v0.40.3

.changelog/v0.40.3/bug-fixes/2025-003-check-duplicate-votes.md

@@ -0,0 +1,2 @@
+- `[light-client-verifier]` check for duplicate votes
+  ([ISA-2025-003](https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-6jrf-4jv4-r9mw))

.changelog/v0.40.3/summary.md

@@ -0,0 +1,4 @@
+*April 8, 2025*
+
+This release fixes a security vulnerability. All users are advised to update
+ASAP.

CHANGELOG.md

@@ -1,16 +1,20 @@
 # CHANGELOG
 
-## Unreleased
+## v0.40.3
 
-> Nothing yet.
+*April 8, 2025*
 
-## 0.40.2
-
-*April 3rd, 2025*
+This release fixes a security vulnerability. All users are advised to update
+ASAP.
 
 ### BUG FIXES
 
-- [tendermint-rpc] Strip auth info from URL to avoid double `Authorization` header ([\#1494](https://github.com/informalsystems/tendermint-rs/pull/1494))
+- [tendermint] export `abci::event::v0_37` to construct `EventAttribute::V037` variants.
+  ([\#1479](https://github.com/informalsystems/tendermint-rs/pull/1479), ([\#1480](https://github.com/informalsystems/tendermint-rs/pull/1480))
+- [tendermint-light-client-js] bump `serde-wasm-bindgen` to `v0.6.5` and `js-sys` to `=v0.3.70` to
+  fix compilation failure of `wasm-bindgen-test`. ([\#1481](https://github.com/informalsystems/tendermint-rs/pull/1481))
+- `[light-client-verifier]` check for duplicate votes
+  ([ISA-2025-003](https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-6jrf-4jv4-r9mw))
 
 ## 0.40.1
 
@@ -46,7 +50,7 @@ This release adds a new dialect for CometBFT `v0.38.x`, enabling the correct ser
 
 *August 9th, 2024*
 
-This is a bugfix release which addresses a couple issues found in the v0.39.0 release.
+This is a bugfix release which addresses a few issues found in the v0.39.0 release.
 
 Users of v0.39.0 are strongly encouraged to upgrade to v0.39.1.
 
@@ -106,7 +110,6 @@ This release enhances `/block_results` response handling, relaxes `Block` valida
 - `[tendermint-proto]`: Update `prost` to v0.13 and `tonic` to v0.12
   ([\#1444](https://github.com/informalsystems/tendermint-rs/pull/1444))
 
-
 ### BUG
 
 - `[tendermint-rpc]` Deserialize an empty JSON object as `None` for the `consensus_param_updates`
@@ -132,26 +135,33 @@ Additionally, this release fixes a couple of issues with the `serde`-based deser
 ### BREAKING CHANGES
 
 - `[tendermint-proto]` Upgrade `tonic` to v0.11 ([\#1422](https://github.com/informalsystems/tendermint-rs/pull/1422))
-- `[tendermint-light-client-verifier]` Restores the commit verification interfaces of `PredicateVerifier<P, C, V>` from `<= 0.35.0` ([\#1423](https://github.com/informalsystems/tendermint-rs/pull/1423))
+- `[tendermint-light-client-verifier]` Restores the commit verification interfaces of `PredicateVerifier<P, C, V>` from `<= 0.35.0`.
   * `verify_commit(&self. untrusted: &UntrustedBlockState<'_>)` is restored, as in <= 0.35.0.
   * `verify_commit(&self, untrusted: &UntrustedBlockState<'_>, trusted: &TrustedBlockState<'_>,)` introduced in 0.36.0 is renamed to `verify_commit_against_trusted`.
   The performance improvements made in the `0.36.0` release are still intact.
+  ([\#1423](https://github.com/informalsystems/tendermint-rs/pull/1423))
+
+### BUG FIXES
+
+- `[tendermint-abci]` Add serde default for Event.type since it has omitempty in the Go
+  implementation.
+  ([\#1416](https://github.com/informalsystems/tendermint-rs/pull/1416))
 
 ### FEATURES
 
-* `[tendermint-rpc]` Add a way to specify custom User-Agent for `HttpClient` ([#1425](https://github.com/informalsystems/tendermint-rs/issues/1425))
-- `[tendermint-rpc]` Add a `client()` method on `transport::http::Builder` to override the underlying `reqwest` client ([\#1421](https://github.com/informalsystems/tendermint-rs/pull/1421))
-- `[tendermint-rpc]` Add a `from_raw_parts()` method on `transport::http::HttpClient` to allow supplying the underlying `reqwest` client ([\#1421](https://github.com/informalsystems/tendermint-rs/pull/1421))
+- `[tendermint-rpc]` Add a `client()` method on `transport::http::Builder` to override the underlying `reqwest` client.
+  ([\#1421](https://github.com/informalsystems/tendermint-rs/pull/1421))
+- `[tendermint-rpc]` Add a `from_raw_parts()` method on `transport::http::HttpClient` to allow supplying the underlying `reqwest` client.
+  ([\#1421](https://github.com/informalsystems/tendermint-rs/pull/1421))
 
-### BUG FIXES
+### IMPROVEMENTS
 
+* `[tendermint-rpc]` Add a way to specify custom User-Agent for HttpClient
+  ([#1425](https://github.com/informalsystems/tendermint-rs/issues/1425))
 - `[tendermint]` Fix `FinalizeBlock::validator_updates` deserialization as `nullable` ([\#1428](https://github.com/informalsystems/tendermint-rs/pull/1428))
-- `[tendermint-abci]` Add serde `default` annotation for `Event::type` to match `omitempty` in the Go implementation ([\#1416](https://github.com/informalsystems/tendermint-rs/pull/1416))
 
 ## v0.36.0
 
-*April 25th, 2024*
-
 This release brings substantial performance improvements to the voting power computation within the light client, improves the handling of misformed blocks (eg. with empty `last_commit` on non-first block) when decoding them from Protobuf or RPC responses, and adds missing `serde` derives on some Protobuf definitions.
 
 This release also technically contains a breaking change in `tendermint-proto`, but this should not impact normal use of the library, as the `ToPrimitive` impl that was removed on `BlockIdFlag` trait did not provide any additional functionality.
@@ -198,12 +208,12 @@ This release also technically contains a breaking change in `tendermint-proto`,
 - `[tendermint]` Allow misformed blocks (eg. with empty `last_commit`
   on non-first block) when decoding them from Protobuf or RPC responses
   ([\#1403](https://github.com/informalsystems/tendermint-rs/issues/1403))
-- `[tendermint]` Check `index ≤ i32::MAX` invariant when converting `usize`
-  into `ValidatorIndex`.
-  ([\#1411](https://github.com/informalsystems/tendermint-rs/issues/1411))
 - `[light-client-verifier]` Optimise validators lookup in
   `ProvidedVotingPowerCalculator::voting_power_in` method.
   ([\#1407](https://github.com/informalsystems/tendermint-rs/pull/1407))
+- `[tendermint]` Check `index ≤ i32::MAX` invariant when converting `usize`
+  into `ValidatorIndex`.
+  ([\#1411](https://github.com/informalsystems/tendermint-rs/issues/1411))
 - `[tendermint-light-client-verifier]` Reuse buffer used to store
   sign_bytes to reduce number of allocations and deallocations.
   ([\#1413](https://github.com/informalsystems/tendermint-rs/pull/1413))
@@ -212,7 +222,7 @@ This release also technically contains a breaking change in `tendermint-proto`,
 
 This release brings breaking changes related to `flex-error`,
 `EventAttribute` fields and `/tx_broadcast` `Response`  struct,
-as well as a critical bug fix for `tendermint-p2p`,
+as well as a critical bug fix for `tendermint-p2p`, 
 multiple improvements to `tendermint-rpc` and
 a performance optimization for `tendermint-light-client-verifier`.
 
@@ -226,28 +236,30 @@ a performance optimization for `tendermint-light-client-verifier`.
   `EventAttribute` when deserializing. The serialization schema for the fields
   is changed to `Option<String>`
   ([\#1375](https://github.com/informalsystems/tendermint-rs/issues/1375)).
-- `[tendermint-rpc]` Add the `codespace` field to the Tx sync and async broadcast `Response`
+- Add the `codespace` field to the Tx sync and async broadcast `Response`
   ([\#1382](https://github.com/informalsystems/tendermint-rs/issues/1382))
 
 ### BUG FIXES
 
+- `[tendermint-rpc]` Fix deserialization of `/block_results` response when some
+  tx results are non-ok ([\#1391](https://github.com/informalsystems/tendermint-
+  rs/pull/1391))
 - `[tendermint-p2p]` Fix data corruption on sending long messages via `SecretConnection`
   ([\#1393](https://github.com/informalsystems/tendermint-rs/pull/1393))
-- `[tendermint-rpc]` Fix deserialization of `/block_results` response when some
-  tx results are non-ok ([\#1391](https://github.com/informalsystems/tendermint-rs/pull/1391))
 
 ### IMPROVEMENTS
 
+- `[tendermint-rpc]` Add `FromStr`, `Serialize` and `Deserialize` instances
+  to `CompatMode` ([\#1374](https://github.com/informalsystems/tendermint-
+  rs/issues/1374))
 - `[tendermint-rpc]` Export the `http`, `websocket`
   modules under `client`, each with the public `Builder` type
   ([\#1378](https://github.com/informalsystems/tendermint-rs/pull/1378)).
-- `[tendermint-rpc]` Allow specifying a request timeout for the RPC `HttpClient`.
+- Allow specifying a request timeout for the RPC `HttpClient`.
   `http::Builder` now provides a `.timeout(Duration)` method to specify the request timeout.
   If not specified, the default value is 30 seconds.
   ([\#1379](https://github.com/informalsystems/tendermint-rs/issues/1379))
-- `[tendermint-rpc]` Add `FromStr`, `Serialize` and `Deserialize` instances
-  to `CompatMode` ([\#1374](https://github.com/informalsystems/tendermint-rs/issues/1374))
-- `[tendermint-light-client-verifier]` Optimizing voting power calculation by breaking the loop when we have enough voting power
+- `[tendermint-light-client-verifer]` Optimizing voting power calculation by breaking the loop when we have enough voting power 
   ([#1378](https://github.com/informalsystems/tendermint-rs/pull/1395)).
 
 ## v0.34.0
@@ -289,8 +301,6 @@ Support for Secp256k1 consensus keys has been added as an optional feature.
 - `[tendermint-rpc]` Turn non-200 HTTP response into an error
   instead of trying to parse the body as a JSON-RPC response
   ([\#1359](https://github.com/informalsystems/tendermint-rs/issues/1359))
-- `[tendermint-rpc]` Make `rpc::Client` and `SubscriptionClient` traits `?Send` under `wasm32` target.
-  ([\#1385](https://github.com/informalsystems/tendermint-rs/issues/1385))
 
 ### SECURITY
 
@@ -578,7 +588,7 @@ should be able to interoperate with CometBFT nodes based on 0.34.x and
 ### IMPROVEMENTS
 
 - [`tendermint-proto`] Generate prost bindings for Tendermint 0.34 and 0.37 side by side.
-  The version-specific structs are placed under the `tendermint::v0_34` and
+  The version-specific structs are placed under the `tendermint::v0_34` and 
   `tendermint::v0_37` module namespaces, respectively. The names under
   `tendermint::v0_37` are also re-exported under `tendermint`.
   ([#1193](https://github.com/informalsystems/tendermint-rs/pull/1193))
@@ -803,7 +813,7 @@ further breaking changes in subsequent breaking releases.
   endpoint has been changed to base64 (from hex) to accommodate discrepancies in
   how the Tendermint RPC encodes this field for different RPC interfaces
   ([#942](https://github.com/informalsystems/tendermint-rs/issues/942))
-- Allow a `TrustThresholdFraction` of 1
+- Allow a `TrustThresholdFraction` of 1  
   ([#1208](https://github.com/informalsystems/tendermint-rs/issues/1208))
 
 ### ENHANCEMENTS
@@ -1076,18 +1086,18 @@ not yet support `no_std`.
 - Upgraded Prost to the official v0.9 release to finally resolve the security
   issue introduced by v0.7
   ([#925](https://github.com/informalsystems/tendermint-rs/issues/925))
-- `[tendermint, tendermint-config]` The `tendermint::config`
-  module has now been broken out into its own crate (`tendermint-
-  config`) to help towards facilitating `no_std` compatibility
-  ([#983](https://github.com/informalsystems/tendermint-rs/issues/983))
-- `[tendermint]` The `tendermint::node::info::OtherInfo::rpc_address`
-  field type has been changed from `tendermint::net::Address`
-  to `String` toward facilitating `no_std` compatibility
-  ([#983](https://github.com/informalsystems/tendermint-rs/issues/983))
 - `[tendermint]` The `tendermint::node::info::ListenAddress::to_net_address`
   method was replaced with a simple `as_str` method toward facilitating
   `no_std` compatibility ([#983](https://github.com/informalsystems/tendermint-
   rs/issues/983))
+- `[tendermint]` The `tendermint::node::info::OtherInfo::rpc_address`
+  field type has been changed from `tendermint::net::Address`
+  to `String` toward facilitating `no_std` compatibility
+  ([#983](https://github.com/informalsystems/tendermint-rs/issues/983))
+- `[tendermint, tendermint-config]` The `tendermint::config`
+  module has now been broken out into its own crate (`tendermint-
+  config`) to help towards facilitating `no_std` compatibility
+  ([#983](https://github.com/informalsystems/tendermint-rs/issues/983))
 
 ### FEATURES
 
@@ -1638,8 +1648,8 @@ documentation, for further details.
 
 *Aug 31, 2020*
 
-This release is the first release of the [testgen][testgen-dir] utility,
-a generator for Tendermint types for unit and integration tests and for model-based testing.
+This release is the first release of the [testgen][testgen-dir] utility, 
+a generator for Tendermint types for unit and integration tests and for model-based testing. 
 It is a utility for producing tendermint datastructures from minimal input, targeted for testing.
 
 The release also contains various Rust API-breaking changes. It remains compatible with v0.33 of Tendermint Core.
@@ -1697,7 +1707,7 @@ Together they provide a complete Tendermint light client implementation that per
 and attempts to detect forks across its peers. Complete TLA+ specifications for light client verification are included,
 along with work-in-progress specs for fork detection. The implementation is compatible with v0.33 of Tendermint Core.
 
-Note that both the [light-client][light-client-dir]  and [light-node][light-node-dir] crates are to be considered experimental software that will still undergo a
+Note that both the [light-client][light-client-dir]  and [light-node][light-node-dir] crates are to be considered experimental software that will still undergo a 
 lot of improvements and iterations. The goal of releasing an early version of our Light Client is to make it accessible, to get people use it, and to receive feedback.
 
 An overview of the current design of the light client is provided in [ADR-006]
@@ -1713,9 +1723,9 @@ and [ADR-007].
 ### FEATURES:
 
 - [light-client] Rewrite and expansion of `lite`, the prior light client
-  verification module, into a new fully-featured `light-client` crate. The crate provides a db,
+  verification module, into a new fully-featured `light-client` crate. The crate provides a db, 
   functions for complete light client verification, peer management, fork detection, and evidence reporting,
-  along with extensive testing. Components are composed via a `Supervisor`, which is run in its own thread,
+  along with extensive testing. Components are composed via a `Supervisor`, which is run in its own thread, 
   and exposes a Handle trait to broker access to underlying state and
   functionality. See the [light-client][light-client-dir] crate for details.
 - [light-node] New binary crate with CLI for running the light client as a daemon,

abci/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name        = "tendermint-abci"
-version     = "0.40.2"
+version     = "0.40.3"
 authors     = ["Informal Systems <hello@informal.systems>"]
 edition     = "2021"
 license     = "Apache-2.0"
@@ -33,7 +33,7 @@ binary = [
 [dependencies]
 bytes = { version = "1.0", default-features = false }
 prost = { version = "0.13", default-features = false }
-tendermint-proto = { version = "0.40.2", default-features = false, path = "../proto" }
+tendermint-proto = { version = "0.40.3", default-features = false, path = "../proto" }
 tracing = { version = "0.1", default-features = false }
 flex-error = { version = "0.4.4", default-features = false }
 structopt = { version = "0.3", optional = true, default-features = false }

config/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name       = "tendermint-config"
-version    = "0.40.2" # Also update depending crates (rpc, light-node, ..) when bumping this.
+version    = "0.40.3" # Also update depending crates (rpc, light-node, ..) when bumping this.
 license    = "Apache-2.0"
 homepage   = "https://www.tendermint.com/"
 repository = "https://github.com/informalsystems/tendermint-rs/tree/main/tendermint"
@@ -24,7 +24,7 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [dependencies]
-tendermint = { version = "0.40.2", default-features = false, features = ["rust-crypto"], path = "../tendermint" }
+tendermint = { version = "0.40.3", default-features = false, features = ["rust-crypto"], path = "../tendermint" }
 flex-error = { version = "0.4.4", default-features = false }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"

light-client-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name       = "tendermint-light-client-cli"
-version    = "0.40.2"
+version    = "0.40.3"
 edition    = "2021"
 license    = "Apache-2.0"
 readme     = "README.md"
@@ -23,10 +23,10 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [dependencies]
-tendermint = { version = "0.40.2", path = "../tendermint" }
-tendermint-rpc = { version = "0.40.2", path = "../rpc", features = ["http-client"] }
-tendermint-light-client = { version = "0.40.2", path = "../light-client" }
-tendermint-light-client-detector = { version = "0.40.2", path = "../light-client-detector" }
+tendermint = { version = "0.40.3", path = "../tendermint" }
+tendermint-rpc = { version = "0.40.3", path = "../rpc", features = ["http-client"] }
+tendermint-light-client = { version = "0.40.3", path = "../light-client" }
+tendermint-light-client-detector = { version = "0.40.3", path = "../light-client-detector" }
 
 clap = { version = "4.1.8", features = ["derive"] }
 color-eyre = "0.6.2"

light-client-detector/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name       = "tendermint-light-client-detector"
-version    = "0.40.2"
+version    = "0.40.3"
 edition    = "2021"
 license    = "Apache-2.0"
 readme     = "README.md"
@@ -23,10 +23,10 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [dependencies]
-tendermint = { version = "0.40.2", path = "../tendermint" }
-tendermint-rpc = { version = "0.40.2", path = "../rpc", features = ["http-client"] }
-tendermint-proto = { version = "0.40.2", path = "../proto" }
-tendermint-light-client = { version = "0.40.2", path = "../light-client" }
+tendermint = { version = "0.40.3", path = "../tendermint" }
+tendermint-rpc = { version = "0.40.3", path = "../rpc", features = ["http-client"] }
+tendermint-proto = { version = "0.40.3", path = "../proto" }
+tendermint-light-client = { version = "0.40.3", path = "../light-client" }
 
 crossbeam-channel = { version = "0.5.11", default-features = false }
 derive_more = { version = "0.99.5", default-features = false, features = ["display"] }

light-client-js/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name        = "tendermint-light-client-js"
-version     = "0.40.2"
+version     = "0.40.3"
 authors     = ["Informal Systems <hello@informal.systems>"]
 edition     = "2021"
 license     = "Apache-2.0"
@@ -22,8 +22,8 @@ default = ["console_error_panic_hook"]
 [dependencies]
 serde = { version = "1.0", default-features = false, features = [ "derive" ] }
 serde_json = { version = "1.0", default-features = false }
-tendermint = { version = "0.40.2", default-features = false, path = "../tendermint" }
-tendermint-light-client-verifier = { version = "0.40.2", features = ["rust-crypto"], default-features = false, path = "../light-client-verifier" }
+tendermint = { version = "0.40.3", default-features = false, path = "../tendermint" }
+tendermint-light-client-verifier = { version = "0.40.3", features = ["rust-crypto"], default-features = false, path = "../light-client-verifier" }
 wasm-bindgen = { version = "0.2.63", default-features = false, features = [ "serde-serialize" ] }
 serde-wasm-bindgen = { version = "0.6.5", default-features = false }
 js-sys = { version = "=0.3.70", default-features = false }

light-client-verifier/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name       = "tendermint-light-client-verifier"
-version    = "0.40.2"
+version    = "0.40.3"
 edition    = "2021"
 license    = "Apache-2.0"
 readme     = "README.md"
@@ -27,7 +27,7 @@ default = ["rust-crypto", "flex-error/std"]
 rust-crypto = ["tendermint/rust-crypto"]
 
 [dependencies]
-tendermint = { version = "0.40.2", path = "../tendermint", default-features = false }
+tendermint = { version = "0.40.3", path = "../tendermint", default-features = false }
 
 derive_more = { version = "0.99.5", default-features = false, features = ["display"] }
 serde = { version = "1.0.106", default-features = false }