chore(deps): bump the go_modules group across 1 directory with 12 updates #9390

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go_modules-387409a698

dependabot bot commented on behalf of github Apr 17, 2026

Bumps the go_modules group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/buger/jsonparser | 1.1.1 | 1.1.2 |
| github.com/go-jose/go-jose/v4 | 4.1.3 | 4.1.4 |
| github.com/antchfx/xpath | 1.3.4 | 1.3.6 |
| github.com/cloudflare/circl | 1.6.1 | 1.6.3 |
| github.com/go-git/go-git/v5 | 5.16.4 | 5.17.1 |
| github.com/gofiber/fiber/v2 | 2.52.11 | 2.52.12 |
| github.com/jackc/pgx/v5 | 5.8.0 | 5.9.0 |
| golang.org/x/image | 0.25.0 | 0.38.0 |
| github.com/ipld/go-ipld-prime | 0.21.0 | 0.22.0 |
| github.com/quic-go/quic-go | 0.54.1 | 0.57.0 |
| github.com/quic-go/webtransport-go | 0.9.0 | 0.10.0 |

Updates github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.7.7 to 1.7.8

Commits

Updates github.com/buger/jsonparser from 1.1.1 to 1.1.2

Release notes

Sourced from github.com/buger/jsonparser's releases.

v1.1.2

What's Changed

New Contributors

Full Changelog: buger/jsonparser@v1.1.1...v1.1.2

Commits
  • a69e7e0 Merge pull request #276 from dbarrosop/master
  • d3eacc0 fix: prevent panic on negative slice index in Delete with malformed JSON (GO-...
  • 61b32cf Merge pull request #241 from unxcepted/master
  • 2181e83 Merge pull request #244 from ScaleChamp/patch-2
  • 1510b51 Added latest versions of go to tests
  • 6fc2e48 fix: eachkey allocation
  • a6f867e Merge pull request #239 from AdamKorcz/cifuzz1
  • cbc01fd Fuzzing: Add CIFuzz
  • dc92d69 Merge pull request #228 from jonomacd/null-handling
  • 2d9d634 Merge pull request #231 from carsonip/fix-parseint-overflow-check
  • Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

Updates github.com/antchfx/xpath from 1.3.4 to 1.3.6

Release notes

Sourced from github.com/antchfx/xpath's releases.

v1.3.6

Merged PR:

Fixed:

Release v1.3.5

Merged PR:

Fixed:

  • #113 - (fix string() function)
Commits

Updates github.com/cloudflare/circl from 1.6.1 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

CIRCL v1.6.2

  • New SLH-DSA, improvements in ML-DSA for arm64.
  • Tested compilation on WASM.

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

Commits
  • 24ae53c Release CIRCL v1.6.3
  • 581020b Rename method to oddMultiplesProjective.
  • 12209a4 Removing unused cmov for jacobian points.
  • fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
  • 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
  • 3416046 Check opts for nil value.
  • a763d47 Release CIRCL v1.6.2
  • 3c70bf9 Bump x/crypto x/sys dependencies.
  • 3f0f15b Revert to using package-declared HPKE errors for shortkem instead of standard...
  • 23491bd Adding generic Power2Round method.
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.4 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

v5.16.5

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

Commits
  • 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
  • 6b38a32 Merge pull request #1935 from pjbgf/index-v5
  • cd757fc plumbing: format/idxfile, Fix version and fanout checks
  • 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
  • dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
  • e9b65df plumbing: format/index, Improve v4 entry name validation
  • adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
  • 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
  • bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
  • 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
  • Additional commits viewable in compare view

Updates github.com/gofiber/fiber/v2 from 2.52.11 to 2.52.12

Release notes

Sourced from github.com/gofiber/fiber/v2's releases.

v2.52.12

🐛 Fixes

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

Commits
  • 6cba195 Bump fiber package version to 2.52.12
  • 5ebbee7 docs: update image paths to v2 in README files
  • 5028167 Merge commit from fork
  • 42380aa fix: adapt tests for v2 - use defer/recover pattern and correct Handler signa...
  • 7cffe29 refactor: use helper function for param route generation in tests
  • 5494de8 🐛 bug: add panic for routes with >30 parameters (GHSA-mrq8-rjmw-wpq3)
  • See full diff in compare view

Updates github.com/jackc/pgx/v5 from 5.8.0 to 5.9.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

  • Require Go 1.25+
  • Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
  • Add OAuth authentication support for PostgreSQL 18 (David Schneider)
  • Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
  • Add tsvector type support (Adam Brightwell)
  • Skip Describe Portal for cached prepared statements reducing network round trips
  • Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
  • Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
  • Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
  • Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
  • Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
  • Make RowsAffected faster (Abhishek Chanda)
  • Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
  • Fix: ContextWatcher goroutine leak (Hank Donnay)
  • Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)
  • Fix: pipelineBatchResults.Exec silently swallowing lastRows error
  • Fix: ColumnTypeLength using BPCharArrayOID instead of BPCharOID
  • Fix: TSVector text encoding returning nil for valid empty tsvector
  • Fix: wrong error messages for Int2 and Int4 underflow
  • Fix: Numeric nil Int pointer dereference with Valid: true
  • Fix: reversed strings.ContainsAny arguments in Numeric.ScanScientific
  • Fix: message length parsing on 32-bit platforms
  • Fix: FunctionCallResponse.Decode mishandling of signed result size
  • Fix: returning wrong error in configTLS when DecryptPEMBlock fails (Maxim Motyshen)
  • Fix: misleading ParseConfig error when default_query_exec_mode is invalid (Skarm)
  • Fix: missed Unwatch in Pipeline error paths
  • Clarify too many failed acquire attempts error message
  • Better error wrapping with context and SQL statement (Aneesh Makala)
  • Enable govet and ineffassign linters (Federico Guerinoni)
  • Guard against various malformed binary messages (arrays, hstore, multirange, protocol messages)
  • Fix various godoc comments (ferhat elmas)
  • Fix typos in comments (Oleksandr Redko)
Commits
  • b4d8e62 Release v5.9.0
  • c227cd4 Bump minimum Go version from 1.24 to 1.25
  • f492c14 Use reflect.TypeFor instead of reflect.TypeOf for static types
  • ad8fb08 Use sync.WaitGroup.Go to simplify goroutine spawning
  • 3033773 Remove go1.26 build tag from synctest test
  • 83ffb3c Validate multirange element count against source length before allocating
  • 828f214 Fix message length parsing on 32-bit platforms
  • e196a39 Add fuzz test for SQL lexer in sanitize package
  • 7f969f8 Rename TraceQueryute to traceExecute
  • ab52391 Use single Stat snapshot in checkMinConns
  • Additional commits viewable in compare view

Updates golang.org/x/image from 0.25.0 to 0.38.0

Commits
  • 23ae9ed tiff: cap buffer growth to prevent OOM from malicious IFD offset
  • e589e60 webp: allow VP8L + VP8X(with alpha)
  • fe7d73d go.mod: update golang.org/x dependencies
  • e3d762b all: upgrade go directive to at least 1.25.0 [generated]
  • 833c6ed go.mod: update golang.org/x dependencies
  • bc7fe0b go.mod: update golang.org/x dependencies
  • c53c97f go.mod: update golang.org/x dependencies
  • 9032ff7 all: eliminate vet diagnostics
  • 9c9d08c go.mod: update golang.org/x dependencies
  • 742b1b7 all: fix some comments
  • Additional commits viewable in compare view

Updates github.com/ipld/go-ipld-prime from 0.21.0 to 0.22.0

Release notes

Sourced from github.com/ipld/go-ipld-prime's releases.

v0.22.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from github.com/ipld/go-ipld-prime's changelog.

CHANGELOG

Here is collected some brief notes on major changes over time, sorted by tag in which they are first available.

Of course for the "detailed changelog", you can always check the commit log! But hopefully this summary helps.

Note about version numbering: All release tags are in the "v0.${x}" range. We do not expect to make a v1 release. Nonetheless, this should not be taken as a statement that the library isn't usable already. Much of this code is used in other libraries and products, and we do take some care about making changes. (If you're ever wondering about stability of a feature, ask -- or contribute more tests ;))

Planned/Upcoming Changes

Here are some outlines of changes we intend to make that affect the public API:

  • IPLD Amend: is likely to land soon; it implements a more efficient underlying architecture to support IPLD Patch and related features. IPLD Amend adds an interface to allow incremental changes to Nodes in an efficient way. Whereas IPLD Patch is a protocol for expressing changes. We're still working on figuring out exactly where it fits in the stack and making sure it won't be disruptive but early benchmarks are very promising for both Patch and traversal-based transforms. See ipld/go-ipld-prime#445 for more.
  • Layered Node implementation optimizations: When layering different implementations of Node builders or consumers, having to defer through basicnode types can lead to large inefficiencies of memory and speed. We are looking at ways to improve this situation, including ways to assemble layered assemblers. See ipld/go-ipld-prime#443 for discussion and some initial plans.
  • Selectors: There have been some recurring wishes to do something about the Selector package layout. There's no intended or prioritized date for this. See ipld/go-ipld-prime#236 for more.
  • Absent / "Not found" values: There may be some upcoming changes to exactly how "not found" values are handled in order to clarify and standardize the subject. There's no finalized date for this. See ipld/go-ipld-prime#360 for more.

Released Changes

Commits
  • 75f643e chore: v0.22.0 bump (#612)
  • e43bf4a feat(dagcbor): make decode budget configurable via DecodeOptions (#611)
  • 2fe6c72 chore: update deps
  • a425e60 ci: uci/update-go (#609)
  • 0a304bd ci: uci/copy-templates (#600)
  • 7879a2e build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
  • 734605b fix: staticcheck complaints
  • e3168d4 chore!: bump go.mod to Go 1.23 and run go fix
  • 845b7c2 chore!: bump go.mod to Go 1.23 and run go fix
  • 6685a3d chore!: bump go.mod to Go 1.23 and run go fix
  • Additional commits viewable in compare view

Updates github.com/quic-go/quic-go from 0.54.1 to 0.57.0

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #5433

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

  • replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)

... (truncated)

Commits
  • 5b2d212 http3: limit size of decompressed headers (#5452)
  • e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
  • d43c589 README: add nodepass to list of projects (#5448)
  • ca2835d don’t arm connection timer for connection ID retirement (#5449)
  • e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
  • d4d168f add documentation for Conn.NextConnection (#5442)
  • 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
  • b7886d5 update qpack to v0.6.0 (#5434)
  • 2fc9705 http3: add a benchmark for header parsing (#5435)
  • dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
  • Additional commits viewable in compare view

Updates github.com/quic-go/webtransport-go from 0.9.0 to 0.10.0

Release notes

Sourced from github.com/quic-go/webtransport-go's releases.

v0.10.0

This release updates webtransport-go to use the new API introduced in quic-go v0.59.0 (#221): Instead of "hijacking" streams from the HTTP/3 layer, the underlying QUIC connection is now owned by WebTransport, and webtransport-go dispatches incoming streams to either the HTTP/3 layer or an existing or new WebTransport session.

New Features

Breaking Changes

  • Session.ConnectionState was renamed to SessionState: #189
  • The StreamID method was removed from Stream, SendStream and ReceiveStream: #226
  • The Server now embeds the http3.Server as a pointer (instead of by value): #215

Other Changes

  • The Stream and the SendStream now expose a Context method: #176 (thanks to @​Sicilica)
  • Delayed streams for alr...

    Description has been truncated

…ates

Bumps the go_modules group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/buger/jsonparser](https://github.com/buger/jsonparser) | `1.1.1` | `1.1.2` |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.1.3` | `4.1.4` |
| [github.com/antchfx/xpath](https://github.com/antchfx/xpath) | `1.3.4` | `1.3.6` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.1` | `1.6.3` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.16.4` | `5.17.1` |
| [github.com/gofiber/fiber/v2](https://github.com/gofiber/fiber) | `2.52.11` | `2.52.12` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.8.0` | `5.9.0` |
| [golang.org/x/image](https://github.com/golang/image) | `0.25.0` | `0.38.0` |
| [github.com/ipld/go-ipld-prime](https://github.com/ipld/go-ipld-prime) | `0.21.0` | `0.22.0` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.54.1` | `0.57.0` |
| [github.com/quic-go/webtransport-go](https://github.com/quic-go/webtransport-go) | `0.9.0` | `0.10.0` |



Updates `github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream` from 1.7.7 to 1.7.8
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/m2/v1.7.7...service/m2/v1.7.8)

Updates `github.com/buger/jsonparser` from 1.1.1 to 1.1.2
- [Release notes](https://github.com/buger/jsonparser/releases)
- [Commits](buger/jsonparser@v1.1.1...v1.1.2)

Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

Updates `github.com/antchfx/xpath` from 1.3.4 to 1.3.6
- [Release notes](https://github.com/antchfx/xpath/releases)
- [Commits](antchfx/xpath@v1.3.4...v1.3.6)

Updates `github.com/cloudflare/circl` from 1.6.1 to 1.6.3
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.1...v1.6.3)

Updates `github.com/go-git/go-git/v5` from 5.16.4 to 5.17.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.4...v5.17.1)

Updates `github.com/gofiber/fiber/v2` from 2.52.11 to 2.52.12
- [Release notes](https://github.com/gofiber/fiber/releases)
- [Commits](gofiber/fiber@v2.52.11...v2.52.12)

Updates `github.com/jackc/pgx/v5` from 5.8.0 to 5.9.0
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.8.0...v5.9.0)

Updates `golang.org/x/image` from 0.25.0 to 0.38.0
- [Commits](golang/image@v0.25.0...v0.38.0)

Updates `github.com/ipld/go-ipld-prime` from 0.21.0 to 0.22.0
- [Release notes](https://github.com/ipld/go-ipld-prime/releases)
- [Changelog](https://github.com/ipld/go-ipld-prime/blob/master/CHANGELOG.md)
- [Commits](ipld/go-ipld-prime@v0.21.0...v0.22.0)

Updates `github.com/quic-go/quic-go` from 0.54.1 to 0.57.0
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.54.1...v0.57.0)

Updates `github.com/quic-go/webtransport-go` from 0.9.0 to 0.10.0
- [Release notes](https://github.com/quic-go/webtransport-go/releases)
- [Commits](quic-go/webtransport-go@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
  dependency-version: 1.7.8
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/buger/jsonparser
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/antchfx/xpath
  dependency-version: 1.3.6
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/gofiber/fiber/v2
  dependency-version: 2.52.12
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/image
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/ipld/go-ipld-prime
  dependency-version: 0.22.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.57.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/quic-go/webtransport-go
  dependency-version: 0.10.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies and go (Pull requests that update Go code) labels Apr 17, 2026
mudler closed this Apr 17, 2026

dependabot bot commented on behalf of github Apr 17, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot deleted the dependabot/go_modules/go_modules-387409a698 branch April 17, 2026 07:06