ipfs/kubo v0.41.0

on GitHub

• Overview
• 🔦 Highlights
  • 🗑️ Faster Provide Queue Disk Reclamation
  • ✨ New ipfs cid inspect command
  • 🔤 --cid-base fixes across all commands
  • 🔄 Built-in ipfs update command
  • 🖥️ WebUI Improvements
  • 🔧 Correct provider addresses for custom HTTP routing
  • 🔀 Provide.Strategy modifiers: +unique and +entities
  • 📌 pin add and pin update now fast-provide root CID
  • 🌳 New --fast-provide-dag flag for fine-tuned provide control
  • 🛡️ Hardened Provide.Strategy parsing
  • 🔧 Filestore now respects Provide.Strategy
  • 🛡️ ipfs object patch validates UnixFS node types
  • 🔗 MFS: fixed CidBuilder preservation
  • 📂 FUSE Mount Improvements
  • 📦 CARv2 import over HTTP API
  • 🌐 HTTPS proxy support
  • 🛡️ server profile no longer announces loopback and non-public IPv6 addresses
  • 🐹 Go 1.26, Once More with Feeling
  • 🐛 Fixed long-standing random daemon crashes during DHT lookups
  • 📦️ Dependency updates
• 📝 Changelog
• 👨‍👩‍👧‍👦 Contributors

Overview

🔦 Highlights

🗑️ Faster Provide Queue Disk Reclamation

Nodes with significant amount of data and DHT provide sweep enabled (Provide.DHT.SweepEnabled, the default since Kubo 0.39) could see their datastore/ directory grow continuously. Each reprovide cycle rewrote the provider keystore inside the shared repo datastore, generating tombstones faster than the storage engine could compact them, and in default configuration Kubo was slow to reclaim this space.

The provider keystore now lives in a dedicated datastore under $IPFS_PATH/provider-keystore/. After each reprovide cycle the old datastore is removed from disk entirely, so space is reclaimed immediately regardless
of storage backend.

On first start after upgrading, stale keystore data is cleaned up from the shared datastore automatically.

To learn more, see kubo#11096, kubo#11198, and go-libp2p-kad-dht#1233.

✨ New ipfs cid inspect command

New subcommand for breaking down a CID into its components. Works offline, supports --enc=json.

$ ipfs cid inspect bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
CID:        bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
Version:    1
Multibase:  base32 (b)
Multicodec: dag-pb (0x70)
Multihash:  sha2-256 (0x12)
  Length:   32 bytes
  Digest:   c3c4733ec8affd06cf9e9ff50ffc6bcd2ec85a6170004bb709669c31de94391a
CIDv0:      QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR
CIDv1:      bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi

See ipfs cid --help for all CID-related commands.

🔤 --cid-base fixes across all commands

--cid-base is now respected by every command that outputs CIDs. Previously block stat, block put, block rm, dag stat, refs local, pin remote, and files chroot ignored the flag.

CIDv0 values are now auto-upgraded to CIDv1 when a non-base58btc base is requested, because CIDv0 can only be represented in base58btc.

🔄 Built-in ipfs update command

Kubo now ships with a built-in ipfs update command that downloads release binaries from GitHub and swaps the current one in place. It supersedes the external ipfs-update tool, deprecated since v0.37.

$ ipfs update check
Update available: 0.40.0 -> 0.41.0
Run 'ipfs update install' to install the latest version.

See ipfs update --help for the available subcommands (check, versions, install, revert, clean).

🖥️ WebUI Improvements

IPFS Web UI has been updated to v4.12.0.

IPv6 peer geolocation and Peers screen optimizations

The Peers screen now resolves IPv6 addresses to geographic locations, and the geolocation database has been updated to GeoLite2-City-CSV_20260220. (ipfs-geoip v9.3.0)

Peer locations load faster thanks to UX optimizations in the underlying ipfs-geoip library.

🔧 Correct provider addresses for custom HTTP routing

Nodes using custom routing (Routing.Type=custom) with IPIP-526 could end up publishing unresolved 0.0.0.0 addresses in provider records. Addresses are now resolved at provide-time, and when AutoNAT V2 has confirmed publicly reachable addresses, those are preferred automatically. See #11213.

🔀 Provide.Strategy modifiers: +unique and +entities

Experimental opt-in optimizations for content providers with large repositories where multiple recursive pins share most of their DAG structure (e.g. append-only datasets, versioned archives like dist.ipfs.tech).

• +unique: bloom filter dedup across recursive pins. Shared subtrees are traversed only once per reprovide cycle instead of once per pin, cutting I/O from O(pins * blocks) to O(unique blocks) at ~4 bytes/CID.
• +entities: announces only entity roots (files, directories, HAMT shards), skipping internal file chunks. Far fewer DHT provider records while keeping all content discoverable by file/directory CID. Implies +unique.

Example: Provide.Strategy = "pinned+mfs+entities"

The default Provide.Strategy=all is unchanged. See Provide.Strategy for configuration details and caveats.

The bloom filter precision is tunable via Provide.BloomFPRate (default ~1 false positive per 4.75M lookups, ~4 bytes per CID).

📌 pin add and pin update now fast-provide root CID

ipfs pin add and ipfs pin update announce the pinned root CID to the routing system immediately after pinning, same as ipfs add and ipfs dag import. This matters for selective strategies like pinned+mfs, where previously the root CID was not announced until the next reprovide cycle (see Provide.DHT.Interval). With the default Provide.Strategy=all, the blockstore already provides every block on write, so this is a no-op.

Both commands now accept --fast-provide-root, --fast-provide-dag, and --fast-provide-wait flags, matching ipfs add and ipfs dag import. See Import for defaults and configuration.

🌳 New --fast-provide-dag flag for fine-tuned provide control

Users with a custom Provide.Strategy (e.g. pinned, pinned+mfs+entities) now have finer control over which CIDs are announced immediately on ipfs add, ipfs dag import, ipfs pin add, and ipfs pin update.

By default, only the root CID is provided right away (--fast-provide-root=true). Child blocks are deferred until the next reprovide cycle. This keeps bulk imports fast and avoids overwhelming online nodes with provide traffic.

Pass --fast-provide-dag=true (or set Import.FastProvideDAG) to provide the full DAG immediately during add, using the active Provide.Strategy to determine scope.

Provide.Strategy=all (default) is unaffected. It provides every block at the blockstore level regardless of this flag.

🛡️ Hardened Provide.Strategy parsing

Unknown strategy tokens (e.g. typo "uniuqe"), malformed delimiters ("pinned+"), and invalid combinations ("all+pinned") now produce a clear error at startup instead of being silently ignored.

🔧 Filestore now respects Provide.Strategy

Blocks added via the filestore or urlstore (ipfs add --nocopy) used to ignore Provide.Strategy and were always announced at write time. The filestore is now gated on the strategy the same way the regular blockstore is, so selective strategies get the same fast-provide knobs for filestore-backed content that they already had for regular ipfs add.

🛡️ ipfs object patch validates UnixFS node types

As part of the ongoing deprecation of the legacy ipfs object API (which predates HAMTShard directories and CIDv1), the add-link and rm-link subcommands now validate the root node before mutating it.

These commands operate at the raw dag-pb level and can only safely mutate small, flat UnixFS directories. They are unable to update UnixFS metadata (HAMT bitfields, file Blocksizes), so using them on files or sharded directories would silently produce invalid DAGs. This is now rejected:

• File nodes: rejected (corrupts Blocksizes, content lost on read-back)
• HAMTShard nodes: rejected (HAMT bitfield not updated, corrupts directory)
• Non-UnixFS dag-pb nodes: rejected by default
• Directory nodes: allowed (the only safe case)

Use ipfs files commands (mkdir, cp, rm, mv) instead. They handle all directory types correctly, including large sharded directories.

A --allow-non-unixfs flag is available on both ipfs object patch commands to bypass validation.

🔗 MFS: fixed CidBuilder preservation

ipfs files commands now correctly preserve the configured CID version and hash function (Import.CidVersion, Import.HashFunction) in all MFS operations. Previously, the CidBuilder could be silently lost when modifying file contents, creating nested directories with mkdir -p, or restarting the daemon, causing some entries to fall back to CIDv0/sha2-256.

Additionally, the MFS root directory itself now respects Import.CidVersion and Import.HashFunction at daemon startup. Before this fix, the root always used CIDv0/sha2-256 regardless of config. Because the MFS root CID format is now managed by these config options, ipfs files chcid no longer accepts the root path /. It continues to work on subdirectories.

See boxo#1125 and kubo#11273.

📂 FUSE Mount Improvements

The FUSE implementation has been rewritten on top of hanwen/go-fuse v2, replacing the unmaintained bazil.org/fuse. This fixes long-standing architectural limitations and aligns FUSE mounts with what standard tools expect. FUSE support is still experimental. See docs/fuse.md for setup instructions, and report problems at kubo/issues.

• fsync works. Editors (vim, emacs) and databases that call fsync after writing no longer get a silent no-op. Data is flushed through the open file descriptor to the DAG. The full vim save sequence (O_TRUNC + write + fsync + chmod) is tested.
• ftruncate works. Tools like rsync --inplace that shrink or grow files via ftruncate(fd, size) no longer get ENOTSUP. Opening existing files with O_TRUNC also works correctly.
• chmod and touch no longer drop file content. With Mounts.StoreMode/StoreMtime enabled, setting mode or mtime previously replaced the DAG node without preserving content links, leaving the file empty.
• Symlink creation on writable mounts. ln -s target link now works on /mfs and /ipns. Symlinks are stored as UnixFS TSymlink nodes, the same format used by ipfs add.
• Rename-over-existing works. Renaming a file onto an existing name (the pattern used by rsync and atomic-save editors) now correctly replaces the target.
• Faster reads on /ipfs. Files are read sequentially from the block graph instead of re-resolving from the root on every read call.
• Interrupting a stuck cat works. Ctrl-C or kill on a read cancels in-flight block fetches instead of hanging.
• External unmount detected. Running fusermount -u from outside the daemon now correctly marks the mount as inactive.
• Files are no longer owned by root. Mounts report the uid/gid of the daemon process, so access works without allow_other.
• Offline IPNS writes succeed. IPNS records are stored locally and published when connectivity returns.
• Empty directories list correctly. Listing an empty directory on /ipfs or /ipns no longer returns an error.
• Bare file CIDs work on /ipfs. Accessing a file by its CID directly under the /ipfs mount now works. This was a long-standing regression.
• Rename works on /mfs and /ipns. Renaming a file within the same directory no longer leaves the source behind.
• IPNS FUSE publish works. Writing files to /ipns/local/ now correctly publishes the updated DAG. Previously IPNS publishing from the FUSE mount was silently blocked.
• Concurrent IPNS file operations no longer race. The /ipns file handle serializes Read, Write, Flush, and Release, matching the /mfs mount.
• IPNS directory operations flush immediately. Remove and Rename on /ipns flush changes to the MFS root, preventing data loss on daemon restart.
• New files use the correct CID version. Files created on /ipns inherit the parent's CID settings instead of falling back to CIDv0.
• UnixFS mode and mtime visible in stat. All three mounts show POSIX mode and mtime from UnixFS metadata when present. When absent, sensible POSIX defaults are used (files: 0644/0444, directories: 0755/0555).
• Opt-in Mounts.StoreMtime and Mounts.StoreMode. Writable mounts can persist mtime on file creation/write and POSIX mode on chmod for both files and directories. touch on directories also works, which tools like tar and rsync rely on. Both flags are off by default because they change the resulting CID. See Mounts.StoreMtime and Mounts.StoreMode.
• ipfs.cid xattr on all mounts. All three mounts expose the node's CID via the ipfs.cid extended attribute on files and directories. The legacy ipfs_cid xattr name (used in earlier versions of /mfs) is no longer supported; use ipfs.cid instead.
• statfs works. All three mounts report the free space of the volume backing the local IPFS repo, so /mfs correctly reflects how much new data fits. Fixes macOS Finder refusing copies with "not enough free space".
• Per-entry st_blocks and st_blksize reflect UnixFS. All three mounts fill st_blocks from the UnixFS file size so du, ls -s, stat, and "size on disk" in file managers match ls -l. Directories report a nominal 1 block so tools that treat 0 as "unsupported" behave correctly. st_blksize advertises a chunk-aligned preferred I/O size: /mfs and /ipns use Import.UnixFSChunker, so cp, dd, and rsync buffer writes at the chunker boundary; /ipfs uses a stable 1 MiB hint since published CIDs have no single chunker.
• Platform compatibility. macOS detection updated from OSXFUSE 2.x to macFUSE 4.x. Linux no longer needs a fusermount symlink; hanwen/go-fuse finds fusermount3 natively.

📦 CARv2 import over HTTP API

ipfs dag import of CARv2 files now works over the HTTP API. Previously it failed with operation not supported: the HTTP multipart stream falsely advertised seek support, which go-car needs for the CARv2 payload offset. See #11253.

🌐 HTTPS proxy support

Kubo's outbound HTTP clients and libp2p /ws+/wss peer dials have long honored the standard HTTPS_PROXY, HTTP_PROXY, and NO_PROXY environment variables; this release extends the WebSocket transport to also accept https:// proxy URLs (TLS to the proxy itself), matching what Kubo's HTTP clients already supported. See docs/environment-variables.md.

🛡️ server profile no longer announces loopback and non-public IPv6 addresses

The opt-in server profile now also blocks IPv4 loopback (127.0.0.0/8) and the IANA-reserved 0000::/3 IPv6 block. Since v0.40.0, libp2p has enumerated all local interfaces, causing public server-profile nodes (including the default IPFS bootstrappers) to leak loopback and unallocated IPv6 prefixes like 1e::/16 through libp2p identify and DHT self-records (see go-libp2p#3460).

Default-configured nodes are unaffected. To pick up the new entries on an existing server-profile node:

$ ipfs config profile apply server

The command is idempotent. See the server profile docs for the full filter list, RFC references, and override guidance.

🐹 Go 1.26, Once More with Feeling

Kubo first shipped with Go 1.26 in v0.40.0, but v0.40.1 had to downgrade to Go 1.25 because of a Windows crash in Go's overlapped I/O layer (#11214). Go 1.26.2 fixes that regression upstream (golang/go#78041), so Kubo is back on Go 1.26 across all platforms.

You should see lower memory usage and reduced GC pauses thanks to the new Green Tea garbage collector (10-40% less GC overhead). Reading block data and API responses is faster due to io.ReadAll improvements (~2x faster, ~50% less memory). On 64-bit platforms, heap base address randomization adds a layer of security hardening.

🐛 Fixed long-standing random daemon crashes during DHT lookups

Long-running daemons could exit with invalid memory address or nil pointer dereference or similar memory errors while handling DHT traffic. The cause was a data race in the routing layer that had been latent for years: PublishQueryEvent handed QueryEvent.Responses to subscribers (like findprovs) by pointer while the publisher kept mutating the same AddrInfo.Addrs slices.

Two recent changes likely tipped the race into frequent visible crashes: go-multiaddr v0.15 turned Multiaddr from an interface into a slice-backed struct, and Go 1.26 added heap base address randomization and a new garbage collector. Both likely made torn concurrent reads more likely to dereference unmapped memory.

This release picks up the targeted fix in go-libp2p-kad-dht#1244. A broader fix for the whole class of routing publish races is proposed upstream in go-libp2p#3490.

📦️ Dependency updates

• update go-libp2p to v0.48.0
• update go-libp2p-kad-dht to v0.39.1 (incl. v0.39.0)
• update ipfs-webui to v4.12.0
• update gateway-conformance tests to v0.13 (incl. v0.12, v0.11)
• update boxo to v0.39.0 (incl. v0.38.0)
• update go-cid to v0.6.1 (pulls in go-multibase v0.3.0 with up to 5x faster base58 encoding for CIDv0)
• update p2p-forge/client to v0.8.0

📝 Changelog

👨‍👩‍👧‍👦 Contributors