Node v24.16.0 nsolid v6.3.0 release

[santigimeno]

Summary by CodeRabbit

Release Notes

• New Features

  • Added OpenSSL 3.5 support for QUIC.
  • Enhanced HTTP/3 implementation with improved settings versioning and protocol handling.
  • Added stream and datagram padding flags for optimized packet construction.
  • Improved path validation flow with new callback mechanisms.

• Improvements

  • Enhanced rate limiting and glitch detection for handling suspicious peer behavior.
  • Updated congestion control algorithms (BBR and CUBIC).
  • Upgraded dependencies: ngtcp2, nghttp3, corepack, llhttp, and other libraries.
  • Improved CI/workflow configurations with multiple GitHub Actions updates.

• Chores

  • Updated Node.js ICU version and various build configurations.
  • Refactored internal data structures for improved performance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c885c07-19d9-4886-a9b2-998fb1bf00e5

📥 Commits

Reviewing files that changed from the base of the PR and between 8e90ca3 and fb1a189.

📒 Files selected for processing (5)

• .github/workflows/commit-queue.yml
• .github/workflows/coverage-linux-without-intl.yml
• .github/workflows/coverage-linux.yml
• common.gypi
• configure.py

💤 Files with no reviewable changes (2)

• common.gypi
• configure.py

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/coverage-linux-without-intl.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/commit-queue.yml
• .github/workflows/coverage-linux.yml

---

Walkthrough

Repository tooling, benchmark/docs, and transport-stack vendored dependencies are updated together. The PR also refreshes ngtcp2/nghttp3 APIs and implementations, adds QUIC-related workflow support, and bumps several embedded dependency versions.

Changes

Repo tooling, workflows, and dependency metadata

Layer / File(s)	Summary
Workflow and action updates *.github/workflows/*, .github/actions/*	actions/setup-node, sccache, Codecov, create-pull-request, and stale/undici WPT automation are updated, and several workflow triggers and paths are narrowed or expanded.
Benchmark and documentation refresh benchmark/*, CHANGELOG.md, deps/*/README.md	New benchmarks are added, existing benchmark inputs are extended, and release/docs text is updated for the refreshed dependency set.
Build and release metadata common.gypi, configure.py, deps/*/package.json, deps/*/*.json	Node/V8 embedder/version metadata, QUIC configure flags, package versions, and release manifests are updated together.

Vendored QUIC and HTTP transport stack

Layer / File(s)	Summary
nghttp3 public API and data model deps/ngtcp2/nghttp3/lib/includes/nghttp3/*, `deps/ngtcp2/nghttp3/lib/nghttp3_{buf,callbacks,frame,gaptr,ksl,map,pq,qpack,range,ratelim,ringbuf,settings}.c	h`
nghttp3 connection, stream, and parser logic `deps/ngtcp2/nghttp3/lib/nghttp3_{conn,http,stream,conv,err,tnode,unreachable,version}.c	h, deps/ngtcp2/nghttp3/lib/sfparse/*`
ngtcp2 transport, crypto, and congestion control deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/*, `deps/ngtcp2/ngtcp2/lib/ngtcp2_{acktr,bbr,buf,callbacks,cc,cid,conn,conn_stat,dcidtr,frame_chain,ksl,log}.c	h, deps/ngtcp2/ngtcp2/crypto/*`
Support libraries and vendored dependencies deps/googletest/*, deps/icu-small/*, deps/llhttp/*, deps/minimatch/*, deps/corepack/*, deps/nbytes/*, deps/ncrypto/ncrypto.cc	Vendored dependencies receive API, version, parser, and packaging updates, including sharding flags, ICU version bumps, llhttp leniency support, minimatch behavior tweaks, corepack release metadata, and ncrypto OpenSSL context handling.

Sequence Diagram(s)

sequenceDiagram
  participant ngtcp2_conn
  participant ngtcp2_callbacks
  participant ngtcp2_settings
  participant ngtcp2_ratelim
  participant ngtcp2_qpack
  ngtcp2_conn->>ngtcp2_callbacks: convert latest callbacks/settings
  ngtcp2_conn->>ngtcp2_settings: load versioned defaults
  ngtcp2_conn->>ngtcp2_ratelim: initialize glitch limiter
  ngtcp2_conn->>ngtcp2_qpack: seed encoder/decoder and set indexing strategy

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120+ minutes

Possibly related PRs

• nodesource/nsolid#451: Also updates common.gypi’s v8_embedder_string build variable.
• nodesource/nsolid#445: Also changes common.gypi build metadata tied to the embedder string.
• nodesource/nsolid#473: This PR includes the QUIC/ngtcp2-nghttp3 refresh and workflow support shown here.

Suggested reviewers

• RafaelGSS

Poem

A bunny hopped through CI’s light,
With QUIC and queues all set aright.
New frames, new flags, new hops to see,
And carrots for the build tree 🥕
The rabbit taps: “Compile, be free!”

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch node-v24.16.0-nsolid-v6.3.0-release

[coderabbitai]

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/commit-lint.yml:
- Around line 3-7: The branch glob for the GitHub Actions trigger under
on.pull_request.branches is using a regex-like pattern `v[0-9]+.x-staging` which
GitHub interprets as a glob, so replace that pattern with a proper glob (e.g.,
`v*.x-staging`) in the commit-lint workflow; update the branches array value
referenced as on.pull_request.branches to use the glob `v*.x-staging` so PRs to
versioned staging branches like v24.x-staging are matched.

In `@deps/llhttp/src/llhttp.c`:
- Around line 3488-3490: The transition in the state machine (case 10)
incorrectly routes an already-consumed '\n' into
s_n_llhttp__internal__n_req_http_complete_crlf via
s_n_llhttp__internal__n_invoke_test_lenient_flags_26; instead, ensure bare-LF
request lines are not sent through the CRLF-completion state: in the case 10
path (and the mirrored 8984-8990 region) detect that the '\n' was already
consumed and, unless the lenient_flags_8 "allow bare LF as CRLF" is set, do not
goto s_n_llhttp__internal__n_req_http_complete_crlf — instead handle it as the
"missing CR" path (or call the same missing-CR handler you use when a '\n'
arrives without a preceding '\r'), preserving existing behavior for
lenient_flags_1 only when appropriate; update the transition logic around
s_n_llhttp__internal__n_invoke_test_lenient_flags_26 to check lenient_flags_8
before routing into s_n_llhttp__internal__n_req_http_complete_crlf.

In `@deps/ngtcp2/nghttp3/lib/sfparse/sfparse.c`:
- Around line 724-727: The percent-decoding lookup table pct_tbl currently only
maps lowercase hex letters causing uppercase escapes (e.g. "%2F") to be
rejected; update the table construction used in pct_tbl (and the equivalent
tables around the other instances) so that HEXALPHAS includes uppercase hex
digits as well (or add the uppercase mapping alongside the existing HEXALPHAS
macro) so both 'a-f' and 'A-F' are accepted by the percent-decoder; ensure the
same change is applied to the other similar tables referenced in the diff (the
tables around the other occurrences).

In `@deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c`:
- Around line 928-946: The current ngtcp2_crypto_set_local_transport_params
asserts and leaks/overwrites ossl_ctx->remote_params on a second non-empty call;
change it to allow replacement by removing the assert and freeing or
reallocating the previous buffer before assigning a new one. Specifically, in
ngtcp2_crypto_set_local_transport_params: if len != 0 and
ossl_ctx->remote_params is already set, free it (or use realloc) before
allocating the new buffer, handle malloc failure by leaving state consistent
(set remote_params to NULL on error), and ensure
SSL_set_quic_tls_transport_params(ossl_ctx->ssl, ossl_ctx->remote_params, len)
is still called with the correct pointer (use NULL when len == 0). This
preserves the documented ngtcp2_conn_set_local_transport_params() flow and
avoids leaks before ngtcp2_conn_install_tx_handshake_key().
- Around line 681-776: In ngtcp2_crypto_hkdf_extract, ngtcp2_crypto_hkdf_expand,
and ngtcp2_crypto_hkdf guard the allocations for EVP_KDF *kdf and EVP_KDF_CTX
*kctx after calling crypto_kdf_hkdf() and EVP_KDF_CTX_new(kdf): if kdf or kctx
is NULL, clean up any allocated resource (free kdf if allocated), set rv = -1
and return immediately instead of calling EVP_KDF_derive; ensure the same
NULL-check pattern is applied in each function around the existing
EVP_KDF_derive call so allocation failures or provider errors return -1 rather
than dereferencing NULL.

In `@deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/ngtcp2.h`:
- Around line 5648-5687: The aggregate-packet API declares ngtcp2_write_pkt as
taking a void *user_data but ngtcp2_conn_write_aggregate_pkt_versioned (and
related overloads such as ngtcp2_conn_write_aggregate_pkt) do not accept or
forward any user_data, making the public API inconsistent; fix by adding a void
*user_data parameter to ngtcp2_conn_write_aggregate_pkt_versioned (and the other
aggregate helpers at lines ~6080-6084) and ensure the implementation forwards
that pointer into the ngtcp2_write_pkt calls and into the final
ngtcp2_conn_update_pkt_tx_time invocation so caller state passed to
ngtcp2_write_pkt is preserved.

In `@deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.c`:
- Around line 13913-13920: The function currently returns a negative error from
write_pkt() even if prior iterations already wrote packets into buf; instead,
modify the loop handling around write_pkt (referencing write_pkt, nwrite, wbuf,
buf) so that if write_pkt() returns < 0 but some bytes have already been
produced (wbuf > buf), you convert that outcome into returning the number of
bytes produced (set nwrite = wbuf - buf and break from the loop) rather than
propagating the negative error; only propagate the negative error when no bytes
were produced. Apply the same fix to the analogous block around the second
occurrence mentioned (lines referencing nwrite and wbuf in the later iteration).
- Around line 5646-5669: The code is consuming glitch_rlim budget
(ngtcp2_ratelim_drain(&conn->glitch_rlim,...)) for idempotent/benign cases
(duplicate/older MAX_STREAM_DATA, CRYPTO/STREAM duplicates, repeated
RESET_STREAM/STOP_SENDING) before returning 0; remove those ngtcp2_ratelim_drain
calls from the early-return branches so duplicates are ignored without charging
the rate limiter and only use glitch_rlim for actual protocol errors.
Specifically, in the MAX_STREAM_DATA handling around
strm->tx.max_offset/fr->max_stream_data and the NGTCP2_STRM_FLAG_SHUT_WR branch
remove the ngtcp2_ratelim_drain+return sequence and simply return 0 for the
idempotent cases; apply the same change pattern to the other affected blocks
(the other listed ranges) and keep the conn_call_extend_max_stream_data(...) and
error paths unchanged.
- Around line 9898-9905: The condition in the migration check is comparing the
wrong endpoint: active migration should detect changes in the peer/remote
address, not the server's local socket. Update the predicate that currently
compares &conn->dcid.current.ps.path.local and &path->local to compare the
remote/peer addresses (e.g., &conn->dcid.current.ps.path.remote vs
&path->remote) and pass the remote address into
conn_server_preferred_addr_migration accordingly so the check disables migration
only when the peer/remote addr changed while disable_active_migration is set;
keep the existing ngtcp2_log_info message and return behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce602b49-0681-4142-b5b3-22a72d8bf6e3

📥 Commits

Reviewing files that changed from the base of the PR and between 8444f6d and 110a5e1.

⛔ Files ignored due to path filters (36)

• deps/amaro/dist/index.js is excluded by !**/dist/**
• deps/amaro/dist/package.json is excluded by !**/dist/**
• deps/corepack/dist/lib/corepack.cjs is excluded by !**/dist/**
• deps/icu-small/source/data/in/icudt78l.dat.bz2 is excluded by !**/*.bz2
• deps/minimatch/dist/commonjs/ast.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/ast.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/ast.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/ast.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/escape.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/escape.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/escape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/index.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/index.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/index.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/index.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/unescape.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/unescape.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/unescape.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/unescape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/ast.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/ast.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/ast.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/ast.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/escape.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/escape.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/escape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/index.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/index.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/index.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/index.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/unescape.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/unescape.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/unescape.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/unescape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/package-lock.json is excluded by !**/package-lock.json
• deps/nsolid-cli/node_modules/ini/LICENSE is excluded by !**/node_modules/**

📒 Files selected for processing (264)

• .editorconfig
• .github/CODEOWNERS
• .github/actions/undici-wpt-current/action.yml
• .github/actions/undici-wpt-legacy/action.yml
• .github/dependabot.yml
• .github/workflows/auto-start-ci.yml
• .github/workflows/build-tarball.yml
• .github/workflows/close-stale-feature-requests.yml
• .github/workflows/close-stale-pull-requests.yml
• .github/workflows/codeql.yml
• .github/workflows/commit-lint.yml
• .github/workflows/commit-queue.yml
• .github/workflows/coverage-linux-without-intl.yml
• .github/workflows/coverage-linux.yml
• .github/workflows/coverage-windows.yml
• .github/workflows/create-release-proposal.yml
• .github/workflows/daily-wpt-fyi.yml
• .github/workflows/daily.yml
• .github/workflows/doc.yml
• .github/workflows/find-inactive-collaborators.yml
• .github/workflows/find-inactive-tsc.yml
• .github/workflows/license-builder.yml
• .github/workflows/lint-release-proposal.yml
• .github/workflows/notify-on-push.yml
• .github/workflows/post-release.yml
• .github/workflows/scorecard.yml
• .github/workflows/stale.yml
• .github/workflows/test-internet.yml
• .github/workflows/test-linux.yml
• .github/workflows/test-macos.yml
• .github/workflows/timezone-update.yml
• .github/workflows/tools.yml
• .github/workflows/update-openssl.yml
• .github/workflows/update-v8.yml
• .github/workflows/update-wpt.yml
• CHANGELOG.md
• benchmark/misc/webidl-buffer-source.js
• benchmark/process/handled-rejections.js
• benchmark/url/url-searchparams-mutation.js
• benchmark/util/style-text.js
• benchmark/util/type-check.js
• benchmark/v8/startup-snapshot-callbacks.js
• common.gypi
• configure.py
• deps/amaro/README.md
• deps/amaro/package.json
• deps/corepack/CHANGELOG.md
• deps/corepack/README.md
• deps/corepack/package.json
• deps/googletest/include/gtest/gtest.h
• deps/googletest/src/gtest-internal-inl.h
• deps/googletest/src/gtest.cc
• deps/icu-small/source/common/unicode/utfiterator.h
• deps/icu-small/source/common/unicode/uvernum.h
• deps/icu-small/source/i18n/nfrule.cpp
• deps/llhttp/CMakeLists.txt
• deps/llhttp/LICENSE
• deps/llhttp/README.md
• deps/llhttp/cmake/llhttpConfig.cmake.in
• deps/llhttp/include/llhttp.h
• deps/llhttp/src/api.c
• deps/llhttp/src/llhttp.c
• deps/minimatch/README.md
• deps/minimatch/index.js
• deps/minimatch/package.json
• deps/nbytes/.release-please-manifest.json
• deps/nbytes/CHANGELOG.md
• deps/nbytes/CMakeLists.txt
• deps/nbytes/include/nbytes.h
• deps/ncrypto/ncrypto.cc
• deps/ngtcp2/README.md
• deps/ngtcp2/nghttp3/lib/includes/nghttp3/nghttp3.h
• deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
• deps/ngtcp2/nghttp3/lib/nghttp3_balloc.c
• deps/ngtcp2/nghttp3/lib/nghttp3_balloc.h
• deps/ngtcp2/nghttp3/lib/nghttp3_buf.c
• deps/ngtcp2/nghttp3/lib/nghttp3_buf.h
• deps/ngtcp2/nghttp3/lib/nghttp3_callbacks.c
• deps/ngtcp2/nghttp3/lib/nghttp3_callbacks.h
• deps/ngtcp2/nghttp3/lib/nghttp3_conn.c
• deps/ngtcp2/nghttp3/lib/nghttp3_conn.h
• deps/ngtcp2/nghttp3/lib/nghttp3_conv.c
• deps/ngtcp2/nghttp3/lib/nghttp3_conv.h
• deps/ngtcp2/nghttp3/lib/nghttp3_err.c
• deps/ngtcp2/nghttp3/lib/nghttp3_frame.c
• deps/ngtcp2/nghttp3/lib/nghttp3_frame.h
• deps/ngtcp2/nghttp3/lib/nghttp3_gaptr.c
• deps/ngtcp2/nghttp3/lib/nghttp3_gaptr.h
• deps/ngtcp2/nghttp3/lib/nghttp3_http.c
• deps/ngtcp2/nghttp3/lib/nghttp3_idtr.c
• deps/ngtcp2/nghttp3/lib/nghttp3_idtr.h
• deps/ngtcp2/nghttp3/lib/nghttp3_ksl.c
• deps/ngtcp2/nghttp3/lib/nghttp3_ksl.h
• deps/ngtcp2/nghttp3/lib/nghttp3_macro.h
• deps/ngtcp2/nghttp3/lib/nghttp3_map.c
• deps/ngtcp2/nghttp3/lib/nghttp3_map.h
• deps/ngtcp2/nghttp3/lib/nghttp3_pq.c
• deps/ngtcp2/nghttp3/lib/nghttp3_pq.h
• deps/ngtcp2/nghttp3/lib/nghttp3_qpack.c
• deps/ngtcp2/nghttp3/lib/nghttp3_qpack.h
• deps/ngtcp2/nghttp3/lib/nghttp3_qpack_huffman.c
• deps/ngtcp2/nghttp3/lib/nghttp3_qpack_huffman.h
• deps/ngtcp2/nghttp3/lib/nghttp3_qpack_huffman_data.c
• deps/ngtcp2/nghttp3/lib/nghttp3_range.c
• deps/ngtcp2/nghttp3/lib/nghttp3_ratelim.c
• deps/ngtcp2/nghttp3/lib/nghttp3_ratelim.h
• deps/ngtcp2/nghttp3/lib/nghttp3_ringbuf.c
• deps/ngtcp2/nghttp3/lib/nghttp3_ringbuf.h
• deps/ngtcp2/nghttp3/lib/nghttp3_settings.c
• deps/ngtcp2/nghttp3/lib/nghttp3_settings.h
• deps/ngtcp2/nghttp3/lib/nghttp3_stream.c
• deps/ngtcp2/nghttp3/lib/nghttp3_stream.h
• deps/ngtcp2/nghttp3/lib/nghttp3_tnode.c
• deps/ngtcp2/nghttp3/lib/nghttp3_tnode.h
• deps/ngtcp2/nghttp3/lib/nghttp3_unreachable.c
• deps/ngtcp2/nghttp3/lib/nghttp3_version.c
• deps/ngtcp2/nghttp3/lib/sfparse/sfparse.c
• deps/ngtcp2/nghttp3/lib/sfparse/sfparse.h
• deps/ngtcp2/ngtcp2.gyp
• deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h
• deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_ossl.h
• deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_picotls.h
• deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c
• deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/ngtcp2.h
• deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_acktr.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_bbr.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_bbr.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_buf.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_buf.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_callbacks.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_callbacks.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_cc.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_cc.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_cid.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_cid.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_conn_stat.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_dcidtr.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_dcidtr.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_frame_chain.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ksl.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_log.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_map.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_map.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_pcg.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_pcg.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_pkt.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_pkt.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ppe.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ppe.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ratelim.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ratelim.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_ringbuf.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rob.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rob.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rst.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rst.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rtb.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_rtb.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_settings.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_settings.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_strm.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_strm.h
• deps/ngtcp2/ngtcp2/lib/ngtcp2_transport_params.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_vec.c
• deps/ngtcp2/ngtcp2/lib/ngtcp2_vec.h
• deps/openssl/config/archs/BSD-x86/asm/configdata.pm
• deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86/asm/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
• deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
• deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
• deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
• deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
• deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
• deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN32/asm/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
• deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
• deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
• deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
• deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
• deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
• deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/aix64-gcc-as/asm/configdata.pm
• deps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.h
• deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/cmp.h
• deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pm
• deps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pm
• deps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
• deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
• deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/cmp.h
• deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
• deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
• deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
• deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/sm4/vpsm4_ex-armv8.S
• deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/cmp.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
• deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/sm4/vpsm4_ex-armv8.S
• deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/cmp.h
• deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
• deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
• deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/cmp.h
• deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
• deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
• deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/cmp.h
• deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.h
• deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
• deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h

💤 Files with no reviewable changes (7)

• deps/ngtcp2/nghttp3/lib/nghttp3_tnode.h
• .github/workflows/close-stale-feature-requests.yml
• deps/ngtcp2/ngtcp2/lib/ngtcp2_frame_chain.h
• .github/workflows/close-stale-pull-requests.yml
• deps/ngtcp2/nghttp3/lib/nghttp3_pq.c
• deps/ngtcp2/nghttp3/lib/nghttp3_pq.h
• deps/amaro/README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In GitHub Actions on.pull_request.branchesmatching, doesv[0-9]+.x-stagingtreat+as a regex quantifier or a literal character? Would it matchv24.x-staging?

💡 Result:

In GitHub Actions, the on.pull_request.branches filter uses glob patterns rather than regular expressions [1][2]. The + character is treated as a literal character in this context unless it is intended to function as part of a glob pattern (where it is specifically listed as a special character that may require escaping for literal matches) [1]. Because GitHub Actions uses glob matching, your pattern v[0-9]+.x-staging will not function as a regex that matches "one or more digits". Instead, it will be evaluated as a glob pattern that literally looks for the characters [, 0, -, 9, ], +, ., x, -, s, t, a, g, i, n, g [1]. It would not match v24.x-staging. If you need to match branch names using regex, you should not use the branches filter directly [3][4]. Instead, you can: 1. Use a standard on.pull_request trigger without branch filters (or with broad filters). 2. Add a job with an if conditional that uses the github.ref_name or github.event.pull_request.head.ref context along with a regex evaluation [3][5]. Since GitHub Actions expressions do not have a built-in matches or regex function for strings, you can use the contains function for simple logic [5] or use a dedicated third-party action that supports regex matching to perform the validation [6][7].

Citations:

• 1: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
• 2: https://support.huaweicloud.com/intl/en-us/usermanual-pipeline/pipeline_01_0012.html
• 3: https://stackoverflow.com/questions/58862864/github-actions-ci-conditional-regex
• 4: https://stackoverflow.com/questions/68078004/why-doesnt-my-github-action-trigger-on-a-regex-tag
• 5: https://stackoverflow.com/questions/58139406/only-run-job-on-specific-branch-with-github-actions
• 6: https://github.com/IamPekka058/branchMatchRegex
• 7: https://github.com/marketplace/actions/conditional-regex-search-and-replace

---

Fix PR branch glob pattern in .github/workflows/commit-lint.yml

GitHub Actions on.pull_request.branches uses glob patterns, not regex. The value v[0-9]+.x-staging won’t be interpreted as “one or more digits” (so it won’t match v24.x-staging), which can cause PRs to the staging branches to be missed. Use a glob like v*.x-staging instead.

Suggested fix

     branches:
       - main
-      - v[0-9]+.x-staging
+      - v*.x-staging

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	on:
	pull_request:
	branches:
	- main
	- v[0-9]+.x-staging
	on:
	pull_request:
	branches:
	- main
	- v*.x-staging

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commit-lint.yml around lines 3 - 7, The branch glob for
the GitHub Actions trigger under on.pull_request.branches is using a regex-like
pattern `v[0-9]+.x-staging` which GitHub interprets as a glob, so replace that
pattern with a proper glob (e.g., `v*.x-staging`) in the commit-lint workflow;
update the branches array value referenced as on.pull_request.branches to use
the glob `v*.x-staging` so PRs to versioned staging branches like v24.x-staging
are matched.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't route bare-LF request lines through the CRLF state.

Line 8987 sends the already-consumed \n path into s_n_llhttp__internal__n_req_http_complete_crlf. That state is for the byte after \r, so the next header byte falls into the "missing LF after CR" path unless lenient_flags_8 is also set. In practice, lenient_flags_1 alone no longer permits bare-LF request lines.

💡 Suggested fix

   s_n_llhttp__internal__n_invoke_test_lenient_flags_26: {
     switch (llhttp__internal__c_test_lenient_flags_1(state, p, endp)) {
       case 1:
-        goto s_n_llhttp__internal__n_req_http_complete_crlf;
+        goto s_n_llhttp__internal__n_headers_start;
       default:
         goto s_n_llhttp__internal__n_error_69;
     }
     UNREACHABLE;
   }

Also applies to: 8984-8990

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/llhttp/src/llhttp.c` around lines 3488 - 3490, The transition in the
state machine (case 10) incorrectly routes an already-consumed '\n' into
s_n_llhttp__internal__n_req_http_complete_crlf via
s_n_llhttp__internal__n_invoke_test_lenient_flags_26; instead, ensure bare-LF
request lines are not sent through the CRLF-completion state: in the case 10
path (and the mirrored 8984-8990 region) detect that the '\n' was already
consumed and, unless the lenient_flags_8 "allow bare LF as CRLF" is set, do not
goto s_n_llhttp__internal__n_req_http_complete_crlf — instead handle it as the
"missing CR" path (or call the same missing-CR handler you use when a '\n'
arrives without a preceding '\r'), preserving existing behavior for
lenient_flags_1 only when appropriate; update the transition logic around
s_n_llhttp__internal__n_invoke_test_lenient_flags_26 to check lenient_flags_8
before routing into s_n_llhttp__internal__n_req_http_complete_crlf.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Accept uppercase hex digits in percent-decoding.

The lookup/conversion path only recognizes a-f, so uppercase escapes (e.g. %2F) are rejected in display-string decoding.

🔧 Proposed fix

-#define HEXALPHAS(N)                                                           \
-  ['a'] = (N), ['b'] = (N), ['c'] = (N), ['d'] = (N), ['e'] = (N), ['f'] = (N)
+#define HEXALPHAS(N)                                                           \
+  ['A'] = (N), ['B'] = (N), ['C'] = (N), ['D'] = (N), ['E'] = (N), ['F'] = (N), \
+  ['a'] = (N), ['b'] = (N), ['c'] = (N), ['d'] = (N), ['e'] = (N), ['f'] = (N)
@@
-    c = (uint8_t)((b - 'a' + 10) << 4);
+    c = (uint8_t)((((b | 0x20) - 'a') + 10) << 4);
@@
-    c |= (uint8_t)(b - 'a' + 10);
+    c |= (uint8_t)(((b | 0x20) - 'a') + 10);

Also applies to: 732-740, 750-758

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/nghttp3/lib/sfparse/sfparse.c` around lines 724 - 727, The
percent-decoding lookup table pct_tbl currently only maps lowercase hex letters
causing uppercase escapes (e.g. "%2F") to be rejected; update the table
construction used in pct_tbl (and the equivalent tables around the other
instances) so that HEXALPHAS includes uppercase hex digits as well (or add the
uppercase mapping alongside the existing HEXALPHAS macro) so both 'a-f' and
'A-F' are accepted by the percent-decoder; ensure the same change is applied to
the other similar tables referenced in the diff (the tables around the other
occurrences).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard the HKDF fetch/context allocations before EVP_KDF_derive.

Line 685 / Line 718 / Line 751 can return a NULL EVP_KDF *, and Line 686 / Line 719 / Line 752 can return a NULL EVP_KDF_CTX *. All three helpers dereference those values unconditionally, so an OpenSSL provider failure or OOM turns handshake setup into a crash instead of -1.

Suggested fix pattern

   EVP_KDF *kdf = crypto_kdf_hkdf();
-  EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
+  EVP_KDF_CTX *kctx;
+  if (kdf == NULL) {
+    return -1;
+  }
+  kctx = EVP_KDF_CTX_new(kdf);
+  if (kctx == NULL) {
+    if (!crypto_initialized) {
+      EVP_KDF_free(kdf);
+    }
+    return -1;
+  }

Apply the same guard in ngtcp2_crypto_hkdf_extract, ngtcp2_crypto_hkdf_expand, and ngtcp2_crypto_hkdf.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	int ngtcp2_crypto_hkdf_extract(uint8_t *dest, const ngtcp2_crypto_md *md,
	const uint8_t *secret, size_t secretlen,
	const uint8_t *salt, size_t saltlen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
	int mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode),
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (void *)salt,
	saltlen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	if (EVP_KDF_derive(kctx, dest, (size_t)EVP_MD_size(prf), params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	}
	int ngtcp2_crypto_hkdf_expand(uint8_t *dest, size_t destlen,
	const ngtcp2_crypto_md *md, const uint8_t *secret,
	size_t secretlen, const uint8_t *info,
	size_t infolen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
	int mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode),
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, (void *)info,
	infolen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	if (EVP_KDF_derive(kctx, dest, destlen, params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	}
	int ngtcp2_crypto_hkdf(uint8_t *dest, size_t destlen,
	const ngtcp2_crypto_md *md, const uint8_t *secret,
	size_t secretlen, const uint8_t *salt, size_t saltlen,
	const uint8_t *info, size_t infolen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (void *)salt,
	saltlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, (void *)info,
	infolen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	if (EVP_KDF_derive(kctx, dest, destlen, params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	int ngtcp2_crypto_hkdf_extract(uint8_t *dest, const ngtcp2_crypto_md *md,
	const uint8_t *secret, size_t secretlen,
	const uint8_t *salt, size_t saltlen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx;
	int mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode),
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (void *)salt,
	saltlen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (kdf == NULL) {
	return -1;
	}
	kctx = EVP_KDF_CTX_new(kdf);
	if (kctx == NULL) {
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	return -1;
	}
	if (EVP_KDF_derive(kctx, dest, (size_t)EVP_MD_size(prf), params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	}
	int ngtcp2_crypto_hkdf_expand(uint8_t *dest, size_t destlen,
	const ngtcp2_crypto_md *md, const uint8_t *secret,
	size_t secretlen, const uint8_t *info,
	size_t infolen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx;
	int mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode),
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, (void *)info,
	infolen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (kdf == NULL) {
	return -1;
	}
	kctx = EVP_KDF_CTX_new(kdf);
	if (kctx == NULL) {
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	return -1;
	}
	if (EVP_KDF_derive(kctx, dest, destlen, params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	}
	int ngtcp2_crypto_hkdf(uint8_t *dest, size_t destlen,
	const ngtcp2_crypto_md *md, const uint8_t *secret,
	size_t secretlen, const uint8_t *salt, size_t saltlen,
	const uint8_t *info, size_t infolen) {
	const EVP_MD *prf = md->native_handle;
	EVP_KDF *kdf = crypto_kdf_hkdf();
	EVP_KDF_CTX *kctx;
	OSSL_PARAM params[] = {
	OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
	(char *)EVP_MD_get0_name(prf), 0),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (void *)secret,
	secretlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (void *)salt,
	saltlen),
	OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, (void *)info,
	infolen),
	OSSL_PARAM_construct_end(),
	};
	int rv = 0;
	if (kdf == NULL) {
	return -1;
	}
	kctx = EVP_KDF_CTX_new(kdf);
	if (kctx == NULL) {
	if (!crypto_initialized) {
	EVP_KDF_free(kdf);
	}
	return -1;
	}
	if (EVP_KDF_derive(kctx, dest, destlen, params) <= 0) {
	rv = -1;
	}
	EVP_KDF_CTX_free(kctx);
	return rv;
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c` around lines 681 - 776, In
ngtcp2_crypto_hkdf_extract, ngtcp2_crypto_hkdf_expand, and ngtcp2_crypto_hkdf
guard the allocations for EVP_KDF *kdf and EVP_KDF_CTX *kctx after calling
crypto_kdf_hkdf() and EVP_KDF_CTX_new(kdf): if kdf or kctx is NULL, clean up any
allocated resource (free kdf if allocated), set rv = -1 and return immediately
instead of calling EVP_KDF_derive; ensure the same NULL-check pattern is applied
in each function around the existing EVP_KDF_derive call so allocation failures
or provider errors return -1 rather than dereferencing NULL.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Allow local transport parameters to be replaced before handshake keys are installed.

Line 933 hard-fails on a second non-empty call, and in release builds Lines 935-940 overwrite the old buffer without freeing it. That conflicts with the documented ngtcp2_conn_set_local_transport_params() flow where the server may update transport parameters after ALPN selection but before ngtcp2_conn_install_tx_handshake_key().

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c` around lines 928 - 946, The current
ngtcp2_crypto_set_local_transport_params asserts and leaks/overwrites
ossl_ctx->remote_params on a second non-empty call; change it to allow
replacement by removing the assert and freeing or reallocating the previous
buffer before assigning a new one. Specifically, in
ngtcp2_crypto_set_local_transport_params: if len != 0 and
ossl_ctx->remote_params is already set, free it (or use realloc) before
allocating the new buffer, handle malloc failure by leaving state consistent
(set remote_params to NULL on error), and ensure
SSL_set_quic_tls_transport_params(ossl_ctx->ssl, ossl_ctx->remote_params, len)
is still called with the correct pointer (use NULL when len == 0). This
preserves the documented ngtcp2_conn_set_local_transport_params() flow and
avoids leaks before ngtcp2_conn_install_tx_handshake_key().

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The aggregate-packet helper exposes no way to pass ngtcp2_write_pkt context.

Lines 5648-5651 require write_pkt(..., void *user_data), but Lines 5684-5687 and 6080-6084 do not accept any matching argument. As written, the new helper cannot forward caller state into the callback, so this public API is inconsistent on first release.

Suggested API alignment

 NGTCP2_EXTERN ngtcp2_ssize ngtcp2_conn_write_aggregate_pkt_versioned(
   ngtcp2_conn *conn, ngtcp2_path *path, int pkt_info_version,
   ngtcp2_pkt_info *pi, uint8_t *buf, size_t buflen, size_t *pgsolen,
-  ngtcp2_write_pkt write_pkt, ngtcp2_tstamp ts);
+  ngtcp2_write_pkt write_pkt, ngtcp2_tstamp ts, void *user_data);

 `#define` ngtcp2_conn_write_aggregate_pkt(CONN, PATH, PI, BUF, BUFLEN, PGSOLEN,  \
-                                        WRITE_PKT, TS)                         \
+                                        WRITE_PKT, TS, USER_DATA)             \
   ngtcp2_conn_write_aggregate_pkt_versioned(                                   \
     (CONN), (PATH), NGTCP2_PKT_INFO_VERSION, (PI), (BUF), (BUFLEN), (PGSOLEN), \
-    (WRITE_PKT), (TS))
+    (WRITE_PKT), (TS), (USER_DATA))

Also applies to: 6080-6084

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/ngtcp2.h` around lines 5648 - 5687,
The aggregate-packet API declares ngtcp2_write_pkt as taking a void *user_data
but ngtcp2_conn_write_aggregate_pkt_versioned (and related overloads such as
ngtcp2_conn_write_aggregate_pkt) do not accept or forward any user_data, making
the public API inconsistent; fix by adding a void *user_data parameter to
ngtcp2_conn_write_aggregate_pkt_versioned (and the other aggregate helpers at
lines ~6080-6084) and ensure the implementation forwards that pointer into the
ngtcp2_write_pkt calls and into the final ngtcp2_conn_update_pkt_tx_time
invocation so caller state passed to ngtcp2_write_pkt is preserved.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Don't spend glitch_rlim budget on valid retransmissions.

These branches are all reachable through normal QUIC loss/reordering: older MAX_STREAM_DATA, duplicate CRYPTO/STREAM, and repeated RESET_STREAM/STOP_SENDING are idempotent and should be ignored. Charging them against glitch_rlim means ordinary PTO/retransmit traffic can eventually surface as NGTCP2_ERR_INTERNAL and tear down a healthy connection.

Also applies to: 7154-7160, 7171-7195, 7240-7245, 7432-7446, 7491-7500, 7690-7695, 7822-7828

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.c` around lines 5646 - 5669, The code is
consuming glitch_rlim budget (ngtcp2_ratelim_drain(&conn->glitch_rlim,...)) for
idempotent/benign cases (duplicate/older MAX_STREAM_DATA, CRYPTO/STREAM
duplicates, repeated RESET_STREAM/STOP_SENDING) before returning 0; remove those
ngtcp2_ratelim_drain calls from the early-return branches so duplicates are
ignored without charging the rate limiter and only use glitch_rlim for actual
protocol errors. Specifically, in the MAX_STREAM_DATA handling around
strm->tx.max_offset/fr->max_stream_data and the NGTCP2_STRM_FLAG_SHUT_WR branch
remove the ngtcp2_ratelim_drain+return sequence and simply return 0 for the
idempotent cases; apply the same change pattern to the other affected blocks
(the other listed ranges) and keep the conn_call_extend_max_stream_data(...) and
error paths unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

disable_active_migration is checking the wrong side of the path.

This predicate compares path->local, but active migration is about the peer changing its address. As written, a client can still migrate while keeping the same server socket, and benign server-local address changes get dropped instead.

[suggested fix]

Patch sketch

-  if (conn->server && conn->local.transport_params.disable_active_migration &&
-      !ngtcp2_addr_eq(&conn->dcid.current.ps.path.local, &path->local) &&
-      !conn_server_preferred_addr_migration(conn, &path->local)) {
+  if (conn->server && conn->local.transport_params.disable_active_migration &&
+      !ngtcp2_addr_eq(&conn->dcid.current.ps.path.remote, &path->remote)) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (conn->server && conn->local.transport_params.disable_active_migration &&
	!ngtcp2_addr_eq(&conn->dcid.current.ps.path.local, &path->local) &&
	!conn_server_preferred_addr_migration(conn, &path->local)) {
	ngtcp2_log_info(&conn->log, NGTCP2_LOG_EVENT_PKT,
	"packet is discarded because active migration is disabled");
	return 0;
	}
	if (conn->server && conn->local.transport_params.disable_active_migration &&
	!ngtcp2_addr_eq(&conn->dcid.current.ps.path.remote, &path->remote)) {
	ngtcp2_log_info(&conn->log, NGTCP2_LOG_EVENT_PKT,
	"packet is discarded because active migration is disabled");
	return 0;
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.c` around lines 9898 - 9905, The condition
in the migration check is comparing the wrong endpoint: active migration should
detect changes in the peer/remote address, not the server's local socket. Update
the predicate that currently compares &conn->dcid.current.ps.path.local and
&path->local to compare the remote/peer addresses (e.g.,
&conn->dcid.current.ps.path.remote vs &path->remote) and pass the remote address
into conn_server_preferred_addr_migration accordingly so the check disables
migration only when the peer/remote addr changed while disable_active_migration
is set; keep the existing ngtcp2_log_info message and return behavior.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Don't return a negative error after earlier packets were already produced.

After the first successful write_pkt() call, packet numbers, retransmission state, and frame queues have already advanced. If a later iteration fails and this function returns that negative value, the caller will treat the whole aggregate write as failed even though buf already contains committed packets. That can desynchronize sender state from what the caller actually sends or discards.

Also applies to: 13963-13967

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/ngtcp2/ngtcp2/lib/ngtcp2_conn.c` around lines 13913 - 13920, The
function currently returns a negative error from write_pkt() even if prior
iterations already wrote packets into buf; instead, modify the loop handling
around write_pkt (referencing write_pkt, nwrite, wbuf, buf) so that if
write_pkt() returns < 0 but some bytes have already been produced (wbuf > buf),
you convert that outcome into returning the number of bytes produced (set nwrite
= wbuf - buf and break from the loop) rather than propagating the negative
error; only propagate the negative error when no bytes were produced. Apply the
same fix to the analogous block around the second occurrence mentioned (lines
referencing nwrite and wbuf in the later iteration).

[RafaelGSS]

RSLGTM

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​esbuild@​0.23.1
	npm/​esbuild-plugin-copy@​2.1.1
	npm/​@​types/​node@​25.3.3 ⏵ 22.19.20	+1		+1
	npm/​rimraf@​6.1.3
	npm/​typescript@​5.9.3
	npm/​@​biomejs/​biome@​1.8.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm ajv is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: deps/nsolid-cli/package-lock.json → npm/ajv@4.11.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@4.11.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

SECURITY.md (1)

20-33: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clean unresolved merge conflicts in security policy.

Line 20 through Line 33, Line 48 through Line 53, and Line 438 contain conflict markers. This makes the vulnerability reporting policy ambiguous and error-prone for reporters.

Also applies to: 48-53, 438-438

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 20 - 33, The file SECURITY.md contains unresolved
git merge conflict markers (e.g., <<<<<<< HEAD, =======, >>>>>>> v24.16.0)
around the "Node.js bug bounty program" and "Reporting a bug in a third-party
module" sections; clean these by choosing and merging the correct text: remove
all conflict markers and duplicate blocks, consolidate the intended paragraphs
under the "## Reporting a bug in a third‑party module" and "### Node.js bug
bounty program" headings so the policy reads coherently (ensure the 14‑day
escalation sentence is preserved if desired), and verify there are no remaining
markers at the referenced locations (lines ~20–33, ~48–53, ~438) before
committing.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/linters.yml:
- Around line 54-55: There are unresolved Git conflict markers (<<<<<<<,
=======, >>>>>>>) left in the workflow YAML which break parsing; open the
.github workflow definition that contains these markers and remove the conflict
markers, merge the two conflicting blocks into the correct intended content
(choose the desired version of the steps/keys or combine them sensibly), and
ensure the resulting YAML for the linters workflow contains only valid
keys/values and passes a YAML/CI linter; specifically target the conflict
markers "<<<<<<<", "=======", and ">>>>>>>" in the linters.yml content and
resolve them so the file is valid YAML.

In `@CONTRIBUTING.md`:
- Around line 13-17: Remove the unresolved Git merge conflict markers (e.g.,
<<<<<<< HEAD, =======, and >>>>>>>) from the CONTRIBUTING.md content and resolve
the conflicting sections into a single coherent paragraph; specifically, delete
the marker lines and choose the correct wording for the Node.js build
instructions (or merge both sensible parts) and remove the duplicate/conflicting
block around the other occurrence near line 43 so the file contains no conflict
artifacts and reads as one consistent contributor guide.

In `@README.md`:
- Around line 42-44: Remove the unresolved Git conflict markers (<<<<<<<,
=======, >>>>>>>) in the README and choose the correct content for the
conflicting section (e.g., restore the intended "Contributing to the project"
link syntax or merge both sides sensibly), then delete the leftover markers and
any duplicate lines; also search for and fix the second occurrence around the
other reported spot (the block referenced at 817) so the markdown is valid and
the link reference [Contributing to the project][] is correctly defined or
converted to an inline link.

---

Outside diff comments:
In `@SECURITY.md`:
- Around line 20-33: The file SECURITY.md contains unresolved git merge conflict
markers (e.g., <<<<<<< HEAD, =======, >>>>>>> v24.16.0) around the "Node.js bug
bounty program" and "Reporting a bug in a third-party module" sections; clean
these by choosing and merging the correct text: remove all conflict markers and
duplicate blocks, consolidate the intended paragraphs under the "## Reporting a
bug in a third‑party module" and "### Node.js bug bounty program" headings so
the policy reads coherently (ensure the 14‑day escalation sentence is preserved
if desired), and verify there are no remaining markers at the referenced
locations (lines ~20–33, ~48–53, ~438) before committing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b0e2f9c0-315a-4ff7-bd86-cea0feda157d

📥 Commits

Reviewing files that changed from the base of the PR and between 110a5e1 and bc0a99c.

📒 Files selected for processing (10)

• .github/workflows/commit-queue.yml
• .github/workflows/coverage-linux-without-intl.yml
• .github/workflows/coverage-linux.yml
• .github/workflows/linters.yml
• CONTRIBUTING.md
• README.md
• SECURITY.md
• agents/otlp/src/otlp_common.cc
• common.gypi
• configure.py

💤 Files with no reviewable changes (3)

• common.gypi
• agents/otlp/src/otlp_common.cc
• configure.py

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/commit-queue.yml