cloudflare/quiche 0.29.0

🧱 0.29.0

Repository: cloudflare/quiche

Tag: 0.29.0

Published: 2026-06-18T14:10:32Z

Prerelease: no

Release notes: Breaking Changes:

• Removed the openssl and boringssl-vendored features, as well as the vendored BoringSSL source. The default TLS backend is now boringssl-boring-crate.
• The minimum supported Rust version was raised to 1.88.
• `Connection::stream_send_zc()` no longer takes the len argument. Callers now pass the stream ID, buffer, and FIN flag.
• `Stats`, `PathStats`, and `h3::Stats` are now marked #[non_exhaustive], so downstream code should not construct or exhaustively match them.

Highlights:

• Added `Stats::amplification_limited_count` to count sends blocked by the anti-amplification limit.
• Added `PathStats::dgram_lost` to track lost DATAGRAM frames per path.
• Added the C API quiche_config_set_use_initial_max_data_as_flow_control_win().
• Hardened HTTP/3 request-stream frame processing, rejected unsupported push streams on both endpoints, and fixed varint parsing for PRIORITY_UPDATE and PUSH_PROMISE.
• Fixed PTO and loss-detection overflow cases that could cause panics or tight timeout loops.
• Made C FFI *_free(NULL) calls safe, and fixed a source connection ID accounting underflow during connection ID rotation.
• `Config::set_ack_delay_exponent()` now clamps values to RFC 9000's maximum, exposed as `MAX_ACK_DELAY_EXPONENT`.
• Other bug fixes and performance improvements.

Full changelog at 0.28.0...0.29.0