Conversation

@oncloudit (Contributor) commented Oct 15, 2025

bump cometbft from v0.38.15 to v0.38.19

Summary by CodeRabbit

  • Chores
    • Updated the Go runtime and toolchain to newer stable versions for improved compatibility and support.
    • Refreshed underlying libraries to the latest stable releases, enhancing performance, stability, and security.
    • General maintenance to keep the platform aligned with upstream ecosystem updates.

coderabbitai bot commented Oct 15, 2025

Walkthrough

Updates go.mod: advances Go version to 1.22.11, adds toolchain go1.24.9, and bumps multiple dependencies (CometBFT, Cobra, gRPC, Protobuf, OpenTelemetry, Prometheus, golang.org/x/*, etc.). No code files changed; only module requirements/directives adjusted.

Changes

All changes are in go.mod, grouped by cohort:

  • Go directives: go directive 1.22.7 → 1.22.11; added toolchain directive go1.24.9
  • Core networking & RPC: google.golang.org/grpc v1.67.1 → v1.70.0; google.golang.org/protobuf v1.35.1 → v1.36.5; google.golang.org/genproto/googleapis/api and .../rpc to 2024-12 snapshots
  • CometBFT: github.com/cometbft/cometbft v0.38.15 → v0.38.19
  • CLI tooling: github.com/spf13/cobra v1.8.1 → v1.9.1; github.com/spf13/pflag v1.0.5 → v1.0.6
  • Observability: go.opentelemetry.io/otel and .../trace v1.24.0 → v1.32.0; github.com/prometheus/client_golang v1.20.5 → v1.21.0; github.com/prometheus/common v0.60.1 → v0.62.0
  • golang.org/x updates: x/crypto v0.28.0 → v0.33.0; x/net v0.30.0 → v0.35.0; x/oauth2 v0.23.0 → v0.24.0; x/sync v0.8.0 → v0.11.0; x/sys v0.26.0 → v0.30.0; x/term v0.25.0 → v0.29.0; x/text v0.19.0 → v0.22.0
  • Cloud metadata: cloud.google.com/go/compute/metadata v0.5.0 → v0.5.2
  • Crypto & compression: github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 → v4.4.0; github.com/klauspost/compress v1.17.9 → v1.17.11
  • Logging & testing: github.com/golang/glog v1.2.2 → v1.2.3; github.com/stretchr/testify v1.9.0 → v1.10.0
  • Misc/indirects: indirect/replace graph updated to align with new versions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Update dependencies #2985 — Similar go.mod dependency bumps across gRPC, genproto (api/rpc), GCE metadata, and x/oauth2; likely parallel dependency maintenance.

Suggested reviewers

  • mitch1024

Poem

Thump-thump go the deps, I hop with glee,
Version carrots stacked as far as I can see.
Toolchain moon, a shiny go1.24,
I nibble mods, then bounce for more.
With tidy paws I sign and say:
“All updated—hip hop hooray!” 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: Passed. The title clearly indicates a dependency version bump for the cometbft module, which is indeed part of the changeset. It is concise, specific, and free of extraneous wording or emojis. Although the pull request updates multiple dependencies, the title accurately reflects one of the real changes made.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab7502b and 35ee2d8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (9 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 69-69: golang.org/x/crypto 0.33.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 69-69: golang.org/x/crypto 0.33.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 184-184: github.com/golang/glog 1.2.3: Vulnerability when creating log files in github.com/golang/glog

(GO-2025-3372)


[HIGH] 184-184: github.com/golang/glog 1.2.3: Insecure Temporary File usage in github.com/golang/glog

(GHSA-6wxm-mpqj-6jpf)


[HIGH] 258-258: golang.org/x/oauth2 0.24.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 258-258: golang.org/x/oauth2 0.24.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Run Unit Tests

Comment on lines +69 to 71
golang.org/x/crypto v0.33.0
google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a
)
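Review bot: golang.org/x/crypto v0.33.0 on line 69 is a direct requirement (no `// indirect` marker), so the question for this hunk is whether the key-exchange code path the advisory text describes is actually reachable from this module's binaries; `govulncheck ./...` (golang.org/x/vuln) answers that, since it reports only findings whose affected symbols are reachable, and re-running it after `go get golang.org/x/crypto@latest && go mod tidy` confirms that GO-2025-3487 / GHSA-hcg3-q754-cr77 has cleared rather than relying on the version number alone.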

⚠️ Potential issue | 🟠 Major

Security regression: golang.org/x/crypto v0.33.0 ships a known DoS vulnerability.

OSV reports GO-2025-3487 / GHSA-hcg3-q754-cr77 flag this exact release for a slow/incomplete key exchange DoS. Please bump to the patched version (or roll back) before merging so we don’t ship a known vulnerability. Based on static analysis hints.

🤖 Prompt for AI Agents
go.mod lines 69-71: the project pins golang.org/x/crypto to v0.33.0 which contains a known DoS vuln; update the dependency to a patched release (e.g., at least v0.34.0 or the latest stable patch) by running `go get golang.org/x/crypto@v0.34.0` (or `@latest`), then run `go mod tidy` to update go.mod/go.sum and run tests/lint to verify; commit the updated go.mod and go.sum files before merging.

Comment on lines +184 to 186
github.com/golang/glog v1.2.3 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/snappy v0.0.4 // indirect
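Review bot: github.com/golang/glog v1.2.3 on line 184 is `// indirect`, so nothing in this module imports it directly and the requirement exists only because a direct dependency pulls it in; `go mod why -m github.com/golang/glog` shows which one. Raising the version with `go get github.com/golang/glog@<patched-version>` does work, because Go's minimum version selection keeps the highest requirement in the graph, but the durable fix is to bump the direct dependency that requires it so the next `go mod tidy` does not reintroduce the older pin through its go.mod.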

⚠️ Potential issue | 🟠 Major

Security regression: github.com/golang/glog v1.2.3 is flagged for insecure temp-file handling.

OSV ID GO-2025-3372 / GHSA-6wxm-mpqj-6jpf marks 1.2.3 as vulnerable when creating log files. Please move to the patched release that fixes this issue prior to release. Based on static analysis hints.

🤖 Prompt for AI Agents
In go.mod around lines 184 to 186, the dependency github.com/golang/glog is
pinned to v1.2.3 which is flagged for insecure temp-file handling; update the
glog requirement to a patched non-vulnerable release (bump the version to the
patched v1.x tag), then run go get github.com/golang/glog@<patched-version> and
go mod tidy to update go.sum, rebuild/run tests to verify no breakages, and
commit the updated go.mod and go.sum.

Comment on lines +258 to +260
golang.org/x/oauth2 v0.24.0 // indirect
golang.org/x/sync v0.11.0 // indirect
golang.org/x/sys v0.30.0 // indirect
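Review bot: the target version offered for golang.org/x/oauth2 in the prompt below is explicitly a guess ("e.g., v0.25.0 or later"), and like glog this module is `// indirect` on line 258; take the fixed version from the GO-2025-3488 / GHSA-6v2p-p543-phr9 advisory itself (or use `go get golang.org/x/oauth2@latest`), run `go mod tidy`, and re-run the OSV scan on the result, so the chosen release is verified to be outside the affected range instead of assumed to be.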

⚠️ Potential issue | 🟠 Major

Security regression: golang.org/x/oauth2 v0.24.0 carries high-severity parsing flaws.

Per GO-2025-3488 / GHSA-6v2p-p543-phr9 this version can consume excessive memory when parsing tokens due to lax validation. Upgrade to the patched version (or revert) to avoid introducing the issue. Based on static analysis hints.

🤖 Prompt for AI Agents
In go.mod around lines 258-260, golang.org/x/oauth2 is pinned at v0.24.0 which has a high-severity parsing vulnerability; update the module to a patched release (e.g., v0.25.0 or later) by changing the version requirement, run go get golang.org/x/oauth2@v0.25.0 (or newer), then run go mod tidy and rebuild/test to ensure the dependency graph and indirect references are updated and no regressions occur.
