diff --git a/CHANGES b/CHANGES
index 11596a376c..ee598dffd4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+7.2.0-dev.91 | 2025-01-14 18:20:04 +0100
+
+  * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight)
+
+  * Prevent unneeded copies in QUIC C++ helper code (Benjamin Bannier, Corelight)
+
 7.2.0-dev.88 | 2025-01-14 14:39:14 +0000
 
   * Raise warnings when for DNS events that are not raised due to dns_skip_all_addl (Johanna Amann, Corelight)
diff --git a/VERSION b/VERSION
index d711fefdb4..1099700a65 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.2.0-dev.88
+7.2.0-dev.91
diff --git a/auxil/spicy b/auxil/spicy
index 651c6b160a..8c7393744d 160000
--- a/auxil/spicy
+++ b/auxil/spicy
@@ -1 +1 @@
-Subproject commit 651c6b160abaee58f3b379d4737431882af94fe0
+Subproject commit 8c7393744d2aa2e02f73f2b3dff4c2d5a46327d7
diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc
index 9658157962..0eb8ad2277 100644
--- a/src/analyzer/protocol/quic/decrypt_crypto.cc
+++ b/src/analyzer/protocol/quic/decrypt_crypto.cc
@@ -25,7 +25,6 @@ refactors as C++ development is not our main profession.
 #include <cstdint>
 #include <cstdlib>
 #include <memory>
-#include <string>
 #include <vector>
 
 // OpenSSL imports
@@ -366,11 +365,11 @@ public:
                                         0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70, 0x00};
 
         std::vector<HkdfCtxParam> hkdf_ctx_params = {
-            {&hkdf_ctxs.client_in_ctx, CLIENT_INITIAL_INFO},
-            {&hkdf_ctxs.server_in_ctx, SERVER_INITIAL_INFO},
-            {&hkdf_ctxs.key_info_ctx, KEY_INFO},
-            {&hkdf_ctxs.iv_info_ctx, IV_INFO},
-            {&hkdf_ctxs.hp_info_ctx, HP_INFO},
+            {&hkdf_ctxs.client_in_ctx, std::move(CLIENT_INITIAL_INFO)},
+            {&hkdf_ctxs.server_in_ctx, std::move(SERVER_INITIAL_INFO)},
+            {&hkdf_ctxs.key_info_ctx, std::move(KEY_INFO)},
+            {&hkdf_ctxs.iv_info_ctx, std::move(IV_INFO)},
+            {&hkdf_ctxs.hp_info_ctx, std::move(HP_INFO)},
         };
 
         QuicPacketProtection::Initialize(hkdf_ctx_params);
@@ -419,11 +418,11 @@ public:
                                            0x75, 0x69, 0x63, 0x76, 0x32, 0x20, 0x68, 0x70, 0x00};
 
         std::vector<HkdfCtxParam> hkdf_ctx_params = {
-            {&hkdf_ctxs.client_in_ctx, CLIENT_INITIAL_INFO_V2},
-            {&hkdf_ctxs.server_in_ctx, SERVER_INITIAL_INFO_V2},
-            {&hkdf_ctxs.key_info_ctx, KEY_INFO_V2},
-            {&hkdf_ctxs.iv_info_ctx, IV_INFO_V2},
-            {&hkdf_ctxs.hp_info_ctx, HP_INFO_V2},
+            {&hkdf_ctxs.client_in_ctx, std::move(CLIENT_INITIAL_INFO_V2)},
+            {&hkdf_ctxs.server_in_ctx, std::move(SERVER_INITIAL_INFO_V2)},
+            {&hkdf_ctxs.key_info_ctx, std::move(KEY_INFO_V2)},
+            {&hkdf_ctxs.iv_info_ctx, std::move(IV_INFO_V2)},
+            {&hkdf_ctxs.hp_info_ctx, std::move(HP_INFO_V2)},
         };
 
         QuicPacketProtection::Initialize(hkdf_ctx_params);
@@ -483,7 +482,7 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint
     DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, all_data);
 
     // Calculate the correct nonce for the decryption
-    decryptInfo.nonce = calculate_nonce(iv, decryptInfo.packet_number);
+    decryptInfo.nonce = calculate_nonce(std::move(iv), decryptInfo.packet_number);
 
     return decrypt(key, all_data, payload_length, decryptInfo);
 }