fix(deps): update module github.com/refraction-networking/utls to v1.8.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/refraction-networking/utls	v1.8.0 → v1.8.2

GitHub Vulnerability Alerts

CVE-2026-27017

There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome.

This is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there.

Affected symbols: HelloChrome_120, HelloChrome_120_PQ, HelloChrome_131, HelloChrome_133

Fix commit: 24bd1e05a788c1add7f3037f4532ea552b2cee07

Thanks to telegram @​acgdaily for reporting this issue.

CVE-2026-26995

The padding extension was incorrectly removed in utls for the non-pq variant of Chrome 120 fingerprint. Chrome removed this extension only when sending pq keyshares. Only this fingerprint is affected since newer fingerprints have pq keyshares by default and older fingerprints have this extension.

Affected symbols: HelloChrome_120

Fix commit: 8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0

Thanks to telegram @​acgdaily for reporting this issue.

---

Release Notes

refraction-networking/utls (github.com/refraction-networking/utls)

v1.8.2: security update

Compare Source

Fixes a fingerprint mismatch on the Chrome 120 fingerprint. Credit to telegram @​acgdaily for reporting this issue.

What's Changed

• fix: add missing padding extension for chrome 120 by @​mingyech in #​381

Full Changelog: refraction-networking/utls@v1.8.1...v1.8.2

v1.8.1: Bug fixes

Compare Source

This update includes several bug fixes.

In particular, users of Chrome>=120 parrots should update ASAP. See #​375 for details. Thanks to the original reporter for reporting this issue.

What's Changed

• fix: PubServerHelloMsg.ServerShare is not exported correctly by @​wwqgtxx in #​361
• fix: use AES in GREASE ECH for Chrome fingerprint by @​mingyech in #​375

New Contributors

• @​wwqgtxx made their first contribution in #​361

Full Changelog: refraction-networking/utls@v1.8.0...v1.8.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.97%. Comparing base (c3d5470) to head (2e66821).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #328      +/-   ##
==========================================
+ Coverage   62.47%   64.97%   +2.50%     
==========================================
  Files          39       39              
  Lines        3187     2618     -569     
==========================================
- Hits         1991     1701     -290     
+ Misses       1020      743     -277     
+ Partials      176      174       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.