Conversation

@tinyfoxy tinyfoxy commented Mar 12, 2025

Description

there is an issue about golang.org/x/crypto:
https://ossindex.sonatype.org/vulnerability/CVE-2025-22869?component-type=golang&component-name=golang.org%2Fx%2Fcrypto&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.46

Summary by CodeRabbit

  • Chores
    • Upgraded several underlying dependencies to their latest stable versions for improved stability, performance, and security.

coderabbitai bot commented Mar 12, 2025

📝 Walkthrough

Walkthrough

The changes update several dependency versions in the project's go.mod files across multiple modules. The version numbers for key libraries such as golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been increased to more recent releases. These modifications are confined to dependency version updates without altering public APIs or introducing new functionalities.

Changes

File: go.mod, client/v2/go.mod, server/v2/cometbft/go.mod, simapp/v2/go.mod, tests/go.mod, tools/benchmark/go.mod, x/accounts/defaults/base/go.mod, x/accounts/defaults/lockup/go.mod, x/accounts/defaults/multisig/go.mod, x/accounts/go.mod, x/authz/go.mod, x/bank/go.mod, x/circuit/go.mod, x/consensus/go.mod, x/distribution/go.mod, x/epochs/go.mod, x/evidence/go.mod, x/feegrant/go.mod, x/gov/go.mod, x/group/go.mod, x/mint/go.mod, x/nft/go.mod, x/protocolpool/go.mod, x/slashing/go.mod, x/staking/go.mod, x/upgrade/go.mod
Change Summary: Updated dependency versions:
- golang.org/x/crypto: v0.32.0 → v0.36.0
- golang.org/x/sync: v0.10.0 → v0.12.0
- golang.org/x/sys: v0.29.0 → v0.31.0
- golang.org/x/term: v0.28.0 → v0.30.0
- golang.org/x/text: v0.21.0 → v0.23.0

Possibly related PRs

  • build(deps): bump cometbft to v1.0.0-rc2 #22577: The changes in the main PR and the retrieved PR are related as both involve updates to the go.mod file, specifically upgrading the version of golang.org/x/crypto and other dependencies, indicating a direct connection in dependency management.

Suggested labels

C:x/upgrade

Suggested reviewers

  • JulianToledano
  • kocubinski
  • facundomedica
  • tac0turtle
  • sontrinh16

Warning

There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure.

🔧 golangci-lint (1.62.2)

level=warning msg="[runner] Can't run linter goanalysis_metalinter: buildir: failed to load package sqlite3: could not load export data: no export data for "github.com/bvinc/go-sqlite-lite/sqlite3""
level=error msg="Running error: can't run linter goanalysis_metalinter\nbuildir: failed to load package sqlite3: could not load export data: no export data for "github.com/bvinc/go-sqlite-lite/sqlite3""


📜 Recent review details

Configuration used: .coderabbit.yml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0597cf and 5fe51e9.

⛔ Files ignored due to path filters (26)
  • client/v2/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • server/v2/cometbft/go.sum is excluded by !**/*.sum
  • simapp/v2/go.sum is excluded by !**/*.sum
  • tests/go.sum is excluded by !**/*.sum
  • tools/benchmark/go.sum is excluded by !**/*.sum
  • x/accounts/defaults/base/go.sum is excluded by !**/*.sum
  • x/accounts/defaults/lockup/go.sum is excluded by !**/*.sum
  • x/accounts/defaults/multisig/go.sum is excluded by !**/*.sum
  • x/accounts/go.sum is excluded by !**/*.sum
  • x/authz/go.sum is excluded by !**/*.sum
  • x/bank/go.sum is excluded by !**/*.sum
  • x/circuit/go.sum is excluded by !**/*.sum
  • x/consensus/go.sum is excluded by !**/*.sum
  • x/distribution/go.sum is excluded by !**/*.sum
  • x/epochs/go.sum is excluded by !**/*.sum
  • x/evidence/go.sum is excluded by !**/*.sum
  • x/feegrant/go.sum is excluded by !**/*.sum
  • x/gov/go.sum is excluded by !**/*.sum
  • x/group/go.sum is excluded by !**/*.sum
  • x/mint/go.sum is excluded by !**/*.sum
  • x/nft/go.sum is excluded by !**/*.sum
  • x/protocolpool/go.sum is excluded by !**/*.sum
  • x/slashing/go.sum is excluded by !**/*.sum
  • x/staking/go.sum is excluded by !**/*.sum
  • x/upgrade/go.sum is excluded by !**/*.sum
📒 Files selected for processing (26)
  • client/v2/go.mod (1 hunks)
  • go.mod (2 hunks)
  • server/v2/cometbft/go.mod (1 hunks)
  • simapp/v2/go.mod (1 hunks)
  • tests/go.mod (1 hunks)
  • tools/benchmark/go.mod (1 hunks)
  • x/accounts/defaults/base/go.mod (1 hunks)
  • x/accounts/defaults/lockup/go.mod (1 hunks)
  • x/accounts/defaults/multisig/go.mod (1 hunks)
  • x/accounts/go.mod (1 hunks)
  • x/authz/go.mod (1 hunks)
  • x/bank/go.mod (1 hunks)
  • x/circuit/go.mod (1 hunks)
  • x/consensus/go.mod (1 hunks)
  • x/distribution/go.mod (1 hunks)
  • x/epochs/go.mod (1 hunks)
  • x/evidence/go.mod (1 hunks)
  • x/feegrant/go.mod (1 hunks)
  • x/gov/go.mod (1 hunks)
  • x/group/go.mod (1 hunks)
  • x/mint/go.mod (1 hunks)
  • x/nft/go.mod (1 hunks)
  • x/protocolpool/go.mod (1 hunks)
  • x/slashing/go.mod (1 hunks)
  • x/staking/go.mod (1 hunks)
  • x/upgrade/go.mod (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod
🧰 Additional context used
📓 Path-based instructions (1)
tests/**/*: "Assess the integration and e2e test code assessing sufficient code coverage for the changes associated in the pull request"

  • tests/go.mod
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: tests (00)
  • GitHub Check: test-system-v2
  • GitHub Check: Summary
🔇 Additional comments (29)
x/mint/go.mod (2)

132-132: Update golang.org/x/crypto to v0.36.0.
This update directly addresses CVE-2025-22869 by bumping the vulnerable version from v0.32.0 to v0.36.0. Please verify that any consumers of this dependency in the module are compatible with the changes introduced in the new version.


136-139: Update related golang.org/x dependencies.
The versions of golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated, which helps maintain consistency across modules and ensures that bug fixes and improvements from upstream are incorporated. Confirm that these updated versions are compatible with the rest of the codebase.

client/v2/go.mod (2)

150-150: Bump golang.org/x/crypto to v0.36.0.
As with other modules, this change mitigates CVE-2025-22869 by updating the dependency from v0.32.0 to v0.36.0. Make sure that any direct usages or transitive dependencies are still resolved correctly.


154-157: Upgrade additional golang.org/x dependencies.
The updates to golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text bring these libraries to their latest recommended versions. It’s advisable to run integration tests to ensure that these upgrades do not introduce any unexpected issues.

x/epochs/go.mod (1)

5-21: Ensure consistent dependency updates across modules.
This module’s go.mod reflects updated dependency versions that align with the changes in other modules (e.g. the updated golang.org/x/crypto version and related packages). Please verify that these updates are harmonized project-wide and that no dependency conflicts are introduced.

x/circuit/go.mod (1)

1-41: Consistent dependency version alignment in the x/circuit module.
The updated dependencies—including the bump of golang.org/x/crypto to v0.36.0 and the corresponding version upgrades for related libraries—ensure that this module is in sync with the rest of the repository. It is recommended to double-check compatibility, especially if any module-specific functionality relies on subtle behaviors of these libraries.

x/bank/go.mod (2)

133-133: Upgrade golang.org/x/crypto to v0.36.0.
This change addresses the security vulnerability CVE-2025-22869 by moving from v0.32.0 to v0.36.0. Ensure that the new version does not break any existing functionality that depends on this dependency.


137-140: Update additional golang.org/x dependencies.
The versions for golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated. It is important to verify that these dependencies continue to integrate smoothly with the rest of the module and that no subtle compatibility issues arise.

x/upgrade/go.mod (2)

178-178: Update golang.org/x/crypto Version
The dependency has been bumped to v0.36.0 to address CVE-2025-22869. Please double-check that this update does not introduce any breaking changes in users of this module.


183-186: Synchronize Indirect Dependency Versions
The versions for golang.org/x/sync (v0.12.0), golang.org/x/sys (v0.31.0), golang.org/x/term (v0.30.0), and golang.org/x/text (v0.23.0) have been updated. This ensures consistency across modules and helps mitigate potential vulnerabilities.

x/gov/go.mod (1)

1-32: Align Dependency Versions in x/gov Module
The dependency versions for key packages—including golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text—have been updated (from older versions to v0.36.0, v0.12.0, v0.31.0, v0.30.0, and v0.23.0 respectively). This change aligns with the coordinated update strategy across the project.

x/group/go.mod (1)

149-157: Update Dependency Versions in x/group Module
The indirect dependencies for golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated to v0.36.0, v0.12.0, v0.31.0, v0.30.0, and v0.23.0 respectively. This update helps address the referenced CVE and maintains consistency across modules.

x/accounts/defaults/lockup/go.mod (1)

136-143: Update Dependencies in Lockup Module
Within the require block, the versions for golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated to v0.36.0, v0.12.0, v0.31.0, v0.30.0, and v0.23.0 respectively. This update is crucial to mitigate CVE-2025-22869 and to align with the rest of the project.

simapp/v2/go.mod (1)

227-235: Update Dependency Versions in SimApp Module
The indirect dependencies for golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated to v0.36.0, v0.12.0, v0.31.0, v0.30.0, and v0.23.0 respectively. This change addresses the security vulnerability CVE-2025-22869 and ensures consistency with dependency updates in other modules.

x/protocolpool/go.mod (1)

144-151: Dependency Version Bump for Security Compliance

The updated dependencies for:

  • golang.org/x/crypto v0.36.0
  • golang.org/x/sync v0.12.0
  • golang.org/x/sys v0.31.0
  • golang.org/x/term v0.30.0
  • golang.org/x/text v0.23.0

are correctly bumped to address CVE-2025-22869 and to maintain consistency across the project. Please confirm that these versions integrate well with the rest of the toolchain.

x/accounts/defaults/multisig/go.mod (1)

1-18: Consistent Dependency Updates Across Modules

The dependency versions (including the upgrade of golang.org/x/crypto to v0.36.0, along with updates to x/sync, x/sys, x/term, and x/text) appear to be updated in line with the overall project strategy. These changes should help ensure that all modules remain in sync with the latest security and performance improvements.

x/authz/go.mod (1)

1-26: Synchronization of Dependency Versions

The updates in this module reflect the coordinated bump of critical dependencies to:

  • golang.org/x/crypto v0.36.0
  • golang.org/x/sync v0.12.0
  • golang.org/x/sys v0.31.0
  • golang.org/x/term v0.30.0
  • golang.org/x/text v0.23.0

This ensures improved security (addressing CVE-2025-22869) and compatibility across the codebase. It is advisable to run module-specific tests to confirm that nothing is broken by these updates.

x/staking/go.mod (1)

1-32: Up-to-Date Dependency Management

The staking module’s go.mod reflects the updated dependency versions consistent with the overall project:

  • golang.org/x/crypto v0.36.0
  • golang.org/x/sync v0.12.0
  • golang.org/x/sys v0.31.0
  • golang.org/x/term v0.30.0
  • golang.org/x/text v0.23.0

This update should mitigate the known security vulnerability and benefit from the latest fixes and improvements. Verification through integration tests is recommended to ensure smooth operation.

tools/benchmark/go.mod (1)

132-139: Benchmark Tool Dependency Upgrades

The benchmark tool’s dependencies have been updated as follows:

  • golang.org/x/crypto v0.36.0
  • golang.org/x/sync v0.12.0
  • golang.org/x/sys v0.31.0
  • golang.org/x/term v0.30.0
  • golang.org/x/text v0.23.0

These updates not only address security concerns but also ensure that performance testing is done using the latest library improvements. Please ensure that existing benchmark comparisons remain valid post-update.

x/accounts/defaults/base/go.mod (1)

141-148: Update of Critical Dependency Versions

The versions for golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been bumped to v0.36.0, v0.12.0, v0.31.0, v0.30.0, and v0.23.0 respectively. These updates address CVE-2025-22869 and ensure consistency and improved security across the codebase.

x/consensus/go.mod (1)

141-141: Consistent Dependency Upgrade in Consensus Module

The indirect dependencies have been updated accordingly:

  • golang.org/x/crypto is now v0.36.0,
  • golang.org/x/sync is now v0.12.0,
  • golang.org/x/sys is now v0.31.0,
  • golang.org/x/term is now v0.30.0, and
  • golang.org/x/text is now v0.23.0.

These changes align with the overall security improvements and should help mitigate CVE-2025-22869 without affecting module interoperability.

Also applies to: 145-148

x/feegrant/go.mod (1)

1-183: Aligned Dependency Version Bump in Feegrant Module

Although explicit diff markers are not visible, the <ai_summary> indicates that the versions for golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text have been updated in this module as well. This consistency across modules is essential for addressing CVE-2025-22869. Please verify that integration tests pass with these new versions.

x/accounts/go.mod (1)

148-148: Security and Consistency Update in Accounts Module

The dependency versions have been updated:

  • golang.org/x/crypto to v0.36.0,
  • golang.org/x/sync to v0.12.0,
  • golang.org/x/sys to v0.31.0,
  • golang.org/x/term to v0.30.0, and
  • golang.org/x/text to v0.23.0.

This update ensures that the accounts module benefits from the latest fixes and improvements, aligning with the security objective of this PR.

Also applies to: 152-155

x/slashing/go.mod (1)

146-153: Updated Dependency Versions in Slashing Module

The slashing module’s indirect dependencies for critical libraries (e.g., golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text) have been upgraded to their respective new versions. This coordinated update is key to mitigating CVE-2025-22869 while ensuring consistent dependency management across the project.

x/distribution/go.mod (1)

143-150: Dependency Version Updates Verified.
The bumped versions for golang.org/x/crypto (v0.36.0), along with the updates for golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text, are correctly applied here. These updates address CVE-2025-22869 and ensure consistency with the security fix across the project.

tests/go.mod (1)

213-221: Consistent Dependency Upgrades in Tests Module.
The dependency versions for golang.org/x/crypto (v0.36.0), golang.org/x/sync (v0.12.0), golang.org/x/sys (v0.31.0), golang.org/x/term (v0.30.0), and golang.org/x/text (v0.23.0) are updated to match the changes in other modules. This coordinated update helps ensure that the tests run with the secure and consistent dependency versions.

x/nft/go.mod (1)

1-169: Verify Transitive Dependency Resolution.
Although this module’s go.mod does not explicitly list golang.org/x/crypto, please verify that the transitive dependency is resolved to v0.36.0 as intended. Ensuring consistency here is important for patching CVE-2025-22869 across all modules.

server/v2/cometbft/go.mod (1)

169-176: Version Bump Applied Correctly.
The updates for golang.org/x/crypto (v0.36.0), golang.org/x/sync (v0.12.0), golang.org/x/sys (v0.31.0), golang.org/x/term (v0.30.0), and golang.org/x/text (v0.23.0) are correctly reflected in this module. This change is key to addressing the underlying security issue and ensures consistency with the rest of the codebase.

x/evidence/go.mod (1)

1-26: Ensure Transitive Dependency Consistency.
golang.org/x/crypto isn’t explicitly declared in this module’s direct dependencies. Please confirm that the transitive dependency resolves to v0.36.0 in alignment with the other modules. This step is crucial for ensuring the security patch (CVE-2025-22869) is effective project‑wide.



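The two notes above on x/nft and x/evidence point at the part of a bump like this that is easy to miss: a module whose go.mod never mentions golang.org/x/crypto can still pull it in transitively, and only the module graph in that directory says which version it actually gets. Below is an added example, not code from the cosmos-sdk repository, the PR, or CodeRabbit, that walks a multi-module checkout and classifies every go.mod against the version the PR targets. It uses only the Go standard library and parses go.mod text directly, so it runs offline against a bare checkout; the program name `modaudit`, its argument order, and v0.36.0 as the threshold are assumptions taken from this PR's own bump.

```go
// Added example (not from the PR or CodeRabbit): audit every go.mod in a multi-module repo for one dependency's pinned version. Stdlib only.
package main

import (
	"bufio"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

type Finding struct{ GoMod, Version, Status string } // Status: "ok", "outdated" or "undeclared"
// parseRequires maps module path -> version for `require m v` one-liners and
// `require ( ... )` blocks; `// indirect` and other comments are dropped.
func parseRequires(src string) map[string]string {
	out, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0])
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) == 3:
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// parseSemver splits "v1.2.3-rc1+incompatible" into numeric core and pre-release
// tag (a pseudo-version's timestamp suffix lands in the tag); ok is false if malformed.
func parseSemver(v string) (core [3]int, pre string, ok bool) {
	num, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	num, pre, _ = strings.Cut(num, "-")
	_, err := fmt.Sscanf(num, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre, err == nil && fmt.Sprintf("%d.%d.%d", core[0], core[1], core[2]) == num
}

// atLeast reports whether have >= want in Go module ordering: numeric core first, then
// a pre-release or pseudo-version ranks below the plain release. Malformed input fails closed.
func atLeast(have, want string) bool {
	h, hp, okH := parseSemver(have)
	w, wp, okW := parseSemver(want)
	if !okH || !okW {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return hp == "" || (wp != "" && hp >= wp)
}

// auditDir walks root and classifies every go.mod. "undeclared" is not a pass: the module
// may still arrive transitively, and only `go list -m <module>` in that directory settles it.
func auditDir(root, module, minVersion string) ([]Finding, error) {
	var out []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || info.Name() != "go.mod" {
			return err
		}
		src, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		f := Finding{GoMod: p, Status: "undeclared"}
		if v, declared := parseRequires(string(src))[module]; declared {
			f.Version, f.Status = v, "outdated"
			if atLeast(v, minVersion) {
				f.Status = "ok"
			}
		}
		out = append(out, f)
		return nil
	})
	return out, err
}

func main() { // assumed invocation: modaudit <repo-root> <module> <min-version>
	findings, err := auditDir(os.Args[1], os.Args[2], os.Args[3])
	if err != nil {
		log.Fatal(err)
	}
	failed := false
	for _, f := range findings {
		fmt.Printf("%-10s %-8s %s\n", f.Status, f.Version, f.GoMod)
		failed = failed || f.Status != "ok" // undeclared still needs `go list -m`
	}
	if failed {
		os.Exit(1)
	}
}
```

Run as `modaudit . golang.org/x/crypto v0.36.0` from the repository root: it prints one line per go.mod and exits non-zero if any module is outdated or undeclared, so it can gate CI. An undeclared module is deliberately not a pass; `go list -m golang.org/x/crypto` in that directory is what answers the question, because it consults the full module graph including replace directives. Two checks pair well with it. After hand-editing go.mod files, `go mod tidy` has to run in every module (for example `find . -name go.mod -execdir go mod tidy \;`), otherwise a CI build that uses `-mod=readonly` fails exactly as the pipeline warning in the review below shows. And `govulncheck ./...` reports whether the vulnerable code in the dependency is reachable from this code base at all, which is the difference between a bump that closes a scanner finding and one that changes the program's actual exposure.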

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
go.mod (1)

158-161: Verify consistency of indirect dependency updates.

The updates for golang.org/x/sync (v0.12.0), golang.org/x/sys (v0.31.0), golang.org/x/term (v0.30.0), and golang.org/x/text (v0.23.0) appear consistent with the overall bump in dependency versions. Confirm that these new versions do not introduce any unintended side effects in the modules that depend on them.

📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 548ca00 and b0597cf.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (2 hunks)
🧰 Additional context used
🪛 GitHub Actions: v2 core Tests
go.mod

[warning] 1-1: updates to go.mod needed, disabled by -mod=readonly; to update it: go mod tidy

⏰ Context from checks skipped due to timeout of 90000ms (5)
  • GitHub Check: tests (03)
  • GitHub Check: tests (02)
  • GitHub Check: tests (01)
  • GitHub Check: tests (00)
  • GitHub Check: Summary
🔇 Additional comments (2)
go.mod (2)

53-53: Update to golang.org/x/crypto for CVE mitigation.

The version bump from v0.32.0 to v0.36.0 directly addresses CVE-2025-22869. Ensure that this update has been tested against your codebase to verify there are no compatibility issues.


1-206:

Details

✅ Verification successful

Run go mod tidy to update module metadata.

The pipeline failure indicates that updates to go.mod are being blocked by the -mod=readonly flag. After updating dependency versions, please run go mod tidy to refresh both the go.mod and go.sum files.

To verify, run the following command:


🏁 Script executed:

go mod tidy

Length of output: 10512


Update Verified – Module Metadata Refreshed

The output from running go mod tidy shows that dependency downloads were triggered without any errors, indicating that the module metadata (both go.mod and go.sum) has been refreshed. Please ensure that the updated files are committed to the repository so that the pipeline no longer encounters issues with the -mod=readonly flag.

  • Confirm that the updated go.mod and go.sum files reflect the necessary dependency changes.
  • Commit these changes, if not already done, to unblock the pipeline.
