fix(deps): update module github.com/ethereum/go-ethereum to v1.13.15 [security] #2576
…[security]

| datasource | package | from | to |
| ---------- | ------------------------------- | ------- | -------- |
| go | github.com/ethereum/go-ethereum | v1.11.6 | v1.13.15 |

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #2576 +/- ##
===================================================
+ Coverage 36.49294% 36.50268% +0.00974%
===================================================
Files 131 131
Lines 10265 10265
Branches 83 83
===================================================
+ Hits 3746 3747 +1
Misses 6016 6016
+ Partials 503 502 -1
☔ View full report in Codecov by Sentry.

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update ( If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
v1.11.6 -> v1.13.15
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-32972
Impact
A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node.
More in-depth details will be released at a later time.
Patches
The fix has been included in geth version 1.13.15 and onwards.
Workarounds
No workarounds have been made public.
References
No more information is released at this time.
Credit
This issue was disclosed responsibly by DongHan Kim via the Ethereum bug bounty program. Thank you for your cooperation.
Release Notes
ethereum/go-ethereum (github.com/ethereum/go-ethereum)
v1.13.15: Ontamalca (v1.13.15)
Geth v1.13.15 is a maintenance-release that contains some fixes mainly to avoid snapsync-related data-corruption.
We recommend all users to upgrade to v1.13.15 as soon as possible.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.14: Altaaya (v1.13.14)
Geth v1.13.14 is a small maintenance release with a handful of polishes to the blob pool:
This release is NOT critical for the Cancun fork, but recommended to make Geth lighter in anticipation of unknown blob load.
Other fixes:
eth_createAccessList if --gascap=0 (#28846).
For a full rundown of the changes please consult the Geth 1.13.14 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.13: Alsages (v1.13.13)
This is a minor release with fixes for several issues related to the upcoming Cancun mainnet fork. As such, it is recommended for all mainnet users.
Changes in this release:
eth_fillTransaction has seen some bug fixes related to blob transactions as well. (#28929, #29037)
getClientVersionV1 on the Engine API endpoint. (#28915, #28994)
Go API changes:
ethereum.CallMsg now contains EIP-4844 related fields (#28989)
core.GenesisAlloc is now available from package core/types. We hope this change will reduce external dependencies on package core. (#29003)
For a full rundown of the changes please consult the Geth 1.13.13 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.12: Edolus (v1.13.12)
This release embeds the mainnet fork number for Cancun, scheduled to go live on 13th March, 2024 (unix 1710338135). The specification can be read here, and it contains the following changes:
To go along with Cancun, we're providing refreshed Grafana dashboards:
Other than that, the following assorted fixes and features are included in this release:
era format. The era format is meant to provide a cross-client archive format for block data (#26621, #28959)
For a full rundown of the changes please consult the Geth 1.13.12 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.11: Tremanre (v1.13.11)
This release fixes a few bugs and enables the Cancun upgrade for the Sepolia and Holesky networks; Sepolia will upgrade on Jan 31, and Holesky on Feb 7, and naturally this is a required upgrade if you intend to follow either chain.
eth_syncing is slightly changed, so that it now reports true until transaction indexing is finished. (#28703)
rlpdump: add -pos flag for displaying byte positions (#28785)
For a full rundown of the changes please consult the Geth 1.13.11 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.10: Sharjila B (v1.13.10)
This release is equivalent to v1.13.9, just contains a version bump. The reason is that a bad commit was tagged on 1.13.9 originally and whilst it was untagged and fixed, some caches (Go's package manager (go mod)) managed to store the temporary bad version. As there is no way for us to flush the bad version out, it's cleaner to tag a next version instead. Apologies about the mess.
This release fixes a few issues and enables the Cancun upgrade for the Goerli network at block timestamp 1705473 (#28719) which is 6:32:am 17. Jan. 2024 UTC.
Apart from the Goerli configuration update, we have a few other changes.
accounts/abi/backends was rewritten. The improved version is available from the new package ethclient/simulated. A backwards-compatibility wrapper remains in the old location. (#28202)
"error". (#28774, #28780)
log for consumers of the geth library (#28747)
geth removedb can now be run non-interactively (#28725)
Testing
currentExcessBlobGas to the state tests for better coverage of state tests (#28735)
For a full rundown of the changes please consult the Geth 1.13.9 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.9: Sharjila (v1.13.9)
This release fixes a few issues and enables the Cancun upgrade for the Goerli network at block timestamp 1705473 (#28719) which is 6:32:am 17. Jan. 2024 UTC.
Apart from the Goerli configuration update, we have a few other changes.
accounts/abi/backends was rewritten. The improved version is available from the new package ethclient/simulated. A backwards-compatibility wrapper remains in the old location. (#28202)
"error". (#28774, #28780)
log for consumers of the geth library (#28747)
geth removedb can now be run non-interactively (#28725)
Testing
currentExcessBlobGas to the state tests for better coverage of state tests (#28735)
For a full rundown of the changes please consult the Geth 1.13.9 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.8: Patavig (v1.13.8)
This is a hotfix release for a regression which affects v1.13.6 and v1.13.7: if the node is shut down during sync, the node will refuse to start, with the error message "Fatal: Failed to register the Ethereum service: waiting for sync" (#28718, #28724).
Please also see the release notes for v1.13.6 and v1.13.7
For a full rundown of the changes please consult the Geth 1.13.8 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.7: Fargeluse (v1.13.7)
We're issuing this release to fix an issue with our build pipeline. There are also some other changes:
eth_sendTransaction RPC method now behaves more correctly for low-fee transactions. (#27834)
For a full rundown of the changes please consult the Geth 1.13.7 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.6: Porolan (v1.13.6)
Geth v1.13.6 is a scheduled maintenance release, but it also contains some changes which might affect node operators, concerning logging.
Gas estimation changes
The gas estimator was heavily reworked (#28600, #28618). The new version runs quite a bit faster (normally completing in 7-8 attempts rather than 18-20). However, the results have an error ratio of 1.5%, and the estimation outcome won't always be deterministic.
Logging changes
In the absence of an 'official' Go logging framework, go-ethereum has, for a very long time, used a custom in-house logger. However, just such an 'official' Go logging framework has now arrived, with the slog package.
As of v1.13.6, geth now uses slog, which will affect Geth users in different ways.
Main changes are as follows:
--verbosity and --vmodule options.
--log.backtraceat and --log.debug are removed.
log.Format and the method log.FormatFunc, TerminalHandler.TerminalFormat formatting methods (renamed to TerminalHandler.format)
log.Lazy values
The external-facing API is largely the same as the existing Geth logger. Method signatures remain unchanged. A small semantic difference is that a Handler can only be set once per Logger and not changed dynamically. This just means that a new logger must be instantiated every time the handler of the root logger is changed.
For users of the github.com/ethereum/go-ethereum/log package: If you were using this package for your own project, you will need to change the initialization. If you previously did
You now instead need to do
The lazy handler was useful in the old log package, since it could defer the evaluation of costly attributes until later in the log pipeline. Thus, if the logging was done at 'Trace', we could skip evaluation if logging only was set to 'Info'. With the move to slog, this way of deferring evaluation is no longer needed, since slog introduced 'Enabled'. Thus the caller can do the evaluate-or-not decision at the callsite, which is much more straight-forward than dealing with lazy reflect-based evaluation.
See more about reasoning here: https://github.com/ethereum/go-ethereum/issues/28558#issuecomment-1820606613
More detailed information can be found in the PRs #28187, #28621, #28622
Other changes
ns/µs mismatch in metrics for rpc-methods (#28649)
HTTPHost, WSHost flags (#28669)
evm t8n support custom tracers (#28557)
For a full rundown of the changes please consult the Geth 1.13.6 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.5: Carbonaceous (v1.13.5)
Geth v1.13.5 is a scheduled maintenance release fixing a potential data corruption in path scheme which could occur due to a power failure (i.e. entire OS / machine crash).
ethclient and the simulated backend to allow eth_call against specific block hashes (#28084).
And bugfixes:
For a full rundown of the changes please consult the Geth 1.13.5 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.4: Archanes (v1.13.4)
Geth v1.13.4 is a non-urgent hotfix release. The previous version of Geth (v1.13.3) introduced a warning log for bad transaction announcements, and on mainnet it generated too much logging noise due to a protocol violation in Erigon. To prevent overwhelming logging systems, Geth v1.13.4 lowers the log to a more reasonable level until the bug in Erigon is fixed #28356.
Apart from the above reason, the release contains:
For a full rundown of the changes please consult the Geth 1.13.4 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.3: Armeni (v1.13.3)
Geth v1.13.3 is a scheduled maintenance release with various small additions and an important Pebble database fix.
--synctarget (#28209).
eth/66 (Cancun will require eth/68 anyway) (#28239).
snap missing eth protocol warning to debug level (#28249).
eth/68 (#28261).
Features related to the Cancun hardfork:
BLOBFEE opcode for the upcoming Cancun hard fork (#28098).
For a full rundown of the changes please consult the Geth 1.13.3 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.2: Phaistos (v1.13.2)
Geth v1.13.2 is a bugfix release for the 1.13 family as well as contains the Holesky testnet relaunch.
Note, if you have previously run Geth with the old Holesky testnet configs, the new version will probably fail to start with a genesis hash mismatch error. You will need to manually delete your holesky/chaindata folder and restart. Geth did not implement special code for cleaning up the failed launch of the testnet.
block parameter in eth_call optional, defaulting to latest (#28165).
ethclient retrieving block receipts (#28087).
--bootnodes flag if the list is also configured in the toml file (#28095).
For a full rundown of the changes please consult the Geth 1.13.2 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.1: Zakros (v1.13.1)
Geth v1.13.1 is a hotfix release for v1.13.0.
It fixes the following issues:
path scheme caused by a weirdly restarted snap sync (#28124, #28126).
geth db inspect command running against old hash scheme databases (#28108).
Apart from the fixes, v1.13.1 introduces support for configuring Geth via environmental variables (#28103, #28119)!
For a full rundown of the changes please consult the Geth 1.13.1 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.13.0: Therum (v1.13.0)
Geth v1.13.0 is a major milestone in the lifetime of Geth, bits and bobs being in development for around 6 years now. Since a release note cannot do it justice, please see our Geth v1.13.0 release blog post.
Still, just to quickly recap, Geth v1.13.0 finally ships a new database model which supports proper, full pruning of historical states; meaning you will never need to take your node offline again to resync or to manually prune. The new database model is optional for now (you need to enable it via --state.scheme=path) and does require resyncing the state, since we need to store it completely differently (you can keep your ancients, no need to resync the chain too).
The path database will become the default eventually, but for safety reasons, we're keeping it opt-in for the moment. The old database model is not going away soon, though long term - unless there's something fundamentally wrong with the path db - it will. As for archive node users, we're working on a new model there too, but it does need a bit more work on top, so that's for another release.
The all important disclaimer: Geth's new path-based storage is considered stable and production ready, but was obviously not battle tested yet outside of the team. Everyone is welcome to use it, but if you have significant risks if your node crashes or goes out of consensus, you might want to wait a bit to see if anyone with a lower risk profile hits any issues.
Apart from the pruning work, the release contains:
eth_estimateGas to do fewer runs (#27710).
eth_getBlockReceipts RPC API call (#27702).
And bugfixes:
--dev) mode (#27886).
For a full rundown of the changes please consult the Geth 1.13.0 release milestone, though do note that the state scheme changes and pruner have been gradually merged over the past year so are not explicitly tagged in this milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.12.2: Mawinor (v1.12.2)
Hot on the heels of v1.12.1 comes our next release, fixing some regressions reported by the community.
Here are the changes:
For a full rundown of the changes please consult the Geth 1.12.2 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.12.1: Antibaar (v1.12.1)
Geth v1.12.1 is a maintenance release, albeit a rather large one, since we haven't put out a version since May.
This release is a recommended upgrade for all users and contains security-related fixes.
Here's the list of changes:
Cancun fork
Development for the upcoming Cancun hard fork has been a focus in this release cycle. Do note however, that Geth v1.12.1 is not yet ready for Cancun.
Geth command changes
geth --dev now simulates a PoS-based chain (#27327)
evm blocktest can now output structured logs (#27396)
RPC/GraphQL API changes
yParity fields, as mandated by the RPC API spec (#27744, #27882)
chainID field in RPC responses, like all other transaction types (#27452)
size field (#27347)
eth_estimateGas now supports state overrides like eth_call (#27845)
eth_estimateGas now handles internal chain reorgs more correctly (#27505)
eth_getProof is slightly more efficient, and will now return a response in the canonical encoding even for off-spec input parameters (#27309, #27310)
eth_getTransactionReceipt now returns null when the transaction is not available. It used to return an error in that case. (#27712)
debug_storageRangeAt now takes a block hash or number as parameter (#27328)
debug_getTrieFlushInterval method reports the internal state saving interval (#27303)
returnData (#27704)
Go library changes
If you use batch requests with geth, and also use the go-ethereum RPC client library, we strongly recommend updating your go-ethereum library dependency as well. The new client version handles invalid batch responses way better than before. (#26681)
Node.Attach no longer returns an error. This is a breaking Go API change. (#27450)
Core
Networking
--nodiscover is used (#27518)
Build
For a full rundown of the changes please consult the Geth 1.12.1 release milestone.
As with all our previous releases, you can find the:
ethereum/client-go.

v1.12.0: Krogam DMZ (v1.12.0)
Geth v1.12.0 is a potentially breaking change, hence it was deemed to deserve version bump, to 1.12.
The v1.12 release family drops support for proof-of-work, and thus can not be used any more on PoW-based private chains, or as an upstream library for projects depending on ethash PoW (#27178, #27147).
In our GraphQL API, a breaking change is that all numeric values are now encoded as hex strings (#26894). The internal GraphQL UI was updated to version 2.0. (#27294).
Regarding our move from leveldb to pebble, Geth now defaults to use Pebble as a backend if no existing database is found (#27136). If a previous LevelDB database exists Geth will keep using that, and if you must have LevelDB for some compatibility reasons, you can force it in Geth with the --db.engine=leveldb flag.
We have made progress on "EIP-4844: Shard Blob Transactions" ([#27257](https://togithub.com/ethereum/go-e
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
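
A check for the upgrade this PR proposes, as an added example that is not part of the PR, of Renovate, or of go-ethereum: it reads go.mod text and reports whether the go-ethereum requirement is at or above v1.13.15, the release the advisory above names as carrying the fix for CVE-2024-32972. The sample go.mod, the `example.test` paths and all function names are this example's own assumptions; any `replace` of the module is flagged for manual review, because a fork's version tags say nothing about whether it contains the fix.

```go
package main

import (
	"fmt"
	"strings"
)

const gethModule = "github.com/ethereum/go-ethereum"
const fixedKey = (1*1000+13)*1000 + 15 // v1.13.15, the fixed release per the advisory

// atLeastFixed reports whether v (e.g. "v1.11.6") is v1.13.15 or later. Pre-release
// and pseudo-versions of 1.13.15 count as older; unparseable input counts as not fixed.
func atLeastFixed(v string) bool {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return false
	}
	key := (major*1000+minor)*1000 + patch // assumes minor and patch stay below 1000
	return key > fixedKey || (key == fixedKey && !pre)
}

// assess classifies the go-ethereum requirement found in go.mod text. It handles
// single-line and block directives and ignores exclude/retract entries.
func assess(gomod string) string {
	version, replaced, block := "", "", ""
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" {
			block = f[0] // entering "require (" or "replace ("
		} else if len(f) > 0 && f[0] == ")" {
			block = ""
		} else if block != "" {
			f = append([]string{block}, f...) // normalise to the single-line form
		}
		if len(f) < 3 || f[1] != gethModule {
			continue
		}
		if _, target, ok := strings.Cut(line, "=>"); ok && f[0] == "replace" {
			replaced = strings.TrimSpace(target)
		} else if f[0] == "require" {
			version = f[2]
		}
	}
	switch {
	case replaced != "":
		return "replaced by " + replaced + ": review manually"
	case version == "":
		return "go-ethereum not required"
	case !atLeastFixed(version):
		return "not at v1.13.15 or later: upgrade"
	}
	return "at or above v1.13.15"
}

// Constructed go.mod text pinning the pre-upgrade version; example.test paths are made up.
const before = "module example.test/app\n\nrequire (\n\tgithub.com/ethereum/go-ethereum v1.11.6\n\texample.test/lib v0.1.0 // indirect\n)\n"
func main() { fmt.Println(assess(before)) }
```

Inside a module, `go list -m github.com/ethereum/go-ethereum` prints the version the Go tool itself resolves, including any replacement, and is the authoritative answer when the text scan reports a `replace`.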