ethersphere · janos · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -78,10 +78,10 @@ jobs:
       with:
         configFile: commitlint.config.js
     - name: GolangCI-Lint
-      uses: golangci/golangci-lint-action@v8
+      uses: golangci/golangci-lint-action@v9
       with:
         skip-cache: false
-        version: v2.5.0
+        version: v2.10.1
     - name: Whitespace check
       run: make check-whitespace
     - name: go mod tidy check

diff --git a/.golangci.yml b/.golangci.yml
@@ -67,6 +67,12 @@ linters:
       - linters:
           - paralleltest
         path: pkg/log
+      - linters:
+          - staticcheck
+        text: 'SA5008: should encoding/json ignore this field or name it "-"\? Either use `json:"-"` to ignore the field or use `json:"''-'',"` to specify "-" as the name'
+      - linters:
+          - staticcheck
+        text: "SA5008: malformed `json` tag: invalid trailing ',' character"
     paths:
       - third_party$
       - builtin$

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25 AS build
+FROM golang:1.26 AS build
 
 WORKDIR /src
 # enable modules caching in separate layer

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM golang:1.25 AS build
+FROM golang:1.26 AS build
 
 ARG REACHABILITY_OVERRIDE_PUBLIC=false
 ARG BATCHFACTOR_OVERRIDE_PUBLIC=5

diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 GO ?= go
 GOBIN ?= $$($(GO) env GOPATH)/bin
 GOLANGCI_LINT ?= $(GOBIN)/golangci-lint
-GOLANGCI_LINT_VERSION ?= v2.5.0
+GOLANGCI_LINT_VERSION ?= v2.10.1
 GOGOPROTOBUF ?= protoc-gen-gogofaster
 GOGOPROTOBUF_VERSION ?= v1.3.1
 BEEKEEPER_INSTALL_DIR ?= $(GOBIN)

diff --git a/cmd/bee/cmd/db_test.go b/cmd/bee/cmd/db_test.go
@@ -214,9 +214,6 @@ func TestDBNuke_FLAKY(t *testing.T) {
 		Logger:          log.Noop,
 		ReserveCapacity: storer.DefaultReserveCapacity,
 	}, path.Join(dataDir, "localstore"))
-	if err != nil {
-		t.Fatal(err)
-	}
 	defer db.Close()
 
 	info, err = db.DebugInfo(ctx)

diff --git a/go.mod b/go.mod
@@ -1,8 +1,6 @@
 module github.com/ethersphere/bee/v2
 
-go 1.25
-
-toolchain go1.25.2
+go 1.26
 
 require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2

diff --git a/pkg/accesscontrol/grantee.go b/pkg/accesscontrol/grantee.go
@@ -149,6 +149,7 @@ func serialize(publicKeys []*ecdsa.PublicKey) ([]byte, error) {
 		// TODO: check if this is the correct way to serialize the public key
 		// Is this the only curve we support?
 		// Should we have switch case for different curves?
+		//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 		pubBytes := crypto.S256().Marshal(key.X, key.Y)
 		b = append(b, pubBytes...)
 	}

diff --git a/pkg/accesscontrol/session.go b/pkg/accesscontrol/session.go
@@ -37,6 +37,7 @@ func (s *SessionStruct) Key(publicKey *ecdsa.PublicKey, nonces [][]byte) ([][]by
 	if publicKey == nil {
 		return nil, ErrInvalidPublicKey
 	}
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	x, y := publicKey.ScalarMult(publicKey.X, publicKey.Y, s.key.D.Bytes())
 	if x == nil || y == nil {
 		return nil, ErrSecretKeyInfinity

diff --git a/pkg/api/chunk_stream_test.go b/pkg/api/chunk_stream_test.go
@@ -37,7 +37,7 @@ func TestChunkUploadStream(t *testing.T) {
 	)
 
 	t.Run("upload and verify", func(t *testing.T) {
-		chsToGet := []swarm.Chunk{}
+		chsToGet := make([]swarm.Chunk, 0, 5)
 		for range 5 {
 			ch := testingc.GenerateTestRandomChunk()
 

diff --git a/pkg/api/util.go b/pkg/api/util.go
@@ -150,7 +150,7 @@ func mapStructure(input, output any, hooks map[string]func(v string) (string, er
 
 	// Do input sanity checks.
 	inputVal = reflect.ValueOf(input)
-	if inputVal.Kind() == reflect.Ptr {
+	if inputVal.Kind() == reflect.Pointer {
 		inputVal = inputVal.Elem()
 	}
 	switch {
@@ -163,7 +163,7 @@ func mapStructure(input, output any, hooks map[string]func(v string) (string, er
 	// Do output sanity checks.
 	outputVal = reflect.ValueOf(output)
 	switch {
-	case outputVal.Kind() != reflect.Ptr:
+	case outputVal.Kind() != reflect.Pointer:
 		return errors.New("output is not a pointer")
 	case outputVal.Elem().Kind() != reflect.Struct:
 		return errors.New("output is not a struct")
@@ -174,7 +174,7 @@ func mapStructure(input, output any, hooks map[string]func(v string) (string, er
 	var set func(string, reflect.Value) error
 	set = func(value string, field reflect.Value) error {
 		switch fieldKind := field.Kind(); fieldKind {
-		case reflect.Ptr:
+		case reflect.Pointer:
 			if field.IsNil() {
 				field.Set(reflect.New(field.Type().Elem()))
 			}

diff --git a/pkg/bmt/proof_test.go b/pkg/bmt/proof_test.go
@@ -26,7 +26,7 @@ func TestProofCorrectness(t *testing.T) {
 	verifySegments := func(t *testing.T, exp []string, found [][]byte) {
 		t.Helper()
 
-		var expSegments [][]byte
+		expSegments := make([][]byte, 0, len(exp))
 		for _, v := range exp {
 			decoded, err := hex.DecodeString(v)
 			if err != nil {
@@ -154,7 +154,7 @@ func TestProofCorrectness(t *testing.T) {
 			"745bae095b6ff5416b4a351a167f731db6d6f5924f30cd88d48e74261795d27b",
 		}
 
-		var segments [][]byte
+		segments := make([][]byte, 0, len(segmentStrings))
 		for _, v := range segmentStrings {
 			decoded, err := hex.DecodeString(v)
 			if err != nil {

diff --git a/pkg/crypto/crypto.go b/pkg/crypto/crypto.go
@@ -65,14 +65,17 @@ func GenerateSecp256k1Key() (*ecdsa.PrivateKey, error) {
 
 // EncodeSecp256k1PrivateKey encodes raw ECDSA private key.
 func EncodeSecp256k1PrivateKey(k *ecdsa.PrivateKey) ([]byte, error) {
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	pvk, _ := btcec.PrivKeyFromBytes(k.D.Bytes())
 	return pvk.Serialize(), nil
 }
 
 // EncodeSecp256k1PublicKey encodes raw ECDSA public key in a 33-byte compressed format.
 func EncodeSecp256k1PublicKey(k *ecdsa.PublicKey) []byte {
 	var x, y btcec.FieldVal
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	x.SetByteSlice(k.X.Bytes())
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	y.SetByteSlice(k.Y.Bytes())
 	return btcec.NewPublicKey(&x, &y).SerializeCompressed()
 }
@@ -112,9 +115,11 @@ func Secp256k1PrivateKeyFromBytes(data []byte) *ecdsa.PrivateKey {
 // NewEthereumAddress returns a binary representation of ethereum blockchain address.
 // This function is based on github.com/ethereum/go-ethereum/crypto.PubkeyToAddress.
 func NewEthereumAddress(p ecdsa.PublicKey) ([]byte, error) {
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	if p.X == nil || p.Y == nil {
 		return nil, errors.New("invalid public key")
 	}
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	pubBytes := crypto.S256().Marshal(p.X, p.Y)
 	pubHash, err := LegacyKeccak256(pubBytes[1:])
 	if err != nil {

diff --git a/pkg/crypto/crypto_test.go b/pkg/crypto/crypto_test.go
@@ -33,7 +33,7 @@ func TestGenerateSecp256k1Key(t *testing.T) {
 		t.Fatal("nil key")
 	}
 
-	if bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if k1.Equal(k2) {
 		t.Fatal("two generated keys are equal")
 	}
 }
@@ -56,7 +56,7 @@ func TestGenerateSecp256k1EDG(t *testing.T) {
 		t.Fatal("nil key")
 	}
 
-	if bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if k1.Equal(k2) {
 		t.Fatal("two generated keys are equal")
 	}
 }
@@ -97,7 +97,7 @@ func TestEncodeSecp256k1PrivateKey(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if !k1.Equal(k2) {
 		t.Fatal("encoded and decoded keys are not equal")
 	}
 }
@@ -117,7 +117,7 @@ func TestEncodeSecp256k1EDG(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if !k1.Equal(k2) {
 		t.Fatal("encoded and decoded keys are not equal")
 	}
 }
@@ -137,7 +137,7 @@ func TestSecp256k1PrivateKeyFromBytes(t *testing.T) {
 		t.Fatal("nil key")
 	}
 
-	if !bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if !k1.Equal(k2) {
 		t.Fatal("two generated keys are not equal")
 	}
 }
@@ -160,7 +160,7 @@ func TestGenerateSecp256r1Key(t *testing.T) {
 		t.Fatal("nil key")
 	}
 
-	if bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if k1.Equal(k2) {
 		t.Fatal("two generated keys are equal")
 	}
 }
@@ -183,7 +183,7 @@ func TestGenerateSecp256r1EDG(t *testing.T) {
 		t.Fatal("nil key")
 	}
 
-	if bytes.Equal(r1.D.Bytes(), r2.D.Bytes()) {
+	if r1.Equal(r2) {
 		t.Fatal("two generated keys are equal")
 	}
 }
@@ -203,7 +203,7 @@ func TestEncodeSecp256r1PrivateKey(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(r1.D.Bytes(), r2.D.Bytes()) {
+	if !r1.Equal(r2) {
 		t.Fatal("encoded and decoded keys are not equal")
 	}
 }
@@ -223,7 +223,7 @@ func TestEncodeSecp256r1EDG(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(r1.D.Bytes(), r2.D.Bytes()) {
+	if !r1.Equal(r2) {
 		t.Fatal("encoded and decoded keys are not equal")
 	}
 }

diff --git a/pkg/crypto/dh.go b/pkg/crypto/dh.go
@@ -29,6 +29,7 @@ func NewDH(key *ecdsa.PrivateKey) DH {
 // safety warning: this method is not meant to be exposed as it does not validate private and public keys
 // are  on the same curve
 func (dh *defaultDH) SharedKey(pub *ecdsa.PublicKey, salt []byte) ([]byte, error) {
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	x, _ := pub.ScalarMult(pub.X, pub.Y, dh.key.D.Bytes())
 	if x == nil {
 		return nil, errors.New("shared secret is point at infinity")

diff --git a/pkg/crypto/signer.go b/pkg/crypto/signer.go
@@ -139,6 +139,7 @@ func (d *defaultSigner) SignTypedData(typedData *eip712.TypedData) ([]byte, erro
 
 // sign the provided hash and convert it to the ethereum (r,s,v) format.
 func (d *defaultSigner) sign(sighash []byte, isCompressedKey bool) ([]byte, error) {
+	//nolint:staticcheck // SA1019: ecdsa fields are deprecated, but secp256k1 is not supported by crypto/ecdh
 	pvk, _ := btcec.PrivKeyFromBytes(d.key.D.Bytes())
 	signature, err := btcecdsa.SignCompact(pvk, sighash, isCompressedKey)
 	if err != nil {

diff --git a/pkg/crypto/signer_test.go b/pkg/crypto/signer_test.go
@@ -41,7 +41,7 @@ func TestDefaultSigner(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		if pubKey.X.Cmp(privKey.X) != 0 || pubKey.Y.Cmp(privKey.Y) != 0 {
+		if !pubKey.Equal(&privKey.PublicKey) {
 			t.Fatalf("wanted %v but got %v", pubKey, &privKey.PublicKey)
 		}
 	})
@@ -54,7 +54,7 @@ func TestDefaultSigner(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		if pubKey.X.Cmp(privKey.X) == 0 && pubKey.Y.Cmp(privKey.Y) == 0 {
+		if pubKey.Equal(&privKey.PublicKey) {
 			t.Fatal("expected different public key")
 		}
 	})
@@ -228,11 +228,7 @@ func TestRecoverEIP712(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if privKey.X.Cmp(pubKey.X) != 0 {
-		t.Fatalf("recovered wrong public key. wanted %x, got %x", privKey.PublicKey, pubKey)
-	}
-
-	if privKey.Y.Cmp(pubKey.Y) != 0 {
+	if !privKey.PublicKey.Equal(pubKey) {
 		t.Fatalf("recovered wrong public key. wanted %x, got %x", privKey.PublicKey, pubKey)
 	}
 }

diff --git a/pkg/file/buffer_test.go b/pkg/file/buffer_test.go
@@ -114,10 +114,10 @@ func TestCopyBuffer(t *testing.T) {
 		swarm.ChunkSize*17 + 3,
 	}
 
-	testCases := []struct {
+	testCases := make([]struct {
 		readBufferSize int
 		dataSize       int
-	}{}
+	}, 0, len(dataSizes)*len(readBufferSizes))
 
 	for i := range readBufferSizes {
 		for j := range dataSizes {

diff --git a/pkg/file/pipeline/bmt/bmt_test.go b/pkg/file/pipeline/bmt/bmt_test.go
@@ -52,7 +52,7 @@ func TestBmtWriter(t *testing.T) {
 			mockChainWriter := mock.NewChainWriter()
 			writer := bmt.NewBmtWriter(mockChainWriter)
 
-			var data []byte
+			data := make([]byte, 0, len(tc.data))
 
 			if !tc.noSpan {
 				data = make([]byte, 8)

diff --git a/pkg/hive/hive_test.go b/pkg/hive/hive_test.go
@@ -146,7 +146,7 @@ func TestBroadcastPeers(t *testing.T) {
 			underlays = []ma.Multiaddr{u, u2}
 		} else {
 			n := (i % 3) + 1
-			for j := 0; j < n; j++ {
+			for j := range n {
 				port := i + j*10000
 				u, err := ma.NewMultiaddr("/ip4/127.0.0.1/udp/" + strconv.Itoa(port))
 				if err != nil {

diff --git a/pkg/keystore/file/key.go b/pkg/keystore/file/key.go
@@ -11,6 +11,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha3"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
@@ -21,7 +22,6 @@ import (
 	"github.com/ethersphere/bee/v2/pkg/keystore"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/scrypt"
-	"golang.org/x/crypto/sha3"
 )
 
 var _ keystore.Service = (*Service)(nil)

diff --git a/pkg/keystore/test/test.go b/pkg/keystore/test/test.go
@@ -5,7 +5,6 @@
 package test
 
 import (
-	"bytes"
 	"errors"
 	"testing"
 
@@ -52,7 +51,7 @@ func Service(t *testing.T, s keystore.Service, edg keystore.EDG) {
 	if created {
 		t.Fatal("key is created, but should not be")
 	}
-	if !bytes.Equal(k1.D.Bytes(), k2.D.Bytes()) {
+	if !k1.Equal(k2) {
 		t.Fatal("two keys are not equal")
 	}
 
@@ -70,7 +69,7 @@ func Service(t *testing.T, s keystore.Service, edg keystore.EDG) {
 	if !created {
 		t.Fatal("key is not created")
 	}
-	if bytes.Equal(k1.D.Bytes(), k3.D.Bytes()) {
+	if k1.Equal(k3) {
 		t.Fatal("two keys are equal, but should not be")
 	}
 
@@ -82,7 +81,7 @@ func Service(t *testing.T, s keystore.Service, edg keystore.EDG) {
 	if created {
 		t.Fatal("key is created, but should not be")
 	}
-	if !bytes.Equal(k3.D.Bytes(), k4.D.Bytes()) {
+	if !k3.Equal(k4) {
 		t.Fatal("two keys are not equal")
 	}
 }
diff --git a/pkg/log/formatter.go b/pkg/log/formatter.go
@@ -362,7 +362,7 @@ func (f *formatter) prettyWithFlags(value any, flags uint32, depth int) string {
 		}
 		buf.WriteByte('}')
 		return buf.String()
-	case reflect.Ptr, reflect.Interface:
+	case reflect.Pointer, reflect.Interface:
 		if v.IsNil() {
 			return null
 		}
@@ -434,7 +434,7 @@ func isEmpty(v reflect.Value) bool {
 		return v.Float() == 0
 	case reflect.Complex64, reflect.Complex128:
 		return v.Complex() == 0
-	case reflect.Interface, reflect.Ptr:
+	case reflect.Interface, reflect.Pointer:
 		return v.IsNil()
 	}
 	return false