chore(deps): bump libp2p-gossipsub from 0.49.2 to 0.49.3 #2070

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/libp2p-gossipsub-0.49.3

@dependabot dependabot Bot commented on behalf of github Mar 18, 2026

Bumps libp2p-gossipsub from 0.49.2 to 0.49.3.

Release notes

Sourced from libp2p-gossipsub's releases.

libp2p-v0.56.0

See individual changelogs for details.

Notably, we've removed support for async-std in all crates, as async-std has been discontinued. Users should switch to using tokio instead. For now, we've kept the abstractions for supporting alternative runtimes, although not all parts may be public. Please open an issue if you are planning to support a custom runtime and run into any issues with that.

Thanks to everyone who contributed to the release!

libp2p-v0.55.0

See individual changelogs for details.

Thanks everyone who contributed to it! ❤️

libp2p-v0.54.0

See individual changelogs for details.

Thanks everyone who contributed to it! ❤️

libp2p-v0.53.2

See individual changelogs for details.

libp2p-v0.53.1

See individual changelogs for details.

libp2p-v0.53.0

The most ergonomic version of rust-libp2p yet!

We've been busy again, with over 250 PRs being merged into master since v0.52.0 (excluding dependency updates).

Backwards-compatible features

Numerous improvements landed as patch releases since the v0.52.0 release, for example a new, type-safe SwarmBuilder that also encompasses the most common transport protocols:

```rust
let mut swarm = libp2p::SwarmBuilder::with_new_identity()
    .with_tokio()
    .with_tcp(
        tcp::Config::default().port_reuse(true).nodelay(true),
        noise::Config::new,
        yamux::Config::default,
    )?
    .with_quic()
    .with_dns()?
    .with_relay_client(noise::Config::new, yamux::Config::default)?
    .with_behaviour(|keypair, relay_client| Behaviour {
        relay_client,
        ping: ping::Behaviour::default(),
        dcutr: dcutr::Behaviour::new(keypair.public().to_peer_id()),
    })?
    .build();
```

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only dependency update with small patch bump to a networking crate; main risk is unforeseen build/runtime differences from transitive version shifts (notably socket2, windows-sys, and syn).

Overview
Bumps libp2p-gossipsub from 0.49.2 to 0.49.3.

Regenerates Cargo.lock, resulting in transitive dependency version changes including socket2 (0.6.2 → 0.5.10), several windows-sys version downgrades, oauth2 switching base64 (0.22.1 → 0.21.7), and data-encoding-macro-internal using syn 1 instead of syn 2.

Written by Cursor Bugbot for commit 12fd412. This will update automatically on new commits. Configure here.

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update Rust code) Mar 18, 2026

@meroreviewer meroreviewer Bot left a comment

🤖 AI Code Reviewer

Reviewed by 3 agents | Quality score: 95% | Review time: 116.6s


✅ No Issues Found

All agents reviewed the code and found no issues. LGTM! 🎉


🤖 Generated by AI Code Reviewer | Review ID: review-fc6f0234

@dependabot dependabot Bot force-pushed the dependabot/cargo/libp2p-gossipsub-0.49.3 branch from 93fb09b to 24757c2 on March 23, 2026 11:05

@meroreviewer meroreviewer Bot left a comment

🤖 AI Code Reviewer

Reviewed by 3 agents | Quality score: 95% | Review time: 89.1s


✅ No Issues Found

All agents reviewed the code and found no issues. LGTM! 🎉


🤖 Generated by AI Code Reviewer | Review ID: review-e20f97e1

Bumps [libp2p-gossipsub](https://github.com/libp2p/rust-libp2p) from 0.49.2 to 0.49.3.
- [Release notes](https://github.com/libp2p/rust-libp2p/releases)
- [Changelog](https://github.com/libp2p/rust-libp2p/blob/master/CHANGELOG.md)
- [Commits](https://github.com/libp2p/rust-libp2p/commits)

---
updated-dependencies:
- dependency-name: libp2p-gossipsub
  dependency-version: 0.49.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot force-pushed the dependabot/cargo/libp2p-gossipsub-0.49.3 branch from 24757c2 to 12fd412 on March 23, 2026 15:43

@meroreviewer meroreviewer Bot left a comment

🤖 AI Code Reviewer

Reviewed by 3 agents | Quality score: 95% | Review time: 98.3s


✅ No Issues Found

All agents reviewed the code and found no issues. LGTM! 🎉


🤖 Generated by AI Code Reviewer | Review ID: review-7deac671

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread Cargo.lock
"percent-encoding",
"pin-project-lite",
"socket2 0.6.2",
"socket2 0.5.10",
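
Review bot: The last two entries of this dependency list pair `socket2 0.6.2` with `socket2 0.5.10`, so a crate that the PR title does not mention moves to an older locked version. A patch bump of libp2p-gossipsub is expected to change only that package's entry; redo the update against the current lockfile with `cargo update -p libp2p-gossipsub --precise 0.49.3` and check whether this list still changes. If it does, the socket2 change needs its own justification in the PR description.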

Unintended widespread dependency downgrades across lockfile

Medium Severity

A simple patch bump of libp2p-gossipsub (0.49.2 → 0.49.3) has caused ~13 unrelated dependencies to be downgraded, including socket2 (0.6.2 → 0.5.10) for quinn, quinn-udp, and hyper-util, windows-sys (0.61.2 → 0.48.0) for winapi-util, syn (2.0.117 → 1.0.109) for data-encoding-macro-internal, and base64 (0.22.1 → 0.21.7) for oauth2. This suggests the lockfile was fully regenerated rather than surgically updated, potentially reverting security and bug fixes in those dependencies.


@chefsale chefsale closed this Mar 24, 2026

dependabot Bot commented on behalf of github Mar 24, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/cargo/libp2p-gossipsub-0.49.3 branch March 24, 2026 06:38

Labels: dependencies (Pull requests that update a dependency file), external, rust (Pull requests that update Rust code)
