Skip to content

build(deps): bump the go_modules group across 1 directory with 7 updates #95

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the go_modules group across 1 directory with 7 updates #95

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 10, 2025

Bumps the go_modules group with 3 updates in the / directory: github.com/cometbft/cometbft, github.com/cosmos/cosmos-sdk and github.com/quic-go/quic-go.

Updates github.com/cometbft/cometbft from 0.38.15 to 0.38.17

Release notes

Sourced from github.com/cometbft/cometbft's releases.

v0.38.17

See the CHANGELOG for this release.

v0.38.16

See the CHANGELOG for this release.

Changelog

Sourced from github.com/cometbft/cometbft's changelog.

v0.38.17

February 3, 2025

This release fixes two security issues (ASA-2025-001, ASA-2025-002). Users are encouraged to upgrade as soon as possible.

BUG FIXES

  • [blocksync] Ban peer if it reports height lower than what was previously reported (ASA-2025-001)
  • [types] Check that Part.Index equals Part.Proof.Index (ASA-2025-001)

DEPENDENCIES

  • [go/runtime] Bump minimum Go version to 1.22.11 (#4891)

v0.38.16

December 20 2024

This release:

  • fixes a bug that caused a node produce errors caused by the sending of next PEX requests too soon. As a consequence of this incorrect behavior a node would be marked as BAD.
  • Adds a proper description of ExtendedVoteInfo and VoteInfo in the spec.

BUG FIXES

  • [mocks] Mockery v2.49.0 broke the mocks. We had to add a .mockery.yaml to properly handle this change. (#4521)
Commits
  • d03254d chore: v0.38.17 release (#4909)
  • d8b51b4 build(deps): Bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#4901)
  • 415c0da Merge commit from fork
  • 2cebfde Merge commit from fork
  • 68f79b1 build(deps): Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 (#4900)
  • 4f70ba6 build(deps): bump Go version to 1.22.11 (#4891)
  • 930813e build(deps): Bump docker/build-push-action from 6.12.0 to 6.13.0 (#4882)
  • c86f898 build(deps): Bump github.com/prometheus/common from 0.61.0 to 0.62.0 (#4865)
  • 807bd18 build(deps): Bump github.com/go-git/go-git/v5 from 5.13.0 to 5.13.2 (#4861)
  • 7d8440b build(deps): Bump golang.org/x/net from 0.33.0 to 0.34.0 (#4859)
  • Additional commits viewable in compare view

Updates github.com/cosmos/cosmos-sdk from 0.50.10 to 0.50.14

Release notes

Sourced from github.com/cosmos/cosmos-sdk's releases.

v0.50.14

Cosmos SDK v0.50.14 Release Notes

🚀 Highlights

This patch release fixes GHSA-p22h-3m2v-cmgh. It resolves a x/distribution module issue that can halt chains when the historical rewards pool overflows. Chains using the x/distribution module are affected by this issue.

We recommended upgrading to this patch release as soon as possible.

This patch is state-breaking; chains must perform a coordinated upgrade. This patch cannot be applied in a rolling upgrade.

📝 Changelog

Check out the changelog for an exhaustive list of changes or compare changes from the last release.

v0.50.13

Cosmos SDK v0.50.13 Release Notes

💬 Release Discussion

🚀 Highlights

This patch release fixes GHSA-47ww-ff84-4jrg. It resolves a x/group module issue that can halt chains when there is invalid state in the endblocker. Only users of the x/group module are affected by this issue.

We recommended to upgrade to this patch release as soon as possible.

This patch is not state-breaking, so chains can upgrade in a rolling manner. This does not have to be a coordinated upgrade. However, validators should upgrade as soon as possible when the release is made available. If the vulnerability is exploited before 2/3 is patched, the chain will halt.

📝 Changelog

Check out the changelog for an exhaustive list of changes or compare changes from last release.

v0.50.12

Cosmos SDK v0.50.12 Release Notes

💬 Release Discussion

🚀 Highlights

This patch release fixes GHSA-x5vx-95h7-rv4p. It resolves a x/group module issue that can halt chain when handling a malicious proposal. Only users of the x/group module are affected by this issue.

We recommended to upgrade to this patch release as soon as possible. When upgrading from <= v0.50.11, please use a chain upgrade to ensure that 2/3 of the validator power upgrade to v0.50.12.

... (truncated)

Changelog

Sourced from github.com/cosmos/cosmos-sdk's changelog.

v0.50.14 - 2025-07-08

Bug Fixes

v0.50.13 - 2025-03-12

Bug Fixes

v0.50.12 - 2025-02-20

Bug Fixes

v0.50.11 - 2024-12-16

Features

  • (crypto/keyring) #21653 New Linux-only backend that adds Linux kernel's keyctl support.

Improvements

  • (server) #21941 Regenerate addrbook.json for in place testnet.

Bug Fixes

  • Fix ABS-0043/ABS-0044 Limit recursion depth for unknown field detection and unpack any
  • (server) #22564 Fix fallback genesis path in server
  • (x/group) #22425 Proper address rendering in error
  • (sims) #21906 Skip sims test when running dry on validators
  • (cli) #21919 Query address-by-acc-num by account_id instead of id.
  • (x/group) #22229 Accept 1 and try in CLI for group proposal exec.
Commits
  • f2e6295 Merge commit from fork
  • 7b9d2ff Merge commit from fork
  • 9816440 Merge commit from fork
  • 158f146 chore: remove unused orm module (backport #23633) (#23637)
  • effb71f docs: correct explanation on how to set custom signer via depinject (backport...
  • b9db4d2 docs(keyring): add keyctl docs (backport #23563) (#23566)
  • 5f08d21 feat(client/v2): add map support (backport #23544) (#23554)
  • f1b139d feat(x/tx): add an option to encode maps using amino json (backport #23539) (...
  • 9d3c384 build(deps): Bump github.com/cosmos/ledger-cosmos-go from 0.13.3 to 0.14.0 (#...
  • f465587 build(deps): Bump github.com/cosmos/cosmos-db from 1.1.0 to 1.1.1 (#23030)
  • Additional commits viewable in compare view

Updates cosmossdk.io/math from 1.3.0 to 1.4.0

Commits

Updates github.com/golang/glog from 1.2.2 to 1.2.3

Release notes

Sourced from github.com/golang/glog's releases.

v1.2.3

What's Changed

Full Changelog: golang/glog@v1.2.2...v1.2.3

Commits

Updates github.com/quic-go/quic-go from 0.46.0 to 0.49.1

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.49.0

In this release, we added support for HTTP client traces. We also fixed a large number of bugs that could lead to connection stalls, deadlocks and memory leaks. See the "Major Fixes" section for more details.

New Features

  • http3: add support for client traces net/http/httptrace.ClientTrace: #4749. Thanks to @​lRoccoon for the contribution!

Major Fixes

  • fix accounting for lost RESET_STREAM frames in the stream, leading to potential connection stalls / deadlocks: #4804. Thanks to @​Wondertan for reporting and testing the fix!
  • fix memory leak when the connection ID is rotated when the CONNECTION_CLOSE packet is sent: #4852. Thanks to @​MarcoPolo for debugging this issue and contributing a fix!
  • http3: fix QUIC connection re-dialing logic: #4854, #4875, #4879
  • trigger sending of a new packet when a MAX_DATA frame (connection-level flow control update) is queued: #4844
  • Transport.Close was reworked: calls to Transport.Dial are now canceled, and return the newly introduced ErrTransportClosed, as do calls to Transport.Listen: #4883

Enhancements

  • trace dropping of packets by the Transport when no server is set: #4789
  • trace dropping of packets that the Transport doesn't send a stateless for: #4826
  • drain received packets when the connection is closed: #4773
  • add Prometheus metrics for sent and received packets: #4910
  • reduce calls to time.Now all over the code base: #4731, #4885, #4886, #4906
  • packetize DATA_BLOCKED frames in the same QUIC packet that caused us to block on connection-level flow control: #4845
  • packetize STREAM_DATA_BLOCKED frames in the same QUIC packed that caused us to block on stream-level flow control: #4801
  • we now don't enforce that only one Transport listens on any given net.PacketConn: #4851

Other Fixes

  • drain the server's connection accept queue before returning ErrClosed from Accept: #4846. Thanks to @​sukunrt for discovering this bug and providing very helpful reviews!
  • preserve the error returned from SendStream.Write if it is closed after is canceled: #4882
  • fix race condition on concurrent calls to Transport.Dial and Transport.Close: #4904
  • qlog: fix logging of packet_in_flight on the metrics_updated event: #4895
  • fix errors.Is error comparisons: #4824, #4825, #4877
  • http3: fix race condition on concurrent calls to http.Response.Body.Close: #4798. Thanks to @​RPRX for the contribution!
  • flowcontrol: reset the connection send window on 0-RTT rejection: #4764
  • wait for connection to shut down when the Dial context is cancelled: #4872
  • http3: the http.Request.Body is now properly closed on all code paths that return a non-nil error: #4874
  • NEW_CONNECTION_ID frames are now rejected when zero-length connection IDs are used, as required by the RFC: #4878
  • the stream ID of STREAM_DATA_BLOCKED frames is now validated, as required by the RFC: #4836
  • fix ECN markings of packets sent in GSO batches when the marking changes: #4835
  • the AEAD used to calculate the Retry Integrity Tag is now created lazily, avoiding a panic on initialization when using Go 1.24 FIPS-only mode: #4916
  • use a 24h maximum token age as default value for Transport.MaxTokenAge: #4763

Behind the Scenes

In the v0.48.0 release, we started migrating our test suite away from Ginkgo (tracking issue: #3652). This is an absolutely massive endeavor. Before we started, the number of LOC of Ginkgo tests was more than 41,000.

In this release, we're bringing this number down to less than 8,500 LOC: #4736, #4746, #4775, #4783, #4788, #4790, #4795, #4796, #4797, #4799, #4814, #4816, #4817, #4823, #4837, #4842, #4847, #4848, #4849, #4853, #4857, #4860, #4861, #4862, #4863, #4864, #4865, #4869, #4876, #4881, #4907.

There's still a lot of work ahead, but we'll hopefully be able to finish this item in the next couple of months.

... (truncated)

Commits
  • 275c172 drop initial packets when the handshake is confirmed
  • c385cd1 handshake: lazily create the AEAD used for Retry (#4916)
  • fb9d8e3 metrics: add Prometheus metrics for sent and received packets (#4910)
  • e12f91c clean up MTU probe packet sending logic (#4914)
  • a4c9b04 simply PTO probe packet sending logic (#4913)
  • d41f974 fix memory leak on connection ID rotation when closing connection (#4852)
  • 3023083 migrate the MTU discoverer tests away from Ginkgo (#4907)
  • bea70c6 fix flaky TestALPN integration test (#4909)
  • eb70424 fix race condition on concurrent use of Transport.Dial and Close (#4904)
  • 5d4835e preserve error from SendStream during cancellation and closing (#4882)
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.28.0 to 0.32.0

Commits
  • 8929309 go.mod: update golang.org/x dependencies
  • 4a75ba5 all: make function and struct comments match the names
  • b4f1988 ssh: make the public key cache a 1-entry FIFO cache
  • 7042ebc openpgp/clearsign: just use rand.Reader in tests
  • 3e90321 go.mod: update golang.org/x dependencies
  • 8c4e668 x509roots/fallback: update bundle
  • 6018723 go.mod: update golang.org/x dependencies
  • 71ed71b README: don't recommend go get
  • 750a45f sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary
  • 36b1725 sha3: avoid trailing permutation
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.30.0 to 0.34.0

Commits
  • 8da7ed1 go.mod: update golang.org/x dependencies
  • 2124140 all: make function and struct comments match the names
  • e9d95ba http2: do not surface errors from a conn's idle timer expiring
  • c2be992 quic: remember which remote connection IDs have been retired
  • dfc720d go.mod: update golang.org/x dependencies
  • 8e66b04 html: use strings.EqualFold instead of lowering ourselves
  • b935f7b html: avoid endless loop on error token
  • 9af49ef route: remove unused sizeof* consts
  • 6705db9 quic: clean up crypto streams when dropping packet protection keys
  • 4ef7588 quic: handle ACK frame in packet which drops number space
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the go_modules group across 1 directory with 7 updates
dfdf9be 
Bumps the go_modules group with 3 updates in the / directory: [github.com/cometbft/cometbft](https://github.com/cometbft/cometbft), [github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk) and [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go).


Updates `github.com/cometbft/cometbft` from 0.38.15 to 0.38.17
- [Release notes](https://github.com/cometbft/cometbft/releases)
- [Changelog](https://github.com/cometbft/cometbft/blob/main/CHANGELOG.md)
- [Commits](cometbft/cometbft@v0.38.15...v0.38.17)

Updates `github.com/cosmos/cosmos-sdk` from 0.50.10 to 0.50.14
- [Release notes](https://github.com/cosmos/cosmos-sdk/releases)
- [Changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.50.14/CHANGELOG.md)
- [Commits](cosmos/cosmos-sdk@v0.50.10...v0.50.14)

Updates `cosmossdk.io/math` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/cosmos/cosmos-sdk/releases)
- [Changelog](https://github.com/cosmos/cosmos-sdk/blob/main/CHANGELOG.md)
- [Commits](cosmos/cosmos-sdk@log/v1.3.0...log/v1.4.0)

Updates `github.com/golang/glog` from 1.2.2 to 1.2.3
- [Release notes](https://github.com/golang/glog/releases)
- [Commits](golang/glog@v1.2.2...v1.2.3)

Updates `github.com/quic-go/quic-go` from 0.46.0 to 0.49.1
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.46.0...v0.49.1)

Updates `golang.org/x/crypto` from 0.28.0 to 0.32.0
- [Commits](golang/crypto@v0.28.0...v0.32.0)

Updates `golang.org/x/net` from 0.30.0 to 0.34.0
- [Commits](golang/net@v0.30.0...v0.34.0)

---
updated-dependencies:
- dependency-name: github.com/cometbft/cometbft
  dependency-version: 0.38.17
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/cosmos/cosmos-sdk
  dependency-version: 0.50.14
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: cosmossdk.io/math
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/golang/glog
  dependency-version: 1.2.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.49.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.32.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.34.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 10, 2025

Labels

The following labels could not be found: T:dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants