chore(deps): bump Go version to 1.23.5 (cometbft#4888)

due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey

Author: melekes

.github/workflows/go-version.env

@@ -1,2 +1,2 @@
 # .github/workflows/go-version.env
-GO_VERSION=1.23.1
+GO_VERSION=1.23.5

.golangci.yml

@@ -9,12 +9,12 @@ linters:
     - contextcheck
     - cyclop
     - dupword
-    - errorlint
-    - errname
     - err113
+    - errname
+    - errorlint
+    - execinquery
     - exhaustive
     - exhaustruct
-    - execinquery
     - forbidigo
     - forcetypeassert
     - funlen
@@ -24,6 +24,7 @@ linters:
     - gocyclo
     - godox
     - gomnd
+    - gomoddirectives
     - interfacebloat
     - intrange
     - ireturn

README.md

@@ -75,7 +75,7 @@ Please see [SECURITY.md](./SECURITY.md).
 
 | CometBFT version | Requirement | Version        | Tested with  |
 |------------------|-------------|----------------|--------------|
-| main             | Go version  | 1.23 or higher | up to 1.23.1 |
+| main             | Go version  | 1.23 or higher | up to 1.23.5 |
 | v1.x             | Go version  | 1.23 or higher | up to 1.23.1 |
 | v0.38.x          | Go version  | 1.22 or higher | up to 1.22   |
 

api/go.mod

@@ -1,6 +1,6 @@
 module github.com/cometbft/cometbft/api
 
-go 1.23.1
+go 1.23.5
 
 require (
 	github.com/cosmos/gogoproto v1.4.12

docs/tutorials/go-built-in.md

@@ -48,7 +48,7 @@ have installed and the computer platform):
 
 ```bash
 $ go version
-go version go1.23.1 darwin/amd64
+go version go1.23.5 darwin/amd64
 
 ```
 
@@ -122,7 +122,7 @@ go: to add module requirements and sums:
 	go mod tidy
 ```
 
-go 1.23.1
+go 1.23.5
 Now, lets add `cometbft` as a dependency to our project. Run the `go get` command below:
 
 ```bash
@@ -143,7 +143,7 @@ The go.mod file should look similar to:
 ```go
 module kvstore
 
-go 1.23.1
+go 1.23.5
 
 require github.com/cometbft/cometbft v1.0.0 // indirect
 ```

docs/tutorials/go.md

@@ -46,7 +46,7 @@ Verify that you have the latest version of Go installed (refer to the [official
 
 ```bash
 $ go version
-go version go1.23.1 darwin/amd64
+go version go1.23.5 darwin/amd64
 ```
 
 ## 1.1 Installing CometBFT
@@ -137,7 +137,7 @@ The go.mod file should look similar to:
 ```go
 module kvstore
 
-go 1.23.1
+go 1.23.5
 
 
 require github.com/cometbft/cometbft v1.0.0 // indirect

go.mod

@@ -1,6 +1,8 @@
 module github.com/cometbft/cometbft
 
-go 1.23.1
+go 1.23.5
+
+replace github.com/cometbft/cometbft/api => ./api
 
 require (
 	github.com/BurntSushi/toml v1.4.0

go.sum

@@ -81,8 +81,6 @@ github.com/cometbft/cometbft-db v1.0.1 h1:SylKuLseMLQKw3+i8y8KozZyJcQSL98qEe2CGM
 github.com/cometbft/cometbft-db v1.0.1/go.mod h1:EBrFs1GDRiTqrWXYi4v90Awf/gcdD5ExzdPbg4X8+mk=
 github.com/cometbft/cometbft-load-test v0.3.0 h1:z6iZZvFwhci29ca/EZQaWh/d92NLe8bK4eBvFyv2EKY=
 github.com/cometbft/cometbft-load-test v0.3.0/go.mod h1:zKrQpRm3Ay5+RfeRTNWoLniFJNIPnw9JPEM1wuWS3TA=
-github.com/cometbft/cometbft/api v1.0.0 h1:gGBwvsJi/gnHJEtwYfjPIGs2AKg/Vfa1ZuKCPD1/Ko4=
-github.com/cometbft/cometbft/api v1.0.0/go.mod h1:EkQiqVSu/p2ebrZEnB2z6Re7r8XNe//M7ylR0qEwWm0=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
 github.com/cosmos/gogoproto v1.7.0 h1:79USr0oyXAbxg3rspGh/m4SWNyoz/GLaAh0QlCe2fro=

go.work

@@ -1,4 +1,4 @@
-go 1.23.1
+go 1.23.5
 
 use (
 	.

test/e2e/docker/Dockerfile

@@ -1,7 +1,7 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
-FROM cometbft/cometbft-db-testing:v1.0.1
+FROM cometbft/cometbft-db-testing:v1.0.2
 
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 

test/e2e/docker/Dockerfile.debug

@@ -1,7 +1,7 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
-FROM cometbft/cometbft-db-testing:v1.0.1
+FROM cometbft/cometbft-db-testing:v1.0.2
 
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 RUN apt-get -qq install -y zsh vim >/dev/null