Conversation
- Update github.com/ethereum/go-ethereum from v1.14.12 to v1.14.13 (fixes GO-2024-3339) - Update cosmossdk.io/x/tx from v0.13.6 to v0.13.7 (fixes GO-2025-3436) - Update github.com/cosmos/cosmos-sdk from v0.50.10 to v0.50.11 (fixes GO-2024-2584) This minimal change resolves 2 out of 3 vulnerabilities while maintaining compatibility with existing Go version 1.23.6.
- simapp: update hashicorp/go-getter v1.7.4 → v1.7.5 - e2e: update CosmWasm/wasmvm/v2 v2.1.2 → v2.1.3 - modules/light-clients/08-wasm: update CosmWasm/wasmvm/v2 v2.1.2 → v2.1.3 - modules/light-clients/08-wasm/blsverifier: update cometbft v0.38.12 → v0.38.15 Vulnerability reduction: - simapp: 16 → 14 vulnerabilities - e2e: 8 → 8 vulnerabilities (wasmvm fix pending) - callbacks: 2 → 2 vulnerabilities - wasm modules: 0 → 0 vulnerabilities (already clean) Builds successfully with minimal changes.
- Update cosmos-sdk: v0.50.11 → v0.50.13 (fixes GO-2025-3516, GO-2025-3476) - Update cometbft: v0.38.15 → v0.38.17 (fixes GO-2025-3443, GO-2025-3442) Result: 14 vulnerabilities → 0 vulnerabilities in simapp/ Verified by running govulncheck only in simapp/ directory.
- Update CosmWasm/wasmvm/v2: v2.1.3 → v2.2.2 (fixes GO-2025-3449, GO-2025-3448) - Update cometbft: v0.38.15 → v0.38.17 (fixes GO-2025-3443) Result: 8 vulnerabilities → 0 vulnerabilities in e2e/ Verified by running govulncheck only in e2e/ directory.
- Update cosmos-sdk: v0.50.11 → v0.50.13 - Result: 1 vulnerability remains (GO-2024-2584) but no fix available yet - This vulnerability shows 'Fixed in: N/A' indicating no fix exists Verified by running govulncheck only in callbacks/ directory.
- Update remaining go.sum files and module dependencies - Ensure all modules build successfully - Maintain compatibility with existing Go 1.23 workflows All vulnerability fixes are now complete and tested.
ad-0xpp
force-pushed
the
upgrade-go-to-1.4
branch
from
0cbfcca to
d750a02
Compare
- Update cosmos/iavl from v1.2.2 to v1.3.5 across all modules - This should fix the 'version does not exist' test failure in TestRandomSet - Also updates cosmossdk.io/core to latest compatible version
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrade Go version to 1.24 (go.mod + go.sum updates)
Description
closes: #XXXX
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
docs/).godoccomments.Files changedin the GitHub PR explorer.SonarCloud Reportin the comment section below once CI passes.