build(deps): bump macbre/nginx-http3 from 1.29.3 to 1.29.5

[dependabot]

Bumps macbre/nginx-http3 from 1.29.3 to 1.29.5.

Release notes

Sourced from macbre/nginx-http3's releases.

nginx 1.29.5

Changes with nginx 1.29.5                                        04 Feb 2026
*) Security: an attacker might inject plain text data in the response
   from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC

or HTTP/2 backend.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to

the next upstream.
*) Bugfix: a response with multiple ranges might be larger than the

source response.
*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and

uwsgi backends.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
*) Change: the logging level of the "ech_required" SSL error has been

lowered from "crit" to "info".

nginx 1.29.4

Changes with nginx 1.29.4                                        09 Dec 2025
*) Feature: the ngx_http_proxy_module supports HTTP/2.
*) Feature: Encrypted ClientHello TLS extension support when using

OpenSSL ECH feature branch; the "ssl_ech_file" directive.

Thanks to Stephen Farrell.
*) Change: validation of host and port in the request line, "Host"

header field, and ":authority" pseudo-header field has been changed

to follow RFC 3986.
*) Change: now a single LF used as a line terminator in a chunked

request or response body is considered an error.
*) Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation

fault might occur in a worker process; the bug had appeared in

1.29.1.

Thanks to Jan Svojanovsky.
*) Bugfix: a segmentation fault might occur in a worker process if the

"try_files" directive and "proxy_pass" with a URI were used.

Commits

• dfe798f nginx 1.29.5 (#181)
• e503d19 Update njs to version 0.9.5 (#179)
• c7f76ce Dockerfile: v1.29.4 + clone from the git repository (#178)
• 8413ac5 Bump actions/checkout from 5 to 6 (#177)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)