chore(deps): update module github.com/quic-go/quic-go to v0.60.0

[CubicrootXYZ]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/quic-go/quic-go	v0.59.1 → v0.60.0

---

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.60.0

Compare Source

Starting with v0.60.0, quic-go is ready for use in FIPS 140-3 environments when built with Go 1.26 or newer and used with the Go Cryptographic Module. See FIPS140.md for details.

This required a number of changes:

• switch QUIC HKDF usage to the standard library crypto/hkdf: #​5461
• use the Go standard library's TLS 1.3 AES-GCM implementation for QUIC packet protection AEADs: #​5624
• use cipher.NewGCMWithRandomNonce for address validation token encryption: #​5625
• disable FIPS 140-3 enforcement for the Retry packet integrity tag, which is outside the FIPS 140-3 scope: #​5630
• disable FIPS 140-3 enforcement for Initial packet protection, whose secrets are derived from public RFC constants: #​5640
• guard the internal ChaCha20-Poly1305 code path so it is not used in FIPS 140-3 mode: #​5633
• add FIPS / non-FIPS data transfer integration tests, including Retry and key updates: #​5646

Breaking Changes

• quic-go now requires Go 1.25 or newer: #​5561

Notable Fixes

• path probe packets now correctly pass the OOB data (needed to select the correct network interface in some system configurations): #​5544, thanks to @​on-keyday
• cancel the Stream and SendStream context when the connection is closed: #​5556, thanks to @​zvdy
• http3: validate Extended CONNECT ``:protocol` pseudo-header values according to HTTP token syntax: #​5639
• http3: always set http.Request.Scheme and http.Request.Host: #​5554, thanks to @​qiulaidongfeng
• http3: fixed a nil pointer dereference when Server.Logger is unset: #​5671
• fix maximum datagram size estimation after MTU discovery: #​5650, thanks to @​jinq0123
• OpenStreamSync now reliably returns the context error when the context is cancelled: #​5660

Behind the scenes

In the last couple of months, we have reworked our fuzz setup and the integration into OSS-Fuzz: First of all, all fuzzers were rewritten to Go native fuzzing (#​5592, #​5599, #​5600, #​5603, #​5613). We also added new fuzzers for the HTTP/3 frame parser (#​5595), HTTP/3 request, response and trailer decoding (#​5602) and the STREAM / CRYPTO frame sorter (#​5620).

Since native Go fuzzing uses a different seed corpus format, we now use the newly implemented go-ossfuzz-seeds library to generate OSS-Fuzz compatible seed corpus files from f.Add calls.

We also enable ClusterFuzzLite batch fuzzing (#​5605), including. a seed corpus (#​5607). Fuzz coverage for both ClusterFuzzLite batch fuzzing (#​5641) and for OSS-Fuzz fuzzing (#​5655) is now submitted to Codecov.

Changelog

• README: update nodepass link and description in #​5545
• ci: always use the latest Go patch release by @​marten-seemann in #​5560
• ci: update golangci-lint to v2.9.0 by @​marten-seemann in #​5559
• update to Go 1.26, drop Go 1.24 by @​marten-seemann in #​5561
• remove synctest wrapper needed for Go 1.24 by @​marten-seemann in #​5563
• ci: remove stray golangci-lint rule for ConnectionTracing(ID|Key) by @​marten-seemann in #​5565
• handshake: use the tls.QUICErrorEvent added in Go 1.26 by @​marten-seemann in #​5564
• pass OOB data to select network interface when sending path probes by @​on-keyday in #​5544
• remove special treatment for Go 1.24 in tests by @​marten-seemann in #​5568
• remove unneeded version switches for ECH ClientHello fragmentation test by @​marten-seemann in #​5567
• use sync.WaitGroup.Go added in Go 1.25 by @​marten-seemann in #​5566
• README: Fix NodePass GitHub stars badge link in #​5570
• cancel stream context when the connection is closed by @​zvdy in #​5556
• http3: always set Scheme and Host of Request.URL field by @​qiulaidongfeng in #​5554
• build(deps): bump actions/upload-artifact from 6 to 7 by @​dependabot[bot] in #​5576
• http3: fix misleading error when parsing the :path header fails by @​Copilot in #​5579
• build(deps): bump docker/setup-buildx-action from 3 to 4 by @​dependabot[bot] in #​5581
• build(deps): bump docker/login-action from 3 to 4 by @​dependabot[bot] in #​5584
• build(deps): bump docker/setup-qemu-action from 3 to 4 by @​dependabot[bot] in #​5583
• build(deps): bump docker/build-push-action from 6 to 7 by @​dependabot[bot] in #​5582
• build(deps): bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in #​5588
• ci: run govulncheck by @​marten-seemann in #​5586
• http3: fix typo in qlog quarter_stream_id by @​marten-seemann in #​5590
• ci: update golangci-lint to v2.11.4 by @​marten-seemann in #​5591
• ci: use the Go version provided in the OSS-Fuzz Go image by @​marten-seemann in #​5593
• ci: remove obsolete -lresolv workaround for OSS-Fuzz by @​marten-seemann in #​5594
• wire: use Go’s native fuzzing for the frame parser by @​marten-seemann in #​5592
• ci: fix oss-fuzz build of native Go fuzzer by @​marten-seemann in #​5598
• wire: use Go native fuzzing for the transport parameter parser by @​marten-seemann in #​5599
• http3: add a fuzzer for frame parsing by @​marten-seemann in #​5595
• wire: use Go native fuzzing for the header parser by @​marten-seemann in #​5600
• http3: add a fuzzer for request, response and trailer decoding by @​marten-seemann in #​5602
• ci: switch to native Go fuzzing for QPACK by @​marten-seemann in #​5603
• remove the fuzzer for resumption and retry tokens by @​marten-seemann in #​5606
• ci: enable ClusterFuzzLite batch fuzzing by @​marten-seemann in #​5605
• ci: use seed corpus for ClusterFuzzLite PR fuzzing by @​marten-seemann in #​5607
• Remove unnecessary apt-get dependencies from ClusterFuzzLite Dockerfile by @​Copilot in #​5609
• ci: fix path to QPACK fuzzer for OSS-Fuzz by @​marten-seemann in #​5612
• handshake: use Go native fuzzing for the handshake fuzzer by @​marten-seemann in #​5613
• wire: fuzz splitting of CRYPTO and DATAGRAM, truncation of ACK frames by @​marten-seemann in #​5615
• wire: improve fuzz coverage of the header fuzzer by @​marten-seemann in #​5616
• ci: set permissions on all CI workflows by @​marten-seemann in #​5617
• remove unused fuzzing helper functions by @​marten-seemann in #​5618
• wire: increase fuzz coverage of transport parameter fuzzer by @​marten-seemann in #​5619
• handshake: switch to crypto/hkdf instead of golang.org/x/crypto/hkdf by @​marten-seemann in #​5461
• handshake: use cipher.NewGCMWithRandomNonce for token protector AEAD by @​marten-seemann in #​5625
• fix .gitignore entry for fuzzing testdata by @​marten-seemann in #​5627
• generate an OSS-Fuzz compatible seed corpus from f.Add calls by @​marten-seemann in #​5626
• wire: limit size of frames to split off in the frame fuzzer by @​marten-seemann in #​5628
• wire: use a valid size parameter for the frame fuzzer corpus by @​marten-seemann in #​5629
• handshake: disable FIPS 140 enforcement for the Retry AEAD by @​marten-seemann in #​5630
• ci: run Codspeed once per day by @​marten-seemann in #​5636
• ci: pin non-GitHub-owned GitHub Actions by @​marten-seemann in #​5637
• add detailed instructions how to interact with OSS-Fuzz fuzzers by @​marten-seemann in #​5638
• http3: add validation logic for the :protocol pseudo-header field by @​marten-seemann in #​5639
• handshake: disable FIPS 140 enforcement for Initial AEAD by @​marten-seemann in #​5640
• ci: obtain coverage for ClusterFuzzLite Batch fuzzing by @​marten-seemann in #​5641
• http3: implement trailer validation logic by @​marten-seemann in #​5642
• handshake: use crypto/tls.aeadAESGCMTLS13 to construct FIPS 140 AEAD by @​marten-seemann in #​5624
• handshake: disable ChaCha20 code path in FIPS 140 mode by @​marten-seemann in #​5633
• rename fuzz targets of recently rewritten fuzz tests by @​marten-seemann in #​5648
• add FIPS / non-FIPS data transfer integration test by @​marten-seemann in #​5646
• run go fix across the entire codebase by @​marten-seemann in #​5652
• ci: run go fix by @​marten-seemann in #​5653
• update golang.org/x/net to v0.55.0 by @​marten-seemann in #​5656
• ci: run govulncheck on a schedule instead of on every push by @​marten-seemann in #​5657
• document FIPS 140 considerations by @​marten-seemann in #​5651
• ci: add a workflow to submit OSS-Fuzz coverage to Codecov by @​marten-seemann in #​5655
• ci: run ClusterFuzz Lite without corpus repo on forks by @​marten-seemann in #​5658
• honor context cancellation in OpenStreamSync by @​marten-seemann in #​5660
• fix flaky TestStreamsMapOutgoingRandomizedWithCancellation by @​marten-seemann in #​5661
• ci: add a summary ClusterFuzz corpus downloads by @​marten-seemann in #​5662
• ci: fix ClusterFuzz coverage source paths by @​marten-seemann in #​5663
• add a fuzzer for the frame sorter by @​marten-seemann in #​5620
• ci: bump codecov/codecov-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5664
• ci: bump docker/build-push-action from 7.1.0 to 7.2.0 by @​dependabot[bot] in #​5667
• ci: bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @​dependabot[bot] in #​5666
• ci: bump docker/setup-buildx-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​5665
• ci: bump docker/login-action from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​5668
• make the frame sorter fuzz corpus accessible to OSS-Fuzz by @​marten-seemann in #​5670
• http3: fix nil pointer dereference when Server.Logger is unset by @​jedda-jamf in #​5671
• ci: bump docker/setup-qemu-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​5673
• log build date and revisions in OSS-Fuzz build script by @​marten-seemann in #​5674
• fix maximum datagram size estimation after MTU discovery by @​jinq0123 in #​5650

New Contributors

• @​on-keyday made their first contribution in #​5544
• @​zvdy made their first contribution in #​5556
• @​qiulaidongfeng made their first contribution in #​5554
• @​jedda-jamf made their first contribution in #​5671
• @​jinq0123 made their first contribution in #​5650

Full Changelog: quic-go/quic-go@v0.59.0...v0.60.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.