories with 5 updates

[dependabot]

Bumps the all-go group with 2 updates in the / directory: github.com/celestiaorg/go-header and github.com/libp2p/go-libp2p-kad-dht.
Bumps the all-go group with 1 update in the /apps/evm directory: github.com/celestiaorg/go-header.
Bumps the all-go group with 1 update in the /apps/testapp directory: github.com/celestiaorg/go-header.
Bumps the all-go group with 2 updates in the /execution/grpc directory: golang.org/x/net and google.golang.org/protobuf.
Bumps the all-go group with 1 update in the /test/e2e directory: github.com/celestiaorg/tastora.

Updates github.com/celestiaorg/go-header from 0.7.4 to 0.8.0

Release notes

Sourced from github.com/celestiaorg/go-header's releases.

v0.8.0

What's Changed

• chore(sync): Improve metrics, remove unnecessary by @​renaynay in celestiaorg/go-header#354
• chore: bump deps | remove replace by @​Wondertan in celestiaorg/go-header#360
• feat: Add DeleteRange method to Store by @​julienrbrt in celestiaorg/go-header#347

New Contributors

• @​julienrbrt made their first contribution in celestiaorg/go-header#347

Full Changelog: celestiaorg/go-header@v0.7.4...v0.8.0

Commits

• 3f61d14 feat: Add DeleteRange method to Store (#347)
• 3ca208c chore: bump deps | remove replace (#360)
• aa5c4a6 chore(sync): Improve metrics, remove unnecessary (#354)
• See full diff in compare view

Updates github.com/libp2p/go-libp2p-kad-dht from 0.36.0 to 0.37.0

Release notes

Sourced from github.com/libp2p/go-libp2p-kad-dht's releases.

v0.37.0

[!NOTE] This release was brought to you by the Shipyard team.

Overview

This is a minor release focused on dependency updates and bug fixes. The most significant changes are:

• Breaking change: The deprecated providers/ package has been removed. Users still importing from providers/ must migrate to records/.
• Dependency update: Upgraded to go-libp2p v0.46.
• Provider bug fixes: Several fixes to improve provider system stability, including proper handling of peers during keyspace exploration.

This release contains no major feature additions but improves overall reliability of the DHT implementation.

What's Changed

• chore: bump go-libp2p to v0.46 by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1209
• tests: fix flaky TestHandleRemotePeerProtocolChanges by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1212
• tests: fix flaky TestOptimisticProvide by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1213
• fix(records): clone addresses received from peerstore by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1210
• fix(provider): don't discard peers if they all share CPL during exploration by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1216
• chore: remove deprecated providers pkg by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1211
• fix(provider): close worker pool before wg.Wait() by @​lidel in libp2p/go-libp2p-kad-dht#1218
• fix(provider): hold scheduleLk when reading schedule.Size() in test by @​lidel in libp2p/go-libp2p-kad-dht#1219
• fix(provider): keyspace exploration should succeed with a single peer by @​guillaumemichel in libp2p/go-libp2p-kad-dht#1220

Full Changelog: libp2p/go-libp2p-kad-dht@v0.36.0...v0.37.0

Commits

• 23423e3 chore: release v0.37.0 (#1221)
• 087717c fix(provider): keyspace exploration should succeed with a single peer (#1220)
• 015f632 fix(provider): hold scheduleLk when reading schedule.Size() in test (#1219)
• 6fee38f fix(provider): close worker pool before wg.Wait() (#1218)
• e8e7cf5 chore: remove deprecated providers pkg (#1211)
• 0ad6ca5 fix(provider): don't discard peers if they all share CPL during exploration (...
• bb64bfa fix(records): clone addresses received from peerstore (#1210)
• 9d7c64c tests: fix flaky TestOptimisticProvide (#1213)
• 19925f5 tests: fix flaky TestHandleRemotePeerProtocolChanges (#1212)
• 666af0e chore: bump go-libp2p to v0.46 (#1209)
• See full diff in compare view

Updates github.com/celestiaorg/go-header from 0.7.5-0.20260116211018-3f61d145c9d2 to 0.8.0

Release notes

Sourced from github.com/celestiaorg/go-header's releases.

v0.8.0

What's Changed

• chore(sync): Improve metrics, remove unnecessary by @​renaynay in celestiaorg/go-header#354
• chore: bump deps | remove replace by @​Wondertan in celestiaorg/go-header#360
• feat: Add DeleteRange method to Store by @​julienrbrt in celestiaorg/go-header#347

New Contributors

• @​julienrbrt made their first contribution in celestiaorg/go-header#347

Full Changelog: celestiaorg/go-header@v0.7.4...v0.8.0

Commits

• 3f61d14 feat: Add DeleteRange method to Store (#347)
• 3ca208c chore: bump deps | remove replace (#360)
• aa5c4a6 chore(sync): Improve metrics, remove unnecessary (#354)
• See full diff in compare view

Updates github.com/celestiaorg/go-header from 0.7.5-0.20260116211018-3f61d145c9d2 to 0.8.0

Release notes

Sourced from github.com/celestiaorg/go-header's releases.

v0.8.0

What's Changed

• chore(sync): Improve metrics, remove unnecessary by @​renaynay in celestiaorg/go-header#354
• chore: bump deps | remove replace by @​Wondertan in celestiaorg/go-header#360
• feat: Add DeleteRange method to Store by @​julienrbrt in celestiaorg/go-header#347

New Contributors

• @​julienrbrt made their first contribution in celestiaorg/go-header#347

Full Changelog: celestiaorg/go-header@v0.7.4...v0.8.0

Commits

• 3f61d14 feat: Add DeleteRange method to Store (#347)
• 3ca208c chore: bump deps | remove replace (#360)
• aa5c4a6 chore(sync): Improve metrics, remove unnecessary (#354)
• See full diff in compare view

Updates golang.org/x/net from 0.47.0 to 0.49.0

Commits

• d977772 go.mod: update golang.org/x dependencies
• eea413e internal/http3: use go1.25 synctest.Test instead of go1.24 synctest.Run
• 9ace223 websocket: add missing call to resp.Body.Close
• 7d3dbb0 http2: buffer the most recently received PRIORITY_UPDATE frame
• 35e1306 go.mod: update golang.org/x dependencies
• 7c36036 http2, webdav, websocket: fix %q verb uses with wrong type
• ec11ecc trace: fix data race in RenderEvents
• bff14c5 http2: don't PING a responsive server when resetting a stream
• 88a6421 dns/dnsmessage: avoid use of "strings" and "math" in dns/dnsmessage
• 123d099 http2: support net/http.Transport.NewClientConn
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.10 to 1.36.11

Updates github.com/celestiaorg/tastora from 0.8.0 to 0.9.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.9.0

What's Changed

• chore(deps): bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in the go_modules group across 1 directory by @​dependabot[bot] in celestiaorg/tastora#151
• chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 in the go_modules group across 1 directory by @​dependabot[bot] in celestiaorg/tastora#152
• chore: add helpers to deploy parts of the stack by @​chatton in celestiaorg/tastora#155
• chore: adding hyperlane configuration types by @​chatton in celestiaorg/tastora#154
• chore: hyeperlane support part 2 - initial core and warp deployment by @​chatton in celestiaorg/tastora#156
• chore: hyperlane - deploy noop ism by @​chatton in celestiaorg/tastora#157
• chore: move internal helpers into separate util package by @​chatton in celestiaorg/tastora#162
• chore: enroll remote router by @​chatton in celestiaorg/tastora#158
• chore: hyperlane support part 5 - enroll cosmos remote router by @​chatton in celestiaorg/tastora#159
• chore: hyperlane part 6 - perform MsgRemoteTransfer by @​chatton in celestiaorg/tastora#160
• chore: enable configuration of binary for evm single by @​chatton in celestiaorg/tastora#164

Full Changelog: celestiaorg/tastora@v0.8.0...v0.9.0

Commits

• 529f7e1 chore: enable configuration of binary (#164)
• 196802a chore: hyperlane part 6 - perform MsgRemoteTransfer (#160)
• 749da71 chore: hyperlane support part 5 - enroll cosmos remote router (#159)
• f0c0830 chore: enroll remote router (#158)
• 7b769e4 chore: move internal helpers into separate util package (#162)
• 821219d chore: hyperlane - deploy noop ism (#157)
• 20b6e75 chore: hyperlane support part 2 - initial core and warp deployment (#156)
• 9090e5a chore: adding hyperlane configuration types (#154)
• 4938900 chore: add helpers to deploy parts of the stack (#155)
• f1db2f0 chore(deps): bump golang.org/x/crypto (#152)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Jan 20, 2026, 10:17 AM

[claude]

Claude finished @dependabot[bot]'s task in 1m 45s —— View job

---

Dependency Update Review

Reviewing this dependabot PR that bumps multiple Go dependencies.

Tasks

• Review dependency version changes and release notes
• Check for breaking changes in updated packages
• Verify mock file regeneration (hstore.go)
• Search codebase for DHT usage patterns
• Analyze security implications
• Provide comprehensive review feedback

Review Complete

This dependency update PR looks safe to merge. Here's my comprehensive analysis:

---

1. Code Quality & Architecture ✅

Dependency Updates:

• github.com/celestiaorg/go-header (0.7.4 → 0.8.0) - across 4 modules
• github.com/libp2p/go-libp2p-kad-dht (0.36.0 → 0.37.0) - root module
• golang.org/x/net (0.47.0 → 0.49.0) - execution/grpc module
• google.golang.org/protobuf (1.36.10 → 1.36.11) - execution/grpc module
• github.com/celestiaorg/tastora (0.8.0 → 0.9.0) - test/e2e module

Mock Regeneration (test/mocks/external/hstore.go):
The mock file was properly regenerated to include the new DeleteRange method from go-header v0.8.0. The implementation follows mockery best practices with:

• Proper generic type handling: MockStore[H header.Header[H]]
• Type-safe expecter pattern
• Correct variadic argument handling
• Panic on missing return values (good for test safety)

Actual Usage of DeleteRange:
The codebase already uses DeleteRange in rollback commands:

• apps/testapp/cmd/rollback.go:102-108
• apps/evm/cmd/rollback.go (similar usage)

This new method provides essential functionality for header store cleanup during rollback operations.

---

2. Error Handling & Resilience ✅

No Breaking Changes in go-libp2p-kad-dht v0.37.0:
While the release notes mention removal of the deprecated providers/ package, I verified the ev-node codebase:

• ✅ No imports of github.com/libp2p/go-libp2p-kad-dht/providers
• ✅ Uses only the main DHT interface (pkg/p2p/client.go:13, 53, 262)
• ✅ Standard DHT initialization with dht.New() and dht.Bootstrap()

Provider Bug Fixes in go-libp2p-kad-dht v0.37.0:
The update includes several provider stability fixes:

• Fixed keyspace exploration with single peer (Spec for staking module differences #1220)
• Proper peer handling during CPL exploration (Repo Restructing #1216)
• Worker pool cleanup fixes (Remove unused fields in full node #1218, Remove unused fields in Full Node #1219)
• Address cloning from peerstore (Update LICENSE #1210)

These fixes improve reliability without requiring code changes.

---

3. Security ✅

golang.org/x/net (0.47.0 → 0.49.0):

• HTTP/2 PING optimization (reduced unnecessary PINGs)
• Data race fix in trace.RenderEvents
• WebSocket body close fix (prevents resource leaks)
• DNS message parsing improvements

google.golang.org/protobuf (1.36.10 → 1.36.11):

• Patch release, likely bug fixes

tastora (0.8.0 → 0.9.0):

• E2E test framework updates (Hyperlane support)
• Security dependency bumps: golang.org/x/crypto (0.41.0 → 0.45.0)

No security vulnerabilities introduced.

---

4. Performance & Resource Efficiency ✅

go-header v0.8.0 improvements:

• Improved metrics in sync component
• Dependency cleanup (removed unnecessary replaces)
• New DeleteRange method enables efficient bulk deletion

go-libp2p-kad-dht v0.37.0 improvements:

• Flaky test fixes indicate better concurrency handling
• Provider system stability improvements
• go-libp2p v0.46 upgrade brings performance enhancements

---

5. Testing & Reliability ✅

Mock Regeneration:

• Ran make mock-gen to update mocks with new DeleteRange method
• All go.mod files properly updated with make tidy-all

CI Status:

• Semantic Pull Request: ✅ Passed
• Buf check: ✅ Passed
• CI and other checks: In progress

Test Coverage:
The rollback commands (testapp and evm) already call DeleteRange, so this update enables previously uncompiled code to work correctly.

---

6. Documentation & Developer Experience ✅

All changes are in dependency files (go.mod, go.sum) and auto-generated mocks. No documentation updates needed.

---

Summary

Recommendation: APPROVE AND MERGE

This is a clean dependency bump PR with:

• ✅ No breaking changes affecting ev-node
• ✅ Proper mock regeneration
• ✅ Security improvements (golang.org/x/net, golang.org/x/crypto via tastora)
• ✅ Stability improvements (libp2p provider fixes)
• ✅ New functionality properly integrated (DeleteRange)
• ✅ All tidying and regeneration completed

The PR follows best practices for dependency management and includes only the necessary changes across multiple go.mod files.

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.33%. Comparing base (9ad4016) to head (e9a40c3).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2999      +/-   ##
==========================================
- Coverage   59.53%   59.33%   -0.20%     
==========================================
  Files         107      108       +1     
  Lines       10075    10103      +28     
==========================================
- Hits         5998     5995       -3     
- Misses       3447     3477      +30     
- Partials      630      631       +1     

Flag	Coverage Δ
combined	59.33% <ø> (-0.20%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.