feat: sync with upstream (#8)

* build(deps): Bump google.golang.org/protobuf from 1.34.2 to 1.35.1 (cometbft#4380) Bumps google.golang.org/protobuf from 1.34.2 to 1.35.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/protobuf&package-manager=go_modules&previous-version=1.34.2&new-version=1.35.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.0.1 to 4.3.0 (cometbft#4381) Bumps [github.com/decred/dcrd/dcrec/secp256k1/v4](https://github.com/decred/dcrd) from 4.0.1 to 4.3.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/decred/dcrd/commit/08d8572807872f2b9737f8a118b16c320a04b077"><code>08d8572</code></a> secp256k1: Prepare v4.3.0.</li> <li><a href="https://github.com/decred/dcrd/commit/fe9a28cd1e4f341105001496b135a58d09717647"><code>fe9a28c</code></a> secp256k1: No allocs in slow scalar base mult path.</li> <li><a href="https://github.com/decred/dcrd/commit/2104419fc012bb162222a5e0a2c06e4d806cbfae"><code>2104419</code></a> wire: Fix typo in comment.</li> <li><a href="https://github.com/decred/dcrd/commit/b9d8d49c901bb7cbb19ed36d636c3e3d86a1fe43"><code>b9d8d49</code></a> wire: add p2p mixing messages</li> <li><a href="https://github.com/decred/dcrd/commit/25adf60a9f4e12aec13565f6345f769965b0135a"><code>25adf60</code></a> secp256k1: Add scalar base mult variant benchmarks.</li> <li><a href="https://github.com/decred/dcrd/commit/2ee2ebeb678398d3f9333a2cfa937378efe27cfb"><code>2ee2ebe</code></a> secp256k1: Add TinyGo support.</li> <li><a href="https://github.com/decred/dcrd/commit/c6322d513aee03139d91a4e45490dc02d070f278"><code>c6322d5</code></a> docker: Update image to golang:1.22.1-alpine3.19.</li> <li><a href="https://github.com/decred/dcrd/commit/20dedca001392442f83a7d5b218fe54a92c1c565"><code>20dedca</code></a> server: Update required minimum protocol version.</li> <li><a href="https://github.com/decred/dcrd/commit/eb3de8e7299ba919d4ccd67cb1b56a17030f85b7"><code>eb3de8e</code></a> docs: Update README.md to required Go 1.21/1.22.</li> <li><a href="https://github.com/decred/dcrd/commit/fedbaf982b460c7b639d1c577efe51e3f255f8dc"><code>fedbaf9</code></a> build: Test against Go 1.22.</li> <li>Additional commits viewable in <a href="https://github.com/decred/dcrd/compare/dcrjson/v4.0.1...dcrec/secp256k1/v4.3.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/decred/dcrd/dcrec/secp256k1/v4&package-manager=go_modules&previous-version=4.0.1&new-version=4.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump github.com/prometheus/common from 0.59.1 to 0.60.1 (cometbft#4382) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.59.1 to 0.60.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prometheus/common/releases">github.com/prometheus/common's releases</a>.</em></p> <blockquote> <h2>v0.60.1</h2> <h2>What's Changed</h2> <ul> <li>promslog: Only log basename, not full path by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/705">prometheus/common#705</a></li> <li>Reload certificates even when no CA is used by <a href="https://github.com/roidelapluie"><code>@roidelapluie</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/707">prometheus/common#707</a></li> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/701">prometheus/common#701</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.60.0...v0.60.1">https://github.com/prometheus/common/compare/v0.60.0...v0.60.1</a></p> <h2>v0.60.0</h2> <h2>What's Changed</h2> <ul> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/692">prometheus/common#692</a></li> <li>slog: expose io.Writer by <a href="https://github.com/jkroepke"><code>@jkroepke</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/694">prometheus/common#694</a></li> <li>Synchronize common files from prometheus/prometheus by <a href="https://github.com/prombot"><code>@prombot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/695">prometheus/common#695</a></li> <li>promslog: use UTC timestamps for go-kit log style by <a href="https://github.com/dswarbrick"><code>@dswarbrick</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/696">prometheus/common#696</a></li> <li>feat: add <code>promslog.NewNopLogger()</code> convenience func by <a href="https://github.com/tjhop"><code>@tjhop</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/697">prometheus/common#697</a></li> <li>Bump golang.org/x/net from 0.28.0 to 0.29.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/699">prometheus/common#699</a></li> <li>Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/698">prometheus/common#698</a></li> <li>Update supported Go versions by <a href="https://github.com/SuperQ"><code>@SuperQ</code></a> in <a href="https://redirect.github.com/prometheus/common/pull/700">prometheus/common#700</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/prometheus/common/compare/v0.59.1...v0.60.0">https://github.com/prometheus/common/compare/v0.59.1...v0.60.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/prometheus/common/commit/653e0fa37b474f7af331bbfb409c0f654fb04a94"><code>653e0fa</code></a> Update common Prometheus files (<a href="https://redirect.github.com/prometheus/common/issues/701">#701</a>)</li> <li><a href="https://github.com/prometheus/common/commit/0d2e2e509b05032929d08ab69362a58ce540fcb1"><code>0d2e2e5</code></a> Reload certificates even when no CA is used (<a href="https://redirect.github.com/prometheus/common/issues/707">#707</a>)</li> <li><a href="https://github.com/prometheus/common/commit/a9d2e3ff1686621e6f772f7b503b12d242701c48"><code>a9d2e3f</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/705">#705</a> from roidelapluie/sourcefile</li> <li><a href="https://github.com/prometheus/common/commit/fdc50c720a071b6796bcb5e08c3a1a03cc6ef121"><code>fdc50c7</code></a> promslog: Only log basename, not full path</li> <li><a href="https://github.com/prometheus/common/commit/dae848db5327d2a4e2e06cbe883093a71b4226d7"><code>dae848d</code></a> Update supported Go versions (<a href="https://redirect.github.com/prometheus/common/issues/700">#700</a>)</li> <li><a href="https://github.com/prometheus/common/commit/63ff77eeea3cfd552d81d455b44546db75a3b4ac"><code>63ff77e</code></a> Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 (<a href="https://redirect.github.com/prometheus/common/issues/698">#698</a>)</li> <li><a href="https://github.com/prometheus/common/commit/b7aa68c1be77461e7ed0987ee66a288bbaa324ae"><code>b7aa68c</code></a> Bump golang.org/x/net from 0.28.0 to 0.29.0 (<a href="https://redirect.github.com/prometheus/common/issues/699">#699</a>)</li> <li><a href="https://github.com/prometheus/common/commit/4e3a6fd348a3c764fff5193cd0ee34eea4402318"><code>4e3a6fd</code></a> feat: add <code>promslog.NewNopLogger()</code> convenience func (<a href="https://redirect.github.com/prometheus/common/issues/697">#697</a>)</li> <li><a href="https://github.com/prometheus/common/commit/d66e745b02ad50e6763ec5a0765aae5014a6c188"><code>d66e745</code></a> promslog: use UTC timestamps for go-kit log style (<a href="https://redirect.github.com/prometheus/common/issues/696">#696</a>)</li> <li><a href="https://github.com/prometheus/common/commit/14bac55a992f7b83ab9d147a041e274606bdb607"><code>14bac55</code></a> Merge pull request <a href="https://redirect.github.com/prometheus/common/issues/695">#695</a> from prometheus/repo_sync</li> <li>Additional commits viewable in <a href="https://github.com/prometheus/common/compare/v0.59.1...v0.60.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/prometheus/common&package-manager=go_modules&previous-version=0.59.1&new-version=0.60.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * build(deps): Bump golang.org/x/net from 0.29.0 to 0.30.0 (cometbft#4384) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.29.0 to 0.30.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/6cc5ac4e9a03d73b331eb1d6db98a02e558243b7"><code>6cc5ac4</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/f88258d67e0f0f144c79964ca05bb81d51ee8411"><code>f88258d</code></a> websocket: update nhooyr.io/websocket to github.com/coder/websocket</li> <li><a href="https://github.com/golang/net/commit/7191757bc637cf79a7ece0546e33f903bf5e9709"><code>7191757</code></a> http2: add support for net/http HTTP2 config field</li> <li><a href="https://github.com/golang/net/commit/4790dc7047441aed4889873cdd30e1e6adf49735"><code>4790dc7</code></a> http2: add support for server-originated pings</li> <li><a href="https://github.com/golang/net/commit/541dbe58b6bc869fc1c7de361846682a34365325"><code>541dbe5</code></a> http2: add Server.WriteByteTimeout</li> <li><a href="https://github.com/golang/net/commit/3c333c0c5288a7cf127e427ddda5b1b54020a2b4"><code>3c333c0</code></a> route: fix address parsing of messages on Darwin</li> <li>See full diff in <a href="https://github.com/golang/net/compare/v0.29.0...v0.30.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.29.0&new-version=0.30.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): Bump bufbuild/buf-setup-action from 1.45.0 to 1.46.0 (cometbft#4414) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: use the latest cometbft-db in v0.38.x (cometbft#4297) Co-authored-by: Anton Kaliaev <[email protected]> * fix(p2p): adjust backoff seconds to increase reconnect retries close to 24 hours (backport cometbft#4377) (cometbft#4425) close: cometbft#3519 Adjust `reconnectBackOffBaseSeconds` to increase reconnect retries to up 1 day (~24 hours). The new value can be validated here: https://go.dev/play/p/k8F5rS-i24p, which will show that the total time is increased to almost 24 hours. Initial reconnecting time: 2m8.493s Total reconnecting time. : 23h55m56.249s The `reconnectBackOffBaseSeconds` is increased by a bit over 10% (from 3.0 to 3.4 seconds) so this would not affect reconnection retries too much. #### PR checklist - [ ] ~~Tests written/updated~~ - [x] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog) - [x] Updated relevant documentation (`docs/` or `spec/`) and code comments <hr>This is an automatic backport of pull request cometbft#4377 done by [Mergify](https://mergify.com). --------- Co-authored-by: Andy Nogueira <[email protected]> * Merge commit from fork * remove toolchain --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Co-authored-by: Jacob Gadikian <[email protected]> Co-authored-by: Anton Kaliaev <[email protected]> Co-authored-by: Andy Nogueira <[email protected]>
crypto-org-chain · Nov 6, 2024 · ce418f8 · ce418f8
1 parent cee5fa0
commit ce418f8
Show file tree

Hide file tree

Showing 26 changed files with 165 additions and 78 deletions.
diff --git a/.changelog/unreleased/bug-fixes/0021-abc-panic-precommit-validator-index.md b/.changelog/unreleased/bug-fixes/0021-abc-panic-precommit-validator-index.md
@@ -0,0 +1,3 @@
+- `[consensus]` Do not panic if the validator index of a `Vote` message is out
+  of bounds, when vote extensions are enabled
+  ([\#ABC-0021](https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj))
diff --git a/.changelog/unreleased/improvements/3519-p2p-reconnect-interval-1day.md b/.changelog/unreleased/improvements/3519-p2p-reconnect-interval-1day.md
@@ -0,0 +1,2 @@
+- `[p2p]` fix exponential backoff logic to increase reconnect retries close to 24 hours
+ ([\#3519](https://github.com/cometbft/cometbft/issues/3519))
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:
@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:
@@ -65,7 +65,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml
@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - uses: actions/checkout@v4
 
@@ -44,7 +44,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/e2e-manual-multiversion.yml b/.github/workflows/e2e-manual-multiversion.yml
@@ -11,13 +11,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        group: ['00', '01', '02', '03', '04', '05']
+        group: ["00", "01", "02", "03", "04", "05"]
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       - uses: actions/checkout@v4
 

diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
@@ -11,13 +11,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        group: ['00', '01', '02', '03', '04', '05']
+        group: ["00", "01", "02", "03", "04", "05"]
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       - uses: actions/checkout@v4
 

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -2,7 +2,7 @@ name: e2e
 # Runs the CI end-to-end test network on all pushes to v0.38.x
 # and every pull request, but only if any Go files have been changed.
 on:
-  workflow_dispatch:  # allow running workflow manually
+  workflow_dispatch: # allow running workflow manually
   pull_request:
   push:
     branches:
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/.github/workflows/fuzz-nightly.yml b/.github/workflows/fuzz-nightly.yml
@@ -1,9 +1,9 @@
 # Runs fuzzing nightly.
 name: Fuzz Tests
 on:
-  workflow_dispatch:  # allow running workflow manually
+  workflow_dispatch: # allow running workflow manually
   schedule:
-    - cron: '0 3 * * *'
+    - cron: "0 3 * * *"
   pull_request:
     branches:
       - v0.38.x
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       - uses: actions/checkout@v4
 

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
           check-latest: true
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
       - uses: technote-space/get-diff-action@v6
         with:
           PATTERNS: |

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -3,9 +3,9 @@ name: "Pre-release"
 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+"  # e.g. v0.37.0-alpha.1, v0.38.0-alpha.10
-      - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"   # e.g. v0.37.0-beta.1, v0.38.0-beta.10
-      - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"      # e.g. v0.37.0-rc1, v0.38.0-rc10
+      - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+" # e.g. v0.37.0-alpha.1, v0.38.0-alpha.10
+      - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+" # e.g. v0.37.0-beta.1, v0.38.0-beta.10
+      - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" # e.g. v0.37.0-rc1, v0.38.0-rc10
 
 jobs:
   prerelease:
@@ -18,7 +18,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       # Similar check to ./release-version.yml, but enforces this when pushing
       # tags. The ./release-version.yml check can be bypassed and is mainly

diff --git a/.github/workflows/proto-lint.yml b/.github/workflows/proto-lint.yml
@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
-      - uses: bufbuild/buf-setup-action@v1.45.0
+      - uses: bufbuild/buf-setup-action@v1.46.0
       - uses: bufbuild/buf-lint-action@v1
         with:
           input: 'proto'
diff --git a/.github/workflows/release-version.yml b/.github/workflows/release-version.yml
@@ -5,7 +5,7 @@ name: Check release version
 on:
   push:
     branches:
-      - 'release/**'
+      - "release/**"
 
 jobs:
   check-version:
@@ -15,7 +15,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       - name: Check version
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: "Release"
 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"  # Push events to matching v*, i.e. v1.0, v20.15.10
+      - "v[0-9]+.[0-9]+.[0-9]+" # Push events to matching v*, i.e. v1.0, v20.15.10
 
 jobs:
   release:
@@ -16,7 +16,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: "1.23"
 
       # Similar check to ./release-version.yml, but enforces this when pushing
       # tags. The ./release-version.yml check can be bypassed and is mainly

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/checkout@v4
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/DOCKER/Dockerfile b/DOCKER/Dockerfile
@@ -1,6 +1,6 @@
 # Use a build arg to ensure that both stages use the same,
 # hopefully current, go version.
-ARG GOLANG_BASE_IMAGE=golang:1.22-alpine
+ARG GOLANG_BASE_IMAGE=golang:1.23-alpine
 
 # stage 1 Generate CometBFT Binary
 FROM --platform=$BUILDPLATFORM $GOLANG_BASE_IMAGE as builder

diff --git a/consensus/errors.go b/consensus/errors.go
@@ -0,0 +1,9 @@
+package consensus
+
+type ErrInvalidVote struct {
+	Reason string
+}
+
+func (e ErrInvalidVote) Error() string {
+	return "invalid vote: " + e.Reason
+}
diff --git a/consensus/reactor_test.go b/consensus/reactor_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/cometbft/cometbft/libs/bytes"
 	"github.com/cometbft/cometbft/libs/json"
 	"github.com/cometbft/cometbft/libs/log"
+	cmtrand "github.com/cometbft/cometbft/libs/rand"
 	cmtsync "github.com/cometbft/cometbft/libs/sync"
 	mempl "github.com/cometbft/cometbft/mempool"
 	"github.com/cometbft/cometbft/p2p"
@@ -1126,3 +1127,39 @@ func TestMarshalJSONPeerState(t *testing.T) {
 			"block_parts":"0"}
 		}`, string(data))
 }
+
+func TestVoteMessageValidateBasic(t *testing.T) {
+	_, vss := randState(2)
+
+	randBytes := cmtrand.Bytes(tmhash.Size)
+	blockID := types.BlockID{
+		Hash: randBytes,
+		PartSetHeader: types.PartSetHeader{
+			Total: 1,
+			Hash:  randBytes,
+		},
+	}
+	vote := signVote(vss[1], cmtproto.PrecommitType, randBytes, blockID.PartSetHeader, true)
+
+	testCases := []struct {
+		malleateFn func(*VoteMessage)
+		expErr     string
+	}{
+		{func(_ *VoteMessage) {}, ""},
+		{func(msg *VoteMessage) { msg.Vote.ValidatorIndex = -1 }, "negative ValidatorIndex"},
+		// INVALID, but passes ValidateBasic, since the method does not know the number of active validators
+		{func(msg *VoteMessage) { msg.Vote.ValidatorIndex = 1000 }, ""},
+	}
+
+	for i, tc := range testCases {
+		t.Run(fmt.Sprintf("#%d", i), func(t *testing.T) {
+			msg := &VoteMessage{vote}
+
+			tc.malleateFn(msg)
+			err := msg.ValidateBasic()
+			if tc.expErr != "" && assert.Error(t, err) { //nolint:testifylint // require.Error doesn't work with the conditional here
+				assert.Contains(t, err.Error(), tc.expErr)
+			}
+		})
+	}
+}
diff --git a/consensus/state.go b/consensus/state.go
@@ -2196,6 +2196,14 @@ func (cs *State) addVote(vote *types.Vote, peerID p2p.ID) (added bool, err error
 			// Here, we verify the signature of the vote extension included in the vote
 			// message.
 			_, val := cs.state.Validators.GetByIndex(vote.ValidatorIndex)
+			if val == nil { // TODO: we should disconnect from this malicious peer
+				valsCount := cs.state.Validators.Size()
+				cs.Logger.Info("Peer sent us vote with invalid ValidatorIndex",
+					"peer", peerID,
+					"validator_index", vote.ValidatorIndex,
+					"len_validators", valsCount)
+				return added, ErrInvalidVote{Reason: fmt.Sprintf("ValidatorIndex %d is out of bounds [0, %d)", vote.ValidatorIndex, valsCount)}
+			}
 			if err := vote.VerifyExtension(cs.state.ChainID, val.PubKey); err != nil {
 				return false, err
 			}

diff --git a/consensus/state_test.go b/consensus/state_test.go
@@ -1938,6 +1938,33 @@ func TestVoteExtensionEnableHeight(t *testing.T) {
 	}
 }
 
+// TestStateDoesntCrashOnInvalidVote tests that the state does not crash when
+// receiving an invalid vote. In particular, one with the incorrect
+// ValidatorIndex.
+func TestStateDoesntCrashOnInvalidVote(t *testing.T) {
+	cs, vss := randState(2)
+	height, round := cs.Height, cs.Round
+	// create dummy peer
+	peer := p2pmock.NewPeer(nil)
+
+	startTestRound(cs, height, round)
+
+	vote := signVote(vss[1], cmtproto.PrecommitType, nil, types.PartSetHeader{}, true)
+	// Non-existent validator index
+	vote.ValidatorIndex = int32(len(vss))
+
+	voteMessage := &VoteMessage{vote}
+	assert.NotPanics(t, func() {
+		cs.handleMsg(msgInfo{voteMessage, peer.ID()})
+	})
+
+	added, err := cs.AddVote(vote, peer.ID())
+	assert.False(t, added)
+	assert.NoError(t, err)
+	// TODO: uncomment once we punish peer and return an error
+	// assert.Equal(t, ErrInvalidVote{Reason: "ValidatorIndex 2 is out of bounds [0, 2)"}, err)
+}
+
 // 4 vals, 3 Nil Precommits at P0
 // What we want:
 // P0 waits for timeoutPrecommit before starting next round
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- `[p2p]` fix exponential backoff logic to increase reconnect retries close to 24 hours
		([\#3519](https://github.com/cometbft/cometbft/issues/3519))