Skip to content

Bump go.sia.tech/hostd/v2 from 2.6.0-beta.4 to 2.6.0 in the dependencies group #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ChrisSchinnerl merged 1 commit into from
Feb 2, 2026
Merged

Bump go.sia.tech/hostd/v2 from 2.6.0-beta.4 to 2.6.0 in the dependencies group #45

ChrisSchinnerl merged 1 commit into from
Feb 2, 2026

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 30, 2026

Bumps the dependencies group with 1 update: go.sia.tech/hostd/v2.

Updates go.sia.tech/hostd/v2 from 2.6.0-beta.4 to 2.6.0

Release notes

Sourced from go.sia.tech/hostd/v2's releases.

v2.6.0

Features

  • Extend settings with syncerIngressLimit and syncerEgressLimit to set bandwidth rate limits on the syncer.
  • Record syncer bandwidth stats.
  • Register an alert if funding a contract formation, renewal or refresh fails.
  • Track disk I/O in metrics.

Cache sector subtrees to reduce disk IO for partial reads.

This change reduces the minimum read size from 4MiB to 4KiB when reading segments of a sector.

Warning: this cache drastically reduces disk IO, but increases the hostd database by 8GiB per TiB of data stored.

Add support for instant sync

New users can sync instantly using hostd --instant. When instant syncing, the hostd node initializes using a Utreexo-based checkpoint and can immediately validate blocks from that point forward without replaying the whole chain state. The state is extremely compact and committed in block headers, making this initialization both quick and secure. Learn more

The wallet is required to only have v2 history to use instant syncing.

Fixes

  • Add monitoring and rate limiting for quic.
  • Fixed a panic when contracts are rejected.
  • Fixed an issue with the backup endpoint locking up the host.
  • Periodically prune stored_sectors table.
  • Properly return decoding error when decoding slice in decodable.Scan.
  • Sync sector to disk after writing instead of tracking changed volumes.
  • Update core dependency to v0.19.0 and coreutils dependency v0.20.0.
Changelog

Sourced from go.sia.tech/hostd/v2's changelog.

2.6.0 (2026-01-22)

Features

  • Extend settings with syncerIngressLimit and syncerEgressLimit to set bandwidth rate limits on the syncer.
  • Record syncer bandwidth stats.
  • Register an alert if funding a contract formation, renewal or refresh fails.
  • Track disk I/O in metrics.

Cache sector subtrees to reduce disk IO for partial reads.

This change reduces the minimum read size from 4MiB to 4KiB when reading segments of a sector

Add support for instant sync

New users can sync instantly using hostd --instant. When instant syncing, the hostd node initializes using a Utreexo-based checkpoint and can immediately validate blocks from that point forward without replaying the whole chain state. The state is extremely compact and committed in block headers, making this initialization both quick and secure. Learn more

The wallet is required to only have v2 history to use instant syncing.

Fixes

  • Add monitoring and rate limiting for quic.
  • Fixed a panic when contracts are rejected.
  • Fixed an issue with the backup endpoint locking up the host.
  • Periodically prune stored_sectors table
  • Properly return decoding error when decoding slice in decodable.Scan.
  • Sync sector to disk after writing instead of tracking changed volumes.
  • Update core dependency to v0.19.0 and coreutils dependency v0.20.0.

2.5.1 (2025-11-12)

Fixes

  • Fix TestIntegrityCheck NDF

2.5.0 (2025-11-10)

Features

  • Trigger rescan when wallet seed changes

Fixes

  • Add OpenAPI spec
  • Archive V1 contracts with proof window after require height.
  • Fix host not renewing V2 contracts that have a capacity > size.
  • Fix integrity checks using cache
  • Fixed RPCFreeSectors NDFs.
  • Prevent overwriting an existing revision with an older one.
  • Return proto4.ErrNotEnoughStorage instead of internal error in StoreSector.

... (truncated)

Commits
  • e04511b Merge pull request #872 from SiaFoundation/release
  • 0c5a759 chore: prepare release 2.6.0
  • c85f0fa Merge pull request #911 from SiaFoundation/nate/reset-chain-state
  • 3490538 reset chain state on instant sync
  • ff829af Merge pull request #910 from SiaFoundation/chris/fsync
  • aaea138 changeset
  • 77e8756 remove changedVolumes and sync on sector write
  • 274b3b7 Merge pull request #909 from SiaFoundation/chris/docodable-return-dec-error
  • 76d9455 changeset
  • fc617d2 return dec.Err() when decoding slice in Scan
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump go.sia.tech/hostd/v2 in the dependencies group
4b9ef9d 
Bumps the dependencies group with 1 update: [go.sia.tech/hostd/v2](https://github.com/SiaFoundation/hostd).


Updates `go.sia.tech/hostd/v2` from 2.6.0-beta.4 to 2.6.0
- [Release notes](https://github.com/SiaFoundation/hostd/releases)
- [Changelog](https://github.com/SiaFoundation/hostd/blob/master/CHANGELOG.md)
- [Commits](SiaFoundation/hostd@v2.6.0-beta.4...v2.6.0)

---
updated-dependencies:
- dependency-name: go.sia.tech/hostd/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jan 30, 2026
@socket-security
Copy link

socket-security bot commented Jan 30, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgo.sia.tech/​hostd/​v2@​v2.6.0-beta.4 ⏵ v2.6.074 +1100100100100

View full report

@socket-security
Copy link

socket-security bot commented Jan 30, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang go.sia.tech/hostd/v2 is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: go.modgolang/go.sia.tech/hostd/v2@v2.6.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/go.sia.tech/hostd/v2@v2.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@ChrisSchinnerl ChrisSchinnerl merged commit 106e788 into master Feb 2, 2026
9 checks passed
@ChrisSchinnerl ChrisSchinnerl deleted the dependabot/go_modules/dependencies-7d28125542 branch February 2, 2026 09:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ChrisSchinnerl