upgrade cometbft and cosmos-sdk for tachyon security fix

[tqin7]

see dydxprotocol/cometbft#55

Summary by CodeRabbit

• Chores
  • Updated core protocol dependencies to newer versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The protocol/go.mod file is updated to adjust dependencies and replace directives. The golang-lru/v2 indirect dependency is removed, go-buffer-pool v0.1.0 is added, and replace directives for cometbft and cosmos-sdk are updated to reference new dydxprotocol fork versions.

Changes

Cohort / File(s)	Summary
Dependency Updates protocol/go.mod	Removed golang-lru/v2 indirect dependency; added go-buffer-pool v0.1.0. Updated replace directives for cometbft (v0.38.6-0.20260126154011-467083c7ba0b) and cosmos-sdk (v0.50.6-0.20260126162345-69ba38d4ae69) to point to new dydxprotocol fork revisions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• upgrade cosmos-sdk dependency to include security patch ISA-2025-005 #2962: Updates go.mod replace directive for cosmos-sdk to a different fork commit
• Bump Comet version #2556: Modifies protocol/go.mod replace entries for cometbft and cosmos-sdk dependencies
• upgrade cosmos-sdk and cometbft for security patch GHSA-hrhf-2vcr-ghch #3148: Updates the same protocol/go.mod replace directives for cometbft and cosmos-sdk with new fork revisions

Suggested labels

protocol

Suggested reviewers

• vincentwschau
• shrenujb
• anmolagrawal345

Poem

🐰 Dependencies dance and versions align,
Old lru bids farewell, buffer-pool joins the line,
cometbft and cosmos-sdk forks, fresh and bright,
Protocol chains updated—onward to the night! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is minimal and incomplete, lacking required sections like Changelist, Test Plan, and Author/Reviewer Checklist specified in the repository template.	Add comprehensive Changelist section describing changes, Test Plan section documenting testing approach, and complete the Author/Reviewer Checklist items.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: upgrading cometbft and cosmos-sdk versions for a specific security fix (Tachyon), which matches the dependency updates in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tqin7]

@Mergifyio backport release/protocol/v9.x

[mergify]

backport release/protocol/v9.x

✅ Backports have been created

Details

• #3321 upgrade cometbft and cosmos-sdk for tachyon security fix (backport #3320) has been created for branch release/protocol/v9.x but encountered conflicts

Cherry-pick of 07b2c96 has failed:

On branch mergify/bp/release/protocol/v9.x/pr-3320
Your branch is up to date with 'origin/release/protocol/v9.x'.

You are currently cherry-picking commit 07b2c964.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   protocol/go.mod
	both modified:   protocol/go.sum

no changes added to commit (use "git add" and/or "git commit -a")

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally