chore(deps): update dependency ipfs/kubo to v0.31.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
ipfs/kubo	minor	0.30.0 -> 0.31.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

ipfs/kubo (ipfs/kubo)

v0.31.0

Compare Source

• Overview
• 🗣 Discuss
• 🔦 Highlights
  • Experimental Pebble Datastore
  • New metrics
  • lowpower profile no longer breaks DHT announcements
  • go 1.23, boxo 0.24 and go-libp2p 0.36.5
• 📝 Changelog
• 👨‍👩‍👧‍👦 Contributors

This release was brought to you by the Shipyard team.

Overview

Release v0.31.0 issue #​10499

🗣 Discuss

If you have comments, questions, or feedback on this release, please post here.

If you experienced any bugs with the release, please post an issue.

🔦 Highlights

Experimental Pebble Datastore

Pebble provides a high-performance alternative to leveldb as the datastore, and provides a modern replacement for legacy badgerv1.

A fresh Kubo node can be initialized with pebbleds profile via ipfs init --profile pebbleds.

There are a number of parameters available for tuning pebble's performance to your specific needs. Default values are used for any parameters that are not configured or are set to their zero-value.
For a description of the available tuning parameters, see kubo/docs/datastores.md#pebbleds.

New metrics

• Added 3 new go metrics: go_gc_gogc_percent, go_gc_gomemlimit_bytes and go_sched_gomaxprocs_threads as those are recommended by the Go team
• Added network usage metrics: process_network_receive_bytes_total and process_network_transmit_bytes_total
• Removed go_memstat_lookups_total metric which was always 0

lowpower profile no longer breaks DHT announcements

We've notices users were applying lowpower profile, and then reporting content routing issues. This was because lowpower disabled reprovider system and locally hosted data was no longer announced on Amino DHT.

This release changes lowpower profile to not change reprovider settings, ensuring the new users are not sabotaging themselves. It also adds annouce-on and announce-off profiles for controlling announcement settings separately.

[!IMPORTANT]
If you've ever applied the lowpower profile before, there is a high chance your node is not announcing to DHT anymore.
If you have Reprovider.Interval set to 0 you may want to wet it to 22h (or run ipfs config profile apply announce-on) to fix your system.

As a convenience, ipfs daemon will warn if reprovide system is disabled, creating oportinity to fix configuration if it was not intentional.

go 1.23, boxo 0.24 and go-libp2p 0.36.5

Various bugfixes. Please update.

📝 Changelog

Full Changelog

• github.com/ipfs/kubo:
  • fix: go 1.23(.2) (#​10540) (ipfs/kubo#10540)
  • chore: bump version to 0.32.0-dev
  • feat(routing/http): support IPIP-484 and streaming (#​10534) (ipfs/kubo#10534)
  • fix(daemon): webui URL when rpc is catch-all (#​10520) (ipfs/kubo#10520)
  • chore: update changelog and config doc with more info about pebble (#​10533) (ipfs/kubo#10533)
  • feat: pebbleds profile and plugin (#​10530) (ipfs/kubo#10530)
  • chore: dependency updates for 0.31 (#​10511) (ipfs/kubo#10511)
  • feat: explicit announce-on/off profiles (#​10524) (ipfs/kubo#10524)
  • fix(core): look for MFS root in local repo only (#​8661) (ipfs/kubo#8661)
  • Fix issue in ResourceManager and nopfsPlugin about repo path (#​10492) (ipfs/kubo#10492)
  • feat(bitswap): allow configuring WithWantHaveReplaceSize (#​10512) (ipfs/kubo#10512)
  • refactor: simplify logic for MFS pinning (#​10506) (ipfs/kubo#10506)
  • docs: clarify Gateway.PublicGateways (#​10525) (ipfs/kubo#10525)
  • chore: clarify dep update in RELEASE_CHECKLIST.md (#​10518) (ipfs/kubo#10518)
  • feat: ipfs-webui v4.3.2 (#​10523) (ipfs/kubo#10523)
  • docs(config): add useful references
  • docs(config): improve profile descriptions (#​10517) (ipfs/kubo#10517)
  • docs: update RELEASE_CHECKLIST.md (#​10496) (ipfs/kubo#10496)
  • chore: create next changelog (#​10510) (ipfs/kubo#10510)
  • Merge Release: v0.30.0 [skip changelog] (ipfs/kubo#10508)
  • chore: boxo v0.23.0 and go-libp2p v0.36.3 (#​10507) (ipfs/kubo#10507)
  • docs: replace outdated package paths described in rpc README (#​10505) (ipfs/kubo#10505)
  • fix: switch back to go 1.22 (#​10502) (ipfs/kubo#10502)
  • fix(cli): preserve hostname specified with --api in http request headers (#​10497) (ipfs/kubo#10497)
  • chore: upgrade to go 1.23 (#​10486) (ipfs/kubo#10486)
  • fix: error during config when running benchmarks (#​10495) (ipfs/kubo#10495)
  • chore: update go-unixfsnode, cmds, and boxo (#​10494) (ipfs/kubo#10494)
  • Docs fix spelling issues (#​10493) (ipfs/kubo#10493)
  • chore: update version (#​10491) (ipfs/kubo#10491)
• github.com/ipfs/boxo (v0.23.0 -> v0.24.0):
  • Release v0.24.0 (ipfs/boxo#683)
• github.com/ipfs/go-ipld-cbor (v0.1.0 -> v0.2.0):
  • v0.2.0
  • deprecate DumpObject() in favor of better named Encode()
  • add an EncodeWriter method, using the pooled marshallers
  • fix expCid vs actualCid guard
• github.com/ipld/go-car/v2 (v2.13.1 -> v2.14.2):
  • v2.14.2 bump
  • fix: goreleaser v2 compat, trigger release-binaries with workflow_run
  • v2.14.1 bump
  • chore: update fuzz to Go 1.22
  • v2.14.0 bump
  • fix(cmd): properly pick up --inverse and --cid-file args (ipld/go-car#531)
  • Re-factor cmd functions to library (ipld/go-car#524)
  • ci: uci/copy-templates (ipld/go-car#521)
  • Add a car ls --unixfs-blocks to render two-column output (ipld/go-car#514)
• github.com/libp2p/go-libp2p (v0.36.3 -> v0.36.5):
  • chore: remove Roadmap file (#​2954) (libp2p/go-libp2p#2954)
  • fix: Release v0.36.5
  • autonatv2: recover from panics (#​2992) (libp2p/go-libp2p#2992)
  • basichost: ensure no duplicates in Addrs output (#​2980) (libp2p/go-libp2p#2980)
  • Release v0.36.4
  • peerstore: better GC in membacked peerstore (#​2960) (libp2p/go-libp2p#2960)
  • fix: use quic.Version instead of the deprecated quic.VersionNumber (#​2955) (libp2p/go-libp2p#2955)
  • tcp: fix metrics for multiple calls to Close (#​2953) (libp2p/go-libp2p#2953)
• github.com/libp2p/go-libp2p-kbucket (v0.6.3 -> v0.6.4):
  • release v0.6.4 (libp2p/go-libp2p-kbucket#135)
  • feat: add log printing when peer added and removed table (libp2p/go-libp2p-kbucket#134)
  • Upgrade to go-log v2.5.1 (libp2p/go-libp2p-kbucket#132)
  • chore: update go-libp2p-asn-util
• github.com/multiformats/go-multiaddr-dns (v0.3.1 -> v0.4.0):
  • Release v0.4.0 (#​64) (multiformats/go-multiaddr-dns#64)
  • Limit total number of resolved addresses from DNS response (#​63) (multiformats/go-multiaddr-dns#63)
  • fix!: Only resolve the first DNS-like component (#​61) (multiformats/go-multiaddr-dns#61)
  • sync: update CI config files (#​43) (multiformats/go-multiaddr-dns#43)
  • remove deprecated types (multiformats/go-multiaddr-dns#37)
  • remove Jenkinsfile (multiformats/go-multiaddr-dns#40)
  • sync: update CI config files (#​29) (multiformats/go-multiaddr-dns#29)
  • use net.IP.Equal to compare IP addresses (multiformats/go-multiaddr-dns#30)

👨‍👩‍👧‍👦 Contributors

Contributor	Commits	Lines ±	Files Changed
Will Scott	3	+731/-581	14
Daniel N	17	+1034/-191	33
Marco Munizaga	5	+721/-404	12
Andrew Gillis	9	+765/-266	35
Marcin Rataj	17	+568/-323	41
Daniel Norman	3	+232/-111	10
sukun	4	+93/-8	8
Jorropo	2	+48/-45	5
Marten Seemann	3	+19/-47	5
fengzie	1	+29/-26	5
Rod Vagg	7	+27/-11	9
gopherfarm	1	+14/-14	6
web3-bot	3	+13/-10	3
Michael Muré	2	+16/-5	4
i-norden	1	+9/-9	1
Elias Rad	1	+7/-7	4
Prithvi Shahi	1	+0/-11	2
Lucas Molas	1	+5/-4	1
elecbug	1	+6/-2	1
gammazero	2	+2/-2	2
chris erway	1	+2/-2	2
Russell Dempsey	1	+2/-1	1
guillaumemichel	1	+1/-1	1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kubo:0.31.0

📦 Image Reference ghcr.io/uniget-org/tools/kubo:0.31.0

digest	sha256:18107002e45089d2e4442405b524c6d495a4bba5b4cee684a334b700a6019875
vulnerabilities
platform	linux/amd64
size	47 MB
packages	244

gopkg.in/square/go-jose.v2 2.5.1 (golang) pkg:golang/gopkg.in/square/go-jose.v2@2.5.1 Improper Handling of Highly Compressed Data (Data Amplification) Affected range <=2.6.0 Fixed version Not Fixed CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. Patches The problem is fixed in the following packages and versions: github.com/go-jose/go-jose/v4 version 4.0.1 github.com/go-jose/go-jose/v3 version 3.0.3 gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: gopkg.in/square/go-jose.v2

github.com/rs/cors 1.10.1 (golang) pkg:golang/github.com/rs/cors@1.10.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range >=1.9.0 <1.11.0 Fixed version 1.11.0 Description Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

google.golang.org/grpc 1.64.0 (golang) pkg:golang/google.golang.org/grpc@1.64.0 Exposure of Sensitive Information to an Unauthorized Actor Affected range >=1.64.0 <1.64.1 Fixed version 1.64.1 Description Impact This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information. Patches The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0 Workarounds If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/11376957780.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/11376957780.