fix: bump quinn-proto to 0.11.14 to patch CVE-2026-31812 DoS vuln

[Vui-Chee]

Summary

• Bumps quinn-proto from 0.11.13 to 0.11.14 via cargo update --precise
• Resolves dependabot alert #12 (GHSA-6xvm-j4wr-6v98 / CVE-2026-31812)
• No reth or op crates were changed — this is a pure Cargo.lock update

Background

quinn-proto < 0.11.14 panics on attacker-controlled malformed QUIC transport parameters (unwrap() on Err(UnexpectedEnd)), allowing unauthenticated remote DoS with a single UDP packet. The fix is a patch-level bump with no API changes.

Dependency chain: xlayer-builder → libp2p → libp2p-quic → quinn → quinn-proto

[Vui-Chee]

@review

[github-actions]

Claude finished @Vui-Chee's task in 1m 45s —— View job

---

PR Review: fix: bump quinn-proto to 0.11.14 to patch CVE-2026-31812 DoS vuln

• Read repo guidelines
• Analyze Cargo.lock diff
• Verify CVE details and version bump correctness
• Post final review

---

Summary

This PR bumps quinn-proto from 0.11.13 → 0.11.14 via a Cargo.lock-only update to patch CVE-2026-31812 (GHSA-6xvm-j4wr-6v98), a remote DoS vulnerability where an attacker can crash a node with a single malformed UDP packet by triggering a panic via unwrap() on malformed QUIC transport parameters.

Only Cargo.lock is modified — no Cargo.toml, no source files.

---

Diff Analysis

Change 1 — Target fix (correct):

-version = "0.11.13"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+version = "0.11.14"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"

Version and checksum match the published quinn-proto 0.11.14 on crates.io. ✅

Change 2 — Incidental dependency resolution side-effect:

 # data-encoding-macro-internal 0.1.17
-"syn 2.0.117",
+"syn 1.0.109",

data-encoding-macro-internal 0.1.17 switched its resolved syn dependency from 2.x to 1.x. This is a benign dependency resolution artifact from cargo update --precise:

• The package checksum (7ab67060...) is unchanged — the crate itself is identical
• syn 1.0.109 was already present in the lock file (6 other usages); this just adds one more use
• syn 2.x drops from 93 → 92 references; no packages are removed
• data-encoding-macro-internal's own Cargo.toml declares syn = "1", so this is actually the more correct resolution

No issue here. ✅

---

Security Assessment

• Vulnerability is real and patched: quinn-proto < 0.11.14 panics in read_transport_params when encountering malformed QUIC transport parameters, reachable by any unauthenticated peer via a single UDP packet. The fix adds proper error handling instead of unwrap(). The patch-level bump introduces no API changes.
• Dependency chain is accurate: xlayer-builder → libp2p → libp2p-quic → quinn → quinn-proto — the path is plausible and consistent with the lock file.
• No new dependencies introduced: Only the version of an existing transitive dependency changes.
• No secrets, no hardcoded values: N/A for a lock file change.

---

Issues

None. This is a minimal, correct, and well-scoped security patch.

---

Positives

• Correct approach: using cargo update --precise is the right way to patch a transitive dep not listed in any workspace Cargo.toml
• Clear and informative PR description — includes CVE ID, GHSA ID, dependency chain, and rationale
• Zero blast radius: pure lock file update, no behavior changes for any non-QUIC code paths
• Tests are not applicable here (the fix is in the library, not in this repo's logic)

---

Verdict: ✅ LGTM

Safe to merge. No blocking issues.