Bump dependencies and go to 1.23.10

[GeorgeTsagk]

Description

Bumps golang to v1.23.10 and updates lnd / tapd / lndclient dependencies to the latest version.

Depends on:
lightninglabs/taproot-assets#1710
lightningnetwork/lnd#10133
lightninglabs/lndclient#236

Closes #1117

[gemini-code-assist]

Summary of Changes

Hello @GeorgeTsagk, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

I've updated the project's Go version to 1.23.10 and refreshed several key dependencies, including lnd, tapd, and lndclient. This update ensures we're running on the latest stable Go release and are compatible with recent changes in our core dependencies, which are being tracked in their respective upstream pull requests.

Highlights

• Go Version Bump: The Go language version has been upgraded from 1.23.9 to 1.23.10 across all relevant Dockerfiles, Makefiles, and Go module files (go.mod). This ensures the project leverages the latest Go features and bug fixes.
• Core Dependency Updates: Key dependencies such as taproot-assets, btclog/v2, btcwallet, docker/cli, docker/docker, jackc/pgx family, lightning-onion, and various golang.org/x modules have been updated to their latest versions.
• Temporary Module Replacements: To facilitate development and testing against unmerged upstream changes, temporary replace directives have been added in go.mod for lnd, lnd/sqldb, and lndclient, pointing to the author's forks. These will be removed once the upstream PRs are merged.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the Go version to 1.23.10 and bumps several dependencies. While this is a routine maintenance task, there are a couple of critical points to address before merging. The go.mod file includes replace directives pointing to a personal fork, which is a security concern and should be removed. Additionally, the base images in the Dockerfiles are no longer pinned to a specific SHA256 digest, which affects build reproducibility and security. My review comments provide more details on these issues.

[gemini-code-assist]

These replace directives point to a personal fork (GeorgeTsagk). While this might be necessary for testing against unmerged pull requests in other repositories, it's a significant security risk and should not be merged into the main branch. Please ensure these are removed before this pull request is merged.

[gemini-code-assist]

The base image golang:1.23.10-alpine is not pinned to a specific digest. This can lead to non-reproducible builds and potential security issues if the tag is updated to point to a different image. It's best practice to pin the base image using its SHA256 digest.

You can find the digest by running docker pull golang:1.23.10-alpine and then docker inspect golang:1.23.10-alpine or docker images --digests golang:1.23.10-alpine.

For example:

FROM golang:1.23.10-alpine@sha256:<some-digest-hash>

[gemini-code-assist]

The base image golang:1.23.10-alpine is not pinned to a specific digest. This can lead to non-reproducible builds and potential security issues if the tag is updated to point to a different image. It's best practice to pin the base image using its SHA256 digest.

You can find the digest by running docker pull golang:1.23.10-alpine and then docker inspect golang:1.23.10-alpine or docker images --digests golang:1.23.10-alpine.

For example:

FROM golang:1.23.10-alpine@sha256:<some-digest-hash>

[gemini-code-assist]

The base image golang:1.23.10-bookworm is not pinned to a specific digest. This can lead to non-reproducible builds and potential security issues if the tag is updated to point to a different image. It's best practice to pin the base image using its SHA256 digest.

You can find the digest by running docker pull golang:1.23.10-bookworm and then docker inspect golang:1.23.10-bookworm or docker images --digests golang:1.23.10-bookworm.

For example:

FROM golang:1.23.10-bookworm@sha256:<some-digest-hash>

[gemini-code-assist]

The base image golang:1.23.10-bookworm is not pinned to a specific digest. This can lead to non-reproducible builds and potential security issues if the tag is updated to point to a different image. It's best practice to pin the base image using its SHA256 digest.

You can find the digest by running docker pull golang:1.23.10-bookworm and then docker inspect golang:1.23.10-bookworm or docker images --digests golang:1.23.10-bookworm.

For example:

FROM golang:1.23.10-bookworm@sha256:<some-digest-hash>

[gemini-code-assist]

The base image golang:1.23.10-bookworm is not pinned to a specific digest. This can lead to non-reproducible builds and potential security issues if the tag is updated to point to a different image. It's best practice to pin the base image using its SHA256 digest.

You can find the digest by running docker pull golang:1.23.10-bookworm and then docker inspect golang:1.23.10-bookworm or docker images --digests golang:1.23.10-bookworm.

For example:

FROM golang:1.23.10-bookworm@sha256:<some-digest-hash>