
fix: audit test failures#1099

Merged
joeyzhao2018 merged 3 commits into main from joey/fix-audit
Mar 13, 2026

Conversation


@joeyzhao2018 joeyzhao2018 commented Mar 13, 2026

Summary

Resolves a critical security advisory in a transitive dependency.

RUSTSEC-2026-0037 — quinn-proto Denial of Service

Receiving QUIC transport parameters containing invalid values could lead to a panic due to unwrap() calls in the transport parameters parsing code.
CVSS 4.0 score: High (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H)

Root cause

quinn-proto 0.11.13 was pulled in transitively via:

reqwest → quinn → quinn-proto

Fix

Bumped quinn-proto from 0.11.13 to 0.11.14 (the patched version) by running:

cargo update quinn-proto

Only Cargo.lock is changed — no direct dependency declarations needed updating since quinn-proto is a transitive dep.

Notes

The audit also reported 6 unmaintained warnings (async-std, buf_redux, multipart, rustls-pemfile, safemem, twoway). These are informational only and did not cause the CI failure — they have no patched versions available and are tracked separately.

What actually happened with itertools:

quinn-proto 0.11.13 depended on itertools 0.13.0. quinn-proto 0.11.14 dropped that dependency entirely. itertools 0.13.0 was removed from the lock file because nothing else needs it anymore.
bindgen also uses itertools, but its version constraint accepts ^0.11. While 0.13.0 was present (shared with quinn-proto), cargo resolved bindgen to use it. Once 0.13.0 was gone, cargo resolved bindgen to 0.11.0 — which was already in the lock file for some other crate, so it's just re-using what's there. This isn't a real downgrade for bindgen; 0.11.0 is fully within its declared constraint.

Why not itertools 0.14.0?

cargo update quinn-proto is deliberately minimal — it only changes what's necessary to resolve quinn-proto's update and nothing else. It won't opportunistically upgrade unrelated crates like itertools for bindgen. To get 0.14.0 you'd need to run cargo update itertools separately, but that's a separate concern and would need its own testing/review.

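The lock-file check this fix depends on, as an added example that is not code from the PR or the project: a small POSIX shell script that reads a Cargo.lock, extracts every locked version of a named crate and asserts it is at or above the patched release, so CI can fail on a transitive dependency like quinn-proto 0.11.13 without a network call. The embedded Cargo.lock excerpts are constructed for illustration; only the quinn-proto versions 0.11.13 and 0.11.14 come from the PR, and every other crate name and version number in them is made up. The function names and the version comparison (numeric major.minor.patch, pre-release suffix ignored) are this example's own, not cargo's.

```shell
#!/bin/sh
# Added example: assert that a crate locked in Cargo.lock is at or above a
# patched release. Not part of the PR or the project; cargo audit remains the
# authoritative check, this is a quick lock-file guard for CI.

# Constructed Cargo.lock excerpts. Only the quinn-proto versions (0.11.13
# vulnerable, 0.11.14 patched) come from the advisory; every other name and
# version number here is made up for illustration.
LOCK_FIXED=$(mktemp)
LOCK_VULN=$(mktemp)
trap 'rm -f "$LOCK_FIXED" "$LOCK_VULN"' EXIT

cat > "$LOCK_FIXED" <<'EOF'
[[package]]
name = "quinn"
version = "0.11.6"
dependencies = [
 "quinn-proto",
]

[[package]]
name = "quinn-proto"
version = "0.11.14"

[[package]]
name = "itertools"
version = "0.11.0"
EOF

# Same lock file before the fix: quinn-proto still at 0.11.13.
sed 's/^version = "0.11.14"$/version = "0.11.13"/' "$LOCK_FIXED" > "$LOCK_VULN"

# locked_version LOCKFILE CRATE
# Prints every version of CRATE recorded in LOCKFILE, one per line. A crate
# can be locked at several versions at once, so all of them are reported.
# The name is matched exactly, so "quinn" does not match "quinn-proto".
locked_version() {
    awk -v want="$2" '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3
                             if (name == want) print ver }
    ' "$1"
}

# version_ge A B
# Returns 0 when A >= B, comparing major.minor.patch numerically.
# Pre-release/build suffixes are stripped, which is a simplification: a
# pre-release of 0.11.14 is treated as 0.11.14 here, unlike real semver.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_patched LOCKFILE CRATE MIN_VERSION
# Exit 0 if every locked version of CRATE is >= MIN_VERSION,
# 1 if any locked version is older, 2 if CRATE is not in the lock file
# (so a crate disappearing is not silently treated as fixed).
check_patched() {
    lock=$1; crate=$2; min=$3
    versions=$(locked_version "$lock" "$crate")
    if [ -z "$versions" ]; then
        echo "$crate: not present in $lock"
        return 2
    fi
    status=0
    for v in $versions; do
        if version_ge "$v" "$min"; then
            echo "$crate $v >= $min: ok"
        else
            echo "$crate $v < $min: VULNERABLE, run: cargo update $crate"
            status=1
        fi
    done
    return $status
}

# Demo: the patched lock file passes, the pre-fix one is rejected.
check_patched "$LOCK_FIXED" quinn-proto 0.11.14
if check_patched "$LOCK_VULN" quinn-proto 0.11.14; then
    echo "unexpected: vulnerable lock file passed"
else
    echo "pre-fix lock file correctly rejected"
fi
```

In CI the call is simply `check_patched Cargo.lock quinn-proto 0.11.14` against the real lock file. It returns a distinct status when the crate is absent on purpose: after `cargo update` a dependency can vanish from the lock file entirely (as itertools 0.13.0 did in this PR), and that should be noticed rather than counted as patched.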
@joeyzhao2018 joeyzhao2018 changed the title from "fake change" to "fix: audit test failures" Mar 13, 2026
@joeyzhao2018 joeyzhao2018 marked this pull request as ready for review March 13, 2026 15:44
@joeyzhao2018 joeyzhao2018 requested a review from a team as a code owner March 13, 2026 15:44
@joeyzhao2018 joeyzhao2018 merged commit e1f5763 into main Mar 13, 2026
50 checks passed
@joeyzhao2018 joeyzhao2018 deleted the joey/fix-audit branch March 13, 2026 16:31