build(deps): bump github.com/envoyproxy/envoy from 1.37.2 to 1.38.0 in /golang-network/simple in the examples-golang-network group #1147

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/golang-network/simple/examples-golang-network-9bd330616b

dependabot[bot] commented on behalf of github on Apr 24, 2026

Bumps the examples-golang-network group in /golang-network/simple with 1 update: github.com/envoyproxy/envoy.

Updates github.com/envoyproxy/envoy from 1.37.2 to 1.38.0

Release notes

Sourced from github.com/envoyproxy/envoy's releases.

v1.38.0

Summary of changes

Breaking changes

  • tcp_proxy: max_early_data_bytes must be set explicitly for upstream_connect_mode values other than IMMEDIATE; missing configurations now fail validation at startup.
  • on_demand: the on-demand filter no longer performs internal redirects after a successful CDS fetch, so earlier filters are not invoked twice (revertible via envoy.reloadable_features.on_demand_cluster_no_recreate_stream).
  • BoringSSL/FIPS: the --define=boringssl=fips flag has been removed; use --config=boringssl-fips.
  • TLS: enforce_rsa_key_usage now defaults to true; the option will be removed in the next release.
  • ext_proc: the processing_effect_lib has moved from extensions/filters/http/ext_proc to extensions/filters/common/processing_effect.

Dynamic modules

  • New extension points: tracers, TLS certificate validators, custom clusters, load balancing policies, input matchers, upstream HTTP-to-TCP bridge, and listener filters with HTTP callouts.
  • Bootstrap extensions gained init-manager integration, drain/shutdown lifecycle hooks, listener-lifecycle callbacks, timer and admin-handler APIs, and metrics support.
  • Network filter callbacks for flow-control and connection state (read_disable, watermarks, half-close, buffer limits, etc.) and persistent read/write buffers across callbacks.
  • Listener-filter socket and TLS introspection (SNI, ALPN, JA3/JA4, SSL SANs/subject) plus write_to_socket/close_socket callbacks enabling Postgres SSL, MySQL, and similar protocol negotiation.
  • Module loading from local file paths and remote HTTP sources (SHA256-verified, cached, with optional NACK-on-cache-miss).
  • Process-wide function and shared-data registries for zero-copy cross-module interactions.
  • Rust SDK: unified declare_all_init_functions! macro for registering any combination of HTTP/network/listener/UDP/bootstrap/access-logger filters, opt-in CatchUnwind panic wrapper, multi-logger support.
  • Custom metrics on load balancers with configurable metrics_namespace, get_host_health_by_address fast path, host-membership update callbacks.
  • ABI forward-compatibility: modules built against the v1.38 SDK can be loaded by a v1.39 Envoy binary.
  • New envoy_dynamic_module_callback_is_validation_mode callback and typed filter-state support.

MCP (Model Context Protocol) and A2A

  • MCP router: full method coverage — resources/list|read|subscribe|unsubscribe, resources/templates/list, prompts/list|get, completion/complete, logging/setLevel, plus notifications/cancelled and notifications/roots/list_changed.
  • SSE streaming support: pass-through for tools/call and fan-out aggregation for tools/list, initialize, resources/list, and prompts/list.
  • MCP filter: HTTP DELETE session termination, relaxed application/json Content-Type matching, optional traceparent/tracestate/baggage propagation from MCP parameters, statistics added to the MCP router, and default metadata namespace changed to envoy.filters.http.mcp.
  • New MCP JSON REST Bridge HTTP filter (work-in-progress) transcoding JSON-RPC to REST, with tools/call request transcoding and session negotiation.
  • Added parsing support for the A2A (Agent2Agent) JSON-RPC protocol.

HTTP, routing and protocol

  • HTTP/2: new max_header_field_size_kb to raise the nghttp2 64 KiB per-header limit; applied the nghttp2 CVE-2026-27135 patch.
  • HTTP/1: optional strict chunked-encoding parsing behind a runtime guard.
  • Optional JSON format for the x-forwarded-client-cert (XFCC) header.
  • New envoy.filters.http.sse_to_metadata filter (extract SSE event values into dynamic metadata, useful for LLM token-usage metrics), with a pluggable envoy.content_parsers.json parser.
  • New envoy.filters.http.file_server filter for serving files directly from disk.
  • Refactored route(), clusterInfo(), and virtualHost() to return OptRef<const T>, with new *SharedPtr() companions.
  • Happy Eyeballs now handles interleaving of non-IP addresses.

TLS, security and authorization

  • TLS certificate compression (RFC 8879) extended: brotli added to QUIC, and both brotli and zlib added to TCP TLS.
  • enforce_rsa_key_usage defaults to true on upstream TLS contexts; the option will be removed next release.
  • On-demand upstream certificate fetching via SDS using the envoy.tls.certificate_selectors.on_demand_secret extension.
  • Exposed verified issuer SHA-256 fingerprint and serial number via %DOWNSTREAM_PEER_ISSUER_FINGERPRINT_256% / %DOWNSTREAM_PEER_ISSUER_SERIAL% and corresponding Lua accessors.
  • Per-connection SPIFFE trust-domain selection for multi-tenant deployments; reduced file-watch overhead and support for watched_directory.
  • ext_authz shadow_mode (decision written to filter state without terminating requests), path_override, honoring status_on_error on 5xx/HTTP-call failures, fix for propagating headers from denied responses.
  • OAuth2 — per-route configuration, TLS_CLIENT_AUTH (RFC 8705 mTLS client auth), OauthExpires cookie cleared on logout, oauth2_encrypt_tokens runtime guard removed (encryption now default, opt-out via disable_token_encryption).
  • RBAC header matcher now validates each header value individually (guarded) to prevent concatenation-based bypasses.
  • Query-parameter values added via query_parameter_mutations are now URL-encoded to prevent injection.
  • OpenSSL can now be used as an alternative to the default BoringSSL (build with --config=openssl Bazel flag); HTTP/3 (QUIC) is disabled and OpenSSL builds are not covered by the Envoy security policy.

... (truncated)

Changelog

Sourced from github.com/envoyproxy/envoy's changelog.

Release Process

Active development

Active development is happening on the main branch, and a new version is released from it.

Stable releases

Stable releases of Envoy include:

  • Major releases in which a new version is created directly from the main branch.
  • Minor releases for versions covered by the extended maintenance window (any version released in the last 12 months).
    • Security fixes backported from the main branch (including those deemed not worthy of creating a CVE).
    • Stability fixes backported from the main branch (anything that can result in a crash, including crashes triggered by a trusted control plane).
    • Bugfixes, deemed worthwhile by the maintainers of stable releases.

Major releases happen quarterly and follow the schedule below. Security fixes typically happen quarterly as well, but this depends on the number and severity of security bugs. Other releases are ad-hoc and best-effort.

Security releases

Critical security fixes are owned by the Envoy security team, which provides fixes for the main branch. Once those fixes are ready, the maintainers of stable releases backport them to the remaining supported stable releases.

Backports

All other security and reliability fixes can be nominated for backporting to stable releases by adding the backport/review label (this can be done using repokitteh's /backport command on PRs).

Only security and reliability fixes are backported, so please consider this before proposing a backport.

Envoy release maintainers will try to review and include any pending proposed backports prior to patch releases. Backports can also be proposed directly, by raising a PR against the relevant release branch, e.g. release/v1.37.

When raising a backport, please raise against all supported branches that are affected.

Backport PRs should pick specific commits from the main branch, and should be kept as specific commits while tracking the upstream release branch, before landing.

For this reason, changes should be managed using rebase rather than merge, and if adjustments are required they should be squashed into the relevant commit.

Release branches are published as part of the security schedule described below, and immediately

... (truncated)

Commits
  • f1dd21b repo: Release v1.38.0
  • e026e46 test: Fix flaky histogram assertion in OpenTelemetry custom conversion test (...
  • 81a09e2 changelogs: Add summary for release v1.38.0 (#44613)
  • ac8ea19 Scone release note (#44610)
  • 3249660 ext_proc: reordering fields to have better alignment ==> reduce RAM usage (#4...
  • a340162 test: disable flaky chained FULL_DUPLEX_STREAMED ext_proc integration tests (...
  • d7bc39f ci/codeql: ignore bundled libc++ headers in CodeQL analysis (#44609)
  • c95e4b5 shared_pool: fix leak when last reference drops on worker thread during dispa...
  • 7a86d60 Scone support for QUIC in envoy (#44543)
  • 7be853f fix uhv underscore header sanitization use-after-free path (#44086)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the examples-golang-network group in /golang-network/simple with 1 update: [github.com/envoyproxy/envoy](https://github.com/envoyproxy/envoy).


Updates `github.com/envoyproxy/envoy` from 1.37.2 to 1.38.0
- [Release notes](https://github.com/envoyproxy/envoy/releases)
- [Changelog](https://github.com/envoyproxy/envoy/blob/main/RELEASES.md)
- [Commits](envoyproxy/envoy@v1.37.2...v1.38.0)

---
updated-dependencies:
- dependency-name: github.com/envoyproxy/envoy
  dependency-version: 1.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: examples-golang-network
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Apr 24, 2026