@@ -6,10 +6,7 @@ All loops read from here and write back after execution. State is external, not
66## Dependency Upgrade Loop
77
88### Run History
9- (first run pending)
10-
11- ### Pending
12- - [ ] First run: scan all upgradable dependencies
9+ (first run pending — cron installed, will run at 02:00 daily)
1310
1411### Last Run
1512- Date: N/A
@@ -20,10 +17,7 @@ All loops read from here and write back after execution. State is external, not
2017## CI Fix Loop
2118
2219### Run History
23- (first run pending)
24-
25- ### Pending Human Action
26- (none)
20+ (first run pending — cron installed, will run at 03:00 daily)
2721
2822### Last Run
2923- Date: N/A
@@ -34,7 +28,7 @@ All loops read from here and write back after execution. State is external, not
3428## Issue Triage Loop
3529
3630### Run History
37- (first run pending)
31+ (first run pending — cron installed, will run at 04:00 daily )
3832
3933### Last Run
4034- Date: N/A
@@ -45,7 +39,7 @@ All loops read from here and write back after execution. State is external, not
4539## PR Review Loop
4640
4741### Run History
48- (first run pending)
42+ (first run pending — cron installed, will run at 05:00 daily )
4943
5044### Last Run
5145- Date: N/A
@@ -58,67 +52,38 @@ All loops read from here and write back after execution. State is external, not
5852### Current Baselines
5953- Go stdlib net/http: 2024-09-10 (ad6ee2)
6054- golang.org/x/net/http2: 2024-09-06 (3c333c)
61- - quic-go: v0.57.1
55+ - quic-go: v0.59.0
56+ - utls: v1.8.2
6257
6358### Run History
64- (first run pending)
59+ (first run pending — cron installed, will run at 01:00 daily )
6560
6661### Last Run
6762- Date: N/A
6863- Result: not run
6964
7065---
7166
72- ## Issue Analysis Snapshot (manual, 2026-06-27)
73-
74- ### Priority — Needs Immediate Action
75-
76- | # | Title | Type | Notes |
77- | ---| ------| ------| ------|
78- | #482 | Adapt to quic-go v0.59.0 (ConnectionTracingID removed) | ** modified-code sync·urgent** | quic-go v0.59.0 removed ` ConnectionTracingID ` /` ConnectionTracingKey ` , breaks compilation. PR #485 exists, ** review cautiously** — contributor may not understand modified-code implications. Affects ` internal/http3/transport.go ` , ` client.go ` , ` conn.go ` . Cannot merge directly |
79- | #489 | Security: custom auth header leak on cross-domain redirect | ** security·high** | ` SetCommonHeader ` auth headers (X-API-Key etc.) not stripped on cross-domain redirect. CWE-200, CVSS 7.4. Root cause: ` middleware.go:528-540 ` , ` client.go:334 ` |
80- | #485 | PR: upgrade quic-go to v0.59.0 | ** PR review·caution** | Corresponds to #482 . 260+/124- lines. Removes deprecated API, replaces hijacker callbacks with RawClientConn, fixes SupportsDatagrams check. ** Must manually verify modified-code compatibility** |
81-
82- ### quic-go Related (Caution Required)
83-
84- | # | Title | Notes |
85- | ---| ------| ------|
86- | #460 | Suggest using x/net quic instead of quic-go | Author replied: switch when stdlib matures. Long-term tracking |
87- | #457 | HTTP/3 AddConn and RoundTrip race | ` internal/http3/transport.go ` ` t.newClientConn ` init race, panic under high concurrency. Has repro stacktrace and fix suggestion |
88- | #372 | Does http3 support SetTLSFingerprint? | Feature question, involves HTTP/3 + TLS fingerprint |
89-
90- ### Bug/Performance
91-
92- | # | Title | Notes |
93- | ---| ------| ------|
94- | #495 | dialConn memory overusage | Unlimited connection pool, suggest MaxConnsPerHost default |
95- | #433 | Large file upload buffers entire file in memory | ` middleware.go:122-123 ` multipart CreatePart triggers full buffering, 670MB file uses 1.7GB |
96- | #397 | concurrent map read and map write | ` middleware.go:537 ` parseRequestHeader concurrent read/write of client headers map |
97- | #436 | Retry limit reached but no error returned | Unexpected behavior |
98- | #419 | Keep-alive long connection SetTimeout incorrectly disconnects | |
99- | #416 | ParallelDownload does not close output file | |
100- | #376 | HTTP/2 frequent errors | 9 comments, may involve modified ` internal/http2/ ` |
101-
102- ### Feature Requests
103-
104- | # | Title | Notes |
105- | ---| ------| ------|
106- | #475 | Read retryOption in middleware | |
107- | #473 | Socks4 proxy support | |
108- | #459 /#454 | utls fingerprint update to 133 / Chrome133, Firefox133/135 | utls version upgrade |
109- | #431 | jsonrpc2 support | |
110- | #425 | zstd content encoding support | |
111- | #406 | Response body size limit | |
112- | #404 | Generate cURL debug code | |
113- | #394 | GraphQL request support | |
114- | #369 | SSE (Server-Sent Events) support | |
115-
116- ### Pending PR Review (non-quic-go)
117-
118- | PR | Title | Notes |
119- | ----| ------| ------|
120- | #491 | fix: retry on GOAWAY errors (HTTP/2 cached conn) | Involves modified HTTP/2, verify |
121- | #486 | fix: SetCookieJarFactory return http.CookieJar | Corresponds to #415 |
122- | #478 /#477 | JA3 support / ClientHelloSpec setting | TLS fingerprint related |
123- | #472 | chrome headers accept add application/json | Corresponds to #471 , small change |
124- | #465 | Unmarshal should check error by status-code |
67+ ## Manual Actions Log (2026-06-27)
68+
69+ ### Resolved
70+ - #482 : quic-go v0.59.0 ported (commit 8b018a5, 29f0e6d)
71+ - #489 : SensitiveHeadersRedirectPolicy added (commit b144240)
72+ - #471 /#472 : Chrome accept header add application/json (commit 1e34ab9)
73+ - #415 /#486 : SetCookieJarFactory returns http.CookieJar (commit d702aad)
74+ - #491 : GOAWAY retry on cached HTTP/2 connections (commit 5754208)
75+ - #459 : utls upgraded to v1.8.2 security update (commit dcc8516)
76+ - PR #485 closed (superseded by 8b018a5)
77+ - PR #472 closed (merged as 1e34ab9)
78+ - PR #486 closed (merged as d702aad)
79+ - PR #491 closed (merged as 5754208)
80+
81+ ### Still Open
82+ - PR #478 /#477 : JA3 / ClientHelloSpec support — needs careful review, TLS fingerprint changes
83+ - PR #465 : Unmarshal status-code check — needs review
84+ - #495 : dialConn memory overusage — consider default MaxConnsPerHost
85+ - #433 : Large file upload memory buffering — middleware.go fix needed
86+ - #397 : concurrent map read/write in parseRequestHeader — needs locking
87+ - #457 : HTTP/3 AddConn/RoundTrip race condition
88+ - #376 : HTTP/2 frequent errors (9 comments)
89+ - 50 open issues total, mostly feature requests and usage questions
0 commit comments