Apply gofmt, align CI with Go 1.24, and update quic-go for security fixes

[Copilot]

• Assess lint failures (errcheck)
• Fix unchecked Close errors in tests
• Run go test
• Final review and respond to comment

Original prompt

gofmt check failed. The following files need formatting:
i6p/protocol/codec.go
i6p/session/ticket.go
i6p/transfer/batch.go
i6p/transfer/bulk.go
i6p/transfer/erasure/codec.go
i6p/transfer/pool.go
Fix locally with: make fmt
Error: Process completed with exit code 1.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[TheusHen]

@copilot Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/slices/iter.go:50:17: cannot range over seq (variable of type iter.Seq[E])
Error: /home/runner/work/I6P/I6P/i6p/identity/keys.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/crypto/ratchet/aead.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/crypto/aead.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/protocol/codec.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/protocol/connection_id.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/utils/buffered_write_closer.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/qerr/error_codes.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/quicvarint/io.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/wire/ack_frame.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/logging/connection_tracer.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/congestion/bandwidth.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/ackhandler/ack_eliciting.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/flowcontrol/base_flow_controller.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/handshake/aead.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/utils/linkedlist/linkedlist.go:12:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/internal/utils/ringbuffer/ringbuffer.go:1:1: package requires newer Go version go1.23
Error: /home/runner/go/pkg/mod/github.com/quic-go/quic-go@v0.50.0/buffer_pool.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/session/handshake.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/transport/quic/tls.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/doc.go:6:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/examples/basic/main.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/transfer/batch.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/examples/bulk/main.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/examples/crypto/main.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/transfer/erasure/codec.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/examples/erasure/main.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/discovery/discovery.go:1:1: package requires newer Go version go1.23
Error: /home/runner/work/I6P/I6P/i6p/discovery/memory/memory.go:1:1: package requires newer Go version go1.23
For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
Error: Process completed with exit code 1.

[Copilot]

@copilot Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/slices/iter.go:50:17: cannot range over seq (variable of type iter.Seq[E])
Error: /home/runner/work/I6P/I6P...

Updated CI to install Go 1.23 to match the module’s required version (commit 086cd7f).

[TheusHen]

@copilot === Symbol Results ===
Vulnerability #1: GO-2025-4175
Improper application of excluded DNS name constraints when verifying
wildcard names in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4175
Standard library
Found in: crypto/x509@go1.23.12
Fixed in: crypto/x509@go1.24.11
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls x509.Certificate.Verify
Vulnerability #2: GO-2025-4155
Excessive resource consumption when printing error string for host
certificate validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4155
Standard library
Found in: crypto/x509@go1.23.12
Fixed in: crypto/x509@go1.24.11
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls x509.Certificate.Verify
Error: #2: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls x509.Certificate.VerifyHostname
Vulnerability #3: GO-2025-4017
Panic occurs when queuing undecryptable packets after handshake completion
in github.com/quic-go/quic-go
More info: https://pkg.go.dev/vuln/GO-2025-4017
Module: github.com/quic-go/quic-go
Found in: github.com/quic-go/quic-go@v0.50.0
Fixed in: github.com/quic-go/quic-go@v0.54.1
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr
Error: #2: i6p/transport/quic/transport.go:19:25: quic.Listen calls quic.ListenAddr
Vulnerability #4: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4013
Standard library
Found in: crypto/x509@go1.23.12
Fixed in: crypto/x509@go1.24.8
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls x509.Certificate.Verify
Vulnerability #5: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
More info: https://pkg.go.dev/vuln/GO-2025-4011
Standard library
Found in: encoding/asn1@go1.23.12
Fixed in: encoding/asn1@go1.24.8
Example traces found:
Error: #1: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which eventually calls asn1.Unmarshal
Vulnerability #6: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
More info: https://pkg.go.dev/vuln/GO-2025-4010
Standard library
Found in: net/url@go1.23.12
Fixed in: net/url@go1.24.8
Example traces found:
Error: #1: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which eventually calls url.Parse
Vulnerability #7: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
More info: https://pkg.go.dev/vuln/GO-2025-4009
Standard library
Found in: encoding/pem@go1.23.12
Fixed in: encoding/pem@go1.24.8
Example traces found:
Error: #1: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which calls pem.Decode
Vulnerability #8: GO-2025-4008
ALPN negotiation error contains attacker controlled information in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2025-4008
Standard library
Found in: crypto/tls@go1.23.12
Fixed in: crypto/tls@go1.24.8
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls tls.QUICConn.Start
Vulnerability #9: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4007
Standard library
Found in: crypto/x509@go1.23.12
Fixed in: crypto/x509@go1.24.9
Example traces found:
Error: #1: i6p/crypto/x25519.go:32:27: crypto.GenerateX25519 calls curve25519.ScalarBaseMult, which eventually calls x509.CertPool.AppendCertsFromPEM
Error: #2: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls x509.Certificate.Verify
Error: #3: i6p/transport/quic/tls.go:44:36: quic.newSelfSignedTLSConfig calls x509.CreateCertificate
Error: #4: i6p/transport/quic/tls.go:50:46: quic.newSelfSignedTLSConfig calls x509.MarshalPKCS8PrivateKey
Error: #5: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which calls x509.ParseCertificate
Error: #6: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which eventually calls x509.ParseECPrivateKey
Error: #7: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which eventually calls x509.ParsePKCS1PrivateKey
Error: #8: i6p/transport/quic/tls.go:56:30: quic.newSelfSignedTLSConfig calls tls.X509KeyPair, which eventually calls x509.ParsePKCS8PrivateKey
Vulnerability #10: GO-2025-3735
Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go
More info: https://pkg.go.dev/vuln/GO-2025-3735
Module: github.com/quic-go/quic-go
Found in: github.com/quic-go/quic-go@v0.50.0
Fixed in: github.com/quic-go/quic-go@v0.50.1
Example traces found:
Error: #1: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls ackhandler.sentPacketHandler.OnLossDetectionTimeout
Error: #2: i6p/transport/quic/transport.go:46:19: quic.Dial calls quic.DialAddr, which eventually calls ackhandler.sentPacketHandler.ReceivedAck
Your code is affected by 10 vulnerabilities from 1 module and the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 12
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Error: Process completed with exit code 3.

[Copilot]

@copilot === Symbol Results ===
Vulnerability #1: GO-2025-4175
Improper application of excluded DNS name constraints when verifying...

Addressed the reported vulnerabilities by upgrading to Go 1.24 and bumping quic-go to v0.54.1 in commit d560d9d. This pulls in the fixed stdlib versions and patched quic-go release.

[TheusHen]

@copilot run golangci-lint
Running [/home/runner/golangci-lint-1.64.8-linux-amd64/golangci-lint config path] in [/home/runner/work/I6P/I6P] ...
Running [/home/runner/golangci-lint-1.64.8-linux-amd64/golangci-lint config verify] in [/home/runner/work/I6P/I6P] ...
Running [/home/runner/golangci-lint-1.64.8-linux-amd64/golangci-lint run --timeout=5m] in [/home/runner/work/I6P/I6P] ...
Error: i6p/transfer/pool_test.go:68:18: Error return value of pool.Close is not checked (errcheck)
defer pool.Close()
^
Error: i6p/session/handshake_test.go:29:16: Error return value of ln.Close is not checked (errcheck)
defer ln.Close()
^
Error: issues found
Ran golangci-lint in 4148ms

[Copilot]

@copilot run golangci-lint
Running [/home/runner/golangci-lint-1.64.8-linux-amd64/golangci-lint config path] in [/home/runner/work/I6P/I6P] ...
Running [/home/runner/golangci-lint-1.64.8-linux-amd...

Checked the errcheck findings by handling deferred closes in tests (commit 82f4b71).