bump cometbft from v0.38.15 to v0.38.19 #2999

Merged: mitch1024 merged 2 commits into irisnet:master from oncloudit:master on Jan 27, 2026
Conversation

oncloudit (Contributor) commented Oct 15, 2025

bump cometbft from v0.38.15 to v0.38.19

Summary by CodeRabbit

  • Chores
    • Updated the Go directive and added a newer toolchain for improved compatibility and support.
    • Upgraded numerous third-party libraries (gRPC, protobuf, OpenTelemetry, crypto, Prometheus, CLI tooling, and others) to recent stable releases to enhance performance, stability, and security.
    • General maintenance to keep the platform aligned with upstream ecosystem updates.


coderabbitai bot commented Oct 15, 2025

📝 Walkthrough

Walkthrough

Updates only to go.mod: advances Go directive to 1.22.11, adds toolchain go1.24.9, and bumps many dependency versions (gRPC/protobuf/genproto, CometBFT, OpenTelemetry, Prometheus, golang.org/x/*, etc.). No source code changes.

Changes (all in go.mod)

  • Go directives: go directive 1.22.7 → 1.22.11; added toolchain go1.24.9
  • Core networking & RPC: google.golang.org/grpc v1.67.1 → v1.70.0; google.golang.org/protobuf v1.35.1 → v1.36.5; google.golang.org/genproto/googleapis/api and .../rpc updated to 2024-12 snapshots
  • CometBFT: github.com/cometbft/cometbft v0.38.15 → v0.38.21
  • CLI tooling: github.com/spf13/cobra v1.8.1 → v1.9.1; github.com/spf13/pflag v1.0.5 → v1.0.6
  • Observability: go.opentelemetry.io/otel and .../trace v1.24.0 → v1.32.0; github.com/prometheus/client_golang v1.20.5 → v1.21.0; github.com/prometheus/common v0.60.1 → v0.62.0
  • golang.org/x updates: x/crypto v0.28.0 → v0.33.0; x/net v0.30.0 → v0.35.0; x/oauth2 v0.23.0 → v0.24.0; x/sync v0.8.0 → v0.11.0; x/sys v0.26.0 → v0.30.0; x/term v0.25.0 → v0.29.0; x/text v0.19.0 → v0.22.0
  • Cloud metadata: cloud.google.com/go/compute/metadata v0.5.0 → v0.5.2
  • Crypto & compression: github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 → v4.4.0; github.com/klauspost/compress v1.17.9 → v1.17.11
  • Logging & testing: github.com/golang/glog v1.2.2 → v1.2.3; github.com/stretchr/testify v1.9.0 → v1.10.0
  • Misc/indirects: indirect/replace entries updated to align with new versions; no other repo files changed

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Update dependencies #2985 — Similar go.mod dependency bumps affecting gRPC, genproto (api/rpc), GCE metadata, and x/oauth2; likely related dependency maintenance.

Suggested reviewers

  • mitch1024

Poem

Thump-thump I hop through the mod tree,
Nibbling versions, one-two-three.
Toolchain shiny, deps aligned,
Tidy carrots all well-timed.
A rabbit's cheer — updates complete! 🥕🐇

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Title check ⚠️ Warning. Explanation: The pull request title claims to bump cometbft from v0.38.15 to v0.38.19, but the actual changeset shows cometbft was updated to v0.38.21, not v0.38.19. The title is outdated and inaccurate. Resolution: Update the pull request title to reflect the actual final version: 'bump cometbft from v0.38.15 to v0.38.21' or adjust it to accurately describe all dependency updates included in the PR.

✅ Passed checks (2 passed)

  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab7502b and 35ee2d8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (9 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 69-69: golang.org/x/crypto 0.33.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 69-69: golang.org/x/crypto 0.33.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 184-184: github.com/golang/glog 1.2.3: Vulnerability when creating log files in github.com/golang/glog

(GO-2025-3372)


[HIGH] 184-184: github.com/golang/glog 1.2.3: Insecure Temporary File usage in github.com/golang/glog

(GHSA-6wxm-mpqj-6jpf)


[HIGH] 258-258: golang.org/x/oauth2 0.24.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 258-258: golang.org/x/oauth2 0.24.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Run Unit Tests

Comment on lines +69 to 71
golang.org/x/crypto v0.33.0
google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a
)

⚠️ Potential issue | 🟠 Major

Security regression: golang.org/x/crypto v0.33.0 ships a known DoS vulnerability.

OSV reports GO-2025-3487 / GHSA-hcg3-q754-cr77 flag this exact release for a slow/incomplete key exchange DoS. Please bump to the patched version (or roll back) before merging so we don’t ship a known vulnerability. Based on static analysis hints.

🧰 Tools
🪛 OSV Scanner (2.2.3)

[HIGH] 69-69: golang.org/x/crypto 0.33.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 69-69: golang.org/x/crypto 0.33.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

🤖 Prompt for AI Agents
go.mod lines 69-71: the project pins golang.org/x/crypto to v0.33.0 which
contains a known DoS vuln; update the dependency to a patched release (e.g., at
least v0.34.0 or the latest stable patch) by running `go get
golang.org/x/crypto@v0.34.0` (or `@latest`), then run `go mod tidy` to update
go.mod/go.sum and run tests/lint to verify; commit the updated go.mod and go.sum
files before merging.

Comment on lines +184 to 186
github.com/golang/glog v1.2.3 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/snappy v0.0.4 // indirect

⚠️ Potential issue | 🟠 Major

Security regression: github.com/golang/glog v1.2.3 is flagged for insecure temp-file handling.

OSV ID GO-2025-3372 / GHSA-6wxm-mpqj-6jpf marks 1.2.3 as vulnerable when creating log files. Please move to the patched release that fixes this issue prior to release. Based on static analysis hints.

🧰 Tools
🪛 OSV Scanner (2.2.3)

[HIGH] 184-184: github.com/golang/glog 1.2.3: Vulnerability when creating log files in github.com/golang/glog

(GO-2025-3372)


[HIGH] 184-184: github.com/golang/glog 1.2.3: Insecure Temporary File usage in github.com/golang/glog

(GHSA-6wxm-mpqj-6jpf)

🤖 Prompt for AI Agents
In go.mod around lines 184 to 186, the dependency github.com/golang/glog is
pinned to v1.2.3 which is flagged for insecure temp-file handling; update the
glog requirement to a patched non-vulnerable release (bump the version to the
patched v1.x tag), then run go get github.com/golang/glog@<patched-version> and
go mod tidy to update go.sum, rebuild/run tests to verify no breakages, and
commit the updated go.mod and go.sum.

Comment on lines +258 to +260
golang.org/x/oauth2 v0.24.0 // indirect
golang.org/x/sync v0.11.0 // indirect
golang.org/x/sys v0.30.0 // indirect

⚠️ Potential issue | 🟠 Major

Security regression: golang.org/x/oauth2 v0.24.0 carries high-severity parsing flaws.

Per GO-2025-3488 / GHSA-6v2p-p543-phr9 this version can consume excessive memory when parsing tokens due to lax validation. Upgrade to the patched version (or revert) to avoid introducing the issue. Based on static analysis hints.

🧰 Tools
🪛 OSV Scanner (2.2.3)

[HIGH] 258-258: golang.org/x/oauth2 0.24.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 258-258: golang.org/x/oauth2 0.24.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
In go.mod around lines 258-260, golang.org/x/oauth2 is pinned at v0.24.0 which
has a high-severity parsing vulnerability; update the module to a patched
release (e.g., v0.25.0 or later) by changing the version requirement, run go get
golang.org/x/oauth2@v0.25.0 (or newer), then run go mod tidy and rebuild/test to
ensure the dependency graph and indirect references are updated and no
regressions occur.
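As an added example (not code from this PR, irisnet, or the CodeRabbit tooling), a small POSIX shell check that parses a go.mod's require entries and reports any pin that exactly matches one of the three module versions OSV Scanner flagged in this review; the go.mod it writes for the demo is constructed from the lines quoted above.

```shell
# Added example, not code from the PR. FLAGGED is copied from the OSV findings
# quoted in this review (module, version, advisory); the go.mod is constructed.
FLAGGED='golang.org/x/crypto v0.33.0 GO-2025-3487
github.com/golang/glog v1.2.3 GO-2025-3372
golang.org/x/oauth2 v0.24.0 GO-2025-3488'

# Print "module version" for each requirement in a go.mod: entries inside a
# require ( ... ) block and single-line requires, direct or // indirect.
gomod_requires() {
  awk '
    /^require[ \t]*\(/                { inblk = 1; next }
    inblk && /^\)/                    { inblk = 0; next }
    inblk && NF >= 2 && $1 !~ /^\/\// { print $1, $2; next }
    /^require[ \t]+[^( \t]/           { print $2, $3 }
  ' "$1"
}

# Print "module version advisory" for every pin that matches a FLAGGED row.
check_flagged_pins() {
  gomod_requires "$1" | while read -r mod ver; do
    echo "$FLAGGED" | while read -r fmod fver adv; do
      if [ "$mod" = "$fmod" ] && [ "$ver" = "$fver" ]; then
        echo "$mod $ver $adv"
      fi
    done
  done
}

# Constructed go.mod mirroring the review snippets: direct x/crypto, indirect
# glog and oauth2; cometbft and x/sync are present but not flagged.
write_sample_gomod() {
  cat > "$1" <<'EOF'
module example.com/constructed
go 1.22.11
require (
    github.com/cometbft/cometbft v0.38.21
    golang.org/x/crypto v0.33.0
)
require (
    github.com/golang/glog v1.2.3 // indirect
    golang.org/x/oauth2 v0.24.0 // indirect
    golang.org/x/sync v0.11.0 // indirect
)
EOF
}

sample=$(mktemp); write_sample_gomod "$sample"
check_flagged_pins "$sample"; rm -f "$sample"
```

Run `check_flagged_pins go.mod` against the real file; an exact-version match like this only catches the pins named on the page, so it complements rather than replaces a full vulnerability scan.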

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 10: Update build and CI to require Go 1.22.11+ and validate the new
CometBFT dependency "github.com/cometbft/cometbft v0.38.21" works: set the Go
toolchain version used by local builds and CI to >=1.22.11, run full integration
tests exercising state sync and consensus (including BitArray/voting power
scenarios) to catch stricter validation rejections, and add test cases or CI
checks for the new additive config option "max-snapshot-chunks" if you intend to
use state sync with chunking.
🧹 Nitpick comments (1)
go.mod (1)

229-231: Consider verifying Prometheus client compatibility.

The Prometheus client libraries received minor version bumps. While these are indirect dependencies and the changes are likely non-breaking, you may want to verify compatibility if your application uses custom Prometheus metrics.

github.com/bianjieai/nft-transfer v1.1.3-ibc-v8.6.1
github.com/bianjieai/tibc-go v0.6.0
github.com/cometbft/cometbft v0.38.15
github.com/cometbft/cometbft v0.38.21

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

CometBFT v0.38.21 release notes changelog

💡 Result:

CometBFT v0.38.21 (released Jan 23, 2026) includes two changes: [1]

  • State sync: Adds a new config option max-snapshot-chunks to let operators cap the maximum snapshot size they’ll accept (in chunks), and rejects peers that exceed the configured limit. [2]
  • Tests: Adds comprehensive unit tests for TotalVotingPowerSafe (including boundary/overflow cases) to improve coverage and safety checks. [3]

Full changelog (compare): v0.38.20...v0.38.21. [1]

Sources: [1] [2] [3]


🌐 Web query:

CometBFT v0.38.21 cosmos-sdk v0.50 compatibility

💡 Result:

Yes—CometBFT v0.38.21 is compatible with Cosmos SDK v0.50.x, because Cosmos SDK 0.50 chains are built against the CometBFT 0.38 line (ABCI 2.0 / “Comet38”). [1]

In practice, many SDK v0.50.x-based projects pin some v0.38.* patch (e.g., IBC release notes show SDK v0.50.13 using CometBFT v0.38.15), and moving within the same minor series (0.38.* → 0.38.*) is intended to be patch-compatible. [2] [3]

Rule of thumb: keep major+minor aligned (0.38 for SDK 0.50); choosing a newer patch like 0.38.21 is generally fine. [1] [3]

Sources:
[1] https://medium.com/cosmwasm/cosmjs-0-32-supports-sdk-0-50-8b87920defec
[2] https://docs.cosmos.network/ibc/v10.1.x/changelog/release-notes
[3] https://socket.dev/go/package/github.com/cometbft/cometbft


🌐 Web query:

CometBFT v0.38 breaking changes between v0.38.15 and v0.38.21

💡 Result:

Between CometBFT v0.38.15 and v0.38.21, there are no documented “BREAKING CHANGES” (in the sense of intentional API/protocol breaks) in the release notes for the intervening patch releases; changes are primarily bugfixes, security hardening, and small additions. [1][2]

Notable items that can still be practically breaking for some deployments:

  • Build/toolchain requirement change: v0.38.17 bumps the minimum Go version to 1.22.11, which will break builds using older Go toolchains. [1]
  • Security hardening (stricter validation):
    • v0.38.15 patches a high-severity issue where vote extensions could trigger a panic when handling invalid precommit data. [3]
    • v0.38.19 is a security patch release fixing invalid BitArray handling that could lead to a network halt; stricter message validation can change how nodes react to malformed peer messages (drop/reject instead of processing). [2][4]
  • Behavior/validation tightening: v0.38.20 adds voting power validation, which may cause nodes to reject/flag invalid data that previously slipped through. [2]
  • Config surface area change (additive): v0.38.21 adds a state-sync setting for maximum snapshot chunks (new config option; typically non-breaking unless you rely on strict config schemas/tools). [2]

Sources: Cosmos CometBFT v0.38 release notes (up through v0.38.18) [1], CometBFT GitHub releases (v0.38.19–v0.38.21) [2], security advisory for v0.38.15 [3], security advisory for v0.38.19 [4].


Validate Go 1.22.11 requirement and test security-hardened changes.

CometBFT v0.38.21 is compatible with cosmos-sdk v0.50.11-lsm. The upgrade from v0.38.15 includes no formal breaking changes but introduces practical implications:

  • Go 1.22.11+ is now required (enforced in v0.38.17); ensure your build environment meets this.
  • Security hardening in v0.38.19–v0.38.20 tightens validation (BitArray handling, voting power checks); test that these stricter checks don't cause unexpected peer rejections or validation failures in your deployment.
  • v0.38.21 adds an additive config option (max-snapshot-chunks for state sync); no action needed unless you plan to use it.

Confirm Go version compatibility and perform integration testing with the stricter validation rules.

🤖 Prompt for AI Agents
In `@go.mod` at line 10, update build and CI to require Go 1.22.11+ and validate
the new CometBFT dependency "github.com/cometbft/cometbft v0.38.21" works: set
the Go toolchain version used by local builds and CI to >=1.22.11, run full
integration tests exercising state sync and consensus (including BitArray/voting
power scenarios) to catch stricter validation rejections, and add test cases or
CI checks for the new additive config option "max-snapshot-chunks" if you intend
to use state sync with chunking.

mitch1024 merged commit 615cc0c into irisnet:master on Jan 27, 2026
2 checks passed