Double-check whether we need something from (tm)#7768 #8
Assignees
Milestone
Comments
This was referenced Dec 22, 2022
|
Closed by #7 |
3 tasks
melekes
added a commit
that referenced
this issue
Jan 28, 2025
due to sec vuln Vulnerability #1: GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3420 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.5 Example traces found: Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get Vulnerability #2: GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-3373 Standard library Found in: crypto/x509@go1.23.1 Fixed in: crypto/x509@go1.23.5 Example traces found: Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error Error: #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate Error: #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey Error: #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey Error: #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey
github-merge-queue bot
pushed a commit
that referenced
this issue
Jan 30, 2025
due to sec vuln Vulnerability #1: GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3420 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.5 Example traces found: Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get Vulnerability #2: GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-3373 Standard library Found in: crypto/x509@go1.23.1 Fixed in: crypto/x509@go1.23.5 Example traces found: Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error Error: #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate Error: #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey Error: #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey Error: #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey
mergify bot
pushed a commit
that referenced
this issue
Jan 30, 2025
due to sec vuln Vulnerability #1: GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3420 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.5 Example traces found: Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get Vulnerability #2: GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-3373 Standard library Found in: crypto/x509@go1.23.1 Fixed in: crypto/x509@go1.23.5 Example traces found: Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error Error: #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate Error: #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey Error: #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey Error: #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey (cherry picked from commit e4cbca8) # Conflicts: # .golangci.yml
mergify bot
added a commit
that referenced
this issue
Jan 30, 2025
due to sec vuln Vulnerability #1: GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3420 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.5 Example traces found: Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get Vulnerability #2: GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-3373 Standard library Found in: crypto/x509@go1.23.1 Fixed in: crypto/x509@go1.23.5 Example traces found: Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error Error: #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate Error: #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey Error: #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey Error: #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey <hr>This is an automatic backport of pull request #4888 done by [Mergify](https://mergify.com). --------- Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
yihuang
added a commit
to yihuang/cometbft
that referenced
this issue
Feb 3, 2025
* build(deps): Bump google.golang.org/protobuf from 1.34.2 to 1.35.1 (cometbft#4380) Bumps google.golang.org/protobuf from 1.34.2 to 1.35.1. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.0.1 to 4.3.0 (cometbft#4381) Bumps [github.com/decred/dcrd/dcrec/secp256k1/v4](https://github.com/decred/dcrd) from 4.0.1 to 4.3.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/decred/dcrd/commit/08d8572807872f2b9737f8a118b16c320a04b077"><code>08d8572</code></a> secp256k1: Prepare v4.3.0.</li> <li><a href="https://github.com/decred/dcrd/commit/fe9a28cd1e4f341105001496b135a58d09717647"><code>fe9a28c</code></a> secp256k1: No allocs in slow scalar base mult path.</li> <li><a href="https://github.com/decred/dcrd/commit/2104419fc012bb162222a5e0a2c06e4d806cbfae"><code>2104419</code></a> wire: Fix typo in comment.</li> <li><a href="https://github.com/decred/dcrd/commit/b9d8d49c901bb7cbb19ed36d636c3e3d86a1fe43"><code>b9d8d49</code></a> wire: add p2p mixing messages</li> <li><a href="https://github.com/decred/dcrd/commit/25adf60a9f4e12aec13565f6345f769965b0135a"><code>25adf60</code></a> secp256k1: Add scalar base mult variant benchmarks.</li> <li><a href="https://github.com/decred/dcrd/commit/2ee2ebeb678398d3f9333a2cfa937378efe27cfb"><code>2ee2ebe</code></a> secp256k1: Add TinyGo support.</li> <li><a href="https://github.com/decred/dcrd/commit/c6322d513aee03139d91a4e45490dc02d070f278"><code>c6322d5</code></a> docker: Update image to golang:1.22.1-alpine3.19.</li> <li><a href="https://github.com/decred/dcrd/commit/20dedca001392442f83a7d5b218fe54a92c1c565"><code>20dedca</code></a> server: Update required minimum protocol version.</li> <li><a href="https://github.com/decred/dcrd/commit/eb3de8e7299ba919d4ccd67cb1b56a17030f85b7"><code>eb3de8e</code></a> docs: Update README.md to required Go 1.21/1.22.</li> <li><a href="https://github.com/decred/dcrd/commit/fedbaf982b460c7b639d1c577efe51e3f255f8dc"><code>fedbaf9</code></a> build: Test against Go 1.22.</li> <li>Additional commits viewable in <a href="https://github.com/decred/dcrd/compare/dcrjson/v4.0.1...dcrec/secp256k1/v4.3.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump github.com/prometheus/common from 0.59.1 to 0.60.1 (cometbft#4382) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.59.1 to 0.60.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prometheus/common/releases">github.com/prometheus/common's releases</a>.</em></p> <blockquote> <h2>v0.60.1</h2> <h2>What's Changed</h2> <ul> <li>promslog: Only log basename, not full path by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/705">prometheus/common#705</a></li> <li>Reload certificates even when no CA is used by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/707">prometheus/common#707</a></li> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/701">prometheus/common#701</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.60.0...v0.60.1">https://github.com/prometheus/common/compare/v0.60.0...v0.60.1</a></p> <h2>v0.60.0</h2> <h2>What's Changed</h2> <ul> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/692">prometheus/common#692</a></li> <li>slog: expose io.Writer by <a href="https://github.com/jkroepke"><code>@jkroepke</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/694">prometheus/common#694</a></li> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/695">prometheus/common#695</a></li> <li>promslog: use UTC timestamps for go-kit log style by <a href="https://github.com/dswarbrick"><code>@dswarbrick</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/696">prometheus/common#696</a></li> <li>feat: add <code>promslog.NewNopLogger()</code> convenience func by <a href="https://github.com/tjhop"><code>@tjhop</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/697">prometheus/common#697</a></li> <li>Bump golang.org/x/net from 0.28.0 to 0.29.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/699">prometheus/common#699</a></li> <li>Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/698">prometheus/common#698</a></li> <li>Update supported Go versions by <a href="https://github.com/SuperQ"><code>@SuperQ</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/700">prometheus/common#700</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.59.1...v0.60.0">https://github.com/prometheus/common/compare/v0.59.1...v0.60.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/prometheus/common/commit/653e0fa37b474f7af331bbfb409c0f654fb04a94"><code>653e0fa</code></a> Update common Prometheus files (<a href="https://redirect.github.com/prometheus/common/issues/701">#701</a>)</li> <li><a href="https://github.com/prometheus/common/commit/0d2e2e509b05032929d08ab69362a58ce540fcb1"><code>0d2e2e5</code></a> Reload certificates even when no CA is used (<a href="https://redirect.github.com/prometheus/common/issues/707">#707</a>)</li> <li><a href="https://github.com/prometheus/common/commit/a9d2e3ff1686621e6f772f7b503b12d242701c48"><code>a9d2e3f</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/705">#705</a> from roidelapluie/sourcefile</li> <li><a href="https://github.com/prometheus/common/commit/fdc50c720a071b6796bcb5e08c3a1a03cc6ef121"><code>fdc50c7</code></a> promslog: Only log basename, not full path</li> <li><a href="https://github.com/prometheus/common/commit/dae848db5327d2a4e2e06cbe883093a71b4226d7"><code>dae848d</code></a> Update supported Go versions (<a href="https://redirect.github.com/prometheus/common/issues/700">#700</a>)</li> <li><a href="https://github.com/prometheus/common/commit/63ff77eeea3cfd552d81d455b44546db75a3b4ac"><code>63ff77e</code></a> Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 (<a href="https://redirect.github.com/prometheus/common/issues/698">#698</a>)</li> <li><a href="https://github.com/prometheus/common/commit/b7aa68c1be77461e7ed0987ee66a288bbaa324ae"><code>b7aa68c</code></a> Bump golang.org/x/net from 0.28.0 to 0.29.0 (<a href="https://redirect.github.com/prometheus/common/issues/699">#699</a>)</li> <li><a href="https://github.com/prometheus/common/commit/4e3a6fd348a3c764fff5193cd0ee34eea4402318"><code>4e3a6fd</code></a> feat: add <code>promslog.NewNopLogger()</code> convenience func (<a href="https://redirect.github.com/prometheus/common/issues/697">#697</a>)</li> <li><a href="https://github.com/prometheus/common/commit/d66e745b02ad50e6763ec5a0765aae5014a6c188"><code>d66e745</code></a> promslog: use UTC timestamps for go-kit log style (<a href="https://redirect.github.com/prometheus/common/issues/696">#696</a>)</li> <li><a href="https://github.com/prometheus/common/commit/14bac55a992f7b83ab9d147a041e274606bdb607"><code>14bac55</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/695">#695</a> from prometheus/repo_sync</li> <li>Additional commits viewable in <a href="https://github.com/prometheus/common/compare/v0.59.1...v0.60.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump golang.org/x/net from 0.29.0 to 0.30.0 (cometbft#4384) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.29.0 to 0.30.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/6cc5ac4e9a03d73b331eb1d6db98a02e558243b7"><code>6cc5ac4</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/f88258d67e0f0f144c79964ca05bb81d51ee8411"><code>f88258d</code></a> websocket: update nhooyr.io/websocket to github.com/coder/websocket</li> <li><a href="https://github.com/golang/net/commit/7191757bc637cf79a7ece0546e33f903bf5e9709"><code>7191757</code></a> http2: add support for net/http HTTP2 config field</li> <li><a href="https://github.com/golang/net/commit/4790dc7047441aed4889873cdd30e1e6adf49735"><code>4790dc7</code></a> http2: add support for server-originated pings</li> <li><a href="https://github.com/golang/net/commit/541dbe58b6bc869fc1c7de361846682a34365325"><code>541dbe5</code></a> http2: add Server.WriteByteTimeout</li> <li><a href="https://github.com/golang/net/commit/3c333c0c5288a7cf127e427ddda5b1b54020a2b4"><code>3c333c0</code></a> route: fix address parsing of messages on Darwin</li> <li>See full diff in <a href="https://github.com/golang/net/compare/v0.29.0...v0.30.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): Bump bufbuild/buf-setup-action from 1.45.0 to 1.46.0 (cometbft#4414) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: use the latest cometbft-db in v0.38.x (cometbft#4297) Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * fix(p2p): adjust backoff seconds to increase reconnect retries close to 24 hours (backport cometbft#4377) (cometbft#4425) close: cometbft#3519 Adjust `reconnectBackOffBaseSeconds` to increase reconnect retries to up 1 day (~24 hours). The new value can be validated here: https://go.dev/play/p/k8F5rS-i24p, which will show that the total time is increased to almost 24 hours. Initial reconnecting time: 2m8.493s Total reconnecting time. : 23h55m56.249s The `reconnectBackOffBaseSeconds` is increased by a bit over 10% (from 3.0 to 3.4 seconds) so this would not affect reconnection retries too much. #### PR checklist - [ ] ~~Tests written/updated~~ - [x] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog) - [x] Updated relevant documentation (`docs/` or `spec/`) and code comments <hr>This is an automatic backport of pull request cometbft#4377 done by [Mergify](https://mergify.com). --------- Co-authored-by: Andy Nogueira <me@andynogueira.dev> * Merge commit from fork * remove toolchain --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Co-authored-by: Jacob Gadikian <jacobgadikian@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Andy Nogueira <me@andynogueira.dev>
jmalicevic
pushed a commit
to informalsystems/cometbft
that referenced
this issue
May 14, 2025
fix: backport NRP-VoteExtension changes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
When we retracted
v0.35.xand went back tov0.34.x, we lost the context management that had been put in place over many months.As (tm)#7768 was fixing some contexts in
v0.36.x, the goal here is to try to bring whatever makes sense tomain.Original issue: tendermint/tendermint#9954
The text was updated successfully, but these errors were encountered: