update cometbft to v0.37.18 #2776

Closed

gsk967 wants to merge 1 commit into main from sai/update_cometbft_v0.37.18

Conversation

gsk967 (Collaborator) commented Jan 30, 2026

Description

update cometbft to v0.37.18


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • added appropriate labels to the PR
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

Summary by CodeRabbit

  • Chores
    • Updated core and supporting dependencies to latest stable versions, including CometBFT (v0.37.18), Go experimental libraries, and cryptographic components. These updates include performance improvements and maintenance patches to ensure system stability and security.

@gsk967 gsk967 requested a review from a team as a code owner January 30, 2026 11:08
coderabbitai Bot (Contributor) commented Jan 30, 2026

Walkthrough

This pull request updates four Go module dependencies in go.mod: CometBFT is bumped from v0.37.13 to v0.37.18, golang.org/x/exp is updated to a newer version, and two indirect dependencies (creachadair/taskgroup and decred/dcrd secp256k1) are incremented to newer patch versions.

Changes

Cohort / File(s): Go Module Dependencies (go.mod)
Summary: Updated four dependencies: CometBFT (v0.37.13 → v0.37.18), golang.org/x/exp, creachadair/taskgroup (v0.10.0 → v0.13.0), and decred/dcrd secp256k1 (v4.1.0 → v4.3.0).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

T:Dependencies, A:Automerge

Suggested reviewers

  • abdulgig

Poem

🐰 Hop hop, the versions grow tall,
Four deps march down the digital hall,
CometBFT shines, secp256k1 too,
A careful bump to keep things new! ✨

🚥 Pre-merge checks | ✅ 3 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'update cometbft to v0.37.18' directly and specifically describes the main change in the pull request, which is updating the cometbft dependency from v0.37.13 to v0.37.18.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 14: Update the CometBFT dependency from v0.37.18 to v0.38.17 in go.mod
and adjust your chain consensus evidence settings: locate where consensus
parameters are initialized (e.g., ConsensusParams or EvidenceParams) and set
EvidenceParams.MaxAgeDuration to a value greater than your chain's unbonding
period and EvidenceParams.MaxAgeNumBlocks to a value greater than the number of
blocks expected during unbonding; ensure imports and any API changes between
cometbft v0.37.x and v0.38.x are addressed after the upgrade.

Comment thread go.mod
github.com/CosmWasm/wasmd v0.45.0
github.com/CosmWasm/wasmvm v1.5.9
github.com/cometbft/cometbft v0.37.13
github.com/cometbft/cometbft v0.37.18
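Review bot: this bump keeps CometBFT on the 0.37.x line (v0.37.13 → v0.37.18), but the Dependency Review result quoted in this thread reports two advisories (GHSA-r3r4-g7hq-pq4f, GHSA-22qq-3xwm-r5x4) whose fixed version is v0.38.17, so the hunk as written will not clear that check. Either the bump should target v0.38.17, in which case the adjacent `github.com/CosmWasm/wasmd v0.45.0` and `wasmvm v1.5.9` pins need to be confirmed compatible with a 0.38.x CometBFT and the v0.37 → v0.38 API changes handled, or the PR description should record why the 0.37.x line is retained and how the findings are dispositioned. For the third finding (GHSA-555p-m4v6-cqxv / ASA-2024-004), which has no code fix, a line in the description stating that the chain's EvidenceParams.MaxAgeDuration and MaxAgeNumBlocks exceed its unbonding window would let a reviewer close it without a version change.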

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GHSA-r3r4-g7hq-pq4f CometBFT security advisory fixed version

💡 Result:

GHSA-r3r4-g7hq-pq4f (CometBFT) is fixed in:

  • v0.38.17 (for the 0.38.x line) [1][2]
  • v1.0.1 (for the 1.0.x line; affected from v1.0.0-alpha.1 up to but not including v1.0.1) [1][2]

Sources: [1] Go vulnerability report (GO-2025-3443) / pkg.go.dev, [2] GitLab Advisory Database.


🌐 Web query:

GHSA-22qq-3xwm-r5x4 CometBFT security advisory fixed version

💡 Result:

GHSA-22qq-3xwm-r5x4 (CometBFT) is fixed in:

  • CometBFT v0.38.x: upgrade to v0.38.17 or later. [1]
  • CometBFT v1.0.x (internal/blocksync module line): upgrade to v1.0.1 or later. [1][2]

🌐 Web query:

GHSA-555p-m4v6-cqxv CometBFT security advisory fixed version

💡 Result:

GHSA-555p-m4v6-cqxv (CometBFT) has no fixed/patched release version (“Patched versions: None.”). Affected versions are CometBFT <= 0.38.5. Mitigation is to adjust the chain’s consensus parameters (EvidenceParams.MaxAgeNumBlocks / EvidenceParams.MaxAgeDuration) rather than upgrading to a specific CometBFT release. [1], [2]

Sources: [1] GitHub Advisory Database (GHSA-555p-m4v6-cqxv) [2] GitLab Advisory Database (GHSA-555p-m4v6-cqxv)


🌐 Web query:

CometBFT v0.37.18 security advisories ASA-2024-004

💡 Result:

ASA-2024-004 (GHSA-555p-m4v6-cqxv) for CometBFT is a low-criticality “insecure default” advisory: CometBFT’s default evidence parameters may be too small for many chains, so evidence can expire before the chain’s full unbonding period, which in turn can prevent slashing in certain cases (i.e., Byzantine behavior might go unpunished if evidence is discovered after the evidence window). [1][2]

Does it affect CometBFT v0.37.18? Yes—this advisory is marked as affecting all versions (and at least through 0.38.5 in the advisory databases), which includes v0.37.18. [1][2]

Mitigation / what to do

  • Set consensus parameters to cover (exceed) your chain’s unbonding window:
    • EvidenceParams.MaxAgeDuration > Staking.UnbondingTime
    • EvidenceParams.MaxAgeNumBlocks > expected number of blocks produced during the unbonding period [1][2]

Notes

  • This is not described as a code patch / CVE-style remote exploit; it’s primarily about chain configuration needing to be set appropriately. [1][2]

Sources: [1] OSV entry for GHSA-555p-m4v6-cqxv (ASA-2024-004) [2] GitLab Advisory Database entry for GHSA-555p-m4v6-cqxv


Upgrade CometBFT to v0.38.17 and configure evidence parameters.

Dependency Review is failing with three CometBFT advisories that v0.37.18 does not resolve. Two (GHSA-r3r4-g7hq-pq4f and GHSA-22qq-3xwm-r5x4) are fixed in v0.38.17+. The third (GHSA-555p-m4v6-cqxv / ASA-2024-004) has no code patch and instead requires adjusting consensus parameters: set EvidenceParams.MaxAgeDuration to exceed your chain's unbonding time and EvidenceParams.MaxAgeNumBlocks to exceed the expected block count during unbonding. Upgrade to v0.38.17 and apply these configuration changes so CI passes.

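The ASA-2024-004 mitigation the review thread describes (MaxAgeDuration above the chain's unbonding time, MaxAgeNumBlocks above the number of blocks produced in that window) is a pair of inequalities that can be checked mechanically before a chain upgrade rather than by eye. The Go program below is an added example and is not code from this PR, from the repository, or from CometBFT: it mirrors the two EvidenceParams fields in a local struct so it builds without the CometBFT module, starts from the values CometBFT's DefaultEvidenceParams ships (100000 blocks, 48h), and uses a constructed chain profile of a 21-day unbonding period with 6-second blocks. The 1.5x headroom in RecommendedEvidenceParams is a policy choice made for this example, not a figure from the advisory.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// EvidenceParams is a local mirror of the two CometBFT EvidenceParams fields
// named in the advisory. It is copied here so the example builds without the
// CometBFT module; the real type is types.EvidenceParams in CometBFT.
type EvidenceParams struct {
	MaxAgeNumBlocks int64
	MaxAgeDuration  time.Duration
}

// DefaultEvidenceParams returns the values CometBFT ships by default
// (100000 blocks, 48 hours): exactly the values ASA-2024-004 warns may be
// too small for a chain whose unbonding period is longer than two days.
func DefaultEvidenceParams() EvidenceParams {
	return EvidenceParams{MaxAgeNumBlocks: 100000, MaxAgeDuration: 48 * time.Hour}
}

// ChainProfile carries the chain-specific inputs the mitigation depends on:
// the staking unbonding time and the observed average block interval.
type ChainProfile struct {
	UnbondingTime time.Duration
	AvgBlockTime  time.Duration
}

// ExpectedUnbondingBlocks estimates how many blocks are produced during one
// unbonding period, rounding up so a fast chain is never under-estimated.
// A non-positive input yields 0 so the caller can reject the profile.
func ExpectedUnbondingBlocks(c ChainProfile) int64 {
	if c.AvgBlockTime <= 0 || c.UnbondingTime <= 0 {
		return 0
	}
	n := int64(c.UnbondingTime / c.AvgBlockTime)
	if c.UnbondingTime%c.AvgBlockTime != 0 {
		n++
	}
	return n
}

// CheckEvidenceParams returns one message per violated condition, or an
// empty slice when the evidence window exceeds the unbonding window both in
// wall-clock time and in block count (the two conditions from ASA-2024-004).
func CheckEvidenceParams(p EvidenceParams, c ChainProfile) []string {
	if c.UnbondingTime <= 0 || c.AvgBlockTime <= 0 {
		return []string{"chain profile needs a positive unbonding time and block time"}
	}
	var problems []string
	if p.MaxAgeDuration <= c.UnbondingTime {
		problems = append(problems, fmt.Sprintf(
			"MaxAgeDuration %s must exceed the unbonding time %s", p.MaxAgeDuration, c.UnbondingTime))
	}
	if want := ExpectedUnbondingBlocks(c); p.MaxAgeNumBlocks <= want {
		problems = append(problems, fmt.Sprintf(
			"MaxAgeNumBlocks %d must exceed the ~%d blocks produced during unbonding", p.MaxAgeNumBlocks, want))
	}
	return problems
}

// RecommendedEvidenceParams derives parameters that satisfy both conditions.
// margin (e.g. 1.5 for 50% headroom) is a policy choice made for this
// example, not a value from the advisory; it absorbs block-time drift.
// The +1 block and +1s keep the result strictly greater even at margin 1.
func RecommendedEvidenceParams(c ChainProfile, margin float64) EvidenceParams {
	if margin < 1 {
		margin = 1
	}
	blocks := int64(math.Ceil(float64(ExpectedUnbondingBlocks(c)) * margin))
	return EvidenceParams{
		MaxAgeNumBlocks: blocks + 1,
		MaxAgeDuration:  time.Duration(float64(c.UnbondingTime)*margin) + time.Second,
	}
}

func main() {
	// Constructed profile: a 21-day unbonding period with ~6s blocks.
	chain := ChainProfile{UnbondingTime: 21 * 24 * time.Hour, AvgBlockTime: 6 * time.Second}
	for _, p := range CheckEvidenceParams(DefaultEvidenceParams(), chain) {
		fmt.Println("default params:", p)
	}
	rec := RecommendedEvidenceParams(chain, 1.5)
	fmt.Printf("recommended: MaxAgeNumBlocks=%d MaxAgeDuration=%s\n", rec.MaxAgeNumBlocks, rec.MaxAgeDuration)
}
```

Run against the constructed profile, the shipped defaults fail both conditions (48h against a 21-day unbonding time, and 100000 blocks against roughly 302400 expected), which is the "insecure default" the advisory describes; the derived values pass. The same check belongs in a genesis or upgrade-handler test so a later change to the unbonding time or block speed cannot silently reopen the gap.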

codecov Bot commented Jan 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.47%. Comparing base (7f05ad4) to head (1ce786f).
⚠️ Report is 603 commits behind head on main.

❌ Your project status has failed because the head coverage (62.47%) is below the target coverage (65.50%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2776       +/-   ##
===========================================
- Coverage   75.38%   62.47%   -12.92%     
===========================================
  Files         100      275      +175     
  Lines        8025    16069     +8044     
===========================================
+ Hits         6050    10039     +3989     
- Misses       1589     5252     +3663     
- Partials      386      778      +392     

see 240 files with indirect coverage changes

stale Bot commented Mar 1, 2026

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale Bot added the S:Stale label Mar 1, 2026
@stale stale Bot closed this Mar 8, 2026