chore(deps): bump the cargo group across 2 directories with 1 update

[dependabot]

Bumps the cargo group with 1 update in the / directory: quiche.
Bumps the cargo group with 1 update in the /crates directory: quiche.

Updates quiche from 0.22.0 to 0.24.5

Release notes

Sourced from quiche's releases.

➰ 0.24.5

⚠️ Security:

• Improves sender side handling of RETIRE_CONNECTION_ID frames. Without this an attacker could trigger an infinite loop by sending a specially-crafted set of frames that trigger a connection ID retirement (CVE-2025-7054).

Highlights:

• Added Config::set_initial_rtt() to allow control of a connection's initial RTT estimate.
• Improvements and bug fixes to datagram packetization layer path MTU discovery (DPLPMTUD).
• Other bug fixes and performance improvements.

🛡️ 0.24.4

⚠️ Security:

• Implemented proper ACK range validation. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, which could potentially lead to an overflow and a crash (CVE-2025-4821).
• Implemented mitigations for optimistic ACK attacks. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, allowing more bytes in flight than the path might really support (CVE-2025-4820).

Highlights:

• Added Config::set_send_capacity_factor() to control the amount of stream data that can be buffered within quiche.
• Added a new stat for reporting spuriously lost packets.
• Many more bug fixes and performance improvements.

Full changelog at cloudflare/quiche@0.24.0...0.24.4

quiche 0.24.2

What's Changed

• remove unnecessary &mut by @​birneee in cloudflare/quiche#2032
• Allow queueing at least 1 millisecond worth of packets in advance. by @​antoniovicente in cloudflare/quiche#2036
• quiche: release 0.24.2 by @​antoniovicente in cloudflare/quiche#2037

New Contributors

• @​birneee made their first contribution in cloudflare/quiche#2032

Full Changelog: cloudflare/quiche@0.24.1...0.24.2

🥼 0.24.0

Breaking Changes:

• The Connection now takes a generic BufFactory. A default factory is provided, so in practice this shouldn't affect applications, but it's potentially a breaking change.

Highlights:

• Added experimental APIs for providing custom buffer allocators (see accept_with_buf_factory() and connect_with_buffer_factory()), and related "zero-copy" stream send operations.
• Many more bug fixes and performance improvements.

Full changelog at cloudflare/quiche@0.23.7...0.24.0

🩹 0.23.7

Highlights:

... (truncated)

Commits

• 5ea8d8e quiche: release 0.24.5
• f33411d lib: improve connection ID retirement
• ecaf004 ci: properly gate internal_pacing_rate_override test on internal feature
• 1400aae refactor: remove enum_dispatch indirection from CongestionControl trait now t...
• ca324bc ci: update cargo ndk arguments
• 465b774 Remove deref to network_model for mode.
• 3bbdd1f Add option to override initial pacing rate (#2115)
• 90163bd Pacer should not implement the CongestionControl trait.
• 01b32bd add some documentation about creating releases
• bc31516 tokio-quiche: close connection when H3Event receiver closes
• Additional commits viewable in compare view

Updates quiche from 0.22.0 to 0.24.5

Release notes

Sourced from quiche's releases.

➰ 0.24.5

⚠️ Security:

• Improves sender side handling of RETIRE_CONNECTION_ID frames. Without this an attacker could trigger an infinite loop by sending a specially-crafted set of frames that trigger a connection ID retirement (CVE-2025-7054).

Highlights:

• Added Config::set_initial_rtt() to allow control of a connection's initial RTT estimate.
• Improvements and bug fixes to datagram packetization layer path MTU discovery (DPLPMTUD).
• Other bug fixes and performance improvements.

🛡️ 0.24.4

⚠️ Security:

• Implemented proper ACK range validation. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, which could potentially lead to an overflow and a crash (CVE-2025-4821).
• Implemented mitigations for optimistic ACK attacks. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, allowing more bytes in flight than the path might really support (CVE-2025-4820).

Highlights:

• Added Config::set_send_capacity_factor() to control the amount of stream data that can be buffered within quiche.
• Added a new stat for reporting spuriously lost packets.
• Many more bug fixes and performance improvements.

Full changelog at cloudflare/quiche@0.24.0...0.24.4

quiche 0.24.2

What's Changed

• remove unnecessary &mut by @​birneee in cloudflare/quiche#2032
• Allow queueing at least 1 millisecond worth of packets in advance. by @​antoniovicente in cloudflare/quiche#2036
• quiche: release 0.24.2 by @​antoniovicente in cloudflare/quiche#2037

New Contributors

• @​birneee made their first contribution in cloudflare/quiche#2032

Full Changelog: cloudflare/quiche@0.24.1...0.24.2

🥼 0.24.0

Breaking Changes:

• The Connection now takes a generic BufFactory. A default factory is provided, so in practice this shouldn't affect applications, but it's potentially a breaking change.

Highlights:

• Added experimental APIs for providing custom buffer allocators (see accept_with_buf_factory() and connect_with_buffer_factory()), and related "zero-copy" stream send operations.
• Many more bug fixes and performance improvements.

Full changelog at cloudflare/quiche@0.23.7...0.24.0

🩹 0.23.7

Highlights:

... (truncated)

Commits

• 5ea8d8e quiche: release 0.24.5
• f33411d lib: improve connection ID retirement
• ecaf004 ci: properly gate internal_pacing_rate_override test on internal feature
• 1400aae refactor: remove enum_dispatch indirection from CongestionControl trait now t...
• ca324bc ci: update cargo ndk arguments
• 465b774 Remove deref to network_model for mode.
• 3bbdd1f Add option to override initial pacing rate (#2115)
• 90163bd Pacer should not implement the CongestionControl trait.
• 01b32bd add some documentation about creating releases
• bc31516 tokio-quiche: close connection when H3Event receiver closes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.