Skip to content

chore(deps): Bump quiche from 0.22.0 to 0.24.5 in /benchmark/baselines/quiche#1

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/cargo/benchmark/baselines/quiche/quiche-0.24.5
Open

chore(deps): Bump quiche from 0.22.0 to 0.24.5 in /benchmark/baselines/quiche#1
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/cargo/benchmark/baselines/quiche/quiche-0.24.5

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Bumps quiche from 0.22.0 to 0.24.5.

Release notes

Sourced from quiche's releases.

➰ 0.24.5

⚠️ Security:

  • Improves sender side handling of RETIRE_CONNECTION_ID frames. Without this an attacker could trigger an infinite loop by sending a specially-crafted set of frames that trigger a connection ID retirement (CVE-2025-7054).

Highlights:

  • Added Config::set_initial_rtt() to allow control of a connection's initial RTT estimate.
  • Improvements and bug fixes to datagram packetization layer path MTU discovery (DPLPMTUD).
  • Other bug fixes and performance improvements.

🛡️ 0.24.4

⚠️ Security:

  • Implemented proper ACK range validation. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, which could potentially lead to an overflow and a crash (CVE-2025-4821).
  • Implemented mitigations for optimistic ACK attacks. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, allowing more bytes in flight than the path might really support (CVE-2025-4820).

Highlights:

  • Added Config::set_send_capacity_factor() to control the amount of stream data that can be buffered within quiche.
  • Added a new stat for reporting spuriously lost packets.
  • Many more bug fixes and performance improvements.

Full changelog at cloudflare/quiche@0.24.0...0.24.4

quiche 0.24.2

What's Changed

New Contributors

Full Changelog: cloudflare/quiche@0.24.1...0.24.2

🥼 0.24.0

Breaking Changes:

  • The Connection now takes a generic BufFactory. A default factory is provided, so in practice this shouldn't affect applications, but it's potentially a breaking change.

Highlights:

Full changelog at cloudflare/quiche@0.23.7...0.24.0

🩹 0.23.7

Highlights:

... (truncated)

Commits
  • 5ea8d8e quiche: release 0.24.5
  • f33411d lib: improve connection ID retirement
  • ecaf004 ci: properly gate internal_pacing_rate_override test on internal feature
  • 1400aae refactor: remove enum_dispatch indirection from CongestionControl trait now t...
  • ca324bc ci: update cargo ndk arguments
  • 465b774 Remove deref to network_model for mode.
  • 3bbdd1f Add option to override initial pacing rate (#2115)
  • 90163bd Pacer should not implement the CongestionControl trait.
  • 01b32bd add some documentation about creating releases
  • bc31516 tokio-quiche: close connection when H3Event receiver closes
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

ehsanmok and others added 2 commits June 5, 2026 04:51
@ehsanmok @cursoragent
Update README and docs
43ef871 
Sweep the user-facing surfaces (README, docs, examples, top-level
__init__.mojo, h3 bench baseline) so the HTTP/3 status is 100% accurate
now that the match-or-beat-quiche gate is met:

- Replace stale "Phase E / wire I/O in flight / scaffold / gate not
  met / 351 req/s" claims with the live gate-met state (flare h3 leads
  at 74,653 req/s, +2.9% over quiche, sigma 0.50%).
- Drop the never-built recvmmsg / UDP_GRO / sendmmsg reactor mechanism
  text; describe the actual non-blocking recv_from drain + coalesced
  1-RTT egress path.
- Fix the contradictory HTTP/3 benchmark lede that introduced the
  gate-met table while still saying the gate was unmet.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
@dependabot
chore(deps): Bump quiche in /benchmark/baselines/quiche
a13dd3c 
Bumps [quiche](https://github.com/cloudflare/quiche) from 0.22.0 to 0.24.5.
- [Release notes](https://github.com/cloudflare/quiche/releases)
- [Commits](cloudflare/quiche@0.22.0...0.24.5)

---
updated-dependencies:
- dependency-name: quiche
  dependency-version: 0.24.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ehsanmok