
Conversation

@joe-bowman (Contributor) commented Nov 6, 2025

1. Summary

Bump dependencies

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain from version 1.24.5 to 1.24.9.
    • Updated multiple direct and indirect dependencies to newer compatible versions across all modules, including Prometheus, Celestia-related packages, Google Cloud libraries, and development tools.

@coderabbitai bot (Contributor) commented Nov 6, 2025

Walkthrough

Go toolchain bumped from 1.24.5 to 1.24.9 across three modules (go.mod, icq-relayer/go.mod, xcclookup/go.mod). Numerous direct and indirect dependencies updated, including Prometheus, spf13 packages, Celestia libraries, Kubernetes, protobuf, gRPC, and golang.org/x packages. No API changes.

Changes

Cohort / File(s): Go Toolchain and Dependency Updates (go.mod, icq-relayer/go.mod, xcclookup/go.mod)
Summary: Go version bumped from 1.24.5 to 1.24.9. Direct dependencies updated: spf13 packages (cast, cobra, viper, afero, pflag), Prometheus (client_golang, common), Celestia libraries (go-square, nmt), golangci-lint, testify, golang.org/x packages (net, oauth2, sync, sys, term, text, tools), mvdan.cc packages (gofumpt, unparam), protobuf, and gRPC. Numerous indirect transitive dependencies reconciled and version-pinned.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Dependencies requiring compatibility verification: Verify no breaking changes in direct dependencies (spf13 packages, Prometheus, Celestia libraries) and their interactions across three separate modules.
  • Transitive dependency alignment: Validate that indirect dependency versions are compatible and resolve correctly in each module's dependency graph.
  • Cross-module consistency: Ensure versions of shared transitive dependencies are consistent or intentionally different across modules.

Possibly related PRs

  • Release v1.9.0 #1931: Updates dependency versions in the same go.mod files (icq-relayer/go.mod and xcclookup/go.mod), representing concurrent or related dependency modernization efforts.

Suggested labels

dependencies, go

Suggested reviewers

  • faddat
  • ajansari95
  • minhngoc274

Poem

🐰 Hop hop, the versions grow,
From 1.24.5 to 9 we go,
Dependencies dance in harmony,
Prometheus, Spf13, Celestia—so free!
A garden of packages, tidy and bright,
The rabbit approves—all looks right! 🌿✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings, 1 inconclusive)
Description check: ⚠️ Warning. Explanation: The description is largely incomplete, providing only a summary section with a typo ('depdendencies') and missing all required sections including type of change, implementation details, testing information, and checklist. Resolution: Complete the pull request description by filling out all required sections from the template, including type of change, implementation details, testing approach, and the author checklist.
Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check: ❓ Inconclusive. Explanation: The title 'chore: bump deps' is vague and generic, using the non-descriptive abbreviation 'deps' without specifying which dependencies or scope of changes. Resolution: Consider using a more descriptive title like 'chore: bump Go toolchain and dependencies to patch releases' to better communicate the scope of changes.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 88a6ac7 and dc45525.

⛔ Files ignored due to path filters (5)
  • go.sum is excluded by !**/*.sum
  • go.work is excluded by !**/*.work
  • go.work.sum is excluded by !**/*.sum
  • icq-relayer/go.sum is excluded by !**/*.sum
  • xcclookup/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod (6 hunks)
  • icq-relayer/go.mod (8 hunks)
  • xcclookup/go.mod (12 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: joe-bowman
Repo: quicksilver-zone/quicksilver PR: 1821
File: icq-relayer/go.mod:214-214
Timestamp: 2025-02-16T19:50:23.555Z
Learning: The icq-relayer daemon in the Quicksilver project requires using the local version of the quicksilver module (`../`) via the `replace` directive in its go.mod, as it needs to always use the current version from the same repository.

Applied to files:

  • icq-relayer/go.mod
  • go.mod
  • xcclookup/go.mod
📚 Learning: 2025-04-04T13:22:01.808Z
Learnt from: joe-bowman
Repo: quicksilver-zone/quicksilver PR: 1833
File: proto/osmosis/lockup/tx.proto:4-4
Timestamp: 2025-04-04T13:22:01.808Z
Learning: In Cosmos SDK projects using Protocol Buffers, imports like "amino/amino.proto" may be provided through buf's dependency resolution system rather than existing as local files. Static analysis tools may incorrectly flag these as errors, but they are valid imports that will be resolved during compilation.

Applied to files:

  • xcclookup/go.mod
🪛 OSV Scanner (2.2.4)
xcclookup/go.mod

[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: CometBFT allows a malicious peer to make node stuck in blocksync in github.com/cometbft/cometbft

(GO-2025-3442)


[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: CometBFT allows a malicious peer to stall network by disseminating valid-looking block parts in github.com/cometbft/cometbft

(GO-2025-3443)


[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: CometBFT allows a malicious peer to make node stuck in blocksync

(GHSA-22qq-3xwm-r5x4)


[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: ASA-2024-004: Default configuration param for Evidence may limit window of validity

(GHSA-555p-m4v6-cqxv)


[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: CometBFT's invalid BitArray handling can lead to network halt

(GHSA-hrhf-2vcr-ghch)


[HIGH] 13-13: github.com/cometbft/cometbft 0.37.15: CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts

(GHSA-r3r4-g7hq-pq4f)


[HIGH] 16-16: github.com/cosmos/cosmos-sdk 0.47.17: The x/crisis package does not cause chain halt in github.com/cosmos/cosmos-sdk

(GO-2023-1821)


[HIGH] 16-16: github.com/cosmos/cosmos-sdk 0.47.17: The x/crisis package does not charge ConstantFee in github.com/cosmos/cosmos-sdk

(GO-2023-1881)


[HIGH] 16-16: github.com/cosmos/cosmos-sdk 0.47.17: Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt in github.com/cosmos/cosmos-sdk

(GO-2025-3803)


[HIGH] 16-16: github.com/cosmos/cosmos-sdk 0.47.17: Cosmos SDK's Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt

(GHSA-p22h-3m2v-cmgh)


[HIGH] 16-16: github.com/cosmos/cosmos-sdk 0.47.17: github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

(GHSA-w5w5-2882-47pc)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: DevSkim
  • GitHub Check: build quicksilver (darwin, arm64)
  • GitHub Check: build quicksilver (amd64, linux)
  • GitHub Check: build quicksilver (amd64, darwin)
  • GitHub Check: build quicksilver (amd64, windows)
  • GitHub Check: test quicksilver (amd64, linux)
  • GitHub Check: test quicksilver (amd64, windows)
  • GitHub Check: test quicksilver (darwin, arm64)
  • GitHub Check: Analyze
  • GitHub Check: lint
  • GitHub Check: test (1.24.5, ubuntu-latest)
  • GitHub Check: test (1.24.5, macos-latest)
  • GitHub Check: build (1.24.5, ubuntu-latest)
  • GitHub Check: test (1.24.5, macos-latest)
  • GitHub Check: build (1.24.5, macos-latest)
  • GitHub Check: build (1.24.5, ubuntu-latest)
  • GitHub Check: build (1.24.5, macos-latest)
  • GitHub Check: test (1.24.5, macos-latest)
  • GitHub Check: test (1.24.5, ubuntu-latest)
🔇 Additional comments (6)
go.mod (3)

3-3: Go toolchain version bump is clean.

Version upgrade from 1.24.5 to 1.24.9 aligns across all three modules (main, icq-relayer, xcclookup).


10-11: Direct dependency updates align across the repository.

Key upgrades (spf13 packages, Prometheus, Celestia libs, protobuf/gRPC ecosystem) appear coordinated and reasonable. No breaking API changes detected.

Also applies to: 27-28, 30-30, 32-32


1-45: I'll verify the security vulnerability claims by searching for the specific CVEs mentioned in the review comment.

Let me verify the specific cosmos-sdk 0.47.17 vulnerability claims and check the GO advisory references:

Review comment is inaccurate and requires correction.

Based on verification, the review comment contains multiple errors:

  1. GHSA-22qq-3xwm-r5x4 is Medium severity (CVSS 6.9), not HIGH - it involves blocksync disruption from malicious peers, not a critical network halt.

  2. GHSA-555p-m4v6-cqxv is rated as Low severity, not HIGH.

  3. GHSA-p22h-3m2v-cmgh (integer overflow) affects cosmos-sdk versions <= v0.50.13 and <= v0.53.2, which does not include the v0.47.x branch that contains cosmos-sdk 0.47.17.

  4. cosmos-sdk v0.47.17 was confirmed to patch ISA-2025-002 (GHSA-47ww-ff84-4jrg) for the x/group module halt issue.

  5. The GO advisory IDs referenced (GO-2025-3442, GO-2025-3443, GO-2023-1821, GO-2023-1881, GO-2025-3803) could not be verified through public advisory databases.

Recommendation: Remove this review comment. The pinned versions appear to either address the vulnerabilities mentioned or are not affected by them. The severity classifications and CVE references are inaccurate and do not reflect the actual state of cosmos-sdk 0.47.17 and cometbft 0.37.15.

Likely an incorrect or invalid review comment.

icq-relayer/go.mod (1)

3-3: Go version and spf13 ecosystem dependencies updated consistently.

Bump to 1.24.9 and viper/cobra updates align with main module changes.

Also applies to: 18-19

xcclookup/go.mod (2)

3-3: Direct dependencies updated appropriately for xcclookup module.

Go version bump to 1.24.9 and upgrades to golangci-lint (v2.6.1), testify, tools, and gofumpt are all reasonable increments within compatible ranges. No breaking changes expected.

Also applies to: 11-11, 14-14, 16-16, 18-18


21-311: Indirect dependencies synchronized across repository.

Extensive indirect dependency updates (golang toolchain ecosystem, Prometheus, spf13 packages, protobuf/gRPC, observability libs) are consistent with changes in the main go.mod. This coordination across modules is appropriate and helps maintain a coherent dependency graph.


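The OSV Scanner findings above and the follow-up attempt to verify them both reduce to one mechanical question per finding: does the pinned version lie inside the advisory's affected range? The Go program below is an added example, not code from the Quicksilver repository or from CodeRabbit, that answers that question offline. It parses a constructed go.mod excerpt (which reuses the cometbft 0.37.15 and cosmos-sdk 0.47.17 pins flagged above as realistic input), orders module versions the way Go modules do (numeric fields, a pre-release before its release, build metadata and +incompatible ignored), and reports which advisories apply. The advisory IDs and ranges in sampleAdvisories are hypothetical and exist only to exercise the logic; real triage takes the introduced/fixed events from the OSV or GitHub advisory record of each ID listed in the scanner output.

```go
package main

import (
	"cmp"
	"fmt"
	"strings"
)

// Constructed go.mod excerpt for this example (not the PR's real file); it
// reuses the two pins the scanner flagged above as realistic input.
const sampleGoMod = `go 1.24.9

require (
	github.com/cometbft/cometbft v0.37.15
	github.com/cosmos/cosmos-sdk v0.47.17
	github.com/spf13/viper v1.21.0 // indirect
)
`

// advisory mirrors the OSV "introduced"/"fixed" event shape: a version is
// affected when Introduced <= v < Fixed, and an empty Fixed means unpatched.
// The entries below are hypothetical; real ranges come from the real records.
type advisory struct{ ID, Module, Introduced, Fixed string }

var sampleAdvisories = []advisory{
	{"EXAMPLE-0001", "github.com/cometbft/cometbft", "v0.37.0", "v0.37.16"},
	{"EXAMPLE-0002", "github.com/cosmos/cosmos-sdk", "v0.50.0", "v0.50.14"},
	{"EXAMPLE-0003", "github.com/cosmos/cosmos-sdk", "v0.47.0", "v0.47.10"},
	{"EXAMPLE-0004", "github.com/spf13/viper", "v1.0.0", ""},
}

// parseRequires maps module -> pinned version for every line of a require
// block, after dropping trailing comments such as "// indirect".
func parseRequires(src string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(src, "\n") {
		line, _, _ = strings.Cut(line, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// semver is vMAJOR.MINOR.PATCH plus an optional pre-release tag; build
// metadata and the +incompatible suffix never affect ordering and are dropped.
type semver struct {
	nums [3]int
	pre  string
}

// mustSemver parses a go.mod pin; pins are canonical, so a malformed one is a
// hard error rather than something to skip silently.
func mustSemver(v string) semver {
	var s semver
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, s.pre, _ = strings.Cut(v, "-")
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &s.nums[0], &s.nums[1], &s.nums[2]); n != 3 {
		panic("malformed module version " + v)
	}
	return s
}

// compare orders versions numerically, with a pre-release sorting before its
// own release (v0.50.0-rc1 < v0.50.0), so a release candidate of the "fixed"
// version is still reported as affected.
func compare(a, b semver) int {
	for i := range a.nums {
		if c := cmp.Compare(a.nums[i], b.nums[i]); c != 0 {
			return c
		}
	}
	if a.pre == "" || b.pre == "" { // a release ("") outranks any tag
		return strings.Compare(b.pre, a.pre)
	}
	return strings.Compare(a.pre, b.pre) // lexical is enough for rc1 < rc2
}

// triage maps each required module to the IDs of advisories whose range
// contains its pinned version; modules with no hit are omitted.
func triage(goMod string, advs []advisory) map[string][]string {
	reqs, hits := parseRequires(goMod), map[string][]string{}
	for _, adv := range advs {
		pin, ok := reqs[adv.Module]
		if !ok {
			continue
		}
		v := mustSemver(pin)
		if compare(v, mustSemver(adv.Introduced)) < 0 ||
			(adv.Fixed != "" && compare(v, mustSemver(adv.Fixed)) >= 0) {
			continue
		}
		hits[adv.Module] = append(hits[adv.Module], adv.ID)
	}
	return hits
}
```

On the constructed input, triage reports EXAMPLE-0001 for cometbft v0.37.15 (inside [v0.37.0, v0.37.16)) and EXAMPLE-0004 for viper (no fixed version), and nothing for cosmos-sdk v0.47.17, which is below the v0.50.0 introduction of one entry and past the v0.47.10 fix of the other. Doing the comparison explicitly like this, rather than reading "<= v0.50.13" in a summary, is what separates a real hit from a false one. For the real database, `govulncheck ./...` performs the same range check against the Go vulnerability database and, unlike a go.mod scan, reports only vulnerabilities whose affected functions the built code actually reaches.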

@codecov bot commented Nov 6, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.81%. Comparing base (88a6ac7) to head (dc45525).


@@           Coverage Diff           @@
##             main    #2001   +/-   ##
=======================================
  Coverage   58.81%   58.81%           
=======================================
  Files         171      171           
  Lines       12251    12251           
=======================================
  Hits         7205     7205           
  Misses       4275     4275           
  Partials      771      771           
Flag Coverage Δ
unittests 58.81% <ø> (ø)


