Bump @cosmjs/encoding from 0.34.0 to 0.37.0 in /packages/xchain-cosmos

[dependabot]

Bumps @cosmjs/encoding from 0.34.0 to 0.37.0.

Release notes

Sourced from @​cosmjs/encoding's releases.

v0.37.0

Highlights in this release

• Add client for CometBFT 1.x (Comet1Client)
• Modernize dependencies to reduce bundle size and reliability
• Set exports field to all packages. This prevents users from importing non-public interfaces and prepares for and ESM world.
• Deprecate executeKdf from both @​cosmjs/amino and @​cosmjs/proto-signing as wallet encryption will be removed (cosmos/cosmjs#1796).

Changelog: https://github.com/cosmos/cosmjs/blob/main/CHANGELOG.md#0370---2025-10-29 All changes: cosmos/cosmjs@v0.36.1...v0.37.0

0.36.0

Encrypted wallet serialization deprecated!

• The use of encrypted wallet storage is deprecated. In particular this means:

  • Secp256k1HdWallet.serialize/.serializeWithEncryptionKey
  • Secp256k1HdWallet.deserialize/.deserializeWithEncryptionKey
  • DirectSecp256k1HdWallet.serialize/.serializeWithEncryptionKey
  • DirectSecp256k1HdWallet.deserialize/.deserializeWithEncryptionKey

  If you are using any of those methods, please comment at cosmos/cosmjs#1796.

  A scream test was established which slows down the key derivation function a lot. This simulates the use of a pure-JS implementation of Argon2 which we will use on one of the next releases. If this causes problems for your app, switch back to ^0.35.0 and comment in the issue.

• Migrate from libsodium to different implementation in order to reduce bundle size and improve compatibility.

  • ed25519 now uses @​noble/curves
  • xchacha20poly1305 now uses @​noble/ciphers
  • Argon2 now uses hash-wasm

0.35.0

Cosmos client

• Add timeout option to CometBFT clients
• Avoid unnecessary status request when connecting a Comet38Client, Tendermint37Client or Tendermint34Client
• Upgrade CosmJS types to Cosmos SDK 0.50
• Kill @​cosmjs/cli to reduce maintenance burden
• Fix block result types in CometBFT clients

Modern JS

• Replace bn.js dependency with native bigints
• Modernize codebase for Node.js 20+
• Migrate away from axios to native fetch, reducing bundle size and external dependencies
• Preparation for better ES6 module support
• Replace the Node.js „crypto“ import with native crypto APIs to reduce problems with other environments
• All JS output is now ES2022

CI / tooling

• Migrate all CI jobs from CircleCI to GitHub Actions
• Migrate lint tooling to latest versions of eslint and typescript-eslint

... (truncated)

Changelog

Sourced from @​cosmjs/encoding's changelog.

[0.37.0] - 2025-10-29

Added

• @​cosmjs/tendermint-rpc: Add dedicated Comet1Client for compatibility with CometBFT 1.x RPC. The module comet1 contains all CometBFT 1.x specific types. connectComet now uses this client automatically when connecting to a 1.x RPC backend. Before CosmJS 0.37 the Comet38Client was used for both 0.38 and 1.0 backends. However it turned out that there are breaking API changes between those versions. (#1787)

#1787: cosmos/cosmjs#1787

Changed

• all: The package.jsons now all use the modern exports field instead of the classic main/types to define the entry points. This ensures only symbols from the top level module can be imported (like import { toBech32 } from "@cosmjs/encoding"). Other import paths like import { toBech32 } from "@cosmjs/encoding/src/bech32" are not allowed anymore. As all public interfaces used to be exported from the top level for a long time, this should not affect most users. However, if you accidentally imported a subpath before you will get an error now. This can typically be resolved like this:

  -import { toBech32 } from "@cosmjs/encoding/src/bech32"
  +import { toBech32 } from "@cosmjs/encoding"

  (#1819)

• Replace bech32 implementation by @​scure/base. This changes a bunch of error messages but is otherwise not breaking user code. (#1825)

• Replace bip39 implementation by @​scure/bip39. This changes a bunch of error messages but is otherwise not breaking user code. (#1843)

• @​cosmjs/tendermint-rpc: connectComet now returns a Comet1Client when a CometBFT 1.x RPC is found. CometClient now includes Comet1Client. (#1827)

• @​cosmjs/cosmwasm-stargate: use native compression APIs instead of pako for gzip. (#1764)

#1764: cosmos/cosmjs#1764 #1819: cosmos/cosmjs#1819 #1825: cosmos/cosmjs#1825 #1827: cosmos/cosmjs#1827 #1843: cosmos/cosmjs#1843

Deprecated

... (truncated)

Commits

• 4cee1ba Set version 0.37.0
• 9349bad Add 0.35.2 to main CHANGELOG
• ef0d066 Deprecate Tendermint 0.34 client (#1891)
• 06c9325 Bump version of tar dependency (#1889)
• 148c45d Fix typo startusResponse -> statusResponse
• 4b36220 Add publish-backports command
• cfcece3 Merge remote-tracking branch 'refs/remotes/origin/main'
• 22bf7a7 Merge pull request #1888 from MamunC0der/patch-1
• f853f2b Update lint.yml
• d920d93 Set version 0.37.0-rc.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}