fix(deps): update module github.com/ipfs/boxo to v0.39.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/ipfs/boxo	v0.38.0 → v0.39.0

---

Release Notes

ipfs/boxo (github.com/ipfs/boxo)

v0.39.0

Compare Source

Added

• gateway: Config.MaxDeserializedResponseSize allows setting a maximum file/directory size for deserialized gateway responses. Content exceeding this limit returns 410 Gone, directing users to run their own IPFS node. Trustless response formats (application/vnd.ipld.raw, application/vnd.ipld.car) are not affected. The size is read from the UnixFS root block, so no extra block fetches are needed for the check. #​1138
• gateway: Config.MaxUnixFSDAGResponseSize allows setting a maximum content size applied to all response formats (deserialized, raw blocks, CAR, TAR). Content exceeding this limit returns 410 Gone. For most handlers the check reuses size information already available in the request path; for CAR responses a lightweight Head call is made only when the limit is configured. #​1138

Changed

• bitswap/server: the default peer comparator now schedules peers fairly. A peer that has never been served, or has waited longer than 10s, outranks non-starved peers. Pending counts cap at 16 for ordering purposes, so peers with small wantlists no longer wait behind peers with large ones. The final tiebreak uses a per-process salted hash of peer.ID, so no peer can craft an ID that permanently outranks everyone. Engines built with WithTaskComparator keep their existing behavior. #​1141
• upgrade to go-libp2p-kad-dht v0.39.1

Fixed

• bitswap/network/bsnet: SendMessage and handleNewStream now close streams in a background goroutine. Previously, stream.Close could hold the caller for up to DefaultNegotiationTimeout (10s) while lazyClientConn.Close waited for the remote peer to complete the multistream handshake. This saturated the bitswap TaskWorkerCount pool when peers were unresponsive and stopped bitswap from serving blocks to other peers. As a side effect, SendMessage no longer returns errors from stream.Close; close failures are logged at Debug. #​1142
• bitswap/server: a peer with a single pending want no longer waits behind peers with large wantlists. #​1141
• pinner/dspinner: RecursiveKeys and DirectKeys now snapshot the pin index under the read lock and release it before emitting pins, so a slow consumer (e.g. the reprovider draining the channel at DHT speed under Provide.Strategy=pinned*) can no longer starve Pin/Unpin/Flush writers. #​1140

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
github.com/libp2p/go-libp2p-kad-dht	v0.39.0 -> v0.39.1
github.com/ipld/go-ipld-prime	v0.22.0 -> v0.23.0
golang.org/x/exp	v0.0.0-20260312153236-7ab1446f8b90 -> v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/mod	v0.34.0 -> v0.35.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/telemetry	v0.0.0-20260311193753-579e4da9a98c -> v0.0.0-20260409153401-be6f6cb8b1fa
golang.org/x/tools	v0.43.0 -> v0.44.0