chore(deps): bump quinn-proto 0.11.14 → 0.11.15 (RUSTSEC-2026-0185) #5562

Merged
proggeramlug merged 1 commit into main from chore/audit-quinn-proto-0.11.15 on Jun 23, 2026

Conversation

@proggeramlug (Contributor)

What

Lockfile-only bump of quinn-proto 0.11.14 → 0.11.15.

Why

The security-audit CI job started failing on every open PR (and main) the moment RUSTSEC-2026-0185 landed in the advisory DB — unrelated to any in-tree code change. The advisory:

  • Crate: quinn-proto v0.11.14
  • Title: Remote memory exhaustion from unbounded out-of-order stream reassembly
  • Solution: Upgrade to >=0.11.15

quinn-proto is a transitive dependency (HTTP/3 path via the reqwest/quinn stack).

How

cargo update -p quinn-proto --precise 0.11.15

Touches only the two Cargo.lock lines (version + checksum) — no other dependency churn.

Verification

Ran cargo audit locally with CI's exact ignore set:

cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2026-0118 --ignore RUSTSEC-2026-0119

→ exit 0, only the 7 pre-existing allowed warnings remain.

Once this lands on main, other open PRs (e.g. #5559) clear the same audit failure on rebase.

Lockfile-only bump to clear the security-audit CI job. quinn-proto
v0.11.14 is vulnerable to remote memory exhaustion from unbounded
out-of-order stream reassembly (RUSTSEC-2026-0185, fix >=0.11.15);
it is a transitive dep via the reqwest/quinn HTTP/3 stack. No other
dependency churn.
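An added defender-side check, not part of this PR or of the quinn project: it parses a Cargo.lock for every pinned copy of a crate and reports the ones below the advisory's first fixed version, because a lockfile can legitimately carry two versions of the same crate and cargo-audit flags each vulnerable copy. The lockfile fragment and its checksum below are constructed placeholders, not the repository's real Cargo.lock.

```shell
#!/bin/sh
# Usage: vulnerable_versions <Cargo.lock> <crate> <first-fixed-version>
# Prints one line per pinned version of <crate> that is older than the fix.
vulnerable_versions() {
    lock=$1; crate=$2; fixed=$3
    # awk walks each [[package]] block, remembers its name, and emits the
    # version line of every block that belongs to the requested crate.
    awk -v crate="$crate" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /         { gsub(/"/, "", $3); name = $3; next }
        /^version = / && name == crate { gsub(/"/, "", $3); print $3 }
    ' "$lock" |
    while read -r v; do
        # A version is vulnerable when it sorts strictly before the fixed
        # version under component-wise numeric ordering (sort -V).
        lowest=$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | head -n 1)
        if [ "$lowest" = "$v" ] && [ "$v" != "$fixed" ]; then
            echo "$v"
        fi
    done
}

# Constructed Cargo.lock fragment: two copies of quinn-proto, one still at
# the advisory version and one already at the fixed version.
LOCK=$(mktemp)
cat > "$LOCK" <<'EOF'
[[package]]
name = "quinn-proto"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "quinn-proto"
version = "0.11.15"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "reqwest"
version = "0.12.0"
EOF

# Threshold taken from the advisory's "Upgrade to >=0.11.15"; prints 0.11.14
vulnerable_versions "$LOCK" quinn-proto 0.11.15
```

Run it against the real Cargo.lock after `cargo update -p quinn-proto --precise 0.11.15`; an empty result means no copy of the crate remains below the fixed version.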
@coderabbitai (Bot) commented Jun 23, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

@proggeramlug proggeramlug merged commit 43cf4d4 into main Jun 23, 2026
15 checks passed
@proggeramlug proggeramlug deleted the chore/audit-quinn-proto-0.11.15 branch June 23, 2026 02:58