From 388059cf91bb25a4179fd52a2ac6b2ed3b23c8d6 Mon Sep 17 00:00:00 2001
From: Toby Hede
Date: Mon, 16 Mar 2026 14:54:56 +1100
Subject: [PATCH 1/2] fix(deps): bump quinn-proto from 0.11.12 to 0.11.14

Fixes CVE-2026-31812: remote DoS via panic on malformed QUIC transport parameters. Resolves CIP-2901.
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 115f5f49..7553b8f5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3112,9 +3112,9 @@ dependencies = [
 
 [[package]]
 name = "quinn-proto"
-version = "0.11.12"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "aws-lc-rs",
  "bytes",

From a6abdf01ffe00c6e7b3dcd3bd0afb6ff81edde82 Mon Sep 17 00:00:00 2001
From: Toby Hede
Date: Mon, 16 Mar 2026 14:59:28 +1100
Subject: [PATCH 2/2] fix(deps): bump metrics from 0.24.1 to 0.24.3

Fixes compilation error with quinn-proto 0.11.14.
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 7553b8f5..81e67120 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2453,9 +2453,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
 
 [[package]]
 name = "metrics"
-version = "0.24.1"
+version = "0.24.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a7deb012b3b2767169ff203fadb4c6b0b82b947512e5eb9e0b78c2e186ad9e3"
+checksum = "5d5312e9ba3771cfa961b585728215e3d972c950a3eed9252aa093d6301277e8"
 dependencies = [
  "ahash 0.8.11",
  "portable-atomic",