chore: Update dependencies

[iverc]

Description

This PR updates dependencies to address multiple security vulnerabilities.

Tasks

• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/65
• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/66
• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/67
• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/68
• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/69
• Fixes https://github.com/sourcenetwork/sourcehub/security/dependabot/70

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated Go module dependencies in go.mod, including cometbft (v0.38.19 to v0.38.21), ethereum/go-ethereum (v1.15.5 to v1.16.8), quic-go (v0.54.1 to v0.57.0), mapstructure/v2 (v2.0.0 to v2.4.0), bitset (v1.17.0 to v1.20.0), and x/time (v0.9.0 to v0.12.0). Added zkvm_runtime as an indirect dependency and removed uber/mock.

Changes

Cohort / File(s)	Summary
Go Module Dependencies go.mod	Version updates for direct and transitive dependencies including CometBFT, Ethereum, QUIC, and utility packages. Added zkvm_runtime indirect dependency and removed uber/mock.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 110: The go.mod now includes a transitive pseudo-version dependency
github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime introduced via the
go-ethereum chain (referenced through cosmos/ibc-go/v10 →
ethereum/go-ethereum/crypto); verify whether this transitive zkvm_runtime
pseudo-version is acceptable for our security/stability requirements and either
(a) accept it and add a comment in go.mod or changelog explaining it is
transitive from go-ethereum, or (b) pin to a stable release by updating the
upstream dependency (e.g., upgrade or replace cosmos/ibc-go/v10 or
ethereum/go-ethereum/crypto) or add an explicit require/replace for
github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime to a desired stable
version to avoid the pseudo-version.
- Line 187: Bump of github.com/ethereum/go-ethereum to v1.16.8 may change
RPC/behavior; audit any code that constructs or calls Ethereum RPCs (search for
eth_getLogs, eth_getBlockReceipts, eth_getProof, Clique-related RPCs or any code
that sets archive node flags like --state.scheme) and update logic and tests to
handle: eth_getLogs responses including blockTimestamp, eth_getBlockReceipts
returning null for missing blocks, eth_getProof not supporting historical blocks
when path-based state is used, and absence of Clique RPCs; run integration tests
against a node with eth/69 behavior and adjust callers to defensively handle
null receipts, new fields, removed Clique endpoints, or to use latest supported
proof APIs.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1bce440 and 1d969e1.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (6)

go.mod (6)

28-452: The go.mod file shows proper dependency updates with explicit CVE/GHSA fixes already in place (e.g., GHSA-h395-qcrw-5vmq for gin-gonic/gin). The go.sum file is present and properly maintained with 3608 entries. However, the specific Dependabot alerts (65-70) referenced in the original review cannot be verified in the repository. Without confirmation that these alerts actually exist or are associated with this PR, the verification requests cannot be properly scoped.

If Dependabot alerts were indeed created for this repository, please provide their links or reference numbers to enable proper verification of whether the dependency updates resolve the claimed issues.

---

216-216: Update mapstructure/v2 to v2.4.0 fixes CVE-2025-11065.

This update addresses an information disclosure vulnerability (GHSA-2464-8j7c-4cjm / GO-2025-3900) where error messages can leak sensitive values into logs when processing malformed input. Versions prior to v2.4.0 are affected; this is the patched release.

---

363-364: Only quic-go v0.57.0 is a security fix; qpack v0.6.0 is not.

quic-go v0.57.0 fixes CVE-2025-64702 (HTTP/3 QPACK header expansion DoS), but qpack v0.6.0 is an API/performance improvement release with no security fixes. No new vulnerabilities exist in either version.

Likely an incorrect or invalid review comment.

---

123-123: Remove the assumption about security vulnerability. The bitset v1.20.0 update does not address a published security advisory—no security advisories exist for this package. The version is valid and publicly available, but this appears to be a routine dependency update rather than a security fix.

Likely an incorrect or invalid review comment.

---

28-28: Confirmed: cometbft v0.38.21 addresses critical security vulnerability CSA-2026-001 "Tachyon".

The version update from v0.38.19 to v0.38.21 is verified to fix GHSA-c32p-wcqj-j677, a consensus-level vulnerability in BFT Time where inconsistencies between commit signature verification and block time derivation can break guarantees preventing faulty processes from arbitrarily increasing block time. This affects any chain logic relying on timestamps. The vulnerability impacts all v0.38.x versions ≤ v0.38.20, and no effective workaround exists—upgrade is required.

---

452-452: No security vulnerability exists for golang.org/x/time v0.12.0. The Go Vulnerability Database does not list any published advisories for this package. The referenced Dependabot alerts do not appear in the codebase. This is a routine indirect dependency update.

Likely an incorrect or invalid review comment.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Trace the dependency chain for zkvm_runtime
go mod why github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime

Repository: sourcenetwork/sourcehub

Length of output: 17073

---

Understand that zkvm_runtime is a transitive dependency from go-ethereum.

The zkvm_runtime pseudo-version dependency originates from go-ethereum (pulled transitively through cosmos/ibc-go/v10 → ethereum/go-ethereum/crypto). This is an indirect consequence of upgrading ibc-go, not a direct change to this repository. Confirm that go-ethereum's dependency chain is expected and acceptable for your use case; if you need a stable version of zkvm_runtime, consider pinning or updating your upstream dependencies.

🤖 Prompt for AI Agents

In `@go.mod` at line 110, The go.mod now includes a transitive pseudo-version
dependency github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime introduced
via the go-ethereum chain (referenced through cosmos/ibc-go/v10 →
ethereum/go-ethereum/crypto); verify whether this transitive zkvm_runtime
pseudo-version is acceptable for our security/stability requirements and either
(a) accept it and add a comment in go.mod or changelog explaining it is
transitive from go-ethereum, or (b) pin to a stable release by updating the
upstream dependency (e.g., upgrade or replace cosmos/ibc-go/v10 or
ethereum/go-ethereum/crypto) or add an explicit require/replace for
github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime to a desired stable
version to avoid the pseudo-version.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

go-ethereum v1.16.8 release notes changelog

💡 Result:

go-ethereum v1.16.8 (“Moisture Filters”) was released January 13, 2026. [1][2]

Release notes / changelog (v1.16.8)

• Security fix release (recommended for all users). [1]
• Fixes two peer-to-peer (p2p) vulnerabilities reported via the Ethereum Foundation bug bounty program. [1]

Sources: official GitHub release notes and the Geth downloads page. [1][2]

---

🌐 Web query:

go-ethereum 1.16.0 breaking changes migration guide

💡 Result:

go-ethereum (geth) v1.16.0 — breaking changes / migration notes

1) Archive nodes: new “path-based archive” behavior (big operational change)

• v1.16.0 introduces a new experimental archive-node implementation for --gcmode=archive that works with path-based state (--state.scheme=path). Key implications: much smaller disk footprint (~1.9 TB for full mainnet state history, excluding tx-by-hash and log indexes), ability to place historical state on a separate (optionally slower) disk, and configurable retained history via --history.state (default keeps ~last 90k blocks, pruning older history as the chain advances). Historical state is only available once an index finishes building (can take ~30h on mainnet), and geth reports this via eth_syncing. [1]
• Breaking limitation: with --state.scheme=path, eth_getProof is not supported for historical blocks; geth can only serve state proofs for the latest 128 blocks. If you need older proofs, you must keep using a hash-based archive (--state.scheme=hash). [1]

Migration guidance

• If you run archive for historical balance/storage queries (but not historical proofs), consider moving to path-based archive:
  • geth ... --gcmode=archive --state.scheme=path [--history.state <N>]
  • Expect a “warm-up” period while the archive index builds; don’t treat missing historical results during that time as data loss. [1]
• If you require historical eth_getProof, do not migrate to path-based archive; stay on --state.scheme=hash. [1]

2) RPC/API behavior changes (client-facing)

• eth_getLogs (and similar) now returns an additional blockTimestamp field. If your log parsers use strict JSON decoding, update them to tolerate/consume this new field. [1]
  • Note: v1.16.1 changed blockTimestamp to be hex-encoded (so if you upgrade beyond 1.16.0, handle that encoding). [2]
• eth_getBlockReceipts now returns null (instead of an error) when a block is not found—update callers that treat “not found” as an exception. [1]
• Clique RPC APIs removed: “Geth no longer provides clique-related RPC APIs.” If you have tooling that calls clique endpoints, it will break and must be replaced/removed. [1]

3) Protocol / networking change (possible compatibility implications)

• Geth implements eth/69. If you operate custom networking code, protocol gating, or metrics/peer filters, validate eth protocol version handling. [1]

4) Other notable changes that may affect ops/tooling

• Default block gas limit is now 45M (mainnet behavior is ultimately driven by the network, but this can affect private/dev chains and expectations). [1]
• New support for era1 files when running with pruned history + geth download-era to fetch them (relevant if your workflows depend on accessing older history while pruning). [1]

Sources:
[1] Geth v1.16.0 release notes (Terran Rivets) — ethereum/go-ethereum GitHub release page. (github.com)
[2] Geth v1.16.1 release notes (follow-up fix: blockTimestamp hex encoding). (github.com)

Citations:

• 1: https://github.com/ethereum/go-ethereum/releases/tag/v1.16.0
• 2: https://github.com/ethereum/go-ethereum/releases

---

Verify code compatibility with go-ethereum v1.16.8 breaking changes.

The update from v1.15.5 to v1.16.8 introduces breaking changes in v1.16.0:

• RPC API changes: eth_getLogs adds blockTimestamp field; eth_getBlockReceipts now returns null instead of error for missing blocks
• Archive node behavior changed if --state.scheme=path is used; eth_getProof no longer supports historical blocks with path-based state
• Clique RPC APIs removed entirely
• Protocol changed to eth/69

Verify that the codebase does not depend on these changed behaviors. v1.16.8 is a stable security release (fixes two p2p vulnerabilities), but integration testing should confirm no RPC calls or archive configurations are broken by these changes.

🤖 Prompt for AI Agents

In `@go.mod` at line 187, Bump of github.com/ethereum/go-ethereum to v1.16.8 may
change RPC/behavior; audit any code that constructs or calls Ethereum RPCs
(search for eth_getLogs, eth_getBlockReceipts, eth_getProof, Clique-related RPCs
or any code that sets archive node flags like --state.scheme) and update logic
and tests to handle: eth_getLogs responses including blockTimestamp,
eth_getBlockReceipts returning null for missing blocks, eth_getProof not
supporting historical blocks when path-based state is used, and absence of
Clique RPCs; run integration tests against a node with eth/69 behavior and
adjust callers to defensively handle null receipts, new fields, removed Clique
endpoints, or to use latest supported proof APIs.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.84%. Comparing base (6f52d93) to head (1d969e1).
⚠️ Report is 2 commits behind head on dev.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev      #95      +/-   ##
==========================================
+ Coverage   47.75%   47.84%   +0.09%     
==========================================
  Files         276      276              
  Lines       16194    16195       +1     
==========================================
+ Hits         7733     7749      +16     
+ Misses       7657     7642      -15     
  Partials      804      804              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.