
Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Nov 14, 2025

Bumps the go_modules group with 1 update in the /apps/evm/single directory: github.com/consensys/gnark-crypto.
Bumps the go_modules group with 3 updates in the /execution/evm/test directory: github.com/consensys/gnark-crypto, github.com/cometbft/cometbft and github.com/dvsekhvalnov/jose2go.

Updates github.com/consensys/gnark-crypto from 0.18.0 to 0.18.1

Release notes

Sourced from github.com/consensys/gnark-crypto's releases.

v0.18.1

Full Changelog: Consensys/gnark-crypto@v0.18.0...v0.18.1

Changelog

Sourced from github.com/consensys/gnark-crypto's changelog.

[v0.18.1] - 2025-10-28

Docs

  • add CHANGELOG for 0.18.1

Perf

  • limit memory allocation during Vector deserialization (#759)

Commits

Updates github.com/cometbft/cometbft from 0.38.17 to 0.38.19

Release notes

Sourced from github.com/cometbft/cometbft's releases.

v0.38.19

This is a security patch release to the CometBFT v0.38.x family that fixes GHSA-hrhf-2vcr-ghch

What's Changed

Full Changelog: cometbft/cometbft@v0.38.18...v0.38.19

v0.38.18

What's Changed

Full Changelog: cometbft/cometbft@v0.38.17...v0.38.18

Changelog

Sourced from github.com/cometbft/cometbft's changelog.

v0.38.19

October 14, 2025

This release fixes two security issues, including (ASA-2025-003). Users are encouraged to upgrade as soon as possible.

Additionally included is a bug fix to properly prune extended commits (with vote extensions).

BUG-FIXES

  • [consensus] Reject oversized proposals (#5324)
  • [store] Prune extended commits properly (5275)
  • [bits] Validate BitArray mismatched Bits and Elems length (ASA-2025-003)

v0.38.18

July 3, 2025

Adds precommit metrics and reindex CLI command.

IMPROVEMENTS

  • Adds metrics that emit precommit data; precommit quorum delay from proposal, and precommit vote count and stake weight within timeout commit period. (#5251)

Commits

Updates github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the go_modules group with 1 update in the /apps/evm/single directory: [github.com/consensys/gnark-crypto](https://github.com/consensys/gnark-crypto).
Bumps the go_modules group with 3 updates in the /execution/evm/test directory: [github.com/consensys/gnark-crypto](https://github.com/consensys/gnark-crypto), [github.com/cometbft/cometbft](https://github.com/cometbft/cometbft) and [github.com/dvsekhvalnov/jose2go](https://github.com/dvsekhvalnov/jose2go).


Updates `github.com/consensys/gnark-crypto` from 0.18.0 to 0.18.1
- [Release notes](https://github.com/consensys/gnark-crypto/releases)
- [Changelog](https://github.com/Consensys/gnark-crypto/blob/master/CHANGELOG.md)
- [Commits](Consensys/gnark-crypto@v0.18.0...v0.18.1)

Updates `github.com/consensys/gnark-crypto` from 0.18.0 to 0.18.1
- [Release notes](https://github.com/consensys/gnark-crypto/releases)
- [Changelog](https://github.com/Consensys/gnark-crypto/blob/master/CHANGELOG.md)
- [Commits](Consensys/gnark-crypto@v0.18.0...v0.18.1)

Updates `github.com/cometbft/cometbft` from 0.38.17 to 0.38.19
- [Release notes](https://github.com/cometbft/cometbft/releases)
- [Changelog](https://github.com/cometbft/cometbft/blob/v0.38.19/CHANGELOG.md)
- [Commits](cometbft/cometbft@v0.38.17...v0.38.19)

Updates `github.com/dvsekhvalnov/jose2go` from 1.6.0 to 1.7.0
- [Commits](dvsekhvalnov/jose2go@v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/consensys/gnark-crypto
  dependency-version: 0.18.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/consensys/gnark-crypto
  dependency-version: 0.18.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/cometbft/cometbft
  dependency-version: 0.38.19
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/dvsekhvalnov/jose2go
  dependency-version: 1.7.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Nov 14, 2025
@claude
Contributor

claude bot commented Nov 17, 2025

Claude finished @dependabot[bot]'s task


Code Review Complete

I've reviewed this Dependabot PR that updates Go module dependencies across 2 directories with 3 package updates. Here's my comprehensive analysis:

Tasks

  • Read changed files
  • Analyze security implications
  • Check for breaking changes
  • Verify dependency compatibility
  • Provide comprehensive review feedback

Summary

This PR updates three dependencies with patch/minor version bumps:

  1. github.com/consensys/gnark-crypto: v0.18.0 → v0.18.1 (patch)
  2. github.com/cometbft/cometbft: v0.38.17 → v0.38.19 (patch)
  3. github.com/dvsekhvalnov/jose2go: v1.6.0 → v1.7.0 (minor)

Recommendation: ✅ Approve after CI passes


Detailed Review

1. Code Quality & Architecture ✅

Verdict: No issues

  • Changes are limited to go.mod and go.sum files only
  • No code changes required - these are indirect dependencies
  • All updates follow semantic versioning appropriately
  • The modular go.mod structure (apps/evm/single and execution/evm/test) is maintained correctly

2. Security Analysis 🔒

Verdict: Important security fixes included

Critical Security Fix in CometBFT v0.38.19

The CometBFT update includes ASA-2025-003 (GHSA-hrhf-2vcr-ghch):

  • Issue: Validates BitArray mismatched Bits and Elems length
  • Impact: This fixes a potential denial-of-service vulnerability
  • Additional fixes:
    • Rejects oversized proposals (consensus/reactor)
    • Properly prunes extended commits (store)

This is a security-critical update and should be merged promptly.

dvsekhvalnov/jose2go v1.7.0

From the commits, this version adds:

  • Limitation for deflate decompression stream (issue #33)
  • This prevents potential DoS attacks via zip bomb-style compression attacks

This is also a security-related improvement.

consensys/gnark-crypto v0.18.1

  • Performance improvement: Limits memory allocation during Vector deserialization (#759)
  • Prevents potential memory exhaustion issues

3. Breaking Changes Analysis ✅

Verdict: No breaking changes detected

All updates are patch or minor version bumps:

  • gnark-crypto (0.18.0 → 0.18.1): Patch - backward compatible
  • cometbft (0.38.17 → 0.38.19): Patch - backward compatible
  • jose2go (1.6.0 → 1.7.0): Minor - backward compatible per semantic versioning

The changes are performance and security fixes without API modifications.

4. Dependency Compatibility ✅

Verdict: Compatible

All three dependencies are indirect dependencies (marked with // indirect in go.mod):

  • They are pulled in by other direct dependencies
  • No code in ev-node directly imports these packages
  • The updates maintain compatibility with existing direct dependencies

Affected Modules:

  • /apps/evm/single/go.mod - gnark-crypto only
  • /execution/evm/test/go.mod - all three updates
  • /test/e2e/go.mod - cometbft, gnark-crypto, jose2go (also updated in the diff)

5. Testing & Reliability ⏳

Verdict: Waiting for CI

  • CI checks are currently queued/in progress
  • Unit tests should pass as these are indirect dependencies with no breaking changes
  • Integration tests will verify compatibility with the consensus layer (important for CometBFT)
  • E2E tests will validate the full stack

Recommendation: Wait for CI to complete before merging, particularly:

  • make test - unit tests
  • make test-integration - integration tests
  • make test-e2e - end-to-end tests

6. Resource Efficiency & Performance ✅

Verdict: Performance improvements included

All three updates include performance/resource efficiency improvements:

  1. gnark-crypto: Limits memory allocation during deserialization (reduces memory pressure)
  2. cometbft: Properly prunes extended commits (reduces storage growth)
  3. jose2go: Limits deflate decompression (prevents resource exhaustion)

Specific Observations

File: apps/evm/single/go.mod

- github.com/consensys/gnark-crypto v0.18.0 // indirect
+ github.com/consensys/gnark-crypto v0.18.1 // indirect
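Review bot: the go.sum side of this bump is not shown; check that go.sum in apps/evm/single gained both the `h1:` and `/go.mod` lines for gnark-crypto v0.18.1 and that `go mod verify` passes, so the checksum database covers the new module contents rather than only the version string in go.mod.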

✅ Good: Minimal, focused update to patch version only.

File: execution/evm/test/go.mod

- github.com/cometbft/cometbft v0.38.17 // indirect
+ github.com/cometbft/cometbft v0.38.19 // indirect
- github.com/consensys/gnark-crypto v0.18.0 // indirect
+ github.com/consensys/gnark-crypto v0.18.1 // indirect
- github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
+ github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
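Review bot: all three requirements in this hunk are `// indirect` lines in a test module, so the patched cometbft v0.38.19 (ASA-2025-003) only reaches what execution/evm/test builds; any module in the repo that ships a binary keeps whatever version its own go.mod selects, and the apps/evm/single hunk above bumps gnark-crypto only. Run `go list -m github.com/cometbft/cometbft` in each module that produces a deployable artifact to confirm the version actually selected, and `govulncheck ./...` there to see whether the vulnerable symbols are reachable at all.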

✅ Good: All updates are appropriate for a test module.

Additional Change: Workflow File

- go-version: "1.22"
+ check-latest: true
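Review bot: dropping the pinned `go-version: "1.22"` in favour of `check-latest: true` does not by itself select a Go version; in actions/setup-go, `check-latest` only tells the action to look for the newest toolchain matching the version spec it was given. Unless the same step also carries a `go-version` or `go-version-file: go.mod` input, the job builds with whatever Go the runner image provides, which may not be the 1.24.6 the go.mod files require. Suggest `go-version-file: go.mod` alongside `check-latest: true` so CI tracks the module's own toolchain requirement.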

✅ Good: The workflow now uses the latest Go version, which aligns with the project's go 1.24.6 requirement in go.mod files. This ensures CI uses an up-to-date Go toolchain.


Recommendations

Immediate Actions

  1. ✅ Approve this PR - The dependency updates are beneficial and necessary
  2. ⏳ Wait for CI to pass - Ensure all tests pass before merging
  3. 🚀 Merge promptly - The CometBFT security fix (ASA-2025-003) should be deployed soon

Post-Merge Actions

  1. Monitor - Watch for any unexpected behavior in consensus operations (CometBFT impact area)
  2. Deploy - Consider expedited deployment given the security fixes
  3. Verify - Confirm proper operation of:
    • JWT token processing (jose2go affected)
    • ZK proof operations (gnark-crypto affected)
    • Consensus and block validation (CometBFT affected)

Follow-up (Optional)

Consider adding automated security scanning in CI to catch vulnerable dependencies earlier:

- name: Run govulncheck
  run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

Risk Assessment

| Risk Area | Level | Notes |
|---|---|---|
| Breaking Changes | 🟢 Low | All semantic versioning compatible |
| Security Impact | 🔴 High (positive) | Critical security fixes included |
| Performance Impact | 🟢 Low (positive) | Memory and storage improvements |
| Integration Risk | 🟡 Medium | CometBFT consensus changes require validation |
| Rollback Complexity | 🟢 Low | Simple dependency revert if needed |

Overall Risk: Low - The benefits significantly outweigh the risks.


Conclusion

This is a well-structured, security-focused dependency update that:

  • ✅ Fixes critical security vulnerabilities (CometBFT ASA-2025-003)
  • ✅ Improves resource efficiency and performance
  • ✅ Maintains backward compatibility
  • ✅ Follows semantic versioning principles
  • ✅ Includes no breaking changes

Final Recommendation: Approve and merge after CI passes 🎯

The security fixes in CometBFT (ASA-2025-003) and jose2go make this update important for production security posture.
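The review above names three defensive patterns in the bumped libraries: bounding the output of a deflate stream (jose2go's decompression limit), validating a length prefix before allocating (gnark-crypto's Vector deserialization) and rejecting a BitArray whose Bits and Elems lengths disagree (CometBFT, ASA-2025-003). The Go program below is an added illustration of those three checks in generic form; it is not code from this PR or from jose2go, gnark-crypto or CometBFT, and the function names, the 4-byte big-endian length prefix and the 64-bit backing-word layout are assumptions made for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrLimit is returned whenever untrusted input would push allocation or
// output past the caller's configured bound.
var ErrLimit = errors.New("input exceeds configured limit")

// InflateBounded decompresses a raw DEFLATE stream but refuses to produce
// more than maxOut bytes. Reading one byte past the limit is what lets us
// tell "exactly maxOut bytes" apart from "more than maxOut bytes".
func InflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr := flate.NewReader(bytes.NewReader(compressed))
	defer zr.Close()
	// LimitReader stops after maxOut+1 bytes, so the buffer can never grow
	// past that regardless of the input's compression ratio.
	out, err := io.ReadAll(io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrLimit
	}
	return out, nil
}

// deflateBytes is a helper for the demo: compress b with the highest level.
func deflateBytes(b []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}

// DecodeVector parses an assumed wire format: a 4-byte big-endian element
// count followed by count*elemSize bytes. The count is checked against a
// hard cap and against the bytes actually present before any slice is
// allocated, so a forged count cannot force a huge allocation.
func DecodeVector(buf []byte, elemSize int, maxElems uint32) ([][]byte, error) {
	if len(buf) < 4 {
		return nil, io.ErrUnexpectedEOF
	}
	n := binary.BigEndian.Uint32(buf[:4])
	if n > maxElems {
		return nil, fmt.Errorf("%w: %d elements > max %d", ErrLimit, n, maxElems)
	}
	body := buf[4:]
	if uint64(len(body)) < uint64(n)*uint64(elemSize) {
		return nil, io.ErrUnexpectedEOF
	}
	elems := make([][]byte, n) // n is bounded by both checks above
	for i := range elems {
		elems[i] = body[i*elemSize : (i+1)*elemSize]
	}
	return elems, nil
}

// BitArray is a word-backed bit set: Bits is the logical length and Elems
// holds the backing 64-bit words (layout assumed for this example).
type BitArray struct {
	Bits  int
	Elems []uint64
}

// NewBitArrayFromParts rejects a Bits/Elems mismatch up front: Bits bits
// need exactly ceil(Bits/64) words, no more and no fewer.
func NewBitArrayFromParts(bits int, elems []uint64) (*BitArray, error) {
	if bits < 0 {
		return nil, errors.New("negative bit length")
	}
	want := (bits + 63) / 64
	if len(elems) != want {
		return nil, fmt.Errorf("bit array: %d bits needs %d elems, got %d", bits, want, len(elems))
	}
	return &BitArray{Bits: bits, Elems: elems}, nil
}

func main() {
	// Constructed inputs: 1 MiB of zeros compresses to a few hundred bytes.
	small := deflateBytes(make([]byte, 1<<20))
	_, err := InflateBounded(small, 64*1024)
	fmt.Println("1 MiB from", len(small), "compressed bytes, 64 KiB limit:", err)
	_, err = DecodeVector([]byte{0xff, 0xff, 0xff, 0xff}, 32, 1<<16)
	fmt.Println("forged element count:", err)
	_, err = NewBitArrayFromParts(100, make([]uint64, 1))
	fmt.Println("mismatched bit array:", err)
}
```

The common thread is that every bound is enforced before the allocation or read it protects, using the caller's limit rather than a size the input supplies; the extra byte read in InflateBounded is the usual way to detect an over-limit stream without first buffering it in full.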


@github-actions
Contributor

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
|---|---|---|---|---|
| ✅ passed | ⏩ skipped | ✅ passed | ✅ passed | Nov 17, 2025, 12:06 PM |

@codecov

codecov bot commented Nov 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.76%. Comparing base (6238251) to head (321e2fc).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2846      +/-   ##
==========================================
+ Coverage   64.66%   64.76%   +0.09%     
==========================================
  Files          81       81              
  Lines        7169     7169              
==========================================
+ Hits         4636     4643       +7     
+ Misses       1993     1986       -7     
  Partials      540      540              
| Flag | Coverage Δ |
|---|---|
| combined | 64.76% <ø> (+0.09%) ⬆️ |


@julienrbrt julienrbrt merged commit b940439 into main Nov 17, 2025
28 checks passed
@julienrbrt julienrbrt deleted the dependabot/go_modules/apps/evm/single/go_modules-482f3545f5 branch November 17, 2025 12:34
@github-project-automation github-project-automation bot moved this to Done in Evolve Nov 17, 2025
alpe added a commit that referenced this pull request Nov 17, 2025
* main:
  build(deps): Bump the go_modules group across 2 directories with 3 updates (#2846)
  build(deps): Bump github.com/dvsekhvalnov/jose2go from 1.7.0 to 1.8.0 in /test/e2e (#2851)
  build(deps): Bump github.com/consensys/gnark-crypto from 0.18.0 to 0.18.1 in /test/e2e (#2844)
  build(deps): Bump github.com/cometbft/cometbft from 0.38.17 to 0.38.19 in /test/e2e (#2843)
  build(deps): Bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in /test/e2e (#2845)