chore(deps): bump go-deps

[hanabi1224]

Summary of changes

Changes introduced in this pull request:

• bump go-f3 to v0.8.12
• bump crypto to latest to resolve https://github.com/ChainSafe/forest/security/dependabot/126 and https://github.com/ChainSafe/forest/security/dependabot/128 (see chore(deps): replace golang.org/x/crypto/sha3 with go-keccak, upgrade x/crypto filecoin-project/go-f3#1064 )
• bump other go-deps with go get -u && go mod tidy

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

• I have read and agree to the CONTRIBUTING document.
• I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

• Chores
  • Updated internal dependencies to newer versions across the project, including cryptographic and networking libraries, to maintain system compatibility and security.

[coderabbitai]

Walkthrough

Updates Go module dependencies across three files: f3-sidecar, interop-tests/src/tests/go_app, and tools/prometheus_metrics_validator. Dependencies bumped include filecoin-project/go-f3, libp2p, Pion networking stack, golang.org/x modules (crypto, exp, mod, net, telemetry, text, tools), OpenTelemetry, and prometheus to newer versions.

Changes

Cohort / File(s)	Summary
Go module dependency updates f3-sidecar/go.mod, interop-tests/src/tests/go_app/go.mod, tools/prometheus_metrics_validator/go.mod	Bumped versions across indirect and direct dependencies, including go-f3 (v0.8.11→v0.8.12), Pion stack components (dtls, ice, interceptor, rtp, sdp, srtp, stun, transport, webrtc), golang.org/x modules (crypto v0.43.0→v0.47.0, exp, mod, net, telemetry, text, tools), libp2p, OpenTelemetry, prometheus, and quic-go to newer minor/patch releases.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• chore(deps): bump Go deps #6342: Updates the same go.mod files with identical dependency version bumps (go-f3, libp2p, Pion stack, golang.org/x modules).
• chore(deps): bump go deps #6238: Modifies the same Go module files to bump many of the same dependencies (libp2p, rust2go, Pion stack, golang.org/x/*).
• chore(deps): bump go-f3 #6019: Performs overlapping dependency version bumps in the same go.mod files (go-f3, rust2go, libp2p, Pion, OpenTelemetry).

Suggested labels

dependencies, go

Suggested reviewers

• sudo-shashank
• LesnyRumcajs
• akaladarshi

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(deps): bump go-deps' accurately describes the main change—dependency version updates across Go modules.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hm/bump-go-deps

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

f3-sidecar/go.mod (1)

21-143: ⚠️ Potential issue | 🔴 Critical

Pin golang.org/x/crypto to v0.43.0.

The current version v0.47.0 is incompatible with go-f3 v0.8.12. Versions v0.44.0 and later removed the assembly-optimized Keccak implementation, causing the Keccak code path to fall back to the slow generic implementation and triggering CI timeouts. This constraint is documented in go-f3 PRs #1055 and #1063.

🤖 Fix all issues with AI agents

In `@f3-sidecar/go.mod`:
- Around line 5-19: Update the pinned version of the golang.org/x/crypto
dependency in the require block: change the version for module
golang.org/x/crypto from v0.47.0 to v0.43.0 so the legacy Keccak assembly path
used by go-f3 remains available; make the edit where golang.org/x/crypto is
listed in the require(...) section of the go.mod file.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.31%. Comparing base (b5c8f56) to head (ec9656a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

see 8 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b5c8f56...ec9656a. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.