build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

[dependabot]

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

TL;DR

check-ci failed because this dependency bump changed the module graph, and CI regenerated NOTICE.txt / NOTICE-fips.txt during mage check:ci; those regenerated files were not committed in the PR.

Remediation

• Run mage check:notice on this branch and commit the resulting updates to NOTICE.txt and NOTICE-fips.txt.
• Re-run CI (.buildkite/scripts/check_ci.sh) after committing those files.

Investigation details

Root Cause

check:ci runs Check.Notice before Check.NoChanges (magefile.go lines 640-643). Check.NoChanges then fails if generated files differ from HEAD via git update-index --refresh / git diff-index (magefile.go lines 624-631).

This PR commit only updates go.mod and go.sum (commit 145934d90a49f65374f1f9ab9968f5916fae127f), so the NOTICE artifacts were left stale.

Evidence

• Build: https://buildkite.com/elastic/fleet-server/builds/14868
• Job/step: Run check-ci
• Key log excerpt (/tmp/gh-aw/buildkite-logs/fleet-server-white_check_mark-run-check-ci.txt):
  • diff --git a/NOTICE-fips.txt b/NOTICE-fips.txt showing github.com/go-chi/chi/v5 version change v5.2.5 -> v5.3.0 (lines 67-101)
  • diff --git a/NOTICE.txt b/NOTICE.txt with same version bump (lines 103-137)
  • NOTICE-fips.txt: needs update and NOTICE.txt: needs update (lines 139-142)
  • Error: git update-index failure (line 143)

Verification

Not run locally in this detective workflow (read-only diagnosis from CI artifacts/logs).

Follow-up

No flaky-test signature here; this is deterministic generated-file drift from dependency changes.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7100 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7100 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

@Mergifyio backport 9.4 9.3 8.19

[mergify]

backport 9.4 9.3 8.19

✅ Backports have been created

Details

• #7104 [9.4](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 has been created for branch 9.4 but encountered conflicts

Cherry-pick of cfc9257 has failed:

On branch mergify/bp/9.4/pr-7100
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit cfc9257.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE-fips.txt
	modified:   NOTICE.txt

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

• #7105 [9.3](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 has been created for branch 9.3
• #7106 [8.19](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 has been created for branch 8.19 but encountered conflicts

Cherry-pick of cfc9257 has failed:

On branch mergify/bp/8.19/pr-7100
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit cfc9257.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE-fips.txt
	modified:   NOTICE.txt
	modified:   go.sum

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally