Merge tag 'v0.38.17' into cometbft-0.38.9

Tagged v0.38.17 release

Author: iKapitonau

.changelog/v0.38.1/improvements/1558-experimental-gossip-limiting.md

@@ -4,6 +4,6 @@
   ([\#1584](https://github.com/cometbft/cometbft/pull/1584))
 - `[config]` Add mempool parameters `experimental_max_gossip_connections_to_persistent_peers` and
   `experimental_max_gossip_connections_to_non_persistent_peers` for limiting the number of peers to
-  which the node gossip transactions. 
+  which the node gossip transactions.
   ([\#1558](https://github.com/cometbft/cometbft/pull/1558))
   ([\#1584](https://github.com/cometbft/cometbft/pull/1584))

.changelog/v0.38.12/dependencies/4605-fix-mockery-version.md

@@ -0,0 +1,3 @@
+- pinned mockery's version to v2.49.2 to prevent potential
+  changes in mocks after each new release of mockery
+  ([\#4605](https://github.com/cometbft/cometbft/pull/4605))

.changelog/v0.38.13/bug-fixes/4019-mempool-metric-rejected-txs.md

@@ -0,0 +1,2 @@
+- `[metrics]` Call unused `rejected_txs` metric in mempool
+  ([\#4019](https://github.com/cometbft/cometbft/pull/4019))

.changelog/v0.38.13/bug-fixes/4295-copy-value-state-indexer.md

@@ -0,0 +1,3 @@
+- `[state/indexer]` Fix the tx_search results not returning all results by changing the logic in the indexer to copy the key and values instead of reusing an iterator. This issue only arises when upgrading to cometbft-db v0.13 or later.
+  ([\#4295](https://github.com/cometbft/cometbft/issues/4295)). Special thanks to @faddat for reporting the issue.
+

.changelog/v0.38.13/dependencies/4059-update-cometbft-db.md

@@ -0,0 +1,2 @@
+- `[go/runtime]` Bump Go version to 1.22
+  ([\#4073](https://github.com/cometbft/cometbft/pull/4073))

.changelog/v0.38.13/dependencies/4321-update-cometbft-db.md

@@ -0,0 +1,2 @@
+- Bump cometbft-db version to v0.14.1
+  ([\#4321](https://github.com/cometbft/cometbft/pull/4321))

.changelog/v0.38.13/features/4294-remove-secp256k1-wrapper.md

@@ -0,0 +1 @@
+- `[crypto]` use decred secp256k1 directly ([#4294](https://github.com/cometbft/cometbft/pull/4294))

.changelog/v0.38.13/improvements/4019-mempool-metric-evicted-txs.md

@@ -0,0 +1,2 @@
+- `[metrics]` Add `evicted_txs` metric to mempool
+  ([\#4019](https://github.com/cometbft/cometbft/pull/4019))

.changelog/v0.38.13/improvements/4123-mempool-is-full-log.md

@@ -0,0 +1,2 @@
+- `[log]` Change "mempool is full" log to debug level
+  ([\#4123](https://github.com/cometbft/cometbft/pull/4123)) Special thanks to @yihuang.

.changelog/v0.38.13/summary.md

@@ -0,0 +1,7 @@
+*October 24, 2024*
+
+This patch release addresses the issue where tx_search was not returning all results, which only arises when upgrading
+to CometBFT-DB version 0.13 or later. It includes a fix in the state indexer to resolve this problem. We recommend
+upgrading to this patch release if you are affected by this issue.
+
+

.changelog/v0.38.14/bug-fixes/0021-abc-panic-precommit-validator-index.md

@@ -0,0 +1,3 @@
+- `[consensus]` Do not panic if the validator index of a `Vote` message is out
+  of bounds, when vote extensions are enabled
+  ([\#ABC-0021](https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj))

.changelog/v0.38.14/dependencies/4297-update-cometbft-db.md

@@ -0,0 +1,2 @@
+- Bump cometbft-db version to v0.15.0
+  ([\#4297](https://github.com/cometbft/cometbft/pull/4297))

.changelog/v0.38.14/dependencies/4297-update-go.md

@@ -0,0 +1,2 @@
+- `[go/runtime]` Bump Go version to 1.23
+  ([\#4297](https://github.com/cometbft/cometbft/pull/4297))

.changelog/v0.38.14/improvements/3519-p2p-reconnect-interval-1day.md

@@ -0,0 +1,2 @@
+- `[p2p]` fix exponential backoff logic to increase reconnect retries close to 24 hours
+ ([\#3519](https://github.com/cometbft/cometbft/issues/3519))

.changelog/v0.38.14/summary.md

@@ -0,0 +1,7 @@
+*November 6, 2024*
+
+This release fixes a security vulnerability in the vote extensions (VE)
+validation logic. For more details, please refer to
+[ASA-2024-011](https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj).
+
+We recommend upgrading ASAP if you’re using vote extensions (VE).

.changelog/v0.38.15/summary.md

@@ -0,0 +1,9 @@
+*November 6, 2024*
+
+This release supersedes [`v0.38.14`](#v03814), which mistakenly updated the Go version to
+`1.23`, introducing an unintended breaking change. It sets the Go version back
+to `1.22.7` by reverting [\#4297](https://github.com/cometbft/cometbft/pull/4297).
+
+The release includes the bug fixes, performance improvements, and importantly,
+the fix for the security vulnerability in the vote extensions (VE) validation
+logic that were part of `v0.38.14`. For more details, please refer to [ASA-2024-011](https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj).

.changelog/v0.38.16/bug-fixes/4521-fixes-breaking-mock.md

@@ -0,0 +1,3 @@
+- `[mocks]` Mockery `v2.49.0` broke the mocks. We had to add a `.mockery.yaml` to
+properly handle this change.
+  ([\#4521](https://github.com/cometbft/cometbft/pull/4521))

.changelog/v0.38.16/summary.md

@@ -0,0 +1,7 @@
+*December 20 2024*
+
+This release:
+- fixes a bug that caused a node produce errors caused by the sending of next PEX requests too soon.
+As a consequence of this incorrect behavior a node would be marked as BAD.
+- Adds a proper description of `ExtendedVoteInfo` and `VoteInfo` in the spec.
+

.changelog/v0.38.17/bug-fixes/2025-001-malicious-peer-can-make-node-stuck-in-blocksync.md

@@ -0,0 +1,2 @@
+- `[blocksync]` Ban peer if it reports height lower than what was previously reported
+  ([ASA-2025-001](https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4))

.changelog/v0.38.17/bug-fixes/2025-002-block-part-validation.md

@@ -0,0 +1,2 @@
+- `[types]` Check that `Part.Index` equals `Part.Proof.Index`
+  ([ASA-2025-001](https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f))

.changelog/v0.38.17/dependencies/4891-update-go.md

@@ -0,0 +1,2 @@
+- `[go/runtime]` Bump minimum Go version to 1.22.11
+  ([\#4891](https://github.com/cometbft/cometbft/pull/4891))

.changelog/v0.38.17/summary.md

@@ -0,0 +1,4 @@
+*February 3, 2025*
+
+This release fixes two security issues (ASA-2025-001, ASA-2025-002). Users are
+encouraged to upgrade as soon as possible.

.github/CODEOWNERS

@@ -7,6 +7,6 @@
 # global owners are only requested if there isn't a more specific
 # codeowner specified below. For this reason, the global codeowners
 # are often repeated in package-level definitions.
-*     @CometBFT/engineering
+*     @cometbft/engineering @cometbft/devrel @cometbft/interchain-inc
 
-/spec @CometBFT/research @CometBFT/engineering
+/spec @cometbft/research @cometbft/engineering @cometbft/interchain-inc

.github/workflows/build.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:
@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:
@@ -65,7 +65,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:

.github/workflows/check-generated.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
 
       - uses: actions/checkout@v4
 
@@ -44,7 +44,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
 
       - uses: actions/checkout@v4
         with:

.github/workflows/cometbft-docker.yml

@@ -41,7 +41,7 @@ jobs:
           platforms: all
 
       - name: Set up Docker Build
-        uses: docker/setup-buildx-action@v3.6.1
+        uses: docker/setup-buildx-action@v3.8.0
 
       - name: Login to DockerHub
         if: ${{ github.event_name != 'pull_request' }}
@@ -51,7 +51,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Publish to Docker Hub
-        uses: docker/build-push-action@v6.7.0
+        uses: docker/build-push-action@v6.13.0
         with:
           context: .
           file: ./DOCKER/Dockerfile

.github/workflows/e2e-manual-multiversion.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - uses: actions/checkout@v4
 

.github/workflows/e2e-manual.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - uses: actions/checkout@v4