quinn-proto 0.11.12 in bridge/Cargo.lock vulnerable to CVE-2026-31812 (unauthenticated remote DoS)

[dtjldamien]

Summary

The bundled temporalio/bridge/Cargo.lock pins quinn-proto to v0.11.12, which is affected by CVE-2026-31812 — an unauthenticated remote DoS via panic in QUIC transport parameter parsing.

See: https://github.com/temporalio/sdk-python/blob/main/temporalio/bridge/Cargo.lock

Fix

Updating quinn-proto to >= 0.11.14 resolves the CVE.

[dtjldamien]

looks like this is resolved by #1357