
Backport yamux fix#1040

Merged
gilescope merged 6 commits into
release/node-0.22.1from
backport-bump-yamux
Mar 19, 2026

Conversation


@gilescope gilescope commented Mar 19, 2026

Contributor

Overview

Backport fix for yamux vulnerability GHSA-vxx9-2994-q338. A malicious peer could crash a node by sending crafted yamux frames that trigger a panic via checked_add(...).expect(...) overflow in increase_send_window_by.

Changes:

  • Bump yamux 0.13.8 → 0.13.10 (contains the fix)
  • Patch yamux 0.12.1 → 0.12.2 via custom fork (midnightntwrk/rust-yamux) since upstream 0.12.x has no fix
  • Add regression tests verifying the node does not panic on:
    • WindowUpdate with u32::MAX credit (overflow)
    • Oversized Data|SYN frame exceeding default credit
    • Two consecutive WindowUpdates that together overflow

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason: security fix backport
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

  • Additional tests are provided (if possible)

Three regression tests added in node/tests/yamux_vulnerability.rs that reproduce the attack vectors from the advisory and verify the patched yamux handles them gracefully (no panic).

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other:
  • N/A

Links
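The following is an added illustration, not code from this PR, from rust-yamux or from the midnightntwrk fork: a minimal model of a yamux stream's flow-control windows that shows the checked_add(...).expect(...) pattern the advisory describes next to a hardened variant that returns a protocol error, then replays the three regression vectors listed above against it. The 12-byte header layout (version, type, flags, stream id, length; big-endian) and the 256 KiB default credit follow the yamux spec; the StreamWindow type, its methods and the way the oversized Data|SYN frame is checked against the receive window are simplifying assumptions and not how the library is implemented, and the actual fix shipped in yamux 0.13.10 / the 0.12.2 fork may differ.

```rust
// Added example, not code from the PR or from rust-yamux. Header layout and the
// 256 KiB default credit follow the yamux spec; the window bookkeeping below is a
// simplification (assumption), not the library's real implementation.

/// Default per-stream credit in the yamux spec: 256 KiB.
pub const DEFAULT_CREDIT: u32 = 256 * 1024;
pub const TYPE_DATA: u8 = 0;
pub const TYPE_WINDOW_UPDATE: u8 = 1;
pub const FLAG_SYN: u16 = 0x1;

#[derive(Debug, PartialEq, Eq)]
pub enum YamuxError {
    WindowOverflow { current: u32, delta: u32 },    // send window would pass u32::MAX
    FlowControlViolation { window: u32, len: u32 }, // peer sent more than its credit
}

/// Frame header: version(1) type(1) flags(2) stream_id(4) length(4), big-endian.
#[derive(Debug, PartialEq, Eq)]
pub struct Header { pub version: u8, pub typ: u8, pub flags: u16, pub stream_id: u32, pub length: u32 }

pub fn parse_header(b: &[u8]) -> Option<Header> {
    if b.len() < 12 { return None; }
    Some(Header {
        version: b[0], typ: b[1], flags: u16::from_be_bytes([b[2], b[3]]),
        stream_id: u32::from_be_bytes([b[4], b[5], b[6], b[7]]),
        length: u32::from_be_bytes([b[8], b[9], b[10], b[11]]),
    })
}

/// Builds a header the way a malicious peer would: `length` is attacker-controlled.
pub fn encode_header(typ: u8, flags: u16, stream_id: u32, length: u32) -> [u8; 12] {
    let mut h = [0u8; 12];
    h[1] = typ;
    h[2..4].copy_from_slice(&flags.to_be_bytes());
    h[4..8].copy_from_slice(&stream_id.to_be_bytes());
    h[8..12].copy_from_slice(&length.to_be_bytes());
    h
}

#[derive(Debug)]
pub struct StreamWindow { pub send_window: u32, pub recv_window: u32 }

impl StreamWindow {
    pub fn new() -> Self { Self { send_window: DEFAULT_CREDIT, recv_window: DEFAULT_CREDIT } }

    /// The pattern named in the advisory: an attacker-controlled delta reaches
    /// `.expect()`, so one crafted WindowUpdate aborts the whole process.
    pub fn increase_send_window_by_vulnerable(&mut self, delta: u32) {
        self.send_window = self.send_window.checked_add(delta).expect("send window overflow");
    }

    /// Hardened: the overflow becomes an error the connection can act on
    /// (reset the stream or close the session) instead of a panic.
    pub fn increase_send_window_by(&mut self, delta: u32) -> Result<u32, YamuxError> {
        match self.send_window.checked_add(delta) {
            Some(w) => { self.send_window = w; Ok(w) }
            None => Err(YamuxError::WindowOverflow { current: self.send_window, delta }),
        }
    }

    /// Inbound Data frame: reject (never underflow) when the peer exceeds its credit.
    pub fn consume_recv_window(&mut self, len: u32) -> Result<u32, YamuxError> {
        match self.recv_window.checked_sub(len) {
            Some(w) => { self.recv_window = w; Ok(w) }
            None => Err(YamuxError::FlowControlViolation { window: self.recv_window, len }),
        }
    }

    pub fn handle(&mut self, h: &Header) -> Result<(), YamuxError> {
        match h.typ {
            TYPE_WINDOW_UPDATE => self.increase_send_window_by(h.length).map(|_| ()),
            TYPE_DATA => self.consume_recv_window(h.length).map(|_| ()),
            _ => Ok(()), // Ping and GoAway are not modelled here
        }
    }
}

/// True if the vulnerable path panics for this delta (caught so the demo survives).
pub fn vulnerable_panics_on(delta: u32) -> bool {
    let mut w = StreamWindow::new();
    std::panic::catch_unwind(move || w.increase_send_window_by_vulnerable(delta)).is_err()
}

/// Replays the three regression vectors from the PR description (headers constructed
/// inline) against the hardened window: the error each produced, or None if accepted.
pub fn replay_advisory_vectors() -> Vec<Option<YamuxError>> {
    let vectors: Vec<Vec<[u8; 12]>> = vec![
        vec![encode_header(TYPE_WINDOW_UPDATE, 0, 1, u32::MAX)],         // u32::MAX credit
        vec![encode_header(TYPE_DATA, FLAG_SYN, 1, DEFAULT_CREDIT + 1)], // oversized Data|SYN
        vec![encode_header(TYPE_WINDOW_UPDATE, 0, 1, u32::MAX - DEFAULT_CREDIT),
             encode_header(TYPE_WINDOW_UPDATE, 0, 1, 1)],                 // overflow only together
    ];
    vectors.iter().map(|frames| {
        let mut w = StreamWindow::new();
        for bytes in frames {
            if let Some(h) = parse_header(bytes) {
                if let Err(e) = w.handle(&h) { return Some(e); }
            }
        }
        None
    }).collect()
}

fn main() {
    println!("vulnerable path panics on u32::MAX update: {}", vulnerable_panics_on(u32::MAX));
    for (i, r) in replay_advisory_vectors().iter().enumerate() { println!("vector {}: {:?}", i + 1, r); }
}
```

The third vector is the one worth keeping in a regression suite: the first update lands exactly on u32::MAX and is legal on its own, so a check that only rejects a single huge delta still panics on the second frame. Returning the error to the connection layer is what lets the node reset that stream or drop the peer rather than exit.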

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope gilescope requested a review from a team as a code owner March 19, 2026 19:34
@gilescope gilescope merged commit 9ce4578 into release/node-0.22.1 Mar 19, 2026
48 of 50 checks passed
@gilescope gilescope deleted the backport-bump-yamux branch March 19, 2026 21:41
