Skip to content

chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0#34

Merged
vuon9 merged 1 commit intomainfrom
dependabot/go_modules/github.com/quic-go/quic-go-0.57.0
Mar 29, 2026
Merged

chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0#34
vuon9 merged 1 commit intomainfrom
dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Feb 8, 2026
edited
Loading

Bumps github.com/quic-go/quic-go from 0.54.0 to 0.57.0.

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

 

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

  • replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)

... (truncated)

Commits
  • 5b2d212 http3: limit size of decompressed headers (#5452)
  • e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
  • d43c589 README: add nodepass to list of projects (#5448)
  • ca2835d don’t arm connection timer for connection ID retirement (#5449)
  • e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
  • d4d168f add documentation for Conn.NextConnection (#5442)
  • 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
  • b7886d5 update qpack to v0.6.0 (#5434)
  • 2fc9705 http3: add a benchmark for header parsing (#5435)
  • dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Feb 8, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/quic-go/quic-go-0.57.0 branch from ac50320 to cb53ede Compare February 9, 2026 17:32
@vuon9 vuon9 force-pushed the dependabot/go_modules/github.com/quic-go/quic-go-0.57.0 branch from cb53ede to b9978ea Compare February 12, 2026 14:04
@vuon9
Copy link
Copy Markdown
Owner

vuon9 commented Mar 29, 2026

@dependabot rebase

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 29, 2026

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@vuon9
Copy link
Copy Markdown
Owner

vuon9 commented Mar 29, 2026

@dependabot recreate.

@dependabot
build(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0
0de0e2a 
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.54.0 to 0.57.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.54.0...v0.57.0)

---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.57.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title build(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0 chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0 Mar 29, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/quic-go/quic-go-0.57.0 branch from b9978ea to 0de0e2a Compare March 29, 2026 12:49
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 29, 2026

Code Coverage

Package Line Rate Health
devtoolbox/internal/barcode 90%
devtoolbox/internal/codeformatter 75%
devtoolbox/internal/converter 60%
devtoolbox/internal/datagenerator 79%
devtoolbox/internal/datetimeconverter 74%
devtoolbox/internal/jwt 42%
devtoolbox/internal/numberconverter 0%
devtoolbox/internal/settings 0%
Summary 65% (3410 / 5275)

Minimum allowed line rate is 60%

@vuon9 vuon9 enabled auto-merge (squash) March 29, 2026 12:50
@vuon9 vuon9 merged commit 6e0892d into main Mar 29, 2026
2 checks passed
@vuon9 vuon9 deleted the dependabot/go_modules/github.com/quic-go/quic-go-0.57.0 branch March 29, 2026 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vuon9