Skip to content

deps: bump github.com/imroc/req/v3 from 3.57.0 to 3.59.0#164

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/imroc/req/v3-3.59.0
Open

deps: bump github.com/imroc/req/v3 from 3.57.0 to 3.59.0#164
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/imroc/req/v3-3.59.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown

Bumps github.com/imroc/req/v3 from 3.57.0 to 3.59.0.

Release notes

Sourced from github.com/imroc/req/v3's releases.

v3.59.0 Release

Breaking Changes

  • Go 1.25+ required — quic-go v0.60.0 drops Go 1.24 support. The go directive in go.mod is now 1.25.0, and CI tests against Go 1.25.x and 1.26.x. Users on Go 1.24 should stay on v3.58.0.

Dependencies

  • Port quic-go v0.60.0 — full sync of all http3 changes from quic-go v0.59.0 → v0.60.0 into req's vendored internal/http3/:
    • Fix QuaterStreamIDQuarterStreamID field rename in qlog DatagramCreated / DatagramParsed (compile error with quic-go v0.60.0). Fixes #500.
    • Extract validateHeaderFieldNameAndValue, validateRegularHeaderField, validateTrailerHeaderField helper functions in headers.go
    • parseTrailers: add sizeLimit parameter with per-field size accounting and errHeaderTooLarge check
    • Add validExtendedConnectProtocol function (RFC 9220) and validate extended CONNECT :protocol in request_writer.go
    • Use strings.SplitSeq in extractAnnouncedTrailers

v3.58.0 Release

New Features

  • Add SetTLSFingerprintSpec for custom ClientHelloSpec support — accepts a *utls.ClientHelloSpec for fine-grained TLS fingerprint customization (JA3/JA4). Closes #477, #478.
  • Add SensitiveHeadersRedirectPolicy — strips custom auth headers (e.g. X-API-Key, X-Auth-Token) on cross-domain redirects to prevent credential leakage (CWE-200). Fixes #489.
  • Port quic-go v0.59.0 — aligns with quic-go v0.59.0 breaking changes: removes deprecated ConnectionTracingID/ConnectionTracingKey, removes stream hijacking API, replaces handleUnidirectionalStreams with per-stream callback, adds RawClientConn for fine-grained stream control, adds HandleBidirectionalStream (closes conn per RFC 9114), fixes SupportsDatagramsSupportsDatagrams.Remote. Fixes #482.

Bug Fixes

  • Unmarshal returns error on error status codes — now checks IsErrorState() before deserializing, preventing 4xx/5xx response bodies from being deserialized into target structs. Closes #465.
  • Retry on GOAWAY errors with cached HTTP/2 connectionsRoundTripOnlyCachedConn now falls through to create a new connection instead of returning errClientConnGotGoAway directly. Closes #491.
  • SetCookieJarFactory returns http.CookieJar interface — changes return type from *cookiejar.Jar to http.CookieJar, allowing custom cookie jar implementations. Closes #415.
  • Add application/json to Chrome impersonate accept header — matches Chrome's actual accept header for API requests expecting JSON. Closes #471.

Dependencies

  • Upgrade utls to v1.8.2 — security update from v1.8.1. Addresses #459.

Tests

  • Add comprehensive unit tests for HTTP/3 frames, headers, transport, and dump.
  • Add automated test gate infrastructure.
Commits
  • 57c9644 Merge pull request #501 from imroc/fix/quic-go-v0.60.0-compat
  • 6fd2554 docs: add mandatory upstream sync checklist to CODEBUDDY.md
  • 4c460fd Sync remaining http3 changes from quic-go v0.60.0
  • eb3e237 port quic-go v0.60.0: fix QuarterStreamID field rename
  • 5fec0ab feat: add project-level release skill for GitHub release workflow
  • 5ea6a44 fix: use $HOME instead of hardcoded /root in scripts
  • 1705272 update issue triage loop state: 2026-06-29 run 2 — all 10 issues already labe...
  • 1d9714a Update STATE.md: issue triage loop 2026-06-29
  • 1cb5c61 fix: cron PATH and persistent crontab for devcontainer
  • 19c0a70 feat: add SetTLSFingerprintSpec for custom ClientHelloSpec support
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/imroc/req/v3](https://github.com/imroc/req) from 3.57.0 to 3.59.0.
- [Release notes](https://github.com/imroc/req/releases)
- [Commits](imroc/req@v3.57.0...v3.59.0)

---
updated-dependencies:
- dependency-name: github.com/imroc/req/v3
  dependency-version: 3.59.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants