deps: update nghttp2 to 1.69.0

[nodejs-github-bot]

This is an automated update of nghttp2 to 1.69.0.

[nodejs-github-bot]

Review requested:

• @nodejs/http2
• @nodejs/net
• @nodejs/security-wg

[pimterry]

This replaces #62867, implementing the same changes but kicked off via the automated dep update as a separate commit. See #62381 for context, this fixes #60661. Bringing the description from the previous PR for reference:

---

This is a dep update with fixes due to changes in nghttp2 v1.67.0+ which now treats some stream-level errors as session errors, and internally sends GOAWAY frames to kill the connection (without calling the on_invalid_frame callback). That requires some fixes here to detect those internally triggered GOAWAYs and expose these as HTTP/2 session errors at the end of the core nghttp2 write loop.

Some of these changes will result in user-visible differences to how protocol errors are exposed in Node, moving some error events from the stream to the session, and exposing some errors where previously they were swallowed. After the changes in 1.69.0 (as opposed to 1.67 & 1.68) this only applies to low-level protocol failures like broken flow control or compression failures, not to HTTP validation errors more generally.

This is unfortunate, and in that context it's debatable whether this is a breaking change (new errors from the same traffic) or just a bugfix (we shouldn't silently swallow serious protocol errors) but we can't realistically avoid this if we want to keep nghttp2 up to date, and in some unbundled scenarios the latest nghttp2 will be used regardless. For anything non-trivial this shouldn't cause problems since session errors need to be handled by all applications to deal with existing common production issues like connection resets anyway. The changed behaviour only applies to connections that hit serious protocol errors, and doesn't change anything in normal expected flows.

See the test changes for some examples of how this changes behaviour in practice - the vast majority of h2 tests are unchanged, it's just a couple of specific invalid traffic cases that change. I've also added a new test as well to confirm specifically that we cover the new internally triggered GOAWAYs correctly, and tightened up some checks on the existing tests to confirm everything is working correctly there.

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.62%. Comparing base (3a53447) to head (314cc5b).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
src/node_http2.cc	87.50%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62891      +/-   ##
==========================================
+ Coverage   89.60%   89.62%   +0.01%     
==========================================
  Files         706      706              
  Lines      219179   219195      +16     
  Branches    41993    41993              
==========================================
+ Hits       196400   196457      +57     
+ Misses      14675    14621      -54     
- Partials     8104     8117      +13     

Files with missing lines	Coverage Δ
src/node_http2.h	91.61% <ø> (ø)
src/node_http2.cc	82.09% <87.50%> (-0.11%)	⬇️

... and 38 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.