build(deps): Bump the all-go group across 5 directories with 8 updates

[dependabot]

Bumps the all-go group with 3 updates in the / directory: cloud.google.com/go/kms, golang.org/x/crypto and golang.org/x/net.
Bumps the all-go group with 1 update in the /execution/evm directory: github.com/evstack/ev-node.
Bumps the all-go group with 2 updates in the /execution/grpc directory: golang.org/x/net and github.com/evstack/ev-node.
Bumps the all-go group with 2 updates in the /test/docker-e2e directory: github.com/celestiaorg/tastora and github.com/evstack/ev-node/execution/evm.
Bumps the all-go group with 2 updates in the /test/e2e directory: github.com/celestiaorg/tastora and github.com/cosmos/cosmos-sdk.

Updates cloud.google.com/go/kms from 1.27.0 to 1.28.0

Release notes

Sourced from cloud.google.com/go/kms's releases.

kms: v1.28.0

v1.28.0 (2026-04-09)

retail: v1.28.0

v1.28.0 (2026-04-09)

Changelog

Sourced from cloud.google.com/go/kms's changelog.

1.28.0 (2024-05-01)

Features

• documentai: A new message FoundationModelTuningOptions is added (1d757c6)
• documentai: Support Chunk header and footer in Doc AI external proto (1d757c6)

Bug Fixes

• documentai: Bump x/net to v0.24.0 (ba31ed5)

Commits

• da03b21 chore: librarian release pull request: 20251218T080438Z (#13495)
• be7e387 test(bigquery/v2/query): deflake TestIntegration_QueryCancelWait (#13488)
• ce62012 chore: librarian generate pull request: 20251217T081427Z (#13492)
• ab56892 docs(spanner): Update client side metrics and permission issues in README (#...
• af39539 test(storage/dataflux): skip flaky test (#13490)
• 0e9a8d6 chore(storage): add configurations and defaults for PCU feature (#13461)
• 2416108 chore: librarian release pull request: 20251215T194424Z (#13486)
• 14979ec chore(firestore): replace deprecated io/ioutil (#12362)
• 46fd4f4 chore(bigtable): replace deprecated io/ioutil (#12358)
• 2a546c0 chore: librarian release pull request: 20251215T160018Z (#13482)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.49.0 to 0.50.0

Commits

• 03ca0dc go.mod: update golang.org/x dependencies
• 8400f4a ssh: respect signer's algorithm preference in pickSignatureAlgorithm
• 81c6cb3 ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength
• See full diff in compare view

Updates golang.org/x/net from 0.52.0 to 0.53.0

Commits

• a8d1fc1 go.mod: update golang.org/x dependencies
• 056ac74 quic: avoid depending on golang.org/x/sys/unix
• c85f611 http3: add http3 package for testing in std
• 805fc81 http2: add transport API tests
• e63b894 http2: support testing via net/http.Transport.RoundTrip
• 9ee1e48 http2/hpack: prevent HeaderField from escaping during encoding
• 1e71bd8 http2: prevent hanging Transport due to bad SETTINGS frame
• 7bca150 internal/http3: respect net/http Server Shutdown context when shutting down
• 44c41be internal/http3: prevent server from holding mutex when sleeping during shutdown
• 228a67a internal/http3: add CloseIdleConnections support in transport
• Additional commits viewable in compare view

Updates google.golang.org/api from 0.273.1 to 0.274.0

Release notes

Sourced from google.golang.org/api's releases.

v0.274.0

0.274.0 (2026-04-02)

Features

• all: Auto-regenerate discovery clients (#3555) (0e634ae)

Changelog

Sourced from google.golang.org/api's changelog.

0.274.0 (2026-04-02)

Features

• all: Auto-regenerate discovery clients (#3555) (0e634ae)

Commits

• 6c759a2 chore(main): release 0.274.0 (#3556)
• 0e634ae feat(all): auto-regenerate discovery clients (#3555)
• 0f75259 chore: embargo aiplatform:v1beta1 temporarily (#3554)
• See full diff in compare view

Updates github.com/evstack/ev-node from 1.0.0 to 1.1.0

Release notes

Sourced from github.com/evstack/ev-node's releases.

v1.1.0

This is a minor feature and bugfix release building on v1.0.0. It introduces AWS & GCP KMS signer backend support. Additionally several internal improvements have happened, notably publisher-mode synchronization for failover scenarios, forced inclusion namespace event subscriptions.

Upgrade from v1.0.0 is recommended for all operators for enhanced stability.

Full Changelog

For a complete list of all changes including new features, improvements, and bug fixes, see CHANGELOG.md.

Images

• ghcr.io/evstack/ev-node-evm:v1.1.0
• ghcr.io/evstack/ev-node-grpc:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-testapp:v1.1.0

v1.1.0-rc.2 (2026-04-07)

ev-node v1.1.0-rc.2

⚠️ This is a draft release. Please verify its content before publishing

This is a maintenance and reliability release candidate, containing targeted: improvements to P2P stability, failover handling, and execution layer correctness.

Operators running v1.1.0-rc.1 are encouraged to upgrade.

Tested upgrade paths

• ev-node v1.0.0-rc.1 -> ev-node v1.1.0-rc.2

---

Full Changelog

For a complete list of all changes including new features, improvements, and bug fixes, see CHANGELOG.md.

Images

• ghcr.io/evstack/ev-node-evm:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-grpc:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-testapp:v1.1.0-rc.2

v1.1.0-rc.1 (2026-03-31)

ev-node v1.1.0-rc.1

This is a release candidate for v1.1.0, focused on new features and stability improvements. It introduces:

• AWS & GCP KMS signer backend support
• Forced inclusion namespace event subscriptions
• Several bug fixes addressing memory management, sync reliability, and DA client resilience.

Operators running v1.0.0 are encouraged to test this release candidate before the stable v1.1.0 release.

Tested upgrade paths

• ev-node v1.0.0 -> ev-node v1.1.0-rc.1

... (truncated)

Changelog

Sourced from github.com/evstack/ev-node's changelog.

v1.1.0

No changes from v1.1.0-rc.2.

v1.1.0-rc.2

Changes

• Added publisher-mode synchronization option for failover scenarios with early P2P infrastructure readiness #3222
• Improve P2P transient network failure #3212
• Improve execution/evm check for stored meta not stale #3221

v1.1.0-rc.1

Added

• Add AWS & GCP KMS signer backend #3171
• Subscribe to forced inclusion namespace events #3146
• Display block source in sync log #3193

Fixed

• Avoid evicting yet to be processed heights #3204
• Bound Badger index cache memory to prevent growth with chain length 3209
• Refetch latest da height instead of da height +1 when P2P is offline #3201
• Fix race on startup sync. #3162
• Strict raft state. #3167
• Retry fetching the timestamp on error in da-client #3166

Commits

• 6f09600 chore: correct vm ui link and include in json benchmark result (#3234)
• 536f57e build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.87.1 to 1.99...
• d2a29e8 chore: prep rc.2 (#3231)
• d163059 fix: Publisher-mode synchronization option for failover scenario (#3222)
• 04c9cad feat(pkg/p2p): reconnect on disconnected peers (#3212)
• ff88b95 build(deps): Bump the all-go group across 4 directories with 11 updates (#3228)
• 3d5591d build(deps): Bump defu from 6.1.4 to 6.1.6 in /docs in the npm_and_yarn group...
• a8bd8b2 build(deps): Bump benchmark-action/github-action-benchmark from 1.21.0 to 1.2...
• 920f0c9 build(deps): Bump extractions/setup-just from 3 to 4 (#3227)
• 022b565 chore: Better check for stored meta not stale (#3221)
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.52.0 to 0.53.0

Commits

• a8d1fc1 go.mod: update golang.org/x dependencies
• 056ac74 quic: avoid depending on golang.org/x/sys/unix
• c85f611 http3: add http3 package for testing in std
• 805fc81 http2: add transport API tests
• e63b894 http2: support testing via net/http.Transport.RoundTrip
• 9ee1e48 http2/hpack: prevent HeaderField from escaping during encoding
• 1e71bd8 http2: prevent hanging Transport due to bad SETTINGS frame
• 7bca150 internal/http3: respect net/http Server Shutdown context when shutting down
• 44c41be internal/http3: prevent server from holding mutex when sleeping during shutdown
• 228a67a internal/http3: add CloseIdleConnections support in transport
• Additional commits viewable in compare view

Updates github.com/evstack/ev-node from 1.0.0 to 1.1.0

Release notes

Sourced from github.com/evstack/ev-node's releases.

v1.1.0

This is a minor feature and bugfix release building on v1.0.0. It introduces AWS & GCP KMS signer backend support. Additionally several internal improvements have happened, notably publisher-mode synchronization for failover scenarios, forced inclusion namespace event subscriptions.

Upgrade from v1.0.0 is recommended for all operators for enhanced stability.

Full Changelog

For a complete list of all changes including new features, improvements, and bug fixes, see CHANGELOG.md.

Images

• ghcr.io/evstack/ev-node-evm:v1.1.0
• ghcr.io/evstack/ev-node-grpc:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-testapp:v1.1.0

v1.1.0-rc.2 (2026-04-07)

ev-node v1.1.0-rc.2

⚠️ This is a draft release. Please verify its content before publishing

This is a maintenance and reliability release candidate, containing targeted: improvements to P2P stability, failover handling, and execution layer correctness.

Operators running v1.1.0-rc.1 are encouraged to upgrade.

Tested upgrade paths

• ev-node v1.0.0-rc.1 -> ev-node v1.1.0-rc.2

---

Full Changelog

For a complete list of all changes including new features, improvements, and bug fixes, see CHANGELOG.md.

Images

• ghcr.io/evstack/ev-node-evm:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-grpc:v1.1.0-rc.2
• ghcr.io/evstack/ev-node-testapp:v1.1.0-rc.2

v1.1.0-rc.1 (2026-03-31)

ev-node v1.1.0-rc.1

This is a release candidate for v1.1.0, focused on new features and stability improvements. It introduces:

• AWS & GCP KMS signer backend support
• Forced inclusion namespace event subscriptions
• Several bug fixes addressing memory management, sync reliability, and DA client resilience.

Operators running v1.0.0 are encouraged to test this release candidate before the stable v1.1.0 release.

Tested upgrade paths

• ev-node v1.0.0 -> ev-node v1.1.0-rc.1

... (truncated)

Changelog

Sourced from github.com/evstack/ev-node's changelog.

v1.1.0

No changes from v1.1.0-rc.2.

v1.1.0-rc.2

Changes

• Added publisher-mode synchronization option for failover scenarios with early P2P infrastructure readiness #3222
• Improve P2P transient network failure #3212
• Improve execution/evm check for stored meta not stale #3221

v1.1.0-rc.1

Added

• Add AWS & GCP KMS signer backend #3171
• Subscribe to forced inclusion namespace events #3146
• Display block source in sync log #3193

Fixed

• Avoid evicting yet to be processed heights #3204
• Bound Badger index cache memory to prevent growth with chain length 3209
• Refetch latest da height instead of da height +1 when P2P is offline #3201
• Fix race on startup sync. #3162
• Strict raft state. #3167
• Retry fetching the timestamp on error in da-client #3166

Commits

• 6f09600 chore: correct vm ui link and include in json benchmark result (#3234)
• 536f57e build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.87.1 to 1.99...
• d2a29e8 chore: prep rc.2 (#3231)
• d163059 fix: Publisher-mode synchronization option for failover scenario (#3222)
• 04c9cad feat(pkg/p2p): reconnect on disconnected peers (#3212)
• ff88b95 build(deps): Bump the all-go group across 4 directories with 11 updates (#3228)
• 3d5591d build(deps): Bump defu from 6.1.4 to 6.1.6 in /docs in the npm_and_yarn group...
• a8bd8b2 build(deps): Bump benchmark-action/github-action-benchmark from 1.21.0 to 1.2...
• 920f0c9 build(deps): Bump extractions/setup-just from 3 to 4 (#3227)
• 022b565 chore: Better check for stored meta not stale (#3221)
• Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.17.0 to 0.18.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.18.0

What's Changed

• fix: flaky TestDockerKeyringTestSuite/TestBackend by @​rootulp in celestiaorg/tastora#192
• ci: add merge_group trigger to workflows by @​rootulp in celestiaorg/tastora#193
• chore: Update CODEOWNERS by @​rootulp in celestiaorg/tastora#190
• feat: add WithBlockWaitTimeout to ChainBuilder by @​rootulp in celestiaorg/tastora#189

Full Changelog: celestiaorg/tastora@v0.17.0...v0.18.0

Commits

• 73cff81 feat: add WithBlockWaitTimeout to ChainBuilder (#189)
• cfce4f0 chore: Update CODEOWNERS (#190)
• 08cea29 Merge pull request #193 from celestiaorg/fix/add-merge-group-trigger
• 792abd0 ci: add merge_group trigger to workflows
• f46602e Merge pull request #192 from rootulp/rootulp/fix-flaky-docker-keyring-test
• 700a7ac fix: log error when dockerKeyring initialization fails in Backend()
• 3e03c33 fix(test): wait for exec completion in DockerKeyringTestSuite setup
• See full diff in compare view

Updates github.com/evstack/ev-node/execution/evm from 1.0.0 to 1.0.1

Changelog

Sourced from github.com/evstack/ev-node/execution/evm's changelog.

Changelog

[Unreleased]

Changes

• Improve reaper to sustain txs burst better #3236

v1.1.0

No changes from v1.1.0-rc.2.

v1.1.0-rc.2

Changes

• Added publisher-mode synchronization option for failover scenarios with early P2P infrastructure readiness #3222
• Improve P2P transient network failure #3212
• Improve execution/evm check for stored meta not stale #3221

v1.1.0-rc.1

Added

• Add AWS & GCP KMS signer backend #3171
• Subscribe to forced inclusion namespace events #3146
• Display block source in sync log #3193

Fixed

• Avoid evicting yet to be processed heights #3204
• Bound Badger index cache memory to prevent growth with chain length 3209
• Refetch latest da height instead of da height +1 when P2P is offline #3201
• Fix race on startup sync. #3162
• Strict raft state. #3167
• Retry fetching the timestamp on error in da-client #3166

Commits

• d163059 fix: Publisher-mode synchronization option for failover scenario (#3222)
• 04c9cad feat(pkg/p2p): reconnect on disconnected peers (#3212)
• ff88b95 build(deps): Bump the all-go group across 4 directories with 11 updates (#3228)
• 3d5591d build(deps): Bump defu from 6.1.4 to 6.1.6 in /docs in the npm_and_yarn group...
• a8bd8b2 build(deps): Bump benchmark-action/github-action-benchmark from 1.21.0 to 1.2...
• 920f0c9 build(deps): Bump extractions/setup-just from 3 to 4 (#3227)
• 022b565 chore: Better check for stored meta not stale (#3221)
• 4840f50 chore: mixed benchmark test (#3223)
• cc9f965 ci: optimize Go and Docker layer caching (#3213)
• 4a70e0b chore: prep app for v1.1.0-rc.1 (#3220)
• Additional commits viewable in compare view

Updates github.com/celestiaorg/tastora from 0.16.1-0.20260312082036-2ee1b0a2ac4e to 0.18.0

Release notes

Sourced from github.com/celestiaorg/tastora's releases.

v0.18.0

What's Changed

• fix: flaky TestDockerKeyringTestSuite/TestBackend by @​rootulp in celestiaorg/tastora#192
• ci: add merge_group trigger to workflows by @​rootulp in celestiaorg/tastora#193
• chore: Update CODEOWNERS by @​rootulp in celestiaorg/tastora#190
• feat: add WithBlockWaitTimeout to ChainBuilder by @​rootulp in celestiaorg/tastora#189

Full Changelog: celestiaorg/tastora@v0.17.0...v0.18.0

Commits

• 73cff81 feat: add WithBlockWaitTimeout to ChainBuilder (#189)
• cfce4f0 chore: Update CODEOWNERS (#190)
• 08cea29 Merge pull request #193 from celestiaorg/fix/add-merge-group-trigger
• 792abd0 ci: add merge_group trigger to workflows
• f46602e Merge pull request #192 from rootulp/rootulp/fix-flaky-docker-keyring-test
• 700a7ac fix: log error when dockerKeyring initialization fails in Backend()
• 3e03c33 fix(test): wait for exec completion in DockerKeyringTestSuite setup
• See full diff in compare view

Updates github.com/cosmos/cosmos-sdk from 0.53.6 to 0.54.0

Changelog

Sourced from github.com/cosmos/cosmos-sdk's changelog.

Changelog

UNRELEASED

Breaking Changes

• (x/consensus) #25607 Add AuthorityParams to consensus params. When set, the consensus params authority takes precedence over per-keeper authority for all module parameter updates. Keeper constructor signatures are unchanged.
• (x/staking) #25724 Validate BondDenom in MsgUpdateParams to prevent setting non-existent or zero-supply denoms.
• #25778 Update log to log v2.
• #25090 Moved deprecated modules to ./contrib. These modules are still available but will no longer be actively maintained or supported in the Cosmos SDK Bug Bounty program.
  • x/group
  • x/nft
  • x/circuit
  • x/crisis

... (truncated)

Commits

• 7317c10 Merge pull request #26284 from cosmos/ma/update-store
• 8bfdba5 update store to v2.0.0
• f45bfa5 Merge pull request #26282 from cosmos/ma/update-log
• fd4136f update to log/v2.1.0
• d4aae32 Merge pull request #26279 from cosmos/ma/changelog
• 1b23049 Merge pull request #26280 from cosmos/ma/bump-comet
• 408e563 tidy
• ec3cb63 bump cometbft to v0.39.0
• 064990e prep log changelog for release
• 27fd427 prep client v2 changelog
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[julienrbrt]

@dependabot ignore github.com/cosmos/cosmos-sdk

[dependabot]

OK, I won't notify you about github.com/cosmos/cosmos-sdk again, unless you unignore it.

[claude]

Claude finished @julienrbrt's task in 1m 39s —— View job

---

PR Review: Dependency Bump (all-go group)

Tasks:

• Read AGENTS.md / CLAUDE.md for repo guidelines
• Analyze changed go.mod files for dependency version bumps
• Check for potential breaking changes in updated dependencies
• Identify cosmos-sdk concern flagged in comments
• Provide final review

---

⚠️ Blocking Issue — cosmos-sdk v0.54.0

@julienrbrt explicitly ignored github.com/cosmos/cosmos-sdk via @dependabot ignore, but this PR still includes the bump from v0.53.6 → v0.54.0 in test/e2e/go.mod. Dependabot will eventually recreate this PR without the cosmos-sdk change, but the current PR should not be merged with it included.

Why this matters — cosmos-sdk v0.54.0 has significant breaking changes:

• cosmossdk.io/api: v0.9.2 → v1.0.0 (major version, breaking API)
• cosmossdk.io/core: v0.11.3 → v1.1.0 (major version change)
• github.com/cometbft/cometbft: v0.38.21 → v0.39.0 (breaking consensus upgrade)
• New github.com/cosmos/cosmos-sdk/store/v2 v2.0.0 module introduced
• New cosmossdk.io/log/v2 dependency
• 20+ new OTel packages pulled into test/e2e as transitive dependencies
• Modules x/group, x/nft, x/circuit, x/crisis moved to ./contrib

This is a large, potentially breaking upgrade that deserves its own dedicated PR — not bundled into a routine dependency bump.

---

⚠️ Inconsistent Go Toolchain Version

Caused directly by the cosmos-sdk v0.54.0 bump:

• All other modules: go 1.25.6 → go 1.25.7 ✅
• test/e2e/go.mod: go 1.25.7 → go 1.25.9 ❌

The test/e2e module requires a newer Go minimum due to cosmos-sdk's updated requirements. This inconsistency across the module tree will be resolved once the cosmos-sdk bump is reverted.

---

✅ Remaining Updates Look Good

The following updates are routine and safe:

Dependency	Old	New	Notes
golang.org/x/crypto	0.49.0	0.50.0	SSH algorithm fixes (security improvement)
golang.org/x/net	0.52.0	0.53.0	HTTP/2 stability fixes, hanging transport fix
cloud.google.com/go/kms	1.27.0	1.28.0	Minor feature release
google.golang.org/api	0.273.1	0.274.0	Auto-regenerated clients
github.com/evstack/ev-node	1.0.0	1.1.0	Own module v1.1.0: KMS signer, P2P stability, failover fixes
github.com/evstack/ev-node/execution/evm	1.0.0	1.0.1	Patch: stale meta check improvement
github.com/celestiaorg/tastora	0.16.1-pre	0.18.0	WithBlockWaitTimeout, flaky test fixes
github.com/libp2p/go-libp2p	0.47.0	0.48.0	(in docker-e2e only) — minor P2P update

The golang.org/x/net 0.53.0 upgrade is particularly welcome as it includes a fix for a hanging HTTP/2 Transport due to bad SETTINGS frames.

---

Recommendation

Do not merge this PR. Comment @dependabot recreate to have dependabot regenerate this PR excluding github.com/cosmos/cosmos-sdk (which was already ignored). All other dependency updates in this PR are safe and desirable once the cosmos-sdk bump is removed.

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Apr 14, 2026, 7:22 AM

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.