build(deps): Bump the all-go group across 5 directories with 7 updates

[dependabot]

Bumps the all-go group with 3 updates in the / directory: github.com/celestiaorg/go-header, golang.org/x/crypto and golang.org/x/net.
Bumps the all-go group with 1 update in the /execution/evm directory: github.com/ethereum/go-ethereum.
Bumps the all-go group with 1 update in the /execution/grpc directory: golang.org/x/net.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/ethereum/go-ethereum and github.com/docker/docker.
Bumps the all-go group with 2 updates in the /test/e2e directory: github.com/ethereum/go-ethereum and github.com/celestiaorg/tastora.

Updates github.com/celestiaorg/go-header from 0.7.3 to 0.7.4

Release notes

Sourced from github.com/celestiaorg/go-header's releases.

v0.7.4

What's Changed

• fix(store): fixes rare race condition where 2 workers attempt to close errCh at same time by @​renaynay in celestiaorg/go-header#357
• fix(headertest): add locking to header test suite for concurrent use by @​renaynay in celestiaorg/go-header#356

Full Changelog: celestiaorg/go-header@v0.7.3...v0.7.4

Commits

• 425f0dc fix(headertest): add locking to header test suite for concurrent use (#356)
• 62199e0 fix(store): fixes rare race condition where 2 workers attempt to close errCh ...
• See full diff in compare view

Updates golang.org/x/crypto from 0.43.0 to 0.44.0

Commits

• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• 017a1aa chacha20poly1305: panic on dst and additionalData overlap
• cf29fa9 sha3: make it mostly a wrapper around crypto/sha3
• 0b7aa0c ssh: use reflect.TypeFor instead of reflect.TypeOf
• 1faea29 all: fix some typos in comment
• See full diff in compare view

Updates golang.org/x/net from 0.46.0 to 0.47.0

Commits

• 9a29643 go.mod: update golang.org/x dependencies
• 07cefd8 context: deprecate
• 5ac9dac publicsuffix: don't treat ip addresses as domain names
• d1f64cc quic: use testing/synctest
• fff0469 http2: document that RFC 7540 prioritization does not work with small payloads
• f35e3a4 http2: fix weight overflow in RFC 7540 write scheduler
• 89adc90 http2: fix typo referring to RFC 9218 as RFC 9128 instead
• 8d76a2c quic: don't defer MAX_STREAMS frames indefinitely
• 027f8b7 quic: fix expected ACK Delay in client's ACK after HANDSHAKE_DONE
• dec9fe7 dns/dnsmessage: update SVCB packing to prohibit name compression
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.17.0 to 0.18.0

Commits

• 1966f53 errgroup: fix some typos in comment
• See full diff in compare view

Updates github.com/ethereum/go-ethereum from 1.16.6 to 1.16.7

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Ballistic Drift Stabilizer (v1.16.7)

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC. Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades. These upgrades change protocol parameters to increase the available blob capacity.

• BPO1 on2025-12-09
• BPO2 on 2026-01-07

Fusaka

• Set mainnet timestamps for Osaka (#33063)
• Enable Fusaka for geth --dev mode (#32917)

RPC

• Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
• Add support for eth_simulateV1 in ethclient (#32856)
• Fix for an issue that might crash debug_traceCall (#33015)
• Fix for an issuer where local transactions were not persisted to the journal (#32921)

Core

• Fix for a cryptographic vulnerability in c-kzg-4844. This is only exploitable post-Fusaka. (#33093)
• Add geth --genesis flag as an alternative to running geth init genesis.json (#32844)
• Fix for receipt insertion during ERA file import. (#32934)
• Work on getting the trie node history in order to serve historical eth_getProof request with the new path-based archive node. (#32907, #32914, #32937)
• Further work on cmd/keeper, our guest program for zkVMs (#32816)
• Various optimizations (#32971, #32916, #32965, #32946)

Networking

• New metrics for tracking slow peers (#32964)
• Fix for an issue where disconnected peers were not removed in txFetcher (#32947)

---

For a full rundown of the changes please consult the Geth 1.16.6 and 1.16.7 release milestones.

As with all our previous releases, you can find the:

• Pre-built binaries for all platforms on our downloads page.
• Docker images published under ethereum/client-go (use "stable" tag).

... (truncated)

Commits

• b9f3a3d Merge branch 'master' into release/1.16
• 07129d2 version: release go-ethereum v1.16.7 stable
• 653f8d4 go.mod: update to c-kzg v2.1.5 (#33093)
• 5b77af3 version: begin v1.16.7 release cycle
• See full diff in compare view

Updates golang.org/x/net from 0.46.0 to 0.47.0

Commits

• 9a29643 go.mod: update golang.org/x dependencies
• 07cefd8 context: deprecate
• 5ac9dac publicsuffix: don't treat ip addresses as domain names
• d1f64cc quic: use testing/synctest
• fff0469 http2: document that RFC 7540 prioritization does not work with small payloads
• f35e3a4 http2: fix weight overflow in RFC 7540 write scheduler
• 89adc90 http2: fix typo referring to RFC 9218 as RFC 9128 instead
• 8d76a2c quic: don't defer MAX_STREAMS frames indefinitely
• 027f8b7 quic: fix expected ACK Delay in client's ACK after HANDSHAKE_DONE
• dec9fe7 dns/dnsmessage: update SVCB packing to prohibit name compression
• Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.6 to 1.16.7

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Ballistic Drift Stabilizer (v1.16.7)

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC. Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades. These upgrades change protocol parameters to increase the available blob capacity.

• BPO1 on2025-12-09
• BPO2 on 2026-01-07

Fusaka

• Set mainnet timestamps for Osaka (#33063)
• Enable Fusaka for geth --dev mode (#32917)

RPC

• Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
• Add support for eth_simulateV1 in ethclient (#32856)
• Fix for an issue that might crash debug_traceCall (#33015)
• Fix for an issuer where local transactions were not persisted to the journal (#32921)

Core

• Fix for a cryptographic vulnerability in c-kzg-4844. This is only exploitable post-Fusaka. (#33093)
• Add geth --genesis flag as an alternative to running geth init genesis.json (#32844)
• Fix for receipt insertion during ERA file import. (#32934)
• Work on getting the trie node history in order to serve historical eth_getProof request with the new path-based archive node. (#32907, #32914, #32937)
• Further work on cmd/keeper, our guest program for zkVMs (#32816)
• Various optimizations (#32971, #32916, #32965, #32946)

Networking

• New metrics for tracking slow peers (#32964)
• Fix for an issue where disconnected peers were not removed in txFetcher (#32947)

---

For a full rundown of the changes please consult the Geth 1.16.6 and 1.16.7 release milestones.

As with all our previous releases, you can find the:

• Pre-built binaries for all platforms on our downloads page.
• Docker images published under ethereum/client-go (use "stable" tag).

... (truncated)

Commits

• b9f3a3d Merge branch 'master' into release/1.16
• 07129d2 version: release go-ethereum v1.16.7 stable
• 653f8d4 go.mod: update to c-kzg v2.1.5 (#33093)
• 5b77af3 version: begin v1.16.7 release cycle
• See full diff in compare view

Updates github.com/docker/docker from 28.5.1+incompatible to 28.5.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Packaging updates

• Update runc to v1.3.3. moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). moby/moby#51162
• Update Go runtime to 1.24.9. moby/moby#51387, docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecate DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility. docker/cli#6560
• Go-SDK: opts: deprecate ValidateMACAddress. docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete(). docker/cli#6560

Commits

• 89c5e8f Merge pull request #51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request #51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request #51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request #51387 from thaJeztah/28.x_bump_go
• Additional commits viewable in compare view

Updates github.com/ethereum/go-ethereum from 1.16.6 to 1.16.7

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Ballistic Drift Stabilizer (v1.16.7)

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC. Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades. These upgrades change protocol parameters to increase the available blob capacity.

• BPO1 on2025-12-09
• BPO2 on 2026-01-07

Fusaka

• Set mainnet timestamps for Osaka (#33063)
• Enable Fusaka for geth --dev mode (#32917)

RPC

• Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
• Add support for eth_simulateV1 in ethclient (#32856)
• Fix for an issue that might crash debug_traceCall (#33015)
• Fix for an issuer where local transactions were not persisted to the journal (#32921)

Core

• Fix for a cryptographic vulnerability in c-kzg-4844. This is only exploitable post-Fusaka. (#33093)
• Add geth --genesis flag as an alternative to running geth init genesis.json (#32844)
• Fix for receipt insertion during ERA file import. (#32934)
• Work on getting the trie node history in order to serve historical eth_getProof request with the new path-based archive node. (#32907, #32914, #32937)
• Further work on cmd/keeper, our guest program for zkVMs (#32816)
• Various optimizations (#32971, #32916, #32965, #32946)

Networking

• New metrics for tracking slow peers (#32964)
• Fix for an issue where disconnected peers were not removed in txFetcher (#32947)

---

For a full rundown of the changes please consult the Geth 1.16.6 and 1.16.7 release milestones.

As with all our previous releases, you can find the:

• Pre-built binaries for all platforms on our downloads page.
• Docker images published under ethereum/client-go (use "stable" tag).

... (truncated)

Commits

• b9f3a3d Merge branch 'master' into release/1.16
• 07129d2 version: release go-ethereum v1.16.7 stable
• 653f8d4 go.mod: update to c-kzg v2.1.5 (#33093)
• 5b77af3 version: begin v1.16.7 release cycle
• See full diff in compare view

Updates github.com/celestiaorg/tastora from 0.7.5 to 0.8.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.8.0

What's Changed

• chore(deps): bump github.com/consensys/gnark-crypto from 0.18.0 to 0.18.1 in the go_modules group across 1 directory by @​dependabot[bot] in celestiaorg/tastora#147
• chore: add labeled client and update volume cleanup by @​chatton in celestiaorg/tastora#145
• chore: fix jwt secret flag by @​chatton in celestiaorg/tastora#150

Full Changelog: celestiaorg/tastora@v0.7.5...v0.8.0

Commits

• ef34bd5 chore: fix jwt secret flag (#150)
• 7defa8b chore: add labeled client and update volume cleanup (#145)
• 97525e3 chore(deps): bump github.com/consensys/gnark-crypto (#147)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Nov 19, 2025, 11:16 AM

[claude]

Claude finished @dependabot[bot]'s task —— View job

---

Comprehensive Code Review

This Dependabot PR updates 7 Go dependencies across 5 directories. I've reviewed the changes against the project's security, compatibility, and code quality standards.

---

Summary Assessment

Overall: ✅ APPROVE with observations

The dependency updates are well-structured and include important security fixes. The code changes in test_helpers.go properly adapt to the tastora library's API changes. CI checks are passing/in-progress with no failures detected.

---

Dependency Updates Review

🔒 Security-Critical Updates

1. github.com/ethereum/go-ethereum (1.16.6 → 1.16.7)

• Critical: Fixes cryptographic vulnerability in c-kzg-4844 (CVE details)
• Only exploitable post-Fusaka hardfork (scheduled for 2025-12-03)
• Impact: Multiple modules (execution/evm, test/docker-e2e, test/e2e)
• Recommendation: ✅ Must merge before Fusaka activation

2. github.com/docker/docker (28.5.1 → 28.5.2)

• Critical: Fixes 3 high-severity runc vulnerabilities:
  • CVE-2025-31133
  • CVE-2025-52565
  • CVE-2025-52881
• All allow container breakouts via /proc file bypass
• Impact: test/docker-e2e module
• Recommendation: ✅ Essential security update

📦 Standard Updates

3. github.com/celestiaorg/go-header (0.7.3 → 0.7.4)

• Fixes rare race condition with concurrent errCh closure
• Adds locking to header test suite for concurrent use
• Impact: Root module
• Assessment: ✅ Stability improvement, no breaking changes

4. golang.org/x/crypto (0.43.0 → 0.44.0)

• Panic on dst/additionalData overlap in chacha20poly1305
• Makes sha3 wrapper around crypto/sha3
• Various fixes and improvements
• Assessment: ✅ Safe, standard library maintenance

5. golang.org/x/net (0.46.0 → 0.47.0)

• Deprecates context package
• HTTP/2 fixes for RFC 7540 prioritization and weight overflow
• QUIC improvements (MAX_STREAMS, ACK Delay)
• DNS/SVCB packing update
• Impact: Multiple modules
• Assessment: ✅ Important bug fixes, deprecation is expected

6. golang.org/x/sync (0.17.0 → 0.18.0)

• Minor typo fixes in comments
• Assessment: ✅ Trivial update

7. github.com/celestiaorg/tastora (0.7.5 → 0.8.0) (test/e2e only)

• Adds labeled Docker client
• Fixes JWT secret flag
• Updates volume cleanup
• Assessment: ✅ Test infrastructure improvement

---

Code Changes Review

File: execution/evm/test/test_helpers.go

Change Summary: Updates Docker client usage to align with tastora v0.8.0 API

Detailed Analysis:

// OLD: Direct moby/moby client dependency
-   dockerclient "github.com/moby/moby/client"
-   dockerClients  = make(map[string]*dockerclient.Client)

// NEW: Abstracted via tastora interface
+   tastoratypes "github.com/celestiaorg/tastora/framework/types"
+   dockerClients  = make(map[string]tastoratypes.TastoraDockerClient)

Observations:

✅ Good Abstraction: Moving from concrete *dockerclient.Client to TastoraDockerClient interface improves testability and decoupling

✅ API Alignment: Function name change docker.DockerSetup(t) → docker.Setup(t) follows Go naming conventions (removes stutter)

✅ Type Safety: Return type change maintains type safety through interface contract

✅ Backward Compatibility: Changes are internal to test helpers, no public API impact

Potential Concerns:

⚠️ Interface Contract: Verify that TastoraDockerClient provides all methods previously used from *dockerclient.Client. Based on the code, only basic container operations are needed, which should be covered.

---

Architecture & Code Quality

Concurrency Safety ✅

• Proper mutex usage in getTestScopedDockerSetup (lines 48-49)
• sync.RWMutex protects shared maps appropriately
• No race conditions introduced

Resource Management ✅

• Cleanup registered via t.Cleanup() (line 75)
• Proper context usage throughout
• HTTP response bodies closed correctly (lines 106, 126)

Error Handling ✅

• Consistent error wrapping with %w (lines 107, 144, 159)
• Timeout handling in waitForRethContainer (lines 96-101)
• Early returns on error conditions

Security Considerations ✅

• JWT token handling follows best practices
• Secret decoding properly strips "0x" prefix (line 142)
• Token expiration set appropriately (1 hour, line 152)
• No secrets logged or exposed

---

Testing & CI Status

Current Status:

• ✅ Semantic PR check: PASSED
• ⏳ CI workflow: IN PROGRESS
• ⏳ Main PR workflow: IN PROGRESS
• ✅ Buf checks: PASSED (per comments)

Test Coverage:

• Codecov reports 64.68% coverage (slight -0.10% change likely from dependency updates, not actual coverage loss)
• No modified lines require additional coverage

---

Recommendations

Must Do Before Merge:

1. ✅ Security: This PR contains critical security fixes (go-ethereum KZG, Docker runc). Prioritize merging.
2. ⏳ CI Completion: Wait for in-progress CI checks to complete successfully
3. ✅ Dependencies: All go.mod/go.sum updates appear consistent across modules

Optional Improvements:

1. Documentation: Consider documenting the Fusaka hardfork timeline in project docs
2. Testing: Verify TastoraDockerClient interface compatibility manually if you have concerns about the abstraction
3. Monitoring: After merge, monitor for any Docker client-related test failures in CI

Follow-up Actions:

1. golang.org/x/net context deprecation: Plan migration away from deprecated context package (not urgent, but track it)
2. Security Advisory: If running production nodes, ensure upgrade to go-ethereum 1.16.7 before 2025-12-03

---

Compliance Checklist

Against project guidelines from CLAUDE.md:

• ✅ Go Conventions: Changes follow idiomatic Go style
• ✅ Error Handling: Proper error wrapping and context
• ✅ Security: No keys exposed, proper input validation
• ✅ Concurrency: Safe concurrent access patterns
• ✅ Testing: Test patterns maintained
• ✅ Modularity: go.mod files properly updated across modules

---

Final Verdict

APPROVE ✅

This is a high-quality dependency update PR with critical security fixes. The code changes are minimal, well-scoped, and properly adapt to upstream API changes. The updates are particularly important due to:

1. Ethereum KZG vulnerability (pre-Fusaka fix)
2. Docker container escape vulnerabilities (runc CVEs)

Merge Recommendation: Merge as soon as CI completes successfully.

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.78%. Comparing base (a75b4bc) to head (452317b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2854      +/-   ##
==========================================
+ Coverage   64.67%   64.78%   +0.11%     
==========================================
  Files          81       81              
  Lines        7173     7173              
==========================================
+ Hits         4639     4647       +8     
+ Misses       1995     1986       -9     
- Partials      539      540       +1     

Flag	Coverage Δ
combined	64.78% <ø> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.