fix(deps): update module github.com/quic-go/quic-go to v0.57.0 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/quic-go/quic-go	v0.35.1 → v0.57.0

GitHub Vulnerability Alerts

CVE-2023-49295

An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

CVE-2024-22189

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/.
I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

CVE-2024-53259

Impact

An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.

By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).

As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).

Patches

The fix is easy: Use IP_PMTUDISC_PROBE instead of IP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.

Has the problem been patched? What versions should users upgrade to?

Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Use iptables to drop ICMP Unreachable packets.

References

Are there any links users can visit to find out more?

This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/

CVE-2025-59530

Summary

A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake.

Impact

A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC).

Affected Versions

• All versions prior to v0.49.1 (for the 0.49 branch)
• Versions v0.50.0 to v0.54.0 (inclusive)
• Fixed in v0.49.1, v0.54.1, and v0.55.0 onward

Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later.

Details

For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets:

• Initial keys (derived from a static key and the connection ID)
• Handshake keys (derived from the client's and server's key shares in the TLS handshake)
• 1-RTT keys (derived when the TLS handshake finishes)

On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake.

Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys.

After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an assertion that no packets are queued after completion of the handshake.

A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys.

This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets).

The Fix

quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354.

CVE-2025-64702

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

---

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.57.0

Compare Source

This release reworks the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #​5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #​5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #​5435 (and quic-go/qpack#67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #​5452

 

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #​5433
   

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #​5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #​5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in #​5426
• qlogwriter: fix storing of event schemas by @​marten-seemann in #​5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @​marten-seemann in #​5431
• http3: read response after encountering error sending the request by @​marten-seemann in #​5432
• http3: make Transport.MaxResponseBytes an int by @​marten-seemann in #​5433
• http3: add a benchmark for header parsing by @​marten-seemann in #​5435
• update qpack to v0.6.0 by @​marten-seemann in #​5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @​marten-seemann in #​5439
• add documentation for Conn.NextConnection by @​marten-seemann in #​5442
• ackhandler: don’t generate an immediate ACK for the first packet by @​marten-seemann in #​5447
• don’t arm connection timer for connection ID retirement by @​marten-seemann in #​5449
• README: add nodepass to list of projects by @​yosebyte in #​5448
• qlogwriter: use synctest to make tests deterministic by @​marten-seemann in #​5454
• http3: limit size of decompressed headers by @​marten-seemann in #​5452

New Contributors

• @​yosebyte made their first contribution in #​5448

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

Compare Source

This release introduces qlog support for HTTP/3 (#​5367, #​5372, #​5374, #​5375, #​5376, #​5381, #​5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#​5356, #​5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#​5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

• replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#​5353, #​5371)
• quicvarint: improved panic message for numbers larger than 2^62 (#​5410)

Behind the Scenes

Go 1.25 introduced support for testing concurrent code using testing/synctest. We've been working on transitioning tests to use synctest (#​5357, #​5391, #​5393, #​5397, #​5398, #​5403, #​5414, #​5415), using @​MarcoPolo's simnet package to simulate a network in memory.

Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: #​5386).

Changelog

• qlog: implement a minimal jsontext-like JSON encoder by @​marten-seemann in #​5353
• ci: remove 386 (32 bit x86) by @​MarcoPolo in #​5352
• use synctest in more connection tests by @​marten-seemann in #​5357
• qlog: split serializiation and event definitions, remove logging abstraction by @​marten-seemann in #​5356
• qlogwriter: implement the draft-12 trace header by @​marten-seemann in #​5360
• qlogwriter: add support for event_schemas in the trace header by @​marten-seemann in #​5361
• qlogwriter: pass the event time to Event.Encode by @​marten-seemann in #​5362
• ackhandler: fix qlogging of alarm timer expiration time by @​marten-seemann in #​5363
• qlog: privatize Encode functions of non-Event structs by @​marten-seemann in #​5364
• fix qlogging of the short header payload length by @​marten-seemann in #​5365
• ci: include OS and Go version in Codecov test report upload by @​marten-seemann in #​5370
• http3: add basic server-side qlog support by @​marten-seemann in #​5367
• jsontext: add support for encoding null by @​marten-seemann in #​5371
• qlog: use PathEndpointInfo in connection_started by @​marten-seemann in #​5368
• http3: fix qlog encoding of frame_parsed and frame_created events by @​marten-seemann in #​5372
• http3: add basic client-side qlog support by @​marten-seemann in #​5374
• readme: update oss-fuzz link by @​kriztalz in #​5377
• http3: qlog sent and received GOAWAY frames by @​marten-seemann in #​5376
• http3: qlog sent and received DATAGRAMs by @​marten-seemann in #​5375
• http3: move qlogging of frames into the frame parser by @​marten-seemann in #​5378
• http3: qlog sent and received SETTINGS frames by @​marten-seemann in #​5379
• http3: qlog the frame length and payload length of parsed frames by @​marten-seemann in #​5380
• http3: qlog reserved, unsupported and unknown frames by @​marten-seemann in #​5381
• http3: add the qlog event schema to trace header by @​marten-seemann in #​5383
• use default RTT (100ms) for 0-RTT if no prior estimate by @​marten-seemann in #​5388
• congestion: avoid overflows when calculating pacer budget by @​marten-seemann in #​5390
• add simnet package to simulate a net.PacketConn in memory by @​marten-seemann in #​5385
• use synctest for transport tests by @​marten-seemann in #​5391
• use simnet in CONNECTION_CLOSE retransmission test by @​marten-seemann in #​5395
• use synctest for the packet drop test by @​marten-seemann in #​5393
• use synctest for the handshake drop test by @​marten-seemann in #​5397
• use synctest for the datagram test by @​marten-seemann in #​5398
• use synctest for the timeout tests by @​marten-seemann in #​5403
• fix flaky TestConnectionUnpackFailureDropped by @​Copilot in #​5382
• fix flaky TestServerTransportClose by @​Copilot in #​5407
• ci: use gcassert to check that quicvarint.Len is inlined by @​marten-seemann in #​5409
• quicvarint: improve panic message for numbers larger 2^62 by @​marten-seemann in #​5410
• ci: bump actions/upload-artifact from 4 to 5 by @​dependabot[bot] in #​5411
• ci: update golangci-lint to v2.6.0 by @​marten-seemann in #​5412
• qlog: rename owner to initiator by @​marten-seemann in #​5416
• use synctest for the stateless reset tests by @​marten-seemann in #​5415
• ackhandler: fix qlogging of RTT values by @​marten-seemann in #​5418
• qlog: rework the ConnectionClosed event by @​marten-seemann in #​5417
• qlog: split the PTO count updates ouf of the MetricsUpdated event by @​marten-seemann in #​5421

New Contributors

• @​kriztalz made their first contribution in #​5377
• @​Copilot made their first contribution in #​5382

Full Changelog: quic-go/quic-go@v0.55.0...v0.56.0

v0.55.0

Compare Source

This release contains a number of improvements and fixes, and it updates the supported Go versions to 1.24 and 1.25.

Optimizations

When sending packets on a QUIC connection, RFC 9002 requires us to save the timestamp for every packet sent. In #​5344, we implemented a memory-optimized drop-in replacement for time.Time, which reduces the memory required from 24 to 8 bytes, and vastly speeds up timer calculations (which happen very frequently).

New Features

• Basic connection statistics are now exposed via Conn.ConnectionStats, thanks to @​MarcoPolo
• On some links, packet reordering can lead to spurious detections of packet loss when using the loss detection logic specified in RFC 9002. #​5355 adds logic detect when packet loss is detected spuriously.

Notable Fixes

• http3: don't allow usage of closed Transport: #​5324, thanks to @​Glonee
• http3: fix race in concurrent Transport.Roundtrip calls: #​5323, thanks to @​Glonee
• improve and fix connection timer logic: #​5339, thanks to @​sukunrt for a very comprehensive code review

Behind the Scenes

We have started transitioning tests to make use of the new synctest package that was added in Go 1.25 (and was available as a GOEXPERIMENT in Go 1.24): #​5291, #​5296, #​5298, #​5299, #​5302, #​5304, #​5305, #​5306, #​5317. This is a lot of work, but it makes the test execution both faster and more reliable.

Changelog

• wire: implement parsing and writing of the ACK_FREQUENCY frame by @​marten-seemann in #​5264
• wire: implement parsing and writing of the IMMEDIATE_ACK frame by @​marten-seemann in #​5265
• fuzzing: fix timeout in frame parser by @​jannis-seemann in #​5268
• wire: add support for the min_ack_delay transport parameter by @​marten-seemann in #​5266
• fix missing log statement for STREAM, DATAGRAM and ACK by @​jannis-seemann in #​5273
• qlog: add support for ACK_FREQUENCY and IMMEDIATE_ACK frames by @​marten-seemann in #​5276
• ackhandler: remove unused time from receivedPacketHandler.ReceivedPacket by @​marten-seemann in #​5277
• quicvarint: extend benchmark to use quicvarint.Reader by @​marten-seemann in #​5278
• quicvarint: tolerate empty reads of the underlying io.Reader by @​bemasc in #​5275
• http3: fix documentation for Server.ServeListener by @​WeidiDeng in #​5282
• expose connection stats via Conn.ConnectionStats by @​marten-seemann in #​5281
• ackhandler: generalize check for missing packets below threshold by @​marten-seemann in #​5260
• update to Go 1.25, drop Go 1.23, use go tool for gomock by @​marten-seemann in #​5283
• replace interface{} with any by @​marten-seemann in #​5290
• use testing.B.Loop in all benchmark tests by @​marten-seemann in #​5285
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​5293
• use synctest to make receive stream tests fully deterministc by @​marten-seemann in #​5291
• use synctest to make streams map tests fully deterministic by @​marten-seemann in #​5296
• ci: cache the Go build cache for cross-compilation workflow by @​marten-seemann in #​5297
• ci: fix cache save and restore logic for cross compile workflow by @​marten-seemann in #​5300
• restore previously deleted TestStreamsMapConcurrent test by @​marten-seemann in #​5301
• use synctest to make the send queue tests fully deterministic by @​marten-seemann in #​5302
• use synctest to make the send stream tests fully deterministic by @​marten-seemann in #​5298
• ci: use go mod tidy -diff to check for tidied go.mod by @​marten-seemann in #​5303
• use synctest to make the datagram queue tests fully deterministic by @​marten-seemann in #​5305
• utils: use synctest to make the timer tests fully deterministic by @​marten-seemann in #​5306
• ackhandler: fix resetting of packet.isPathProbePacket by @​marten-seemann in #​5310
• ackhandler: use an iterator to process received packet ranges by @​marten-seemann in #​5309
• ackhandler: use a typed mock for the ECNHandler by @​marten-seemann in #​5311
• ackhandler: immediately clear ackedPacket slice after processing ACK by @​marten-seemann in #​5313
• ci: improve cache key generation for the cross compilation job by @​marten-seemann in #​5315
• ci: fix cache paths in cross compile workflow by @​marten-seemann in #​5318
• ackhandler: avoid storing packet number in packet struct by @​marten-seemann in #​5312
• ackhandler: store skipped packet numbers separately by @​marten-seemann in #​5314
• ackhandler: account for skipped packets in packet threshold calculation by @​marten-seemann in #​5316
• ackhandler: store the last four skipped packets by @​marten-seemann in #​5322
• http3: fix data race in Transport by @​Glonee in #​5323
• qlog: add a benchmark for the ConnectionTracer by @​marten-seemann in #​5328
• qlog: merge event category and name by @​marten-seemann in #​5329
• http3: don't allow usage of closed Transport by @​Glonee in #​5324
• build(deps): bump actions/setup-go from 5 to 6 by @​dependabot[bot] in #​5330
• fix: return stream frames to pool on error paths by @​lidel in #​5327
• ackhandler: add a benchmark for sending and acknowledging packets by @​marten-seemann in #​5333
• implement a memory-optimized time.Time replacement by @​marten-seemann in #​5334
• add a benchmark test for data transfers by @​marten-seemann in #​5335
• improve connection timer logic by @​marten-seemann in #​5339
• use synctest to make the connection tests fully deterministic by @​marten-seemann in #​5317
• drop initial packets when the handshake is confirmed by @​marten-seemann in #​5354
• protocol: optimize ConnectionID.String by @​marten-seemann in #​5351
• fix missing tracing of restored transport parameters by @​marten-seemann in #​5349
• ackhandler: track lost packets and detect spurious losses by @​marten-seemann in #​5355

New Contributors

• @​bemasc made their first contribution in #​5275
• @​lidel made their first contribution in #​5327

Full Changelog: quic-go/quic-go@v0.54.0...v0.55.0

v0.54.1

Compare Source

v0.54.0

Compare Source

This release adds support for QUIC Stream Resets with Partial Delivery, a QUIC extension that allows resetting a stream, while guaranteeing delivery of stream data up to a certain byte offset (#​5155, #​5158, #​5160, #​5235, #​5242, #​5243). This extension is a requirement of newer versions of WebTransport over HTTP/3.

Other Notable Changes

• http3: the package now doesn't depend on any internal quic-go packages: #​5256
• wire: return concrete structs (instead of a wire.Frame) for common frame types (STREAM, DATAGRAM, ACK), speeding up STREAM frame parsing by ~18%: #​5253, #​5227, thanks to @​jannis-seemann

Fixes

• fix retransmission logic for path probing packets: #​5241
• close the Transport when DialAddr fails: #​5259, thanks to @​rbqvq

Changelog

• fix retransmission logic for path probing packets by @​marten-seemann in #​5241
• implement receiver side behavior for RESET_STREAM_AT by @​marten-seemann in #​5235
• implement sender side behavior for RESET_STREAM_AT by @​marten-seemann in #​5242
• fix flaky TestTransportReplaceWithClosed by @​marten-seemann in #​5245
• fix flaky TestDrainServerAcceptQueue by @​marten-seemann in #​5247
• fix flaky TestServerReceiveQueue by @​marten-seemann in #​5249
• http3: fix flaky TestConnGoAwayFailures by @​marten-seemann in #​5252
• add a Config and ConnectionState flag for RESET_STREAM_AT by @​marten-seemann in #​5243
• fix flaky TestPostQuantumClientHello by @​marten-seemann in #​5253
• http3: Remove dependency on quic internal package by @​rthellend in #​5256
• close Transport when DialAddr fails by @​rbqvq in #​5259
• wire: improve frame parsing benchmarks by @​jannis-seemann in #​5263
• optimize parsing logic for STREAM, DATAGRAM and ACK frames by @​jannis-seemann in #​5227

New Contributors

• @​rbqvq made their first contribution in #​5259

Full Changelog: quic-go/quic-go@v0.53.0...v0.54.0

v0.53.0

Compare Source

This release introduces a massive overhaul of the quic-go API. See this blog post for more details about the motivation. Most users will need to make some changes when upgrading to this version.

• The Connection interface was removed in favor of a Conn struct (#​5195).
• The ReceiveStream, SendStream and Stream interfaces were replaced with structs of the same name (#​5149, #​5172, #​5173, #​5214).

In most cases, migrating downstream code should be fairly straightforward. For example, a method that used to accept a quic.Connection as a parameter now needs to accept a *quic.Conn, and a function handling a quic.Stream now needs to handle a *quic.Stream. Of course, consumers of quic-go are free to define their own interfaces.

Similarly, on the HTTP/3 layer:

• The Connection interface was replaced with a Conn struct (#​5204).
• The RequestStream interface was converted to a struct (#​5153, #​5216).
• The Stream interface was converted to a struct (#​5154).

We expect that most HTTP/3 users won't need to adjust their code, if they use the package to run an HTTP/3 server and dial HTTP/3 connection. More advanced use cases, such as WebTransport and the various MASQUE protocols, will require updates. We have already released new versions of webtransport-go and masque-go to support these changes.

Other Breaking Changes

• http3: the deprecated SingleDestinationRoundTripper was removed (#​5217)

Notable Fixes and Improvements

• fix Goroutine leak when receiving a Version Negotiation packets race with dial context cancellation (#​5203)
• drain the server accept queue when closing the transport (#​5237), thanks to @​sukunrt
• fix a race condition when closing transport (#​5220), thanks to @​sukunrt
• quicvarint: speed up parsing of 1, 2 and 4-byte varints (~12.5% for 1 and 2 bytes, ~1% for 4 bytes) (#​5229), thanks to @​jannis-seemann
• http3: expose ClientConn.Context, CloseWithError and Conn: #​5219
• http3: RequestStream could be misused in many different ways, that's why we tightened the error checks (#​5231)

Behind The Scenes

We've completed the migration of the entire test suite away from Ginkgo (#​3652) and towards standard Go tests (#​5084, #​5150, #​5151, #​5193, #​5194, #​5196, #​5198). This was a major undertaking, spanning roughly 9 months and resulting in a complete rewrite of quic-go's test suite (> 40,000 lines of code!). Users will now benefit from a significantly slimmed-down dependency tree when upgrading.

Changelog

• http3: migrate the stream tests away from Ginkgo by @​marten-seemann in #​5150
• http3: migrate the state tracking stream tests away from Ginkgo by @​marten-seemann in #​5151
• implement parsing and writing of RESET_STREAM_AT frames by @​marten-seemann in #​5155
• wire: add support for the reset_stream_at transport parameter by @​marten-seemann in #​5158
• qlog: add support for reset_stream_at frame and transport parameter by @​marten-seemann in #​5160
• http3: convert RequestStream from an interface to a struct by @​marten-seemann in #​5153
• http3: convert Stream from an interface to a struct by @​marten-seemann in #​5154
• http3: simplify HTTP datagram handling by @​marten-seemann in #​5156
• http3: use actual QUIC connection and stream in server tests by @​marten-seemann in #​5161
• http3: use actual QUIC connection and stream in client tests by @​marten-seemann in #​5162
• http3: use actual QUIC connection and stream in conn tests by @​marten-seemann in #​5163
• http3: use actual QUIC connection in transport tests by @​marten-seemann in #​5164
• http3: use actual QUIC stream in state tracking stream tests by @​marten-seemann in #​5166
• http3: use actual QUIC connection in frames tests by @​marten-seemann in #​5165
• http3: fix flaky TestClientStreamHijacking by @​marten-seemann in #​5169
• http3: use actual QUIC connection in stream tests by @​marten-seemann in #​5170
• mockquic: remove package by @​marten-seemann in #​5171
• fix flaky TestDatagramLoss by @​marten-seemann in #​5174
• fix flaky TestConnectionPathValidation by @​marten-seemann in #​5175
• fix flaky TestHTTPRequestAfterGracefulShutdown by @​marten-seemann in #​5178
• fix flaky TestGracefulShutdownPendingStreams by @​marten-seemann in #​5179
• fix flaky TestTransportReplaceWithClosed by @​marten-seemann in #​5181
• http3: fix flaky TestClientResponseValidation by @​marten-seemann in #​5183
• http3: fix flaky TestServerRequestHeaderTooLarge by @​marten-seemann in #​5186
• http3: fix flaky TestConnControlStreamFailure by @​marten-seemann in #​5188
• avoid triggering macOS dual-stack flakiness in HTTP/3 integration tests by @​marten-seemann in #​5187
• convert Stream interface to a struct by @​marten-seemann in #​5149
• convert SendStream interface to a struct by @​marten-seemann in #​5172
• convert ReceiveStream interface to a struct by @​marten-seemann in #​5173
• ackhandler: migrate the ECN tests away from Ginkgo by @​marten-seemann in #​5084
• congestion: migrate tests away from Ginkgo by @​marten-seemann in #​5193
• ci: stop using Ginkgo test command by @​marten-seemann in #​5194
• mocks: simplify mockgen command to generate MockCryptoSetup by @​marten-seemann in #​5197
• ci: remove leftover check for Ginkgo imports by @​marten-seemann in #​5198
• http3: simplify connection closing in the frame parser by @​marten-seemann in #​5196
• fix Goroutine leak on version negotiation race with context cancel by @​marten-seemann in #​5203
• simplify stream ID handling in the incoming streams map by @​marten-seemann in #​5207
• simplify stream ID handling in the outgoing streams map by @​marten-seemann in #​5209
• ci: enable Codecov test analysis by @​marten-seemann in #​5210
• remove connection flow controller mock by @​marten-seemann in #​5213
• handle stream-related frame in the streams map by @​marten-seemann in #​5212
• explictly expose all method on the Stream by @​marten-seemann in #​5214
• convert Connection interface to Conn struct by @​marten-seemann in [#​5195](https://redirect.github.com/quic-go/quic-go/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.20 -> 1.22
golang.org/x/net	v0.11.0 -> v0.28.0
golang.org/x/crypto	v0.10.0 -> v0.26.0
golang.org/x/exp	v0.0.0-20230522175609-2e198f4a06a1 -> v0.0.0-20240506185415-9bf2ced13842
golang.org/x/mod	v0.11.0 -> v0.18.0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​quic-go/​quic-go@​v0.35.1 ⏵ v0.57.0	+1	+26
	golang.org/​x/​net@​v0.11.0 ⏵ v0.43.0	+1	+22

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.20 -> 1.24
golang.org/x/net	v0.11.0 -> v0.43.0
golang.org/x/crypto	v0.10.0 -> v0.41.0