[CP-593] v0.50.x iavl bump

[maxim-inj]

IAVL bumps are safe, there is a bugfix for pruning issues (re: version does not exist)

https://injectivelabsinc.slack.com/archives/C047X1T6ERK/p1755761832701979?thread_ts=1755707386.832549&cid=C047X1T6ERK

Summary by CodeRabbit

• Chores
  • Updated an indirect dependency (github.com/cosmos/iavl) to v1.2.6 project-wide.
  • Versions aligned across client, core, tooling, tests, and modules for consistent builds.
  • No changes to public APIs or user-facing behavior.
  • No configuration changes or migrations required.

[coderabbitai]

Walkthrough

All changes update the indirect dependency github.com/cosmos/iavl to v1.2.6 across multiple module go.mod files; no source code or API/control-flow changes are included.

Changes

Cohort / File(s)	Summary of changes
Bump iavl v1.2.2 → v1.2.6 go.mod, simapp/go.mod, tests/go.mod, x/circuit/go.mod, x/evidence/go.mod, x/feegrant/go.mod, x/nft/go.mod, x/upgrade/go.mod	Updated indirect dependency github.com/cosmos/iavl from v1.2.2 to v1.2.6.
Bump iavl v1.1.2 → v1.2.6 client/v2/go.mod, tools/confix/go.mod	Updated indirect dependency github.com/cosmos/iavl from v1.1.2 to v1.2.6.
Bump iavl v1.2.0 → v1.2.6 store/go.mod	Updated indirect dependency github.com/cosmos/iavl from v1.2.0 to v1.2.6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

I hop through mods, a tidy sweep,
Nudging iavl while others sleep.
Versions aligned, the garden neat,
Carrots counted, deps complete.
Thump-thump—release is light on feet. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "CP-593 v0.50.x iavl bump" is short, focused, and correctly describes the primary change (an iavl dependency bump on the v0.50.x line) while including the issue reference; it is clear enough for a reviewer scanning PR history and contains no irrelevant noise.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cp-593/v0.50.x-iavlfix-inj

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48eb906 and 15af035.

⛔ Files ignored due to path filters (11)

• client/v2/go.sum is excluded by !**/*.sum
• go.sum is excluded by !**/*.sum
• simapp/go.sum is excluded by !**/*.sum
• store/go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum
• tools/confix/go.sum is excluded by !**/*.sum
• x/circuit/go.sum is excluded by !**/*.sum
• x/evidence/go.sum is excluded by !**/*.sum
• x/feegrant/go.sum is excluded by !**/*.sum
• x/nft/go.sum is excluded by !**/*.sum
• x/upgrade/go.sum is excluded by !**/*.sum

📒 Files selected for processing (11)

• client/v2/go.mod (1 hunks)
• go.mod (1 hunks)
• simapp/go.mod (1 hunks)
• store/go.mod (1 hunks)
• tests/go.mod (1 hunks)
• tools/confix/go.mod (1 hunks)
• x/circuit/go.mod (1 hunks)
• x/evidence/go.mod (1 hunks)
• x/feegrant/go.mod (1 hunks)
• x/nft/go.mod (1 hunks)
• x/upgrade/go.mod (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (11)

• client/v2/go.mod
• simapp/go.mod
• go.mod
• tests/go.mod
• x/upgrade/go.mod
• tools/confix/go.mod
• x/circuit/go.mod
• x/feegrant/go.mod
• x/nft/go.mod
• store/go.mod
• x/evidence/go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)

• GitHub Check: tests (02)
• GitHub Check: tests (03)
• GitHub Check: tests (00)
• GitHub Check: tests (01)
• GitHub Check: Socket Security: Pull Request Alerts
• GitHub Check: test-x-feegrant
• GitHub Check: test-x-nft
• GitHub Check: test-x-upgrade
• GitHub Check: test-x-circuit
• GitHub Check: test-simapp
• GitHub Check: test-sim-nondeterminism
• GitHub Check: liveness-test
• GitHub Check: test-integration
• GitHub Check: test-e2e
• GitHub Check: golangci-lint
• GitHub Check: build (arm64)
• GitHub Check: build (arm)
• GitHub Check: build (amd64)
• GitHub Check: Gosec

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​InjectiveLabs/​cometbft@​v1.0.1-inj.2
	cosmossdk.io/​api@​v0.7.6
	cosmossdk.io/​depinject@​v1.1.0
	github.com/​cockroachdb/​errors@​v1.10.0 ⏵ v1.11.3	+1
	cosmossdk.io/​store@​v1.1.1
	cosmossdk.io/​x/​tx@​v0.13.7
	github.com/​InjectiveLabs/​metrics@​v0.0.10
	cosmossdk.io/​math@​v1.4.0
	github.com/​InjectiveLabs/​cometbft/​api@​v1.0.0-inj.2

View full report

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tests/go.mod (1)

80-80: Tests follow v1.2.6 — LGTM.

Optional: add a regression test that enables pruning, advances height, prunes, restarts, and queries historical versions to guard against “version does not exist” regressions.

I can draft a small e2e test harness for this if helpful.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ac26c4b and 48eb906.

⛔ Files ignored due to path filters (11)

• client/v2/go.sum is excluded by !**/*.sum
• go.sum is excluded by !**/*.sum
• simapp/go.sum is excluded by !**/*.sum
• store/go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum
• tools/confix/go.sum is excluded by !**/*.sum
• x/circuit/go.sum is excluded by !**/*.sum
• x/evidence/go.sum is excluded by !**/*.sum
• x/feegrant/go.sum is excluded by !**/*.sum
• x/nft/go.sum is excluded by !**/*.sum
• x/upgrade/go.sum is excluded by !**/*.sum

📒 Files selected for processing (11)

• client/v2/go.mod (1 hunks)
• go.mod (1 hunks)
• simapp/go.mod (1 hunks)
• store/go.mod (1 hunks)
• tests/go.mod (1 hunks)
• tools/confix/go.mod (1 hunks)
• x/circuit/go.mod (1 hunks)
• x/evidence/go.mod (1 hunks)
• x/feegrant/go.mod (1 hunks)
• x/nft/go.mod (1 hunks)
• x/upgrade/go.mod (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: test-x-nft
• GitHub Check: test-x-circuit
• GitHub Check: test-x-upgrade
• GitHub Check: test-x-evidence
• GitHub Check: test-x-feegrant
• GitHub Check: test-simapp
• GitHub Check: test-sim-nondeterminism
• GitHub Check: test-e2e
• GitHub Check: test-integration
• GitHub Check: Gosec
• GitHub Check: build (arm64)
• GitHub Check: build (amd64)
• GitHub Check: build (arm)
• GitHub Check: golangci-lint

🔇 Additional comments (8)

x/nft/go.mod (1)

64-64: IAVL v1.2.6 bump (indirect) — LGTM.

This aligns with the repo-wide pin to pick up the pruning fixes.

store/go.mod (1)

14-14: Direct dependency set to v1.2.6 — LGTM.

This is the primary module consuming IAVL; the direct pin here is correct and consistent with the workspace.

x/upgrade/go.mod (1)

78-78: IAVL v1.2.6 bump (indirect) — LGTM.

Matches the root pin; no action needed.

client/v2/go.mod (1)

51-51: Use a precise go.mod lookup and confirm v1.2.6 everywhere
The previous script’s pattern (fd -a go.mod) matched any “gomod” file (e.g. .md files), so none of the modules’ go list calls actually saw the bumped dependency. Replace with a strict file-name search and verify under your workspace (or go.work) so every module’s MVS resolution of github.com/cosmos/iavl is v1.2.6. For example:

#!/bin/bash
set -euo pipefail
find . -name go.mod | while read -r gomod; do
  dir=$(dirname "$gomod")
  pushd "$dir" >/dev/null
  ver=$(go list -m -f '{{if .Version}}{{.Version}}{{else}}<unresolved>{{end}}' github.com/cosmos/iavl 2>/dev/null || true)
  echo "$dir → iavl: $ver"
  [[ "$ver" == "v1.2.6" ]] || echo "⚠️ Mismatch in $dir"
  popd >/dev/null
done

Run this from the repo root (with go.work loaded, if in use) and address any mismatches so the pruning fix takes effect in every module.

x/evidence/go.mod (1)

67-67: Aligned to v1.2.6; looks good.

No other changes in this module; keep it in sync with the rest of the workspace.

x/feegrant/go.mod (1)

68-68: Consistent iavl upgrade; approve.

No API/control-flow deltas in this module; indirect pin suffices.

x/circuit/go.mod (1)

63-63: OK to bump iavl here as well.

Matches the repo-wide target version.

tools/confix/go.mod (1)

51-51: Tooling module updated; approve.

Good to keep dev tools on the same iavl floor to avoid accidental downgrades via transitive deps.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Good pin: iavl v1.2.6 includes pruning fixes relevant to “version does not exist”.

Tags v1.2.5/v1.2.6 explicitly mention fixes for versions not found during pruning and a legacy pruning fix; staying on the 1.2.x line is appropriate for SDK v0.50.x. (github.com)

Run this to ensure every module is on v1.2.6 and no replaces override it:

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check go.mod pins:"
rg -n --glob '**/go.mod' -e $'github.com/cosmos/iavl\\s+v' -e $'^replace\\s+github.com/cosmos/iavl' -C1

echo
echo "Assert only v1.2.6 appears:"
if rg -n --glob '**/go.mod' -e $'github.com/cosmos/iavl\\s+v(?!1\\.2\\.6\\b)'; then
  echo "Found non-1.2.6 iavl versions above — please align."; exit 1
fi

echo
echo "Ensure go.sum contains v1.2.6 entries (optional signal):"
rg -n --glob '**/go.sum' 'github.com/cosmos/iavl v1\.2\.6' || true

Length of output: 5557

---

Pin all iavl references to v1.2.6
Two modules still reference v1.0.1—update them to v1.2.6 to align all dependencies.

• tools/hubl/go.mod (line 49): change github.com/cosmos/iavl v1.0.1 → v1.2.6
• tools/cosmovisor/go.mod (line 55): change github.com/cosmos/iavl v1.0.1 → v1.2.6

🤖 Prompt for AI Agents

In go.mod (line 99) and in tools/hubl/go.mod (line 49) and
tools/cosmovisor/go.mod (line 55), there are references to
github.com/cosmos/iavl that must be pinned to v1.2.6; update the version strings
from v1.0.1 to v1.2.6 in the two tools/* go.mod files (and ensure go.mod
indirect entry matches v1.2.6), then run go mod tidy in each module (or at repo
root) to sync dependencies and vendor files.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

IAVL bump to v1.2.6 looks fine; please verify repo-wide consistency and absence of overrides.

Since SimApp replaces cosmossdk.io/store to a local module, ensure every go.mod in the workspace pins iavl to v1.2.6 and that no replace directives redirect it. Also consider adding/adjusting a pruning test to guard against the "version does not exist" regression this bump targets.

Run this to confirm all modules use v1.2.6 and that there are no iavl replaces:

I can draft a lightweight pruning E2E/integration test for SimApp that creates N blocks, snapshots, prunes to a window, and queries historical versions to ensure they exist. Want me to propose it?

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking github.com/cosmos/iavl version across go.mod files..."
fd -a go.mod | while read -r mod; do
  echo "== $mod =="
  rg -nP '\bgithub\.com/cosmos/iavl\b' "$mod" || true
done

echo
echo "Ensuring no replace directives for iavl..."
rg -nP '^(replace\s+github\.com/cosmos/iavl\b)|^\s*github\.com/cosmos/iavl\b.*=>\s' -g '**/go.mod' || echo "No iavl replace directives found."

echo
echo "Suggested follow-ups:"
echo "- Run: go mod tidy in each module after the bump"
echo "- Add/verify an integration test that snapshots, prunes, and loads historical versions to catch pruning regressions"

Length of output: 5898

---

Pin iavl to v1.2.6 in all modules
Update the remaining go.mod files that still reference v1.0.1:

• tools/cosmovisor/go.mod (line 55)
• tools/hubl/go.mod (line 49)

No replace directives for github.com/cosmos/iavl were detected. After bumping, run go mod tidy in each module. Also add or adjust an E2E/integration test that snapshots, prunes, and loads historical versions to catch pruning regressions.