Skip to content

[STAB-4] Downgrade version required by cosmos SDK to not force upgrading any of the versions in the dYdX fork of Cosmos#5

Merged
lcwik merged 1 commit intodydx-fork-v0.37.0from
lukestab4
Apr 28, 2023
Merged

[STAB-4] Downgrade version required by cosmos SDK to not force upgrading any of the versions in the dYdX fork of Cosmos#5
lcwik merged 1 commit intodydx-fork-v0.37.0from
lukestab4

Conversation

@lcwik
Copy link

@lcwik lcwik commented Apr 28, 2023
edited
Loading

This reduces/prevents any upgrades for the cosmos SDK fork go.mod files when we want it to consume the dYdX fork of CometBFT

Note that these are all newer versions of dependencies from the 0.37.0 release before commit a5a3706 ugraded them.

@lcwik
[STAB-4] Downgrade version required by cosmos SDK to not force upgrad…
350fc88 
…ing any of the versions in the dYdX fork of Cosmos

This prevents any upgrades for any of the go.mod files.
@linear
Copy link

linear bot commented Apr 28, 2023

STAB-4

@lcwik lcwik merged commit e9257fb into dydx-fork-v0.37.0 Apr 28, 2023
@lcwik lcwik deleted the lukestab4 branch April 28, 2023 18:02
pthmas referenced this pull request in 01builders/dydx-cometbft Aug 7, 2025
@mergify @melekes
chore(deps): bump Go version to 1.23.5 (backport cometbft#4888) (come…
d4a24c1 
…tbft#4890)

due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey
<hr>This is an automatic backport of pull request cometbft#4888 done by
[Mergify](https://mergify.com).

---------

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
pthmas pushed a commit that referenced this pull request Aug 28, 2025
@melekes
chore(deps): bump Go version to 1.23.5 (cometbft#4888)
e4cbca8 
due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jonfung-dydx jonfung-dydx jonfung-dydx approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lcwik @jonfung-dydx