deps: update nghttp2 to 1.69.0, with fixes for some integration issues

[pimterry]

See #62381 and #60661 for context.

This is a manual dep update due to changes in nghttp2 v1.67.0+ which now treats some stream-level errors as session errors, and internally sends GOAWAY frames to kill the connection (without calling the on_invalid_frame callback). That requires some fixes here to detect those internally triggered GOAWAYs and expose these as HTTP/2 session errors at the end of the core nghttp2 write loop.

Some of these changes will result in user-visible differences to how protocol errors are exposed in Node, moving some error events from the stream to the session, and exposing some errors where previously they were swallowed. After the changes in 1.69.0 (as opposed to 1.67 & 1.68) this only applies to low-level protocol failures like broken flow control or compression failures, not to HTTP validation errors more generally.

This is unfortunate, and in that context it's debatable whether this is a breaking change (new errors from the same traffic) or just a bugfix (we shouldn't silently swallow serious protocol errors) but we can't realistically avoid this if we want to keep nghttp2 up to date, and in some unbundled scenarios the latest nghttp2 will be used regardless. For anything non-trivial this shouldn't cause problems since session errors need to be handled by all applications to deal with existing common production issues like connection resets anyway. The changed behaviour only applies to connections that hit serious protocol errors, and doesn't change anything in normal expected flows.

See the test changes for some examples of how this changes behaviour in practice - the vast majority of h2 tests are unchanged, it's just a couple of specific invalid traffic cases that change. I've also added a new test as well to confirm specifically that we cover the new internally triggered GOAWAYs correctly, and tightened up some checks on the existing tests to confirm everything is working correctly there.

Fixes #60661

[nodejs-github-bot]

Review requested:

• @nodejs/http2
• @nodejs/net
• @nodejs/security-wg

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.60%. Comparing base (a6e8368) to head (425e347).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/node_http2.cc	87.50%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62867      +/-   ##
==========================================
- Coverage   89.62%   89.60%   -0.03%     
==========================================
  Files         706      706              
  Lines      219140   219156      +16     
  Branches    41984    41987       +3     
==========================================
- Hits       196415   196381      -34     
- Misses      14618    14658      +40     
- Partials     8107     8117      +10     

Files with missing lines	Coverage Δ
src/node_http2.h	91.61% <ø> (ø)
src/node_http2.cc	82.13% <87.50%> (+0.04%)	⬆️

... and 30 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.