build(deps): Bump the all-go group across 3 directories with 3 updates

[dependabot]

Bumps the all-go group with 2 updates in the / directory: golang.org/x/crypto and golang.org/x/net.
Bumps the all-go group with 1 update in the /execution/grpc directory: golang.org/x/net.
Bumps the all-go group with 1 update in the /test/docker-e2e directory: github.com/evstack/ev-node/execution/evm.

Updates golang.org/x/crypto from 0.48.0 to 0.49.0

Commits

• 982eaa6 go.mod: update golang.org/x dependencies
• 159944f ssh,acme: clean up tautological/impossible nil conditions
• a408498 acme: only require prompt if server has terms of service
• cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
• 2f26647 x509roots/fallback: update bundle
• See full diff in compare view

Updates golang.org/x/net from 0.51.0 to 0.52.0

Commits

• 316e20c go.mod: update golang.org/x dependencies
• 9767a42 internal/http3: add support for plugging into net/http
• 4a81284 http2: update docs to disrecommend this package
• dec6603 dns/dnsmessage: reject too large of names early during unpack
• 8afa12f http2: deprecate write schedulers
• 38019a2 http2: add missing copyright header to export_test.go
• 039b87f internal/http3: return error when Write is used after status 304 is set
• 6267c6c internal/http3: add HTTP 103 Early Hints support to ClientConn
• 591bdf3 internal/http3: add HTTP 103 Early Hints support to Server
• 1faa6d8 internal/http3: avoid potential race when aborting RoundTrip
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.51.0 to 0.52.0

Commits

• 316e20c go.mod: update golang.org/x dependencies
• 9767a42 internal/http3: add support for plugging into net/http
• 4a81284 http2: update docs to disrecommend this package
• dec6603 dns/dnsmessage: reject too large of names early during unpack
• 8afa12f http2: deprecate write schedulers
• 38019a2 http2: add missing copyright header to export_test.go
• 039b87f internal/http3: return error when Write is used after status 304 is set
• 6267c6c internal/http3: add HTTP 103 Early Hints support to ClientConn
• 591bdf3 internal/http3: add HTTP 103 Early Hints support to Server
• 1faa6d8 internal/http3: avoid potential race when aborting RoundTrip
• Additional commits viewable in compare view

Updates github.com/evstack/ev-node/execution/evm from 1.0.0-rc.4 to 1.0.0

Release notes

Sourced from github.com/evstack/ev-node/execution/evm's releases.

v1.0.0

A major part of the Evolve Stack has been released. Introducing the v1.0.0 release of ev-node and execution/evm. Those packages are LTS.

Full Changelog

For a complete list of all changes including new features, improvements, and bug fixes, see CHANGELOG.md.

Images

• ghcr.io/evstack/ev-node-evm:v1.0.0
• ghcr.io/evstack/ev-node-grpc:v1.0.0-rc.6
• ghcr.io/evstack/ev-node-testapp:v1.0.0

Changelog

Sourced from github.com/evstack/ev-node/execution/evm's changelog.

v1.0.0

Fixed

• Persist cache snapshot only once at shutdown to avoid Badger vlog increase. #3153

v1.0.0-rc.5

Added

• Add disaster recovery for sequencer
  • Catch up possible DA-only blocks when restarting. #3057
  • Verify DA and P2P state on restart (prevent double-signing). #3061
• Node pruning support. #2984
  • Two different sort of pruning implemented: Classic pruning (all): prunes given HEAD-n blocks from the databases, including store metadatas. Auto Storage Optimization (metadata): prunes only the state metadatas, keeps all blocks. By using one or the other, you are losing the ability to rollback or replay transactions earlier than HEAD-n. When using classic pruning, you aren't able to fetch blocks prior to HEAD-n.

Fixed

• Fix block timer to account for execution time. Previously, the block timer reset to the full block_time duration after ProduceBlock completed, making the effective interval block_time + execution_time. Now the timer subtracts elapsed execution time so blocks are produced at the configured cadence.

Changes

• Store pending blocks separately from executed blocks key. #3073
• Fixes issues with force inclusion verification on sync nodes. #3057
• Add flag to local-da to produce empty DA blocks (closer to the real system). #3057
• Validate P2P DA height hints against the latest known DA height to prevent malicious peers from triggering runaway catchup. #3128
• Replace syncer DA polling system by DA subscription via websockets. #3131

Commits

• 2c9ca1b chore: remove replaces from ev-node (#3158)
• abb6b71 chore: fix some function names in comment (#3156)
• 7c829ca fix: persist snapshot once for avoiding badger vlog (#3153)
• ba25ea8 build(deps): Bump docker/setup-buildx-action from 3 to 4 (#3148)
• c588547 build(deps): Bump the all-go group across 5 directories with 8 updates (#3147)
• f74b456 build(deps): Bump docker/login-action from 3 to 4 (#3149)
• 5fd8236 build(deps): Bump docker/build-push-action from 6 to 7 (#3151)
• 34db946 build(deps): Bump actions/setup-go from 6.2.0 to 6.3.0 (#3150)
• 87d8ba9 chore: prep evm rc.5 (#3145)
• e599cae build(deps): bump ev-node (#3144)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[claude]

Claude finished @julienrbrt's task in 32s —— View job

---

Code Review: Dependency Bump PR

• Gather context and analyze changes
• Review dependency updates
• Check CI status

---

Summary

This is a routine Dependabot dependency update PR with no logic changes — only go.mod and go.sum files are modified across 9 modules.

Updates:

Dependency	From	To	Modules
golang.org/x/crypto	0.48.0	0.49.0	/, apps/*, execution/evm, test/*
golang.org/x/net	0.51.0	0.52.0	/, apps/*, execution/*, test/*
github.com/evstack/ev-node/execution/evm	1.0.0-rc.4	1.0.0	test/docker-e2e

Assessment

No concerns. All changes are dependency version bumps with no source code modifications.

• golang.org/x/crypto 0.49.0 includes minor fixes (tautological nil conditions, ACME ToS logic, x509 root bundle update) — safe to upgrade.
• golang.org/x/net 0.52.0 includes DNS message parsing hardening (dns/dnsmessage: reject too large of names early during unpack) — this is a mild security improvement worth having.
• execution/evm 1.0.0 (from rc.4) is a stable release of the project's own package, bumping test/docker-e2e from the RC to the final release — correct and expected.

CI Status: Main CI is still running (queued/in-progress). Semantic PR check passed ✅. No failures.

Reviewer @julienrbrt has already approved — this PR looks good to merge once CI completes.

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Mar 16, 2026, 10:42 PM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.24%. Comparing base (6f1d539) to head (62ce393).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3168   +/-   ##
=======================================
  Coverage   60.24%   60.24%           
=======================================
  Files         115      115           
  Lines       11902    11902           
=======================================
  Hits         7170     7170           
  Misses       3921     3921           
  Partials      811      811           

Flag	Coverage Δ
combined	60.24% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.