Bump github.com/quic-go/quic-go from 0.36.2 to 0.37.4

[dependabot[bot]]

Bumps github.com/quic-go/quic-go from 0.36.2 to 0.37.4.

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.37.4

This release contains a fix for a last-minute breaking API change in Go 1.21: quic-go/quic-go#4020

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.37.3...v0.37.4

v0.37.3

This patch release

• fixes handling of ACK frames serialized after CRYPTO frames: #4018
• sets a net.Conn on the tls.ClientHelloInfo used on GetCertificate and GetConfigForClient, for tls.Configs returned (recursively) from GetConfigForClient: quic-go/quic-go#4016

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.37.2...v0.37.3

v0.37.2

This patch release

• contains a backport of the fix that triggered the Go 1.20.7 / 1.19.12 patch release (https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017): quic-go/quic-go#4012
• sets a net.Conn with the correct addresses on the tls.ClientHelloInfo used in tls.Config.GetCertificate: quic-go/quic-go#4015

Note that in order to be protected against the DoS attack making use of large RSA keys, it's necessary to update to this patch release (for Go 1.20). For Go 1.21, please update the Go compiler.

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.37.1...v0.37.2

v0.37.1

This is a patch release fixing two regressions introduced in the v0.37.0 release:

• http3: fix check for content length of the response by @​imroc in quic-go/quic-go#3998
• set a net.Conn with the correct addresses on the tls.ClientHelloInfo by @​marten-seemann in quic-go/quic-go#4001

New Contributors

• @​imroc made their first contribution in quic-go/quic-go#3998

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.37.0...v0.37.1

v0.37.0

crypto/tls changes

With the upcoming Go 1.21 release, we're now able to rely on the Go standard library's TLS implementation's QUIC support.

If you're curious, here are the discussions that happened in the Go project's GitHub:

• QUIC support for crypto/tls (without 0-RTT): golang/go#44886
• QUIC 0-RTT support for crypto/tls: golang/go#60107
• Advanced session ticket API (needed for 0-RTT): golang/go#60105

Special thanks to @​FiloSottile and @​neild for the constructive discussions around the new API, and for making this happen!

Using this new API required major changes to the way quic-go interacts with the TLS stack (#3860 and #3939), but ultimately, the new API is a lot cleaner than what we had before.

This means that starting with Go 1.21, we won't have to fork crypto/tls anymore, resolving a longstanding issue (#2727). This also resolves a major pain point for the community, since quic-go now doesn't have to enforce a specific compiler version any longer. Note that this release still supports Go 1.20 (in line with our policy to always support the two most recent Go versions), which still uses (a completely rewritten) fork of crypto/tls. We're looking forward to dropping support for Go 1.20 once Go 1.22 is released next year.

... (truncated)

Commits

• 4345a2d fix compatibility with API breaking change in Go 1.21 (#4020)
• b6a4725 fix handling of ACK frames serialized after CRYPTO frames (#4018)
• 4eedeb0 add tls.ClientHelloInfo.Conn for recursive GetConfigForClient calls (#4016)
• 38b703e add error handling when confirming handshake on HANDSHAKE_DONE frames (#4017)
• a0a2e5f set a net.Conn for tls.ClientHelloInfo.Conn used by GetCertificate (#4014)
• b8aa6a8 update qtls to restrict RSA keys in certificates to <= 8192 bits (#4012)
• f3a0ce1 set a net.Conn with the correct addresses on the tls.ClientHelloInfo (#4001)
• 44a58dc ci: update Go 1.21 to rc3 (#3994)
• 32f8b20 http3: fix check for content length of the response (#3998)
• 469a615 use a synchronous API for the crypto setup (#3939)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mstmdev]

@dependabot rebase

[codecov[bot]]

Codecov Report

Merging #234 (d126801) into main (c679eeb) will not change coverage. The diff coverage is n/a.

@@            Coverage Diff            @@
##              main      #234   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           56        56           
  Lines         1699      1699           
=========================================
  Hits          1699      1699           

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more