chore(test/interchain): upgrade cosmos-sdk and celestia-core versions

[tskoyo]

Updated the dependency versions in the test/interchain module. This resolves build conflicts caused by differing replacement directives for:

• github.com/cosmos/cosmos-sdk
• github.com/tendermint/tendermint

Changes:

• Updated github.com/cosmos/cosmos-sdk to github.com/celestiaorg/cosmos-sdk v1.25.0-sdk-v0.46.16.
• Updated github.com/tendermint/tendermint to github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v1.44.0-tm-v0.34.35.

Tested with make build and make test to ensure compatibility.

[coderabbitai]

Warning

There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure.

🔧 golangci-lint (1.62.2)

level=error msg="Running error: context loading failed: no go files to analyze: running go mod tidy may solve the problem"

📝 Walkthrough

📝 Walkthrough

Walkthrough

The go.mod file for the github.com/celestiaorg/celestia-app/test/interchain module has been updated to reflect several dependency version changes. The Go version remains at 1.23.1. Multiple indirect dependencies have been upgraded to their latest versions, including updates for cloud.google.com/go/compute/metadata, github.com/BurntSushi/toml, and various Prometheus and OpenTelemetry packages. Some older dependencies have been removed and replaced with newer versions, ensuring compatibility with the latest libraries.

Changes

File	Change Summary
test/interchain/go.mod	- Updated cloud.google.com/go/compute/metadata from v0.2.3 to v0.3.0
	- Updated github.com/BurntSushi/toml from v1.3.2 to v1.4.1-0.20240526193622-a339e1f7089c
	- Updated github.com/celestiaorg/nmt from v0.22.0 to v0.22.2
	- Updated github.com/prometheus/client_golang from v1.19.1 to v1.20.3
	- Updated github.com/prometheus/client_model from v0.6.0 to v0.6.1
	- Updated github.com/prometheus/common from v0.53.0 to v0.55.0
	- Updated github.com/prometheus/procfs from v0.12.0 to v0.15.1
	- Updated go.opentelemetry.io/otel and related packages from v1.24.0 to v1.30.0
	- Updated github.com/cosmos/cosmos-sdk from v1.24.0-sdk-v0.46.16 to v1.25.0-sdk-v0.46.16
	- Updated github.com/tendermint/tendermint from v1.40.0-tm-v0.34.29 to v1.44.0-tm-v0.34.35
	- Removed older versions of golang.org/x/crypto, golang.org/x/net, and google.golang.org/grpc

Possibly related PRs

• chore(deps): upgrade to celestia-core v1.37.0-tm-v0.34.29 #3607: This PR updates the go.mod file for github.com/celestiaorg/celestia-app/v2, including a version bump for github.com/celestiaorg/nmt, which is also updated in the main PR.
• chore(deps): upgrade to cosmos-sdk v1.23.0 #3629: This PR updates the go.mod file in test/interchain, including updates to prometheus/client_golang and cosmos/cosmos-sdk, which are also reflected in the main PR.
• chore(deps): upgrade to celestia-core v1.38.0 #3659: This PR updates the go.mod file in test/interchain, specifically updating the github.com/tendermint/tendermint dependency, which is similarly updated in the main PR.
• chore(deps): upgrade to celestia-core v1.44.0 #4059: This PR upgrades the github.com/tendermint/tendermint dependency in go.mod, which aligns with the updates made in the main PR.

Suggested labels

backport:v3.x, testing

Suggested reviewers

• staheri14
• ninabarbakadze
• evan-forbes
• cmwaters
• rootulp

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

📝 Walkthrough

Walkthrough

The go.mod file for the github.com/celestiaorg/celestia-app/test/interchain module has been updated to reflect changes in dependency versions. The Go version remains at 1.23.1, with several indirect dependencies being upgraded to newer versions. Some dependencies were also removed, and the replace section was modified to update specific package versions.

Changes

File	Change Summary
test/interchain/go.mod	- Updated multiple dependencies to newer versions, including:
	- cloud.google.com/go/compute/metadata from v0.2.3 to v0.3.0
	- github.com/BurntSushi/toml from v1.3.2 to v1.4.1-0.20240526193622-a339e1f7089c
	- github.com/celestiaorg/nmt from v0.22.0 to v0.22.2
	- github.com/cespare/xxhash/v2 from v2.2.0 to v2.3.0
	- github.com/go-logr/logr from v1.4.1 to v1.4.2
	- github.com/golang/glog from v1.2.0 to v1.2.1
	- github.com/gorilla/websocket from v1.5.0 to v1.5.3
	- github.com/prometheus/client_golang from v1.19.1 to v1.20.3
	- go.opentelemetry.io/otel from v1.24.0 to v1.30.0
	- golang.org/x/crypto from v0.21.0 to v0.27.0
	- Removed several dependencies, including google.golang.org/appengine and older versions.
	- Updated replace section for github.com/cosmos/cosmos-sdk and github.com/tendermint/tendermint.

Possibly related PRs

• chore(deps): upgrade to celestia-core v1.37.0-tm-v0.34.29 #3607: This PR updates the go.mod file for test/interchain, which includes a version bump for github.com/celestiaorg/nmt, similar to the updates in the main PR.
• chore(deps): upgrade to cosmos-sdk v1.23.0 #3629: The go.mod file in this PR also updates the github.com/cosmos/cosmos-sdk dependency, which is relevant to the changes made in the main PR.
• chore(deps): upgrade to celestia-core v1.38.0 #3659: This PR updates the github.com/tendermint/tendermint dependency in the test/interchain/go.mod, which aligns with the updates in the main PR.
• chore(deps): upgrade to celestia-core v1.44.0 #4059: This PR involves an upgrade to github.com/tendermint/tendermint in the go.mod file, which is related to the dependency updates in the main PR.

Suggested labels

backport:v3.x

Suggested reviewers

• staheri14
• ninabarbakadze
• evan-forbes
• cmwaters

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 61aa46b and 66c54e8.

⛔ Files ignored due to path filters (1)

• test/interchain/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• test/interchain/go.mod (9 hunks)

🔇 Additional comments (4)

test/interchain/go.mod (4)

Line range hint 1-11: LGTM: Direct dependencies are appropriate for testing

The module configuration and direct dependencies are well-structured and aligned with the testing requirements.

---

227-232: LGTM: Celestia-specific replacements align with PR objectives

The updates to cosmos-sdk and tendermint versions match the PR objectives:

- github.com/cosmos/cosmos-sdk => github.com/celestiaorg/cosmos-sdk v1.24.0-sdk-v0.46.16
+ github.com/cosmos/cosmos-sdk => github.com/celestiaorg/cosmos-sdk v1.25.0-sdk-v0.46.16
- github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v0.34.29
+ github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v1.44.0-tm-v0.34.35

---

Line range hint 219-225: Verify interchaintest replacement compatibility

The replacement of interchaintest with a forked version needs verification:

- github.com/strangelove-ventures/interchaintest/v6 => github.com/rootulp/interchaintest/v6 v6.1.0

This is noted as temporary until PR #1051 is merged.

---

Line range hint 12-216: Verify compatibility with major version updates

Several dependencies have significant version updates. While these updates are generally good for security and features, please ensure compatibility, particularly for:

• cloud.google.com/go/compute/metadata v0.2.3 → v0.3.0
• github.com/prometheus/* packages with major version bumps
• go.opentelemetry.io/otel v1.24.0 → v1.30.0

✅ Verification successful

Dependency updates appear safe to proceed

The version updates are minor and patch releases that maintain backward compatibility:

• Prometheus client libraries (v1.19.1 → v1.20.3): Minor version bump with no direct usage in the codebase
• OpenTelemetry (v1.24.0 → v1.30.0): Patch version changes within the same major version
• No direct usage of these libraries was found in the codebase
• No conflicting replace directives exist for these packages

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in major version updates

# Check if the updated versions have any known compatibility issues
echo "Checking prometheus/client_golang compatibility..."
gh api repos/prometheus/client_golang/releases/tags/v1.20.3 | jq -r '.body' | grep -i "breaking"

echo "Checking opentelemetry-go compatibility..."
gh api repos/open-telemetry/opentelemetry-go/releases/tags/v1.30.0 | jq -r '.body' | grep -i "breaking"

Length of output: 402

---

Script:

#!/bin/bash
# Let's try a different approach to check for potential breaking changes
# by examining the go.mod changes and dependency usage

# Find all Go files that might use these dependencies
echo "Files using prometheus/client_golang:"
rg --type go "github.com/prometheus/client_golang" -l

echo -e "\nFiles using opentelemetry:"
rg --type go "go.opentelemetry.io/otel" -l

echo -e "\nChecking go.mod history for these dependencies:"
git diff HEAD~1 test/interchain/go.mod | grep -E "github.com/prometheus/|opentelemetry"

# Check if there are any replace directives for these packages
echo -e "\nChecking replace directives:"
grep -A 5 "^replace" test/interchain/go.mod

Length of output: 2463

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[rootulp]

Thanks for the PR

[rootulp]

this version number looks suspect so I looked into why

$ go mod why github.com/BurntSushi/toml
go: downloading github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5
go: downloading github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b
# github.com/BurntSushi/toml
github.com/celestiaorg/celestia-app/test/interchain/chainspec
github.com/strangelove-ventures/interchaintest/v6/testutil
github.com/BurntSushi/toml

https://github.com/strangelove-ventures/interchaintest/blob/8f0bb15278f0d3ac33dba9e330e50b5319ab2bc2/go.mod#L19

and then I tried the bumping the versions used in the replace directive and ran go mod tidy and got the same result so seems fine

[ninabarbakadze]

thanks! could you please resolve conflicts and i'll reapprove!

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 66c54e8 and 1526f8f.

⛔ Files ignored due to path filters (1)

• test/interchain/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• test/interchain/go.mod (10 hunks)

🔇 Additional comments (1)

test/interchain/go.mod (1)

227-227: Version updates align with PR objectives

The replace directives have been updated to use:

• github.com/celestiaorg/cosmos-sdk v1.25.0-sdk-v0.46.16
• github.com/celestiaorg/celestia-core v1.44.0-tm-v0.34.35

These updates align with the PR's objective to resolve build conflicts from differing replacement directives.

Let's verify these are the latest compatible versions:

Also applies to: 232-232

✅ Verification successful

Versions are up-to-date with the latest compatible releases

The replace directives in the PR are using the most recent compatible versions:

• v1.25.0-sdk-v0.46.16 is the latest release of celestiaorg/cosmos-sdk for the v0.46.x series
• v1.44.0-tm-v0.34.35 is the latest release of celestiaorg/celestia-core for the v0.34.x series

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the latest compatible versions

# Check latest cosmos-sdk releases from celestiaorg fork
gh api repos/celestiaorg/cosmos-sdk/releases --jq '.[].tag_name | select(contains("sdk-v0.46"))' | head -n 5

# Check latest celestia-core releases
gh api repos/celestiaorg/celestia-core/releases --jq '.[].tag_name | select(contains("tm-v0.34"))' | head -n 5

Length of output: 432

[coderabbitai]

💡 Codebase verification

Update monitoring dependencies to latest stable versions

The current versions in the go.mod file are behind the latest stable releases:

• prometheus/client_golang: v1.20.3 (latest: v1.20.5)
• opentelemetry-go: v1.30.0 (latest: v1.33.0)

Consider updating these dependencies to their latest stable versions for improved monitoring capabilities and security fixes.

🔗 Analysis chain

Monitoring tools have been significantly updated

The Prometheus and OpenTelemetry dependencies have been updated to their latest versions. These updates typically include performance improvements and bug fixes for monitoring capabilities.

Let's verify if these versions are the latest stable releases:

Also applies to: 177-179

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the latest stable versions of monitoring tools

# Check latest Prometheus client releases
gh api repos/prometheus/client_golang/releases/latest --jq .tag_name

# Check latest OpenTelemetry releases
gh api repos/open-telemetry/opentelemetry-go/releases/latest --jq .tag_name

Length of output: 164

[coderabbitai]

💡 Codebase verification

Security vulnerabilities found in dependencies - Action Required

Critical security issues detected in current dependency versions:

• Docker v24.0.1 is vulnerable to "Authz zero length regression" (Critical severity, published July 2024)

  • Affects versions >= 24.0.0, < 25.0.6
  • Update to at least version 25.0.6 recommended

• btcd/btcec v2.3.4 appears to be safe from the latest known vulnerabilities, as the reported issues affect earlier versions

Actions needed:

• Update docker dependency to a version >= 25.0.6 to address the critical vulnerability
• Review the docker version override in the replace directive

🔗 Analysis chain

Verify security implications of dependency updates

Several security-sensitive packages have been updated:

• Crypto packages (btcd/btcec)
• Docker-related packages
• Core dependencies (cosmos-sdk, tendermint)

Please ensure these versions have been properly vetted for security vulnerabilities.

Let's check for known vulnerabilities:

Also applies to: 229-229, 230-230

---

Let me check the specific version being used in the go.mod file to compare against these vulnerabilities.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for known vulnerabilities in updated dependencies

# Check for security advisories for btcd
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/btcsuite/btcd") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
    }
  }
}'

# Check for security advisories for docker
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/docker/docker") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
    }
  }
}'

Length of output: 1929

---

Script:

#!/bin/bash
# Get the exact version of btcd/btcec being used
cat test/interchain/go.mod | grep "btcd/btcec"

# Check if there are any other docker-related dependencies
cat test/interchain/go.mod | grep "docker"

Length of output: 441

[tskoyo]

Is this something to be concerned about?

[rootulp]

hmm I think we can upgrade the docker version in a separate PR so it shouldn't block this PR.

[tskoyo]

thanks! could you please resolve conflicts and i'll reapprove!

done!

[rootulp]

Thanks for the PR!

[ninabarbakadze]

thanks!

[gitpoap-bot]

Congrats, your important contribution to this open-source project has earned you a GitPOAP!

GitPOAP: 2024 Celestia Contributor:

Head to gitpoap.io & connect your GitHub account to mint!

Learn more about GitPOAPs here.