Bump github.com/cometbft/cometbft from 0.38.18 to 0.38.21

[dependabot]

Bumps github.com/cometbft/cometbft from 0.38.18 to 0.38.21.

Release notes

Sourced from github.com/cometbft/cometbft's releases.

v0.38.21

What's Changed

• chore(statesync): add max snapshot chunks configuration (v0.38.x) by @​mattac21 in cometbft/cometbft#5548
• test: add unit tests for TotalVotingPowerSafe (backport #5570) by @​mergify[bot] in cometbft/cometbft#5581

Full Changelog: cometbft/cometbft@v0.38.20...v0.38.21

v0.38.20

What's Changed

• Create NOTICE (backport #5495) by @​mergify[bot] in cometbft/cometbft#5496
• chore: add voting power validation (v0.38.x) by @​technicallyty in cometbft/cometbft#5520

Full Changelog: cometbft/cometbft@v0.38.19...v0.38.20

v0.38.19

This is a security patch release to the CometBFT v0.38.x family that fixes GHSA-hrhf-2vcr-ghch

What's Changed

• chore: fix test docker image by @​aljo242 in cometbft/cometbft#5299
• chore: refactor changelogs by @​aljo242 in cometbft/cometbft#5303
• chore: update and fix mockery tooling on v0.38 by @​aljo242 in cometbft/cometbft#5301
• chore: fix the linter by @​aljo242 in cometbft/cometbft#5304
• fix(store): Properly prune extended commits (backport #5276) by @​mergify[bot] in cometbft/cometbft#5313
• chore: clean up the repo by @​aljo242 in cometbft/cometbft#5315
• fix: remove exposed dockertest port to unblock postgres test by @​almk-dev in cometbft/cometbft#5325
• fix(consensus/reactor): reject oversized proposals (backport #5324) by @​mergify[bot] in cometbft/cometbft#5407
• GHSA-hrhf-2vcr-ghch

Full Changelog: cometbft/cometbft@v0.38.18...v0.38.19

Changelog

Sourced from github.com/cometbft/cometbft's changelog.

v0.38.21

January 23, 2026

IMPROVEMENTS

• [statesync] Add configurable max-snapshot-chunks parameter to validate max amount of chunks in a SnapshotResponse. (#5549)

v0.38.20

December 12, 2025

v0.38.19

October 14, 2025

This release fixes two security issues, including (ASA-2025-003). Users are encouraged to upgrade as soon as possible.

Additionally included is a bug fix to properly prune extended commits (with vote extensions).

BUG-FIXES

• [consensus] Reject oversized proposals (#5324)
• [store] Prune extended commits properly (5275)
• [bits] Validate BitArray mismatched Bits and Elems length (ASA-2025-003)

Commits

• c56d64e Merge commit from fork
• 01d5ea5 test: add unit tests for TotalVotingPowerSafe (backport #5570) (#5581)
• bd517d2 test: remove unnecessary loop variable capture
• 7c43155 test: add coverage for TotalVotingPowerSafe
• eeb4a59 fix test cases in validation
• 161f7ac fix tests
• a4e41a1 fix linter errors
• 26dc17f Add ValidateBlock tests for median time
• c36a8ed fix verbs
• dcf7e3b add test and fix a test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.