Bump the akka group with 4 updates#43
Closed
dependabot[bot] wants to merge 799 commits into
Closed
Conversation
Add Http3SettingsExchange orchestrator for bidirectional HTTP/3 settings exchange with SETTINGS_MAX_FIELD_SECTION_SIZE enforcement and HTTP/2 reserved setting rejection. 25 new unit tests covering full exchange lifecycle, field section size validation, and forbidden setting detection.
Implement Http3ConnectionReuseEvaluator and Http3CertificateValidator for HTTP/3 connection coalescing decisions. Same-origin connections are always reusable; cross-origin reuse requires the server certificate to cover the target hostname (SAN dNSName or CN fallback per RFC 6125 §6.4). GOAWAY, scheme mismatch, and port mismatch force new connections. 60 unit tests.
Add Http3IdleTimeoutHandler for tracking connection idle state with configurable timeout, activity recording, stream count tracking, and effective timeout computation (minimum of local/remote values). Add Http3ReconnectionPolicy with exponential backoff, max attempt limits, and connection-loss-reason-aware reconnection decisions (protocol errors are not retried). 33 unit tests covering timeout expiry, activity reset, effective timeout computation, backoff progression, and all reconnection scenarios.
Add Http3MaxPushIdHandler to manage MAX_PUSH_ID state for HTTP/3 connections. The handler creates MAX_PUSH_ID frames for the client control stream, enforces the non-decreasing constraint, and validates server push IDs against the current limit. 22 unit tests cover all acceptance criteria.
Add Http3PushPromiseValidator that validates incoming PUSH_PROMISE frames: push ID range checks via Http3MaxPushIdHandler, duplicate push ID detection, and promised request header validation (required pseudo-headers, safe+cacheable method, connection-specific header rejection). 30 unit tests covering all acceptance criteria.
Add Http3CancelPushHandler for managing CANCEL_PUSH frame creation and processing. Supports cancelling unwanted server pushes, validates push IDs against MAX_PUSH_ID limits, and correctly treats unknown push IDs as non-errors per RFC 9114 §7.2.3. Includes 16 unit tests.
…rialization (RFC 9114 §7) Add Http30EncoderStage (FlowShape<Http3Frame, IOutputItem>) that serializes HTTP/3 frames to bytes using MemoryPool<byte> rental and the frame's WriteTo(ref Span<byte>) method. Includes 10 stream tests covering all 7 frame types, empty frames, multi-frame encoding, and round-trip verification against Http3Frame.Serialize().
…serialization (RFC 9114 §7)
…assembly (RFC 9114 §4.1) Assembles HEADERS + DATA frames into HttpResponseMessage with QPACK decoding and content-encoding decompression. 15 stage tests covering status codes, body concatenation, gzip decompression, and edge cases.
…ction-level management (RFC 9114 §6.2.1, §5.2, §7.2.4) Implements bidirectional GraphStage handling control stream frames (SETTINGS/GOAWAY) and routing request-stream frames between app and server. Flow control is delegated to QUIC transport layer per RFC 9000 §4.
…quest-to-frame conversion (RFC 9114 §4.1) Implements Http30Request2FrameStage that converts HttpRequestMessage to Http3Frame sequences using QPACK header compression. Produces HEADERS frames for all requests and DATA frames for request bodies. Unlike HTTP/2, no stream ID is needed (QUIC handles multiplexing).
Replace NotSupportedException stub with complete HTTP/3 Akka.Streams pipeline: Request2Frame → ConnectionStage → EncoderStage (outbound) and DecoderStage → ConnectionStage → StreamStage (inbound), with BatchWeighted consolidation for throughput. Add H3EngineFakeConnectionStage test helper and 5 end-to-end engine tests covering GET/POST round-trips, gzip decompression, SETTINGS emission, and body content preservation.
…e pipeline Wire the http30Factory parameter from Engine.CreateFlow through BuildExtendedPipeline to ProtocolCoreGraphBuilder.Build, completing HTTP/3 version routing. Add EROUTE-005 test verifying HTTP/3 requests are dispatched to Http30Engine.
…C 9114 §3.2) Add validation in QuicClientProvider to reject null/empty hostnames before establishing QUIC connections, ensuring SNI extension is always present in the TLS handshake. Add 11 unit tests covering hostname propagation, missing SNI rejection, ALPN protocol verification, and certificate callback forwarding.
…9114 §10.3 - Enhanced Http3FieldValidator with token character validation (reject spaces, control chars, separators, high-byte chars in field names) and field value validation (reject NUL, CR, LF to prevent response splitting) - Added Http3OriginValidator to reject prohibited origins (userinfo in authority, fragment identifiers in path) - Integrated origin validation into Http3RequestEncoder.Encode() - 20 new unit tests in 29_IntermediaryEncapsulationTests.cs, all passing - Build: 0 errors, 685 RFC9114 tests green
Add Http3PushLimiter to enforce configurable ceiling on server push promises per connection. Exceeding the limit triggers H3_EXCESSIVE_LOAD connection error. Includes RecommendedMaxPushId for aligning MAX_PUSH_ID with the DoS limit. 17 unit tests covering construction, enforcement, integration with Http3PushPromiseValidator, and flood scenarios.
…red (RFC 9114 §9) Fix DecodeAll to filter null frames from unknown types instead of adding nulls to the result list. Add 34 unit tests covering GREASE patterns (0x1f*N+0x21), HTTP/2 reserved frame types, unknown settings preservation, partial reassembly, and mixed known/unknown frame streams.
Wire RFC 9114 §4.2 field validation into the HTTP/3 response header pipeline. Http3FieldValidator.Validate() is now called after QPACK decode and before status/header extraction, rejecting uppercase field names, connection-specific headers, forbidden characters (NUL/CR/LF), and TE with non-trailers values. Added 6 stream tests covering all validation paths.
…Stage Wire Http3OriginValidator.Validate() into Http30Request2FrameStage.OnPush() before request encoding to prevent intermediary encapsulation attacks per RFC 9114 §10.3. CONNECT method detection passes isConnect=true for relaxed path validation. Invalid URIs (userinfo, empty scheme, empty path, fragments) throw Http3ConnectionException which propagates as stage failure.
…ider After QuicConnection.ConnectAsync(), validate server certificate hostname coverage via Http3CertificateValidator.CoversHostname() per RFC 9114 §3.3. Ensures connection coalescing safety with SAN/CN matching and wildcard support. Validation skipped when custom ServerCertificateValidationCallback is configured. On failure, connection is closed and Http3ConnectionException thrown with GeneralProtocolError.
…Stage Wire Http3IdleTimeoutHandler into Http30ConnectionStage to track idle connections per RFC 9114 §5.1. The stage now detects stale QUIC connections via periodic ScheduleOnce timer checks and sends GOAWAY when idle timeout expires with zero active streams.
ConnectionReuseStage now checks response.Version.Major >= 3 and routes HTTP/3 responses to Http3ConnectionReuseEvaluator.Evaluate() instead of the HTTP/1.x ConnectionReuseEvaluator. Parameters (scheme, host, port) are sourced from RequestMessage.RequestUri. serverCertificate and isGoingAway are not yet available in the response context — documented in XML remarks with guidance on how to thread them through the pipeline. HTTP/1.x and HTTP/2 behavior is unchanged (78 existing tests pass).
…PUSH_ID=0) Wire Http3MaxPushIdHandler, Http3PushLimiter, Http3CancelPushHandler, and Http3PushPromiseValidator into Http30ConnectionStage to defensively reject all server pushes per RFC 9114 §10.5. On PreStart, send MAX_PUSH_ID=0 on the control stream; any incoming PUSH_PROMISE triggers ExcessiveLoad error; CANCEL_PUSH frames are recorded via the cancel handler. GOAWAY-state prevents new MAX_PUSH_ID frames by design (only sent once at startup).
…ontrolStream and Http3SettingId Http3SettingsExchange was a thin wrapper around Http3ControlStream with no additional state. Migrated unique methods: ValidateFieldSectionSize and CalculateFieldSectionSize to Http3ControlStream, RejectForbiddenH2Settings to Http3SettingId. All 25 tests in 22_SettingsExchangeTests.cs updated to use the target classes directly.
Add 6 new test files in TurboHttp.StreamTests/RFC9114/ covering field validation, origin validation, certificate validation, idle timeout, connection reuse, and push rejection stages. - 07_Http30FieldValidationStageTests.cs (8 tests) — uppercase rejection, connection-specific headers, TE validation, forbidden chars - 08_Http30OriginValidationStageTests.cs (5 tests) — userinfo rejection, valid URI pass-through - 09_Http30CertificateValidationTests.cs (11 tests) — SAN match, wildcard, CN fallback, reuse evaluator integration - 10_Http30IdleTimeoutStageTests.cs (6 tests) — GOAWAY on idle expiry, timeout disabled, negative timeout, effective timeout - 11_Http30ConnectionReuseTests.cs (6 tests) — HTTP/3 version dispatch, endpoint key, mixed version boundary - 12_Http30PushRejectionStageTests.cs (6 tests) — MAX_PUSH_ID=0 at startup, PUSH_PROMISE ExcessiveLoad, CANCEL_PUSH absorption
All acceptance criteria verified: - Build: 0 errors, 0 warnings - Tests: 2,679/2,681 pass (2 pre-existing failures in HTTP/1.1 infrastructure) - Port naming: 33 stages, 91 ports, 0 violations - Zero Http3SettingsExchange references in production code - All 9 active HTTP/3 handlers integrated in production stages - No new [Obsolete] markers introduced
- Add `SupportsMultipleStreams` default interface property to `IClientProvider` (false for TCP/TLS, true for QUIC) - Refactor `QuicClientProvider.GetStreamAsync()` to use lazy connection establishment via `SemaphoreSlim`-guarded `EnsureConnectedAsync()` - First call connects + opens stream; subsequent calls reuse connection and open new streams - Catch `QuicException` on dead connection, clear connection ref, wrap as reconnectable `InvalidOperationException` - Use `Volatile.Read`/`Volatile.Write` and `Interlocked.CompareExchange` for thread-safe connection field access - Add 13 unit tests covering: SupportsMultipleStreams property (4), SNI validation (2), Close safety (2), RemoteEndPoint (1), multi-stream reuse (1), concurrent thread-safety (1), reconnect on dead connection (1), error wrapping (1)
…tProvider implementations - IClientProvider now extends IAsyncDisposable - QuicClientProvider.DisposeAsync() properly awaits QuicConnection.DisposeAsync() - TcpClientProvider.DisposeAsync() closes socket synchronously (wrapped in ValueTask) - TlsClientProvider.DisposeAsync() awaits SslStream.DisposeAsync() then delegates to TCP - Removed all fire-and-forget `_ = connection.DisposeAsync()` patterns from QuicClientProvider - ClientRunner.PostStop() now calls DisposeAsync() instead of Close() - ValidateCertificateHostname made async to properly await connection disposal on validation failure - Added unit test verifying DisposeAsync completes before actor terminates - Updated all fake IClientProvider implementations in test projects
…exing Add QUIC-aware connection pooling to HostPool and ConnectionActor so HTTP/3 requests multiplex over a single QUIC connection via OpenNewStream messages, while HTTP/1.x and HTTP/2 retain existing direct-handle behavior. Production changes: - ConnectionState: add SupportsMultipleStreams property (true for HTTP/3) - ConnectionActor: add OpenNewStream message, shared provider management, multi-runner lifecycle with BecomeStacked routing, pending stream queue - HostPool: version-aware HandleEnsureHost (QUIC sends OpenNewStream to connection actor), limiter bypass for QUIC, QUIC-aware HandleConnectionReady and ServeQueuedRequesters, suppress extra connection spawns while QUIC connection is still connecting - ClientRunner: skip disposal for shared QUIC providers (SupportsMultipleStreams) - IOActorTestBase: add Key30/QuicOptions, FakeConnectionActor message forwarding Test coverage (14 new tests): - 7 HostPool QUIC tests (QUIC-001 through QUIC-007): spawn, reuse, limiter bypass, HTTP/1.1+HTTP/2 regression, queued requesters, StreamCompleted - 3 ConnectionActor QUIC tests (CQ-001 through CQ-003): OpenNewStream ignored for TCP, message properties, ConnectionReady handle preservation - 4 ConnectionState tests (TASK-9-003-017 through 020): SupportsMultipleStreams for HTTP/1.x/2/3, HTTP/3 MaxConcurrentStreams, HTTP/3 HasAvailableSlot
--- updated-dependencies: - dependency-name: slopwatch.cmd dependency-version: 0.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps Akka.Hosting from 1.5.65 to 1.5.67 Bumps Akka.Streams from 1.5.65 to 1.5.67 Bumps Akka.Streams.TestKit from 1.5.65 to 1.5.67 Bumps Akka.TestKit.Xunit from 1.5.65 to 1.5.67 --- updated-dependencies: - dependency-name: Akka.Hosting dependency-version: 1.5.67 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: akka - dependency-name: Akka.Streams dependency-version: 1.5.67 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: akka - dependency-name: Akka.Streams.TestKit dependency-version: 1.5.67 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: akka - dependency-name: Akka.TestKit.Xunit dependency-version: 1.5.67 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: akka ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
.NET
Contributor
Author
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated Akka.Hosting from 1.5.65 to 1.5.67.
Release notes
Sourced from Akka.Hosting's releases.
1.5.67
1.5.67 April 26th 2026
New Features
WithStrictSerializationhelper — resolves issue #734. AddsWithStrictSerialization(bool enabled = true)extension onAkkaConfigurationBuilderthat setsakka.actor.serialization-settings.allow-unregistered-types = off, disabling the Newtonsoft.Json fallback and throwingSerializationExceptionfor unregistered types.Updates
Commits viewable in compare view.
Updated Akka.Streams from 1.5.65 to 1.5.67.
Release notes
Sourced from Akka.Streams's releases.
1.5.67
1.5.67 April 25th, 2026
Akka.NET v1.5.67 is a hotfix release that reverts a breaking change to the persistence plugin contract introduced in v1.5.66.
Akka.Persistence: Revert async
WriteMessagesAsync/SaveAsyncdispatch (#8163)v1.5.66 added
Task.Yield()insideAsyncWriteJournal.ExecuteBatchandSnapshotStoreto move persistence pluginWriteMessagesAsync/SaveAsynccalls off the actor thread. While this improved throughput in benchmarks, it silently broke the implicit contract that persistence plugins rely on — that the synchronous preamble of these methods executes in actor context.This caused failures in plugins that:
SelfinsideWriteMessagesAsync(e.g. Akka.Persistence.Sql, Akka.Persistence.EventStore) — throwsNotSupportedExceptionoff the actor threadDictionary<string, Task>) — concurrent access from actor thread and thread pool causesInvalidOperationExceptionThis release removes the
Task.Yield()calls and restores the original dispatch behavior. A future version may reintroduce this optimization with a more targeted approach that preserves the plugin threading contract.If you are on v1.5.66, upgrade to v1.5.67 immediately if you use any third-party persistence plugin.
Changes:
This list of changes was auto generated.
1.5.66
1.5.66 April 24th, 2026
Akka.NET v1.5.66 is a significant release with persistence bug fixes, major Akka.Streams improvements including OpenTelemetry trace propagation and non-blocking materialized values, and new serialization security controls.
Akka.Streams: OpenTelemetry Trace Context Propagation
Akka.Streams now propagates
System.Diagnostics.Activitytrace context end-to-end through stream graphs, including across async stage boundaries, fan-in merges, and fan-out broadcasts. This enables full distributed tracing visibility into stream pipelines when using OpenTelemetry.For full documentation, see: https://getakka.net/articles/streams/stream-tracing.html
Akka.Streams: Non-Blocking Materialized-Value TaskCompletionSource
All
TaskCompletionSourceinstances used for materialized values across Akka.Streams now useTaskCreationOptions.RunContinuationsAsynchronously, eliminating potential deadlocks and thread-pool starvation when continuations run synchronously on completion.Akka.Persistence
Akka.Core
New Features
allow-unregistered-typesserialization setting — when set tofalse,FindSerializerForTypethrowsSerializationExceptionif no explicit serializer binding exists, rather than falling back to the default serializer.Documentation
4 contributors since release 1.5.65
To see the full set of changes in Akka.NET v1.5.66, click here.
Changes:
... (truncated)
Commits viewable in compare view.
Updated Akka.Streams.TestKit from 1.5.65 to 1.5.67.
Release notes
Sourced from Akka.Streams.TestKit's releases.
1.5.67
1.5.67 April 25th, 2026
Akka.NET v1.5.67 is a hotfix release that reverts a breaking change to the persistence plugin contract introduced in v1.5.66.
Akka.Persistence: Revert async
WriteMessagesAsync/SaveAsyncdispatch (#8163)v1.5.66 added
Task.Yield()insideAsyncWriteJournal.ExecuteBatchandSnapshotStoreto move persistence pluginWriteMessagesAsync/SaveAsynccalls off the actor thread. While this improved throughput in benchmarks, it silently broke the implicit contract that persistence plugins rely on — that the synchronous preamble of these methods executes in actor context.This caused failures in plugins that:
SelfinsideWriteMessagesAsync(e.g. Akka.Persistence.Sql, Akka.Persistence.EventStore) — throwsNotSupportedExceptionoff the actor threadDictionary<string, Task>) — concurrent access from actor thread and thread pool causesInvalidOperationExceptionThis release removes the
Task.Yield()calls and restores the original dispatch behavior. A future version may reintroduce this optimization with a more targeted approach that preserves the plugin threading contract.If you are on v1.5.66, upgrade to v1.5.67 immediately if you use any third-party persistence plugin.
Changes:
This list of changes was auto generated.
1.5.66
1.5.66 April 24th, 2026
Akka.NET v1.5.66 is a significant release with persistence bug fixes, major Akka.Streams improvements including OpenTelemetry trace propagation and non-blocking materialized values, and new serialization security controls.
Akka.Streams: OpenTelemetry Trace Context Propagation
Akka.Streams now propagates
System.Diagnostics.Activitytrace context end-to-end through stream graphs, including across async stage boundaries, fan-in merges, and fan-out broadcasts. This enables full distributed tracing visibility into stream pipelines when using OpenTelemetry.For full documentation, see: https://getakka.net/articles/streams/stream-tracing.html
Akka.Streams: Non-Blocking Materialized-Value TaskCompletionSource
All
TaskCompletionSourceinstances used for materialized values across Akka.Streams now useTaskCreationOptions.RunContinuationsAsynchronously, eliminating potential deadlocks and thread-pool starvation when continuations run synchronously on completion.Akka.Persistence
Akka.Core
New Features
allow-unregistered-typesserialization setting — when set tofalse,FindSerializerForTypethrowsSerializationExceptionif no explicit serializer binding exists, rather than falling back to the default serializer.Documentation
4 contributors since release 1.5.65
To see the full set of changes in Akka.NET v1.5.66, click here.
Changes:
... (truncated)
Commits viewable in compare view.
Updated Akka.TestKit.Xunit from 1.5.65 to 1.5.67.
Release notes
Sourced from Akka.TestKit.Xunit's releases.
1.5.67
1.5.67 April 25th, 2026
Akka.NET v1.5.67 is a hotfix release that reverts a breaking change to the persistence plugin contract introduced in v1.5.66.
Akka.Persistence: Revert async
WriteMessagesAsync/SaveAsyncdispatch (#8163)v1.5.66 added
Task.Yield()insideAsyncWriteJournal.ExecuteBatchandSnapshotStoreto move persistence pluginWriteMessagesAsync/SaveAsynccalls off the actor thread. While this improved throughput in benchmarks, it silently broke the implicit contract that persistence plugins rely on — that the synchronous preamble of these methods executes in actor context.This caused failures in plugins that:
SelfinsideWriteMessagesAsync(e.g. Akka.Persistence.Sql, Akka.Persistence.EventStore) — throwsNotSupportedExceptionoff the actor threadDictionary<string, Task>) — concurrent access from actor thread and thread pool causesInvalidOperationExceptionThis release removes the
Task.Yield()calls and restores the original dispatch behavior. A future version may reintroduce this optimization with a more targeted approach that preserves the plugin threading contract.If you are on v1.5.66, upgrade to v1.5.67 immediately if you use any third-party persistence plugin.
Changes:
This list of changes was auto generated.
1.5.66
1.5.66 April 24th, 2026
Akka.NET v1.5.66 is a significant release with persistence bug fixes, major Akka.Streams improvements including OpenTelemetry trace propagation and non-blocking materialized values, and new serialization security controls.
Akka.Streams: OpenTelemetry Trace Context Propagation
Akka.Streams now propagates
System.Diagnostics.Activitytrace context end-to-end through stream graphs, including across async stage boundaries, fan-in merges, and fan-out broadcasts. This enables full distributed tracing visibility into stream pipelines when using OpenTelemetry.For full documentation, see: https://getakka.net/articles/streams/stream-tracing.html
Akka.Streams: Non-Blocking Materialized-Value TaskCompletionSource
All
TaskCompletionSourceinstances used for materialized values across Akka.Streams now useTaskCreationOptions.RunContinuationsAsynchronously, eliminating potential deadlocks and thread-pool starvation when continuations run synchronously on completion.Akka.Persistence
Akka.Core
New Features
allow-unregistered-typesserialization setting — when set tofalse,FindSerializerForTypethrowsSerializationExceptionif no explicit serializer binding exists, rather than falling back to the default serializer.Documentation
4 contributors since release 1.5.65
To see the full set of changes in Akka.NET v1.5.66, click here.
Changes:
... (truncated)
Commits viewable in compare view.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions