@nodejs-github-bot
Collaborator

This is an automated update of nghttp3 to 1.14.0.

nodejs-github-bot added the "dependencies" label (pull requests that update a dependency file) on Dec 28, 2025
@nodejs-github-bot
Collaborator Author

Review requested:

  • @nodejs/security-wg

nodejs-github-bot added the "needs-ci" (PRs that need a full CI run) and "quic" (issues and PRs related to the QUIC implementation / HTTP/3) labels on Dec 28, 2025
@targos
Member

targos commented Dec 28, 2025

@nodejs/quic

@diffray-bot

Changes Summary

This PR updates the nghttp3 HTTP/3 library from v1.13.1 to v1.14.0 in the Node.js dependencies. The update includes API additions (new proto_settings struct and recv_settings2 callback), internal refactoring for better const-correctness, and code simplifications including a major restructuring of the sfparse module.

Type: config

Components Affected: nghttp3 HTTP/3 library, QUIC/HTTP3 support, Protocol settings handling, Settings frame processing, Range and gap tracking, Structured field parsing

Files Changed

| File | Summary | Change | Impact |
|---|---|---|---|
| deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h | Version updated from 1.13.1 to 1.14.0 | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/includes/nghttp3/nghttp3.h | New nghttp3_proto_settings struct added, new recv_settings2 callback introduced, old recv_settings callback deprecated, NGHTTP3_CALLBACKS_VERSION bumped to V3, documentation on max_field_section_size updated | ✏️ | 🔴 |
| deps/ngtcp2/nghttp3/lib/nghttp3_conn.h | Remote settings field changed from nghttp3_settings to nghttp3_proto_settings struct | ✏️ | 🔴 |
| deps/ngtcp2/nghttp3/lib/nghttp3_conn.c | Settings processing updated to use new recv_settings2 callback, proto_settings struct handling added | ✏️ | 🔴 |
| deps/ngtcp2/nghttp3/lib/nghttp3_stream.c | Stream handling refactored with initialization changes and const-correctness improvements | ✏️ | 🟡 |
| deps/ngtcp2/nghttp3/lib/nghttp3_tnode.h | num_children field removed from nghttp3_tnode struct | ✏️ | 🟡 |
| deps/ngtcp2/nghttp3/lib/sfparse/sfparse.c | Major code simplification: removed large multi-line macro definitions (280+ lines) and replaced with inline usage, reducing file by 137 lines | ✏️ | 🟡 |
| deps/ngtcp2/nghttp3/lib/nghttp3_gaptr.c | Functions made const-correct (gaptr_first_gap_offset, gaptr_get_first_gap_after, gaptr_is_pushed now take const gaptr parameter), initialized ranges moved inline | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/nghttp3_ksl.h | KSL block keys changed from union with align buffer to direct uint8_t pointer for cleaner memory allocation | ✏️ | 🟡 |
| deps/ngtcp2/nghttp3/lib/nghttp3_frame.h | Added nghttp3_frame_hd struct, settings_entry iv changed to pointer, priority_update union reordered for zero-initialization convenience | ✏️ | 🔴 |
| deps/ngtcp2/nghttp3/lib/nghttp3_range.c | Refactored to use C99 compound literals for range initialization instead of field-by-field assignment | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/nghttp3_callbacks.c | Callback handling updated to support new recv_settings2 callback version | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/nghttp3_conv.c | Conversion logic updated for proto_settings struct usage | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/nghttp3_balloc.h | Minor changes to object allocation structures | ✏️ | 🟢 |
| deps/ngtcp2/nghttp3/lib/nghttp3_buf.c | Buffer handling updated | ✏️ | 🟢 |

Architecture Impact
  • New Patterns: New proto_settings struct separates HTTP/3 protocol-level settings from library settings, Callback versioning pattern (V1, V2, V3) for API evolution, C99 compound literals for struct initialization (improved code clarity)
  • Dependencies: nghttp3 library bumped from 1.13.1 to 1.14.0
  • Coupling: Settings handling now more decoupled: new nghttp3_proto_settings struct isolates protocol settings from implementation-specific settings, reducing tight coupling between protocol and library configuration
  • Breaking Changes: nghttp3_recv_settings callback deprecated in favor of nghttp3_recv_settings2 (old callback will not receive new settings), nghttp3_settings struct replaced with nghttp3_proto_settings in remote.settings field, nghttp3_tnode.num_children field removed, nghttp3_frame_priority_update union member order changed (struct moved after unnamed struct)

Risk Areas: Settings callback compatibility - applications using old nghttp3_recv_settings callback will no longer receive new settings, KSL key buffer allocation changes - memory layout changed from inline to pointer, requires correct allocation/deallocation, Frame struct layout changes - union member reordering in priority_update may affect binary compatibility or initialization patterns, Proto_settings struct adoption - remote connection settings now use different struct type which requires careful handling in callbacks

Suggestions
  • Verify Node.js HTTP/3 APIs properly handle the new recv_settings2 callback and deprecation of recv_settings
  • Ensure all internal uses of nghttp3_settings have been updated to use nghttp3_proto_settings where applicable
  • Review and test settings frame handling with the new callback system to ensure no settings are lost
  • Test const-correctness changes to ensure no issues with pointer aliasing or unintended mutations
  • Validate memory layout of frame structures, especially priority_update union, for any ABI compatibility concerns

Full review in progress... | Powered by diffray

@targos
Member

targos commented Dec 28, 2025

^ @nodejs/moderation
