Skip to content

[CORE-15] Update the CometBFT fork to 0.37.0#4

Merged
lcwik merged 10 commits intodydx-fork-v0.37.0from
lukefork
Apr 27, 2023
Merged

[CORE-15] Update the CometBFT fork to 0.37.0#4
lcwik merged 10 commits intodydx-fork-v0.37.0from
lukefork

Conversation

@lcwik
Copy link

@lcwik lcwik commented Apr 26, 2023

Notable changes from the v0.37.0-rc2 branch:

  • merged all the README.md changes into one commit since there were a lot of merge conflicts there making future upgrades easier
  • replace tendermint/tendermint imports with cometbft/cometbft

ttl33 and others added 10 commits April 26, 2023 10:21
@ttl33 @lcwik
Ignore PlaceOrder/CancelOrder in mempool reaping and recheck
d6e75f1
@ttl33 @lcwik
Add locking around processing of a block
e344474
@ttl33 @lcwik
remove debug statement
90b962f
@lcwik
add dydx-specific changes to v1 mempool
578acc1
@lcwik
fix recheck
a53465c
@prettymuchbryce @lcwik
Log successful transactions as Info rather than Debug
b139093
@lucas-dydx @lcwik
Set KeepInvalidTxsInCache to true in mempool config
26148fe
@prettymuchbryce @lcwik
Add fork workflow instructions
4a4afcf
@prettymuchbryce @lcwik
Fix broken CI and unit tests (#1)
1a8ee4e 
* Test commit

* empty commit to trigger build

* empty commit to trigger build

* Fix TestEndBlockValidatorUpdatesResultingInEmptySet

* Fix test failures

* Add replace using tm-db v0.6.6

* Remove test comment
@lcwik
[STAB-17] Make unsynchronized local client (#3)
34f9dd9 
This is effectively a copy of the fully unsynchronized local client found in tendermint/tendermint#9660. Note that this was reverted and replaced by a version that has a mutex per instance of the client in tendermint/tendermint#9830. This change can be removed once a fully unsynchronized client is added back.
@lcwik lcwik changed the title Update the CometBFT fork to 0.37.0 [CORE-15] Update the CometBFT fork to 0.37.0 Apr 26, 2023
@linear
Copy link

linear bot commented Apr 26, 2023

CORE-15

@lcwik lcwik merged commit 4a837dd into dydx-fork-v0.37.0 Apr 27, 2023
@lcwik lcwik deleted the lukefork branch April 27, 2023 02:48
pthmas referenced this pull request in 01builders/dydx-cometbft Aug 7, 2025
@mergify @melekes
chore(deps): bump Go version to 1.23.5 (backport cometbft#4888) (come…
d4a24c1 
…tbft#4890)

due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey
<hr>This is an automatic backport of pull request cometbft#4888 done by
[Mergify](https://mergify.com).

---------

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
pthmas pushed a commit that referenced this pull request Aug 28, 2025
@melekes
chore(deps): bump Go version to 1.23.5 (cometbft#4888)
e4cbca8 
due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jonfung-dydx jonfung-dydx jonfung-dydx approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lcwik @jonfung-dydx @ttl33 @prettymuchbryce @lucas-dydx