Skip to content

Bump github.com/pires/go-proxyproto from 0.14.0 to 0.15.0#6464

Merged
RPRX merged 1 commit into
mainfrom
dependabot/go_modules/github.com/pires/go-proxyproto-0.15.0
Jul 10, 2026
Merged

Bump github.com/pires/go-proxyproto from 0.14.0 to 0.15.0#6464
RPRX merged 1 commit into
mainfrom
dependabot/go_modules/github.com/pires/go-proxyproto-0.15.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/pires/go-proxyproto from 0.14.0 to 0.15.0.

Release notes

Sourced from github.com/pires/go-proxyproto's releases.

v0.15.0

This release aligns the library with PROXY protocol spec 3.4 (2026/04/27). It tightens parsing and trust behavior to match the spec's requirements — which makes some previously accepted inputs and configurations fail loudly — and adds first-class support for the PROXY protocol over UDP.

⚠️ Breaking changes

The PROXY header is now required by default (2cd5f00e2b3010a0fa64f52f077a20fb304b72fa)

  • A new DefaultPolicy package variable, set to REQUIRE, is applied by NewConn and Listener.Accept when no policy is configured. The spec forbids guessing whether a header is present, so headerless connections now fail their first Read with ErrNoProxyProtocol.
  • To restore the previous lax behavior: proxyproto.DefaultPolicy = proxyproto.USE.
  • TrustProxyHeaderFrom is now strict: trusted peers get REQUIRE and untrusted peers are dropped by Accept with an error wrapping ErrInvalidUpstream. Previously, untrusted headerless clients could slip through as raw connections.

Stricter v1/v2 header parsing per spec 3.4 (5914db81c566830347865256ec22808fc39a0787)

  • v1: the full PROXY token is validated; IPv6 zone IDs are rejected; plain IPv4 addresses in TCP6 lines are rejected (set V1AcceptIPv4InTCP6 for nginx interop); ports are parsed with leading zeros rejected and ranges validated on formatting.
  • v2: the family/transport whitelist now applies to LOCAL commands too, rejecting undefined bytes per spec 2.2. LOCAL headers with a valid address block decode addresses and TLVs and round-trip; ill-fitting ones are normalized to UNSPEC.
  • New MaxV2HeaderSize variable bounds the declared v2 length (default 4096) — raise it if you carry large TLVs such as PP2_SUBTYPE_SSL_CLIENT_CERT.

✨ New features

PROXY protocol over UDP (499ef90567292b68d14248845f4050f5d917fa5e, fixes #79)

  • New ParseUDPDatagram and Header.FormatUDPDatagram implement the spec's per-datagram semantics (header and payload share a single datagram) for use with any net.PacketConn.
  • The library deliberately ships no net.PacketConn wrapper — reply routing needs an application-policy flow table — but examples/udppacketconn is a runnable sketch of that pattern, alongside examples/udpserver and examples/udpclient for the plain paths.

Reworked trust policies (2cd5f00e2b3010a0fa64f52f077a20fb304b72fa)

  • New PolicyFromRanges(ranges, matched, unmatched) and MustPolicyFromRanges supersede the whitelist policy family, which is deprecated and now delegates to them. The (REQUIRE, IGNORE) combination covers mixed proxied/direct traffic the old family couldn't express.
  • New CIDR-capable TrustProxyHeaderFromRanges.
  • All built-in policies wrap address-classification failures in ErrInvalidUpstream, so a single unclassifiable peer can no longer stop an accept loop.

TLV registry and PP2SSL caught up to spec 3.4 (4e80228ed95019bd7cba1d215fb169a008c146f5)

  • Registered() now includes PP2_TYPE_GROUP, PP2_SUBTYPE_SSL_SIG_SCHEME, and PP2_SUBTYPE_SSL_CLIENT_CERT.
  • New PP2SSL accessors: SSLSigAlg, SSLKeyAlg, SSLGroup, SSLSigScheme.

🐛 Fixes

  • Header.EqualsTo no longer panics on nil addresses (5914db81c566830347865256ec22808fc39a0787).
  • formatVersion2 folds TLV length into the declared length for Unix families instead of emitting TLVs past it (5914db81c566830347865256ec22808fc39a0787).

🧪 Testing & CI

  • New fuzz/table suites: exhaustive 256-transport-byte sweeps for both v2 commands, a LOCAL decode matrix, byte-for-byte round-trip stability, and FuzzRead parse–format–reparse invariants (5914db81c566830347865256ec22808fc39a0787).
  • CI gains a fuzz job that auto-discovers fuzz targets and uploads crashers as artifacts; workflow actions bumped across the board (af4b18ccae4375269802ff0831e5edf8c26c33c6).
  • Coverage for the http2 serveConn TLS handshake-failure branch (b01bea45dfd89272ed4ee72c7e7f96c94f1c89fc).

📚 Documentation

  • README rewritten against spec 3.4: new Security section with the spec's trust requirements, a UDP section, an examples table, and warnings about the new REQUIRE default (bd986c0a99dccc91fea506d5a6b8c14c5e0cda7c).
Commits
  • bd986c0 docs: rewrite README against PROXY protocol spec 3.4
  • af4b18c ci: add fuzz job, bump workflow actions
  • b01bea4 test: cover http2 serveConn TLS handshake failure
  • 499ef90 feat: support the PROXY protocol over UDP datagrams
  • 4e80228 feat: catch TLV registry and PP2SSL parsing up to spec 3.4
  • 2cd5f00 feat!: require the PROXY header by default and rework trust policies
  • 5914db8 fix!: align v1/v2 header parsing with PROXY protocol spec 3.4
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) from 0.14.0 to 0.15.0.
- [Release notes](https://github.com/pires/go-proxyproto/releases)
- [Commits](pires/go-proxyproto@v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: github.com/pires/go-proxyproto
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 10, 2026
@RPRX RPRX merged commit e2ad0ac into main Jul 10, 2026
48 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/pires/go-proxyproto-0.15.0 branch July 10, 2026 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant