
chore(deps): bump github.com/ipfs/boxo from 0.40.0 to 0.41.0 #679

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/ipfs/boxo-0.41.0

dependabot (bot) commented on behalf of github on Jun 8, 2026

Bumps github.com/ipfs/boxo from 0.40.0 to 0.41.0.

Release notes

Sourced from github.com/ipfs/boxo's releases.

v0.41.0

[!NOTE] This release was brought to you by the Shipyard team.

What's Changed

Added

  • ipld/merkledag/traverse: added the Visited interface and Options.Visited field, so callers can plug in their own set for skipping duplicates when SkipDuplicates is on. *go-cid.Set already works as one; a bounded or disk-backed set keeps memory low on very large DAGs.

Changed

Fixed

  • routing/http/server: GET /routing/v1/ipns/{name} no longer gives a cache a window that outlasts the record. It caps max-age to the record's remaining validity and sizes the stale window (stale-while-revalidate/stale-if-error) to the time left after it, so the two never cross the record's EOL. An expired record, or one whose ValidityType is not EOL (unknown expiration), returns Cache-Control: no-store, and a negative TTL no longer yields a negative max-age. #1166
  • gateway: serving a raw IPNS record (GET /ipns/{name}?format=ipns-record) now caps max-age to the record's remaining validity and never lets it go negative, so a cache cannot reuse the record past its EOL. #1166
  • namesys: the IPNS resolver now floors a negative record TTL at zero, so a malformed record can no longer surface a negative TTL through Result.TTL. #1166
  • namesys: a cache hit now reports the TTL remaining in the cache entry rather than the record's original TTL, so a late hit near a record's EOL can no longer advertise a freshness lifetime that outlives the record. #1166
  • ipns: NewRecord floors a negative TTL at zero and Validate rejects records carrying one. #1166
  • bitswap/network/bsnet: stop marking a peer unresponsive on a single failed send attempt. send() is retried by multiAttempt(), which already marks the peer once all retries are exhausted; marking on the first failure could permanently sideline a peer that had just reconnected (the disconnect notification being suppressed), hanging fetches from it until it fully disconnected. #1164

Security

  • tracing: bumped OpenTelemetry OTLP exporters to v1.43.0, which caps the HTTP exporter's response body at 4 MiB. A hostile or man-in-the-middle collector could otherwise exhaust its memory (CVE-2026-39882). The gRPC exporter is unaffected.

Full Changelog: ipfs/boxo@v0.40.0...v0.41.0

Changelog

Sourced from github.com/ipfs/boxo's changelog.

[v0.41.0]

Added

  • ipld/merkledag/traverse: added the Visited interface and Options.Visited field, so callers can plug in their own set for skipping duplicates when SkipDuplicates is on. *go-cid.Set already works as one; a bounded or disk-backed set keeps memory low on very large DAGs.

Changed

Fixed

  • routing/http/server: GET /routing/v1/ipns/{name} no longer gives a cache a window that outlasts the record. It caps max-age to the record's remaining validity and sizes the stale window (stale-while-revalidate/stale-if-error) to the time left after it, so the two never cross the record's EOL. An expired record, or one whose ValidityType is not EOL (unknown expiration), returns Cache-Control: no-store, and a negative TTL no longer yields a negative max-age. #1166
  • gateway: serving a raw IPNS record (GET /ipns/{name}?format=ipns-record) now caps max-age to the record's remaining validity and never lets it go negative, so a cache cannot reuse the record past its EOL. #1166
  • namesys: the IPNS resolver now floors a negative record TTL at zero, so a malformed record can no longer surface a negative TTL through Result.TTL. #1166
  • namesys: a cache hit now reports the TTL remaining in the cache entry rather than the record's original TTL, so a late hit near a record's EOL can no longer advertise a freshness lifetime that outlives the record. #1166
  • ipns: NewRecord floors a negative TTL at zero and Validate rejects records carrying one. #1166
  • bitswap/network/bsnet: stop marking a peer unresponsive on a single failed send attempt. send() is retried by multiAttempt(), which already marks the peer once all retries are exhausted; marking on the first failure could permanently sideline a peer that had just reconnected (the disconnect notification being suppressed), hanging fetches from it until it fully disconnected. #1164

Security

  • tracing: bumped OpenTelemetry OTLP exporters to v1.43.0, which caps the HTTP exporter's response body at 4 MiB. A hostile or man-in-the-middle collector could otherwise exhaust its memory (CVE-2026-39882). The gRPC exporter is unaffected.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [github.com/ipfs/boxo](https://github.com/ipfs/boxo) from 0.40.0 to 0.41.0.
- [Release notes](https://github.com/ipfs/boxo/releases)
- [Changelog](https://github.com/ipfs/boxo/blob/main/CHANGELOG.md)
- [Commits](ipfs/boxo@v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: github.com/ipfs/boxo
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
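
The routing/http/server and gateway fixes in the release notes above come down to one rule: a cache may never hold an IPNS record past its EOL. The Go sketch below is an added example, not boxo's code; `ipnsCacheControl`, the `maxStaleWindow` ceiling and the `public` directive are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// maxStaleWindow is an assumed ceiling for the stale directives, not a boxo value.
const maxStaleWindow = 48 * time.Hour

// ipnsCacheControl (hypothetical helper) builds a Cache-Control value that
// can never let a cache reuse an IPNS record past its EOL.
func ipnsCacheControl(now, eol time.Time, ttl time.Duration, validityIsEOL bool) string {
	remaining := eol.Sub(now)
	// Unknown expiration or an already expired record: nothing is cacheable.
	if !validityIsEOL || remaining <= 0 {
		return "no-store"
	}
	// A malformed record may carry a negative TTL; floor it at zero.
	if ttl < 0 {
		ttl = 0
	}
	// max-age is the TTL capped to the validity that is left.
	maxAge := ttl
	if maxAge > remaining {
		maxAge = remaining
	}
	// The stale window only gets the time left after max-age.
	stale := remaining - maxAge
	if stale > maxStaleWindow {
		stale = maxStaleWindow
	}
	v := fmt.Sprintf("public, max-age=%d", int64(maxAge/time.Second))
	if s := int64(stale / time.Second); s > 0 {
		v += fmt.Sprintf(", stale-while-revalidate=%d, stale-if-error=%d", s, s)
	}
	return v
}

func main() {
	now := time.Date(2026, 6, 8, 12, 0, 0, 0, time.UTC) // constructed sample time
	eol := now.Add(time.Hour)
	fmt.Println(ipnsCacheControl(now, eol, 5*time.Minute, true))
	fmt.Println(ipnsCacheControl(now, eol, 2*time.Hour, true))
	fmt.Println(ipnsCacheControl(now, eol, -5*time.Second, true))
	fmt.Println(ipnsCacheControl(now, now.Add(-time.Second), 5*time.Minute, true))
}
```

Because both durations are truncated to whole seconds, `max-age` plus the stale window never exceeds the seconds left before EOL.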
dependabot (bot) added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) on Jun 8, 2026
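
The Security entry in the release notes describes capping an HTTP response body at 4 MiB so that a hostile collector cannot exhaust the client's memory. The Go sketch below is an added example of that defensive pattern, not the OpenTelemetry exporter's code; `readCapped`, `postCapped` and the choice to reject an oversized body rather than truncate it are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxResponseBody mirrors the 4 MiB cap named in the release note.
const maxResponseBody = 4 << 20

var errBodyTooLarge = errors.New("collector response exceeds body cap")

// readCapped (hypothetical helper) reads at most limit bytes from r. It asks
// for one byte more than the limit so that "exactly at the cap" and "over the
// cap" are distinguishable, and never buffers more than limit+1 bytes.
func readCapped(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errBodyTooLarge // assumption: reject rather than truncate
	}
	return b, nil
}

// postCapped sends an empty export request and reads the reply under the cap.
func postCapped(url string, limit int64) ([]byte, error) {
	resp, err := http.Post(url, "application/x-protobuf", http.NoBody)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readCapped(resp.Body, limit)
}

func main() {
	// Constructed local server standing in for a collector that over-replies.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write(make([]byte, maxResponseBody+1))
	}))
	defer srv.Close()
	_, err := postCapped(srv.URL, maxResponseBody)
	fmt.Println(err) // the oversized reply is rejected
}
```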