fix(deps): Apply the required CometBFT security fix (CSA-2026-001) by upgrading CometBFT to the patched v0.37.18 across the root module and internal test modules#2512

Merged
Unique-Divine merged 2 commits into main from ud/security-patch on Jan 29, 2026

Conversation

Member

@Unique-Divine Unique-Divine commented Jan 29, 2026

Primary Purpose

Applies the required CometBFT security fix (CSA-2026-001) by upgrading CometBFT to the patched v0.37.18 across the root module and internal test modules, addressing a critical issue.

Other Changes

  • Refreshes related dependency versions (gRPC/protobuf, OpenTelemetry, Prometheus, Viper/Cobra, websocket/CORS, and others) to stay compatible with the updated stack and reduce exposure to known issues in older transitive dependencies.
  • Updates the vendored Cosmos SDK toolchain to Go 1.22.7 (with toolchain go1.22.12) to standardize builds on a modern Go version and better match the upgraded dependency set.

Note

Medium Risk
Although mostly dependency updates, this touches consensus-engine and networking/telemetry stacks (CometBFT, gRPC, OpenTelemetry), which can cause subtle runtime or compatibility issues and should be validated via integration/regression testing.

Overview
Applies the CometBFT security patch by upgrading github.com/cometbft/cometbft to v0.37.18 in the root go.mod and the internal Cosmos SDK/test modules.

Also refreshes a large set of related dependencies (notably gRPC/protobuf, OpenTelemetry, Prometheus, Viper/Cobra, websocket/CORS, and various transitive libs) and updates the vendored Cosmos SDK module to Go 1.22.7 with toolchain go1.22.12, with corresponding go.sum churn.

Written by Cursor Bugbot for commit ffca07d.

… upgrading CometBFT to the patched v0.37.18 across the root module and internal test modules
@Unique-Divine Unique-Divine requested a review from a team as a code owner January 29, 2026 00:32
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request applies a critical security fix for CometBFT by upgrading it to v0.37.18. It also includes a wide range of other dependency updates to ensure compatibility and modernize the toolchain, including an upgrade to Go 1.22.

My review focuses on the consistency of these dependency updates. I've found several instances where dependencies in the vendored internal/cosmos-sdk module and its test modules are out of sync with the versions specified in the root go.mod. While the build might succeed by picking the highest version, this can lead to subtle compatibility issues. I've left detailed comments with suggestions to align these versions for better stability and maintainability.

cosmossdk.io/math v1.4.0
github.com/cometbft/cometbft v0.37.2
github.com/cometbft/cometbft v0.37.18
github.com/tidwall/gjson v1.14.2
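Review bot: in this go.mod region github.com/tidwall/gjson stays at v1.14.2 while the root go.mod pins v1.17.0 (see the comment below), so bump it in the same change and re-run `go mod tidy` in the internal module after the cometbft v0.37.2 to v0.37.18 move, so both modules resolve the same version rather than relying on minimal version selection to pick the highest one at build time.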
Contributor

medium

The version of github.com/tidwall/gjson is v1.14.2 here, while the root go.mod uses v1.17.0. For consistency across the project, it would be best to align this version.

github.com/tidwall/gjson v1.17.0
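The cross-module version drift flagged above can be checked mechanically. The following is an added example, not code from the Nibiru repository or the review bots; the go.mod excerpts are constructed to mirror the root and internal/cosmos-sdk situation described in the review, and the module paths in them are illustrative.

```go
package main

import "strings"

// Constructed go.mod excerpts (not the project's real files) for the root and internal modules.
const rootGoMod = `require (
	github.com/cometbft/cometbft v0.37.18
	github.com/tidwall/gjson v1.17.0
	cosmossdk.io/math v1.4.0
)`

const internalGoMod = `require github.com/cometbft/cometbft v0.37.18
require (
	github.com/tidwall/gjson v1.14.2 // indirect
	cosmossdk.io/math v1.4.0
)`

// ParseRequires maps module path -> version for every require directive,
// accepting both the block form and the single-line form.
func ParseRequires(goMod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(goMod, "\n") {
		// Drop trailing comments such as "// indirect" before tokenising.
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0])
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		}
	}
	return out
}

// FindMismatches returns path -> {root version, other version} for every
// requirement both modules share but pin at different versions.
func FindMismatches(root, other map[string]string) map[string][2]string {
	res := map[string][2]string{}
	for p, v := range root {
		if ov, ok := other[p]; ok && ov != v {
			res[p] = [2]string{v, ov}
		}
	}
	return res
}
```

For real go.mod files, golang.org/x/mod/modfile is the robust parser to use in place of the hand-rolled one here; the mismatch logic stays the same.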


@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Comment thread internal/cosmos-sdk/go.mod
@Unique-Divine Unique-Divine merged commit 9d08af5 into main Jan 29, 2026
9 checks passed
@Unique-Divine Unique-Divine deleted the ud/security-patch branch January 29, 2026 00:53