@@ -103,10 +103,10 @@ require (

 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0

 	go.opentelemetry.io/otel/sdk v1.43.0

 	go.opentelemetry.io/otel/trace v1.43.0

-	golang.org/x/net v0.52.0

+	golang.org/x/net v0.53.0

 	golang.org/x/sync v0.20.0

-	golang.org/x/sys v0.42.0

-	golang.org/x/text v0.35.0

+	golang.org/x/sys v0.43.0

+	golang.org/x/text v0.36.0

 	golang.org/x/time v0.15.0

 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9

 	google.golang.org/grpc v1.80.0

@@ -287,10 +287,10 @@ require (

 	go.uber.org/zap v1.27.1 // indirect

 	go.yaml.in/yaml/v2 v2.4.3 // indirect

 	go.yaml.in/yaml/v3 v3.0.4 // indirect

-	golang.org/x/crypto v0.49.0 // indirect

+	golang.org/x/crypto v0.50.0 // indirect

 	golang.org/x/mod v0.34.0 // indirect

 	golang.org/x/oauth2 v0.36.0 // indirect

-	golang.org/x/term v0.41.0 // indirect

+	golang.org/x/term v0.42.0 // indirect

 	golang.org/x/tools v0.43.0 // indirect

 	google.golang.org/api v0.260.0 // indirect

 	google.golang.org/genproto v0.0.0-20260401024825-9d38bb4040a9 // indirect

@@ -904,8 +904,8 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP

 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=

 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=

-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=

-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=

+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=

+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=

 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=

 golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=

 golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=

@@ -939,8 +939,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug

 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=

-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=

-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=

+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=

+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=

 golang.org/x/oauth2 v0.0.0-20170912212905-13449ad91cb2/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=

 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=

 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

@@ -986,15 +986,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=

-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=

+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=

 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=

-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=

-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=

+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=

+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=

 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

@@ -1002,8 +1002,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=

 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=

-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=

-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=

+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=

+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=

 golang.org/x/time v0.0.0-20170424234030-8be79e1e0910/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=

 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=

@@ -586,7 +586,7 @@ func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader

 	// Length of encrypted portion of the packet (header, payload, padding).

 	// Enforce minimum padding and packet size.

-	encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPaddingSize)

+	encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPacketSize)

 	// Enforce block size.

 	encLength = (encLength + effectiveBlockSize - 1) / effectiveBlockSize * effectiveBlockSize

@@ -274,10 +274,14 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA

 	}

 	// Filter algorithms based on those supported by MultiAlgorithmSigner.

+	// Iterate over the signer's algorithms first to preserve its preference order.

+	supportedKeyAlgos := algorithmsForKeyFormat(keyFormat)

 	var keyAlgos []string

-	for _, algo := range algorithmsForKeyFormat(keyFormat) {

-		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {

-			keyAlgos = append(keyAlgos, algo)

+	for _, signerAlgo := range as.Algorithms() {

+		if idx := slices.IndexFunc(supportedKeyAlgos, func(algo string) bool {

+			return underlyingAlgo(algo) == signerAlgo

+		}); idx >= 0 {

+			keyAlgos = append(keyAlgos, supportedKeyAlgos[idx])

 		}

 	}

@@ -6,6 +6,7 @@ package hpack

 import (

 	"fmt"

+	"strings"

 )

 // headerFieldTable implements a list of HeaderFields.

@@ -54,10 +55,16 @@ func (t *headerFieldTable) len() int {

 // addEntry adds a new entry.

 func (t *headerFieldTable) addEntry(f HeaderField) {

+	// Prevent f from escaping to the heap.

+	f2 := HeaderField{

+		Name:      strings.Clone(f.Name),

+		Value:     strings.Clone(f.Value),

+		Sensitive: f.Sensitive,

+	}

 	id := uint64(t.len()) + t.evictCount + 1

-	t.byName[f.Name] = id

-	t.byNameValue[pairNameValue{f.Name, f.Value}] = id

-	t.ents = append(t.ents, f)

+	t.byName[f2.Name] = id

+	t.byNameValue[pairNameValue{f2.Name, f2.Value}] = id

+	t.ents = append(t.ents, f2)

 }

 // evictOldest evicts the n oldest entries in the table.

@@ -718,9 +718,6 @@ func canRetryError(err error) bool {

 }

 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {

-	if t.transportTestHooks != nil {

-		return t.newClientConn(nil, singleUse, nil)

-	}

 	host, _, err := net.SplitHostPort(addr)

 	if err != nil {

 		return nil, err

@@ -2861,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {

 	var seenMaxConcurrentStreams bool

 	err := f.ForeachSetting(func(s Setting) error {

+		if err := s.Valid(); err != nil {

+			return err

+		}

 		switch s.ID {

 		case SettingMaxFrameSize:

 			cc.maxFrameSize = s.Val

@@ -2892,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {

 			cc.henc.SetMaxDynamicTableSize(s.Val)

 			cc.peerMaxHeaderTableSize = s.Val

 		case SettingEnableConnectProtocol:

-			if err := s.Valid(); err != nil {

-				return err

-			}

 			// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,

 			// we require that it do so in the first SETTINGS frame.

 			//

@@ -6,6 +6,8 @@

 package cpu

+import "runtime"

+

 func doinit() {

 	setMinimalFeatures()

@@ -2,7 +2,7 @@

 // Use of this source code is governed by a BSD-style

 // license that can be found in the LICENSE file.

-//go:build !darwin && !linux && !netbsd && !openbsd && !windows && arm64

+//go:build !darwin && !linux && !netbsd && !openbsd && arm64

 package cpu

deleted file mode 100644

@@ -1,42 +0,0 @@

-// Copyright 2026 The Go Authors. All rights reserved.

-// Use of this source code is governed by a BSD-style

-// license that can be found in the LICENSE file.

-

-package cpu

-

-import (

-	"golang.org/x/sys/windows"

-)

-

-func doinit() {

-	// set HasASIMD and HasFP to true as per

-	// https://learn.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=msvc-170#base-requirements

-	//

-	// The ARM64 version of Windows always presupposes that it's running on an ARMv8 or later architecture.

-	// Both floating-point and NEON support are presumed to be present in hardware.

-	//

-	ARM64.HasASIMD = true

-	ARM64.HasFP = true

-

-	if windows.IsProcessorFeaturePresent(windows.PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) {

-		ARM64.HasAES = true

-		ARM64.HasPMULL = true

-		ARM64.HasSHA1 = true

-		ARM64.HasSHA2 = true

-	}

-	ARM64.HasSHA3 = windows.IsProcessorFeaturePresent(windows.PF_ARM_SHA3_INSTRUCTIONS_AVAILABLE)

-	ARM64.HasCRC32 = windows.IsProcessorFeaturePresent(windows.PF_ARM_V8_CRC32_INSTRUCTIONS_AVAILABLE)

-	ARM64.HasSHA512 = windows.IsProcessorFeaturePresent(windows.PF_ARM_SHA512_INSTRUCTIONS_AVAILABLE)

-	ARM64.HasATOMICS = windows.IsProcessorFeaturePresent(windows.PF_ARM_V81_ATOMIC_INSTRUCTIONS_AVAILABLE)

-	if windows.IsProcessorFeaturePresent(windows.PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE) {

-		ARM64.HasASIMDDP = true

-		ARM64.HasASIMDRDM = true

-	}

-	if windows.IsProcessorFeaturePresent(windows.PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE) {

-		ARM64.HasLRCPC = true

-		ARM64.HasSM3 = true

-	}

-	ARM64.HasSVE = windows.IsProcessorFeaturePresent(windows.PF_ARM_SVE_INSTRUCTIONS_AVAILABLE)

-	ARM64.HasSVE2 = windows.IsProcessorFeaturePresent(windows.PF_ARM_SVE2_INSTRUCTIONS_AVAILABLE)

-	ARM64.HasJSCVT = windows.IsProcessorFeaturePresent(windows.PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE)

-}

@@ -163,42 +163,7 @@ func (p *Proc) Addr() uintptr {

 // (according to the semantics of the specific function being called) before consulting

 // the error. The error will be guaranteed to contain windows.Errno.

 func (p *Proc) Call(a ...uintptr) (r1, r2 uintptr, lastErr error) {

-	switch len(a) {

-	case 0:

-		return syscall.Syscall(p.Addr(), uintptr(len(a)), 0, 0, 0)

-	case 1:

-		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], 0, 0)

-	case 2:

-		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], a[1], 0)

-	case 3:

-		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], a[1], a[2])

-	case 4:

-		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], 0, 0)

-	case 5:

-		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], 0)

-	case 6:

-		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5])

-	case 7:

-		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], 0, 0)

-	case 8:

-		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], 0)

-	case 9:

-		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8])

-	case 10:

-		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], 0, 0)

-	case 11:

-		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], 0)

-	case 12:

-		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11])

-	case 13:

-		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], 0, 0)

-	case 14:

-		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], a[13], 0)

-	case 15:

-		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], a[13], a[14])

-	default:

-		panic("Call " + p.Name + " with too many arguments " + itoa(len(a)) + ".")

-	}

+	return syscall.SyscallN(p.Addr(), a...)

 }

 // A LazyDLL implements access to a single DLL.

@@ -1438,13 +1438,17 @@ func GetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformati

 }

 // GetNamedSecurityInfo queries the security information for a given named object and returns the self-relative security

-// descriptor result on the Go heap.

+// descriptor result on the Go heap. The security descriptor might be nil, even when err is nil, if the object exists

+// but has no security descriptor.

 func GetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {

 	var winHeapSD *SECURITY_DESCRIPTOR

 	err = getNamedSecurityInfo(objectName, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)

 	if err != nil {

 		return

 	}

+	if winHeapSD == nil {

+		return nil, nil

+	}

 	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))

 	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil

 }

@@ -1831,7 +1831,7 @@ go.yaml.in/yaml/v2

 # go.yaml.in/yaml/v3 v3.0.4

 ## explicit; go 1.16

 go.yaml.in/yaml/v3

-# golang.org/x/crypto v0.49.0

+# golang.org/x/crypto v0.50.0

 ## explicit; go 1.25.0

 golang.org/x/crypto/argon2

 golang.org/x/crypto/blake2b

@@ -1861,7 +1861,7 @@ golang.org/x/crypto/ssh/internal/bcrypt_pbkdf

 ## explicit; go 1.25.0

 golang.org/x/mod/semver

 golang.org/x/mod/sumdb/note

-# golang.org/x/net v0.52.0

+# golang.org/x/net v0.53.0

 ## explicit; go 1.25.0

 golang.org/x/net/bpf

 golang.org/x/net/context

@@ -1897,7 +1897,7 @@ golang.org/x/sync/errgroup

 golang.org/x/sync/semaphore

 golang.org/x/sync/singleflight

 golang.org/x/sync/syncmap

-# golang.org/x/sys v0.42.0

+# golang.org/x/sys v0.43.0

 ## explicit; go 1.25.0

 golang.org/x/sys/cpu

 golang.org/x/sys/plan9

@@ -1908,10 +1908,10 @@ golang.org/x/sys/windows/svc

 golang.org/x/sys/windows/svc/debug

 golang.org/x/sys/windows/svc/eventlog

 golang.org/x/sys/windows/svc/mgr

-# golang.org/x/term v0.41.0

+# golang.org/x/term v0.42.0

 ## explicit; go 1.25.0

 golang.org/x/term

-# golang.org/x/text v0.35.0

+# golang.org/x/text v0.36.0

 ## explicit; go 1.25.0

 golang.org/x/text/encoding

 golang.org/x/text/encoding/internal