Skip to content

chore(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.50.1#4197

Merged
appleboy merged 1 commit intomasterfrom
dependabot/go_modules/github.com/quic-go/quic-go-0.50.1
Apr 20, 2025
Merged

chore(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.50.1#4197
appleboy merged 1 commit intomasterfrom
dependabot/go_modules/github.com/quic-go/quic-go-0.50.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 25, 2025
edited
Loading

Bumps github.com/quic-go/quic-go from 0.48.2 to 0.50.1.

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.50.1

This patch release contains a backported fix for a remote-triggered panic in the probe packet loss detection logic: #4998.

Full Changelog: quic-go/quic-go@v0.50.0...v0.50.1

v0.50.0

This release implements server-side path-probing (as described in section 9 of RFC 9000): #4932, #4933, #4935, #4938, #4939, #4940, #4941, #4944, #4947, #4959.

When the server receives a packet for an existing connection from a different IP address / port, it first needs to probe the new path before it can send packets on that path. This happens when the client experiences a NAT rebinding, and when the client attempts to migrate to a new connection. Previous versions of quic-go would accept the packets from the new path, but never switch to the new path.

Note that the client side connection migration logic (#234) is not yet implemented in quic-go (but we're working on it!).

Major Changes

  • use the new crypto/tls 0-RTT API that we helped design in 2023: #4953
  • use a ringbuffer to store received packets, significantly reducing memory consumption: #4929
  • according to our Go version policy, we removed support for Go 1.22. quic-go now requires Go 1.23 or Go 1.24: #4880
  • the connection timer logic was refactored, enabling future changes to this code path: #4927

Other Fixes

  • fix busy-looping when pacing packets and the send queue blocks: #4943
  • don't drop undecryptable packets when deriving 2 sets of keys at the same time (i.e. when resuming a 0-RTT connection): #4950

Go 1.24 FIPS 140-3 Caveats

Go 1.24 made several changes related to FIPS 140-3 compliance. Among others, it introduced a fips-only mode (enabled by setting GODEBUG="fips140=only").

It is not possible to use quic-go in fips-only mode, since the QUIC RFC requires initializing an AES GCM cipher with a fixed nonce, which is considered unsafe according to FIPS 140-3, or at least the Go team's interpretation thereof. See quic-go/quic-go#4894 and the discussion on [Go issue #69536](golang/go#69536).

Before v0.50.0, quic-go would initialize the AES cipher on init, leading to a panic when using fips-only mode. For v0.50.0 we changed this behavior to lazy initialization (quic-go/quic-go#4916). Note that this still means it's not possible to use QUIC in fips-only mode.

Changelog

... (truncated)

Commits
  • b90058a ackhandler: fix panic in probe packet tracking logic (#4998)
  • d726a79 remove unneeded tracking of acknowledgments for PATH_CHALLENGEs (#4959)
  • 9f704c7 ackhandler: fix handling of lost path probes on loss timer (#4956)
  • bf28da8 handshake: use new crypto/tls 0-RTT API (#4953)
  • b32f1fa ackhandler: use Go iterators to iterate over sent packets (#4952)
  • 12f2be0 bump go.mod version to Go 1.23, run 1.23 and 1.24 on CI (#4880)
  • 5af3916 ci: update golangci-lint to v1.64.4 (#4951)
  • 48b8182 keep undecryptable packets when deriving 0-RTT and handshake keys (#4950)
  • 5a1a34d implement server-side path validation logic (#4944)
  • ca26e98 migrate the connection ID generator tests away from Ginkgo (#4948)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 25, 2025
@dependabot dependabot bot mentioned this pull request Mar 25, 2025
Closed
@dependabot
chore(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.50.1
7f7f1c7 
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.2 to 0.50.1.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](quic-go/quic-go@v0.48.2...v0.50.1)

---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/quic-go/quic-go-0.50.1 branch from 4d7fb04 to 7f7f1c7 Compare April 20, 2025 16:02
@appleboy appleboy merged commit bb82473 into master Apr 20, 2025
23 checks passed
@appleboy appleboy deleted the dependabot/go_modules/github.com/quic-go/quic-go-0.50.1 branch April 20, 2025 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@appleboy appleboy appleboy approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@appleboy