upgrade cosmos-sdk and cometbft for security patch GHSA-hrhf-2vcr-ghch #3148

Merged: tqin7 merged 2 commits into main from tq/security-patch-GHSA-hrhf-2vcr-ghch on Oct 14, 2025

Conversation

tqin7 (Contributor) commented Oct 14, 2025

Changelist

See dydxprotocol/cometbft#52

Test Plan

[Describe how this PR was tested (if applicable)]

Author/Reviewer Checklist

  • If this PR has changes that result in a different app state given the same prior state and transaction list, manually add the state-breaking label.
  • If the PR has breaking postgres changes to the indexer add the indexer-postgres-breaking label.
  • If this PR isn't state-breaking but has changes that modify behavior in PrepareProposal or ProcessProposal, manually add the label proposal-breaking.
  • If this PR is one of many that implement a specific feature, manually label them all feature:[feature-name].
  • If you wish for mergify-bot to automatically create a PR to backport your change to a release branch, manually add the label backport/[branch-name].
  • Manually add any of the following labels: refactor, chore, bug.

Summary by CodeRabbit

  • Chores
    • Updated internal dependency references to newer revisions.
    • No changes to public APIs or exported interfaces.
    • No user-facing behavior changes; potential behind-the-scenes stability or performance improvements.

coderabbitai bot (Contributor) commented Oct 14, 2025

Walkthrough

Updated protocol/go.mod replace directives to point the dydxprotocol forks of github.com/cometbft/cometbft and github.com/cosmos/cosmos-sdk at newer commit-based revisions. No other files or exported API declarations were changed.

Changes

Cohort: Dependency replace updates
File(s): protocol/go.mod
Summary: Updated replace directives for forks: github.com/cometbft/cometbft bumped from a 2025-09 commit revision to a 2025-10-14 commit revision (v0.38.6-0.2025101420...), and github.com/cosmos/cosmos-sdk bumped to a 2025-10-14 commit revision (v0.50.6-0.2025101421...). No other require/replace entries modified.

Sequence Diagram(s)

Not applicable.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • teddyding
  • roy-dydx
  • vincentwschau

Poem

I’m a rabbit in the code-lined glen,
I nudged two commits, then hopped again.
New hashes set, the build hums light,
Small changes made before the night.
Thump-thump, I cheer — deps tucked tight. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Description Check (⚠️ Warning). Explanation: The pull request description includes the required template sections but fails to detail the actual changes in the Changelist, instead pointing to an external PR, and leaves the Test Plan section as a placeholder without describing any testing. The Author/Reviewer Checklist is present but no labels have been applied to reflect the nature of the changes. Consequently, the description does not satisfy the repository's template requirements. Resolution: Please expand the Changelist section to enumerate the specific modifications introduced by this PR and fill in the Test Plan section with concrete steps or results of testing. Also update the Author/Reviewer Checklist by checking or adding any relevant labels (state-breaking, indexer-postgres-breaking, proposal-breaking, feature, backport, refactor, chore, bug) to accurately classify the changes.
✅ Passed checks (2 passed)
  • Title Check (✅ Passed). Explanation: The title clearly and concisely summarizes the main change by indicating that both cosmos-sdk and cometbft are being upgraded to address the specific security patch GHSA-hrhf-2vcr-ghch, which aligns directly with the modifications in the go.mod file. It is focused, descriptive, and allows a reader to understand the primary intent of the pull request at a glance.
  • Docstring Coverage (✅ Passed). Explanation: No functions found in the changes. Docstring coverage check skipped.
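A pin-freshness check for the go.mod replace bump summarised in the walkthrough above, added here as an example and not part of the PR or the dydxprotocol codebase: it parses the replace directives, requires each fork pin to be a commit pseudo-version rather than a tag, and flags any pin whose commit timestamp predates the patch date. The go.mod excerpt, its timestamps and the all-zero commit hashes are constructed placeholders, not the PR's actual values.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// Constructed go.mod replace block, not the project's file; timestamps and all-zero hashes are placeholders.
const sampleGoMod = `replace (
	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20251014000000-000000000000
	github.com/cosmos/cosmos-sdk => github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20250901000000-000000000000
)`

// pseudoVersion captures the yyyymmddhhmmss timestamp of a commit pseudo-version.
var pseudoVersion = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[\w.]+\.)?0\.(\d{14})-[0-9a-f]{12}$`)

// replacedModules maps each replaced module path to its version ("old => new version" lines only).
func replacedModules(goMod string) map[string]string {
	pins := map[string]string{}
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "replace "))
		if len(f) == 4 && f[1] == "=>" { // directory replacements have no version and are skipped
			pins[f[0]] = f[3]
		}
	}
	return pins
}

// stalePins flags modules that are unpinned, pinned to a tag rather than a commit, or pinned before minDate.
func stalePins(goMod string, modules []string, minDate time.Time) []string {
	pins := replacedModules(goMod)
	var stale []string
	for _, m := range modules {
		v := pins[m] // "" when m has no replace directive
		switch match := pseudoVersion.FindStringSubmatch(v); {
		case v == "":
			stale = append(stale, m+": no replace directive")
		case match == nil:
			stale = append(stale, m+": not a commit pseudo-version: "+v)
		default:
			ts, _ := time.Parse("20060102150405", match[1]) // 14 digits guaranteed by the regex
			if ts.Before(minDate) {
				stale = append(stale, m+": "+v+" predates "+minDate.Format("2006-01-02"))
			}
		}
	}
	return stale
}
```

Run stalePins over the real protocol/go.mod with the patch commit date as minDate in CI to catch a backport or revert that silently moves a fork pin back to a pre-patch commit.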

@tqin7 tqin7 changed the title upgrade cometbft for security patch GHSA-hrhf-2vcr-ghch upgrade cosmos-sdk and cometbft for security patch GHSA-hrhf-2vcr-ghch Oct 14, 2025
@tqin7 tqin7 merged commit fb3838a into main Oct 14, 2025
37 of 38 checks passed
@tqin7 tqin7 deleted the tq/security-patch-GHSA-hrhf-2vcr-ghch branch October 14, 2025 22:42
tqin7 (Contributor, Author) commented Oct 14, 2025

@Mergifyio backport release/protocol/v9.x

mergify bot (Contributor) commented Oct 14, 2025

backport release/protocol/v9.x

✅ Backports have been created
