chore(test/interchain): upgrade cosmos-sdk and celestia-core versions

[tskoyo]

Updated the dependency versions in the test/interchain module. This resolves build conflicts caused by differing replacement directives for:

• github.com/cosmos/cosmos-sdk
• github.com/tendermint/tendermint

Changes:

• Updated github.com/cosmos/cosmos-sdk to github.com/celestiaorg/cosmos-sdk v1.25.0-sdk-v0.46.16.
• Updated github.com/tendermint/tendermint to github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v1.44.0-tm-v0.34.35.

Tested with make build and make test to ensure compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

The go.mod file for the github.com/celestiaorg/celestia-app/test/interchain module has been updated to reflect several dependency version changes. The Go version remains at 1.23.1. Multiple indirect dependencies have been upgraded to their latest versions, including updates for cloud.google.com/go/compute/metadata, github.com/BurntSushi/toml, and various Prometheus and OpenTelemetry packages. Some older dependencies have been removed and replaced with newer versions, ensuring compatibility with the latest libraries.

Changes

File	Change Summary
test/interchain/go.mod	- Updated cloud.google.com/go/compute/metadata from v0.2.3 to v0.3.0
	- Updated github.com/BurntSushi/toml from v1.3.2 to v1.4.1-0.20240526193622-a339e1f7089c
	- Updated github.com/celestiaorg/nmt from v0.22.0 to v0.22.2
	- Updated github.com/prometheus/client_golang from v1.19.1 to v1.20.3
	- Updated github.com/prometheus/client_model from v0.6.0 to v0.6.1
	- Updated github.com/prometheus/common from v0.53.0 to v0.55.0
	- Updated github.com/prometheus/procfs from v0.12.0 to v0.15.1
	- Updated go.opentelemetry.io/otel and related packages from v1.24.0 to v1.30.0
	- Updated github.com/cosmos/cosmos-sdk from v1.24.0-sdk-v0.46.16 to v1.25.0-sdk-v0.46.16
	- Updated github.com/tendermint/tendermint from v1.40.0-tm-v0.34.29 to v1.44.0-tm-v0.34.35
	- Removed older versions of golang.org/x/crypto, golang.org/x/net, and google.golang.org/grpc

Possibly related PRs

• chore(deps): upgrade to celestia-core v1.37.0-tm-v0.34.29 #3607: This PR updates the go.mod file for test/interchain, which is directly related to the main PR's changes in the same file, specifically regarding dependency updates for github.com/celestiaorg/nmt.
• chore(deps): upgrade to cosmos-sdk v1.23.0 #3629: This PR also modifies the go.mod file for test/interchain, updating dependencies including github.com/prometheus/client_golang, which aligns with the dependency updates in the main PR.
• chore(deps): upgrade to celestia-core v1.38.0 #3659: This PR updates the go.mod file for test/interchain, specifically the github.com/tendermint/tendermint dependency, which is relevant to the changes made in the main PR.
• chore(deps): upgrade to celestia-core v1.44.0 #4059: This PR updates the go.mod file to reflect changes in the github.com/tendermint/tendermint dependency, which is consistent with the dependency management updates in the main PR.

Suggested labels

backport:v3.x

Suggested reviewers

• staheri14
• ninabarbakadze
• evan-forbes
• cmwaters

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 61aa46b and 66c54e8.

⛔ Files ignored due to path filters (1)

• test/interchain/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• test/interchain/go.mod (9 hunks)

🔇 Additional comments (3)

test/interchain/go.mod (3)

Line range hint 4-11: LGTM: Direct dependencies are well-defined

The direct dependencies are minimal and appropriate for an interchain test module.

---

142-145: Verify security advisories for monitoring dependencies

The updates to Prometheus and OpenTelemetry packages are significant. Let's verify there are no known security issues with these versions.

Also applies to: 177-179

✅ Verification successful

Prometheus and OpenTelemetry dependencies are secure at current versions

The security check reveals:

• No known vulnerabilities for OpenTelemetry packages
• The only known Prometheus vulnerability (HIGH severity, from Feb 2022) affects versions < 1.11.1
• Current version (1.20.3) is well above the vulnerable range

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for security advisories for prometheus and opentelemetry packages

# Check for Prometheus client security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/prometheus/client_golang") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

# Check for OpenTelemetry security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "go.opentelemetry.io/otel") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 932

---

227-227: LGTM: Version updates align with PR objectives

The updates to cosmos-sdk and tendermint versions match the PR objectives to resolve version conflicts. Let's verify the compatibility of these versions.

Also applies to: 232-232

✅ Verification successful

Version updates are consistently applied across the codebase

The verification shows that both version updates (cosmos-sdk v1.25.0-sdk-v0.46.16 and celestia-core v1.44.0-tm-v0.34.35) are consistently applied in both the main go.mod and test/interchain/go.mod files. The replacements are properly synchronized across the codebase, maintaining version consistency.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify version compatibility between cosmos-sdk and tendermint

# Check for any known issues or breaking changes between these specific versions
rg -l "breaking.*change|compatibility.*issue" -g "CHANGELOG.md" | while read -r file; do
  echo "=== Checking $file ==="
  rg "v1.25.0-sdk-v0.46.16|v1.44.0-tm-v0.34.35" "$file" -C 5
done

Length of output: 227

---

Script:

#!/bin/bash
# Let's try a different approach to verify version compatibility

# 1. Check go.mod files for these specific versions
echo "=== Checking go.mod files for version references ==="
rg "v1.25.0-sdk-v0.46.16|v1.44.0-tm-v0.34.35" -g "go.mod"

# 2. Look for any version-related files or documentation
echo -e "\n=== Checking for version documentation ==="
fd -g "*version*.{md,txt}" -g "*UPGRADE*.{md,txt}" -g "CHANGELOG.md"

# 3. Check for any dependency constraints or requirements
echo -e "\n=== Checking dependency requirements ==="
rg "require.*cosmos-sdk|require.*tendermint" -g "go.mod"

Length of output: 1085

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

📝 Walkthrough

Walkthrough

The go.mod file for the github.com/celestiaorg/celestia-app/test/interchain module has been updated to reflect changes in dependency versions. The Go version remains at 1.23.1, with several indirect dependencies being upgraded to newer versions. Some dependencies were also removed, and the replace section was modified to update specific package versions.

Changes

File	Change Summary
test/interchain/go.mod	- Updated multiple dependencies to newer versions, including:
	- cloud.google.com/go/compute/metadata from v0.2.3 to v0.3.0
	- github.com/BurntSushi/toml from v1.3.2 to v1.4.1-0.20240526193622-a339e1f7089c
	- github.com/celestiaorg/nmt from v0.22.0 to v0.22.2
	- github.com/cespare/xxhash/v2 from v2.2.0 to v2.3.0
	- github.com/go-logr/logr from v1.4.1 to v1.4.2
	- github.com/golang/glog from v1.2.0 to v1.2.1
	- github.com/gorilla/websocket from v1.5.0 to v1.5.3
	- github.com/prometheus/client_golang from v1.19.1 to v1.20.3
	- go.opentelemetry.io/otel from v1.24.0 to v1.30.0
	- golang.org/x/crypto from v0.21.0 to v0.27.0
	- Removed several dependencies, including google.golang.org/appengine and older versions.
	- Updated replace section for github.com/cosmos/cosmos-sdk and github.com/tendermint/tendermint.

Possibly related PRs

• chore(deps): upgrade to celestia-core v1.37.0-tm-v0.34.29 #3607: This PR updates the go.mod file for test/interchain, which includes a version bump for github.com/celestiaorg/nmt, similar to the updates in the main PR.
• chore(deps): upgrade to cosmos-sdk v1.23.0 #3629: The go.mod file in this PR also updates the github.com/cosmos/cosmos-sdk dependency, which is relevant to the changes made in the main PR.
• chore(deps): upgrade to celestia-core v1.38.0 #3659: This PR updates the github.com/tendermint/tendermint dependency in the test/interchain/go.mod, which aligns with the updates in the main PR.
• chore(deps): upgrade to celestia-core v1.44.0 #4059: This PR involves an upgrade to github.com/tendermint/tendermint in the go.mod file, which is related to the dependency updates in the main PR.

Suggested labels

backport:v3.x

Suggested reviewers

• staheri14
• ninabarbakadze
• evan-forbes
• cmwaters

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 61aa46b and 66c54e8.

⛔ Files ignored due to path filters (1)

• test/interchain/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• test/interchain/go.mod (9 hunks)

🔇 Additional comments (4)

test/interchain/go.mod (4)

Line range hint 1-11: LGTM: Direct dependencies are appropriate for testing

The module configuration and direct dependencies are well-structured and aligned with the testing requirements.

---

227-232: LGTM: Celestia-specific replacements align with PR objectives

The updates to cosmos-sdk and tendermint versions match the PR objectives:

- github.com/cosmos/cosmos-sdk => github.com/celestiaorg/cosmos-sdk v1.24.0-sdk-v0.46.16
+ github.com/cosmos/cosmos-sdk => github.com/celestiaorg/cosmos-sdk v1.25.0-sdk-v0.46.16
- github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v0.34.29
+ github.com/tendermint/tendermint => github.com/celestiaorg/celestia-core v1.44.0-tm-v0.34.35

---

Line range hint 219-225: Verify interchaintest replacement compatibility

The replacement of interchaintest with a forked version needs verification:

- github.com/strangelove-ventures/interchaintest/v6 => github.com/rootulp/interchaintest/v6 v6.1.0

This is noted as temporary until PR #1051 is merged.

---

Line range hint 12-216: Verify compatibility with major version updates

Several dependencies have significant version updates. While these updates are generally good for security and features, please ensure compatibility, particularly for:

• cloud.google.com/go/compute/metadata v0.2.3 → v0.3.0
• github.com/prometheus/* packages with major version bumps
• go.opentelemetry.io/otel v1.24.0 → v1.30.0

✅ Verification successful

Dependency updates appear safe to proceed

The version updates are minor and patch releases that maintain backward compatibility:

• Prometheus client libraries (v1.19.1 → v1.20.3): Minor version bump with no direct usage in the codebase
• OpenTelemetry (v1.24.0 → v1.30.0): Patch version changes within the same major version
• No direct usage of these libraries was found in the codebase
• No conflicting replace directives exist for these packages

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in major version updates

# Check if the updated versions have any known compatibility issues
echo "Checking prometheus/client_golang compatibility..."
gh api repos/prometheus/client_golang/releases/tags/v1.20.3 | jq -r '.body' | grep -i "breaking"

echo "Checking opentelemetry-go compatibility..."
gh api repos/open-telemetry/opentelemetry-go/releases/tags/v1.30.0 | jq -r '.body' | grep -i "breaking"

Length of output: 402

---

Script:

#!/bin/bash
# Let's try a different approach to check for potential breaking changes
# by examining the go.mod changes and dependency usage

# Find all Go files that might use these dependencies
echo "Files using prometheus/client_golang:"
rg --type go "github.com/prometheus/client_golang" -l

echo -e "\nFiles using opentelemetry:"
rg --type go "go.opentelemetry.io/otel" -l

echo -e "\nChecking go.mod history for these dependencies:"
git diff HEAD~1 test/interchain/go.mod | grep -E "github.com/prometheus/|opentelemetry"

# Check if there are any replace directives for these packages
echo -e "\nChecking replace directives:"
grep -A 5 "^replace" test/interchain/go.mod

Length of output: 2463

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[rootulp]

Thanks for the PR

[rootulp]

this version number looks suspect so I looked into why

$ go mod why github.com/BurntSushi/toml
go: downloading github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5
go: downloading github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b
# github.com/BurntSushi/toml
github.com/celestiaorg/celestia-app/test/interchain/chainspec
github.com/strangelove-ventures/interchaintest/v6/testutil
github.com/BurntSushi/toml

https://github.com/strangelove-ventures/interchaintest/blob/8f0bb15278f0d3ac33dba9e330e50b5319ab2bc2/go.mod#L19

and then I tried the bumping the versions used in the replace directive and ran go mod tidy and got the same result so seems fine