
Conversation

@troian
Member

@troian troian commented Oct 11, 2025

Description

Closes: #XXXX


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow-up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

@troian troian requested a review from a team as a code owner October 11, 2025 16:36
@coderabbitai

coderabbitai bot commented Oct 11, 2025

Walkthrough

Updates to go.mod that bump many direct and indirect dependencies and adjust multiple replace directives, shifting several modules to akash-network forks and updating Prometheus, spf13, golang.org/x, gRPC, zondax, protobuf/tooling, and related packages.

Changes

Cohort / File(s): Dependency manifest (go.mod)
Summary: Large set of version upgrades for direct and indirect modules; added/updated replace directives pointing several Cosmos/Akash/Tendermint-related modules to akash-network forks or newer patches; upgrades include Prometheus client, spf13 family (cobra, viper, pflag, cast), golang.org/x/* packages, google.golang.org/grpc, zondax/*, protobuf/protoc-gen tooling, xxhash, ristretto, fsnotify, md2man, zap, and other runtime/observability/security/tooling libs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Potential focus areas:

  • Verify replace directives for akash-network forks (cosmos-sdk, ledger, tendermint/cometbft) for API/compatibility changes.
  • Check protobuf/protoc-gen and zondax updates for codegen/regression risks.
  • Confirm Prometheus and gRPC upgrades do not alter instrumentation or metrics semantics.

Poem

I nibble at tags and hop through trees,
Versions tumble down like autumn leaves.
Forks find new burrows, modules align,
A tidy go.mod, my carrot divine.
I thump my foot — builds run just fine! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
Description Check: ❓ Inconclusive. The PR description consists almost entirely of the repository's template boilerplate, including an incomplete "Closes: #XXXX" reference and placeholder text that reads "Add a description of the changes that this PR introduces..." with no actual substantive content added. The description provides virtually no information about what changes are being made, which dependencies are being updated, or why these updates are necessary, making it too vague and generic to meaningfully describe the changeset. Resolution: the author should complete the PR description with details about the scope of dependency upgrades, the rationale for the changes (particularly regarding ledger firmware support), and any relevant issue references to replace the "Closes: #XXXX" placeholder. Additionally, the Author Checklist items should be reviewed and updated to confirm completion of required tasks such as adding changelog entries and ensuring CI checks pass.
✅ Passed checks (1 passed)
Title Check: ✅ Passed. The PR title "feat: bump ledger dependencies for latest fw support" refers to a real and verifiable aspect of the changeset, as the raw summary confirms that ledger-related dependencies were indeed updated (ledger-cosmos-go, ledger-go, and zondax-related mappings). However, the actual changeset is significantly broader, encompassing major upgrades to Prometheus, gRPC, protobuf, spf13 modules, x-packages, crypto utilities, and many indirect dependencies. The title captures only a portion of the overall changes and does not reflect the main scope of the dependency updates, though it remains accurate for the subset it describes.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions




@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ab1cd9 and a166406.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (7 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 39-39: google.golang.org/grpc 1.33.2: Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc

(GO-2023-2153)


[HIGH] 39-39: google.golang.org/grpc 1.33.2: gRPC-Go HTTP/2 Rapid Reset vulnerability

(GHSA-m425-mq94-257g)

@github-actions

Marked as stale; will be closed in five days.
Cut bait or go fishing!

@github-actions github-actions bot added the stale label Oct 22, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a166406 and d3f8f8a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (7 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 39-39: google.golang.org/grpc 1.33.2: Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc

(GO-2023-2153)


[HIGH] 39-39: google.golang.org/grpc 1.33.2: gRPC-Go HTTP/2 Rapid Reset vulnerability

(GHSA-m425-mq94-257g)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests
  • GitHub Check: sims
  • GitHub Check: release-dry-run
  • GitHub Check: coverage
  • GitHub Check: lint
  • GitHub Check: build-bins
  • GitHub Check: build-macos
🔇 Additional comments (5)
go.mod (5)

55-58: Ledger ecosystem forks updated; verify Cosmos SDK and ledger API compatibility.

The PR bumps ledger support by updating forks:

  • Line 55: cosmos-sdk → akash-network/cosmos-sdk v0.45.16-akash.7 (patch bump)
  • Line 58: cosmos/ledger-cosmos-go → akash-network/ledger-go/cosmos v0.15.0 (new fork)

Verify that:

  1. The Cosmos SDK fork is compatible with the rest of the dependency tree (especially gRPC, once unblocked).
  2. The new ledger-cosmos-go fork location is the correct canonical source for this project.
  3. All ledger API calls in the codebase are compatible with the v0.15.0 API surface.

73-74: Clarify the purpose of the zondax/hid fork to a personal account.

Line 73 replaces zondax/hid with troian/hid v0.13.2 (a personal fork), while line 74 replaces zondax/ledger-go with the official akash-network/ledger-go v0.15.1 fork. The inconsistency—routing one dependency to a personal fork and another to an organizational fork—raises concerns:

  1. Is the personal troian/hid fork maintained and secure?
  2. Why not use the zondax official version or an akash-network fork instead?
  3. Does this fork carry any customizations or patches required for ledger hardware support?

Please clarify the rationale and confirm this fork is production-ready and security-audited.


36-39: Direct dependency upgrades are substantial; confirm test coverage.

Lines 36–39 bump several golang.org/x and gRPC dependencies:

  • golang.org/x/mod v0.26.0 (significant jump)
  • golang.org/x/oauth2 v0.30.0 (significant jump)
  • golang.org/x/sync v0.16.0 (significant jump)
  • google.golang.org/grpc v1.75.0 (major upgrade once blocker is resolved)

These are foundational packages. Ensure:

  1. The codebase is tested against these new versions (especially gRPC API changes).
  2. No breaking changes in mod, oauth2, or sync are silently breaking internal usage.

Please confirm that integration tests have run successfully with these upgraded versions.


24-32: Prometheus and spf13 suite upgrades are substantial; review for breaking changes.

Lines 24–32 bump observability and CLI tooling:

  • prometheus/client_golang v1.23.0 (from v1.18.0, per comment: avoid certain upstream changes)
  • spf13/cobra v1.9.1, spf13/viper v1.20.1, spf13/pflag v1.0.6, spf13/cast v1.9.2 (multi-package update)
  • stretchr/testify v1.11.1 (test framework)

The inline comment on line 23 warns against upgrading Prometheus past v1.16.0 due to SDK compatibility. Confirm v1.23.0 aligns with that constraint or that the constraint has been relaxed.

For spf13, verify that the CLI configuration (Cobra/Viper) and flag parsing changes are compatible with current command definitions and configuration loading logic.


202-205: Protobuf and genproto tooling bumped significantly; verify compatibility with modified proto compiler.

Lines 202–205 bump gRPC code generation and protocol buffer dependencies:

  • google.golang.org/genproto v0.0.0-20250603155806-513f23925822 (new timestamp)
  • google.golang.org/genproto/googleapis/api and /rpc (new timestamps, rpc updated to later date)
  • google.golang.org/protobuf v1.36.8 (significant bump)

The comment on lines 75–76 mentions that "latest grpc doesn't work with cosmos-sdk modified proto compiler." Confirm that the protobuf v1.36.8 tooling is compatible with any custom compiler modifications the project uses.

github.com/zondax/ledger-go => github.com/akash-network/ledger-go v0.15.1
// latest grpc doesn't work with with cosmos-sdk modified proto compiler, so we need to enforce
// the following version across all dependencies.
google.golang.org/grpc => google.golang.org/grpc v1.33.2

⚠️ Potential issue | 🔴 Critical

🔴 BLOCKER: Unresolved gRPC DoS vulnerability still pinned in replace directive.

Line 77 still forces google.golang.org/grpc v1.33.2, which is affected by the HTTP/2 Rapid Reset DoS (GO-2023-2153 / GHSA-m425-mq94-257g). This was flagged in the previous review and remains unresolved. The direct dependency already specifies v1.75.0 (line 39), which contains the fix—the replace override defeats this upgrade.

To unblock this PR:

  • Remove or update the gRPC replace directive to allow v1.75.0 or confirm that the Cosmos SDK modified proto compiler works with a safe version (≥ v1.56.3).
  • Run go get google.golang.org/grpc@v1.75.0 && go mod tidy (and update vendor if used).
  • If the replace is genuinely required for proto compatibility, document why and pin a safe version instead.
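The failure mode the review bot describes above, a replace directive silently overriding a patched require line, is easy to miss in a large dependency bump because the require block looks correct. The following is an added example, not code from the project or from CodeRabbit's tooling: a stdlib-only Go checker that parses a go.mod, computes the version each module will actually build with once replace directives are applied, and flags any replace that downgrades its require line or lands below a security floor. The go.mod text is constructed for illustration (the module example.com/node and the ../local replace are invented; the grpc and ledger-go lines mirror the ones quoted above), the function names are assumptions, and the v1.56.3 floor is the fixed version the comment above cites for GO-2023-2153.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed excerpt modelled on the situation reviewed above:
// the require line asks for a fixed gRPC, but a replace directive forces the
// vulnerable 1.33.2 onto the build. It is not the project's real go.mod.
const sampleGoMod = `module example.com/node

go 1.22

require (
	github.com/prometheus/client_golang v1.23.0
	google.golang.org/grpc v1.75.0
	google.golang.org/protobuf v1.36.8
)

replace (
	github.com/zondax/ledger-go => github.com/akash-network/ledger-go v0.15.1
	// latest grpc doesn't work with cosmos-sdk modified proto compiler
	google.golang.org/grpc => google.golang.org/grpc v1.33.2
	github.com/example/local => ../local
)
`

// Finding describes one module whose effective version is lower than expected.
type Finding struct {
	Module    string
	Effective string // version the build will actually use after replace
	Expected  string // require-line version, or the security floor
	Reason    string
}

// parseSemver reduces "v1.33.2" (or a pseudo-version such as
// v0.0.0-20250603155806-513f23925822) to its numeric core for ordering.
func parseSemver(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			break // malformed component: remaining positions stay 0
		}
		out[i] = n
	}
	return out
}

// compareVersions returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareVersions(a, b string) int {
	va, vb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			if va[i] < vb[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// parseGoMod extracts require versions and the target versions of replace
// directives. Directory replaces (old => ./path) carry no version and are skipped.
func parseGoMod(src string) (require, replace map[string]string) {
	require, replace = map[string]string{}, map[string]string{}
	block := "" // "require" or "replace" while inside a parenthesised block
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if block != "" && f[0] == ")" {
			block = ""
			continue
		}
		directive := block
		if block == "" && (f[0] == "require" || f[0] == "replace") {
			if len(f) == 2 && f[1] == "(" {
				block = f[0]
				continue
			}
			directive, f = f[0], f[1:] // single-line form
		}
		switch directive {
		case "require":
			if len(f) >= 2 {
				require[f[0]] = f[1]
			}
		case "replace": // old [version] => new version
			for i, tok := range f {
				if tok == "=>" && len(f) >= i+3 {
					replace[f[0]] = f[i+2]
				}
			}
		}
	}
	return require, replace
}

// EffectiveVersion returns the version a build will use for mod: the replace
// target when one exists, otherwise the require line, or "" if absent.
func EffectiveVersion(src, mod string) string {
	req, rep := parseGoMod(src)
	if v, ok := rep[mod]; ok {
		return v
	}
	return req[mod]
}

// FindDowngrades flags every required module whose replace target is older than
// its require line, and any module whose effective version is below a caller
// supplied floor (e.g. the first gRPC release with the Rapid Reset fix).
func FindDowngrades(src string, floors map[string]string) []Finding {
	req, rep := parseGoMod(src)
	var out []Finding
	for mod, want := range req {
		got, replaced := rep[mod]
		if !replaced {
			got = want
		}
		switch {
		case replaced && compareVersions(got, want) < 0:
			out = append(out, Finding{mod, got, want, "replace directive downgrades the require line"})
		case floors[mod] != "" && compareVersions(got, floors[mod]) < 0:
			out = append(out, Finding{mod, got, floors[mod], "effective version is below the fixed version"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	// Floor taken from the review comment above: gRPC >= v1.56.3 carries the
	// HTTP/2 Rapid Reset fix (GO-2023-2153).
	floors := map[string]string{"google.golang.org/grpc": "v1.56.3"}
	for _, f := range FindDowngrades(sampleGoMod, floors) {
		fmt.Printf("%s: effective %s, expected >= %s (%s)\n", f.Module, f.Effective, f.Expected, f.Reason)
	}
}
```

In a real checkout the same answer comes from the toolchain: `go list -m google.golang.org/grpc` prints the replacement after the `=>`, and `govulncheck ./...` evaluates the module graph with replace directives applied, which is why the OSV finding above reports 1.33.2 against a require line that says v1.75.0.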

@troian troian merged commit 11b52e5 into main Oct 25, 2025
18 checks passed
@troian troian deleted the ledger branch October 25, 2025 14:22