Bump iavl to v1.2.8 for upstream bugfixes

[lukasz-zimnoch]

References:

Introduction

github.com/cosmos/iavl currently resolves to v1.2.0. It is not imported directly by any first-party package; it is pulled in transitively through our cosmossdk.io/store fork (github.com/mezo-org/cosmos-sdk/store v1.1.1-mezo), whose go.mod pins v1.2.0. This PR raises the resolved version to v1.2.8 so the node picks up the bugfixes released on the upstream iavl 1.2.x line since v1.2.0, without otherwise touching the store fork.

Changes

go.mod / go.sum

Adds a direct require github.com/cosmos/iavl v1.2.8. Because Minimal Version Selection takes the maximum of all requirements, this raises the resolved version above the v1.2.0 floor contributed by the store fork while leaving the fork itself unchanged. The dependency stays marked // indirect (no first-party package imports iavl; it is reached only via cosmossdk.io/store/rootmulti), and a comment on the require line records why it is pinned ahead of the fork's version, together with version bounds: a v1.2.8 floor, and a guard against advancing to a higher major/minor iavl line (e.g. v1.3.x) without first bumping and re-tagging the cosmossdk.io/store fork. go.sum is updated with the v1.2.8 checksums.

Testing

• go list -m github.com/cosmos/iavl resolves to v1.2.8; go mod why confirms the chain app → cosmos-sdk/baseapp → cosmossdk.io/store/rootmulti → iavl. go mod tidy is a no-op against the change and go mod verify reports all modules verified.
• make test-unit — all packages pass under -race, no failures.
• tests/system — the EVM, opcode, token-transfer, and state suites (MEZOTransfers, BTCTransfers, Push0Check, McopyCheck, TransientStorageCheck, Selfdestruct6780Check, SelfdestructSupplyInvariant, RandaoCheck, ClzCheck, ModexpCheck, InitcodeLimitCheck, RecipientGuard) pass against a localnode built from this branch — 238 passing, 0 failing.
• The bump is API-compatible (no source changes were required to build the full client) and storage-format-neutral: the committed state root hashes produced through the cosmossdk.io/store/iavl path are identical to those produced on v1.2.0. This makes the change non-consensus-breaking and safe to roll out without a coordinated chain halt.

---

Author's checklist

• Provided the appropriate description of the pull request
• Updated relevant unit and integration tests
• Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• Assigned myself in the Assignees field
• Assigned mezod-developers in the Reviewers field and notified them on Discord

Reviewer's checklist

• Confirmed all author's checklist items have been addressed
• Considered security implications of the code changes
• Considered performance implications of the code changes
• Tested the changes and summarized covered scenarios and results in a comment