build(deps): bump github.com/cometbft/cometbft from 0.38.15 to 0.38.19 in /example_chain by dependabot[bot] · Pull Request #92

build(deps): bump github.com/cometbft/cometbft from 0.38.15 to 0.38.19 in /example_chain by dependabot[bot] · Pull Request #92 · evmos/os

Bumps github.com/cometbft/cometbft from 0.38.15 to 0.38.19.

Release notes

Sourced from github.com/cometbft/cometbft's releases.

v0.38.19

This is a security patch release to the CometBFT v0.38.x family that fixes GHSA-hrhf-2vcr-ghch

What's Changed

chore: fix test docker image by @aljo242 in cometbft/cometbft#5299

chore: refactor changelogs by @aljo242 in cometbft/cometbft#5303

chore: update and fix mockery tooling on v0.38 by @aljo242 in cometbft/cometbft#5301

chore: fix the linter by @aljo242 in cometbft/cometbft#5304

fix(store): Properly prune extended commits (backport #5276) by @mergify[bot] in cometbft/cometbft#5313

chore: clean up the repo by @aljo242 in cometbft/cometbft#5315

fix: remove exposed dockertest port to unblock postgres test by @almk-dev in cometbft/cometbft#5325

fix(consensus/reactor): reject oversized proposals (backport #5324) by @mergify[bot] in cometbft/cometbft#5407

GHSA-hrhf-2vcr-ghch

Full Changelog: cometbft/cometbft@v0.38.18...v0.38.19

v0.38.18

What's Changed

fix: remove redundant error check for PubKeyToProto by @islishude in cometbft/cometbft#4917

ci: remove govulncheck (backport #4946) by @mergify[bot] in cometbft/cometbft#4961

build(deps): Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot[bot] in cometbft/cometbft#4936

fix(ci): Fix docker builds (backport #4949) by @mergify[bot] in cometbft/cometbft#4963

build(deps): Bump docker/build-push-action from 6.13.0 to 6.14.0 by @dependabot[bot] in cometbft/cometbft#4972

build(deps): Bump docker/setup-buildx-action from 3.9.0 to 3.10.0 by @dependabot[bot] in cometbft/cometbft#5008

build(deps): Bump docker/build-push-action from 6.14.0 to 6.15.0 by @dependabot[bot] in cometbft/cometbft#5009

build(deps): Bump golang.org/x/sync from 0.10.0 to 0.11.0 by @dependabot[bot] in cometbft/cometbft#4990

build(deps): Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @dependabot[bot] in cometbft/cometbft#4992

build(deps): Bump golang.org/x/net from 0.34.0 to 0.35.0 by @dependabot[bot] in cometbft/cometbft#4998

build(deps): Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.3.0 to 4.4.0 by @dependabot[bot] in cometbft/cometbft#4997

build(deps): Bump google.golang.org/protobuf from 1.36.4 to 1.36.5 by @dependabot[bot] in cometbft/cometbft#4994

build(deps): Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 by @dependabot[bot] in cometbft/cometbft#4995

chore: fix typo in workflow_dispatch (backport #5164) by @mergify[bot] in cometbft/cometbft#5166

ci(testapp-docker): release two images, not one (backport #5014) by @mergify[bot] in cometbft/cometbft#5168

chore: add supported version to e2e image tag (backport #5169) by @mergify[bot] in cometbft/cometbft#5171

chore: remove tag from individual builds (backport #5173) by @mergify[bot] in cometbft/cometbft#5174

refactor: e2e-node docker build (backport #5176) by @mergify[bot] in cometbft/cometbft#5178

refactor: cometbft image build (backport #5179) by @mergify[bot] in cometbft/cometbft#5181

fix: add git to docker ignore (backport #5214) by @mergify[bot] in cometbft/cometbft#5216

fix: do multistage builds for e2e-node (backport #5220) by @mergify[bot] in cometbft/cometbft#5222

fix: add libs to e2e tests v0.38.x by @zrbecker in cometbft/cometbft#5234

chore: reindex to event sink from cli (backport #5209) by @mergify[bot] in cometbft/cometbft#5240

feat: precommit metrics by @technicallyty in cometbft/cometbft#5251

chore: prep release for v0.38.18 by @technicallyty in cometbft/cometbft#5253

Full Changelog: cometbft/cometbft@v0.38.17...v0.38.18

v0.38.17

See the CHANGELOG for this release.

... (truncated)

Changelog

Sourced from github.com/cometbft/cometbft's changelog.

v0.38.19

October 14, 2025

This release fixes two security issues, including (ASA-2025-003). Users are encouraged to upgrade as soon as possible.

Additionally included is a bug fix to properly prune extended commits (with vote extensions).

BUG-FIXES

[consensus] Reject oversized proposals (#5324)

[store] Prune extended commits properly (5275)

[bits] Validate BitArray mismatched Bits and Elems length (ASA-2025-003)

v0.38.18

July 3, 2025

Adds precommit metrics and reindex CLI command.

IMPROVEMENTS

Adds metrics that emit precommit data; precommit quorum delay from proposal, and precommit vote count and stake weight within timeout commit period. (#5251)

v0.38.17

February 3, 2025

This release fixes two security issues (ASA-2025-001, ASA-2025-002). Users are encouraged to upgrade as soon as possible.

BUG FIXES

[blocksync] Ban peer if it reports height lower than what was previously reported (ASA-2025-001)

[types] Check that Part.Index equals Part.Proof.Index (ASA-2025-001)

DEPENDENCIES

[go/runtime] Bump minimum Go version to 1.22.11 (#4891)

v0.38.16

... (truncated)

Commits

be5677c Merge commit from fork
2cd5d91 fix(consensus/reactor): reject oversized proposals (backport #5324) (#5407)
bb538f0 fix: remove exposed dockertest port to unblock postgres test (#5325)
61b60f6 chore: clean up the repo (#5315)
9806733 fix(store): Properly prune extended commits (backport #5276) (#5313)
c789138 chore: fix the linter (#5304)
840e709 chore: update and fix mockery tooling on v0.38 (#5301)
020c7cf chore: refactor changelogs (#5303)
91348c6 chore: fix test docker image (#5299)
5344a6e chore: prep release for v0.38.18 (#5253)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.