[9.4](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

[mergify]

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

This is an automatic backport of pull request #7100 done by [Mergify](https://mergify.com).

[mergify]

Cherry-pick of cfc9257 has failed:

On branch mergify/bp/9.4/pr-7100
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit cfc9257.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE-fips.txt
	modified:   NOTICE.txt

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

[swiatekm]

@copilot fix the backport conflict.

[Copilot]

@copilot fix the backport conflict.

Fixed in commit f1a87bf. I resolved the backport conflict markers in go.mod and go.sum, kept the intended github.com/go-chi/chi/v5 bump to v5.3.0, and preserved the 9.4 branch’s unrelated dependency versions.

[github-actions]

TL;DR

All six failed Buildkite jobs are blocked by the same parse error: go.mod in this PR commit contains unresolved merge-conflict markers (<<<<<<<, =======, >>>>>>>). Remove the conflict block and commit a resolved go.mod/go.sum so CI can run.

Remediation

• Resolve the conflict region in go.mod (around line 15) by removing merge markers and keeping the intended dependency versions for this backport.
• Regenerate and commit go.sum after resolution (go mod tidy / repo-standard dependency update flow), then re-run CI.

Investigation details

Root Cause

This is a configuration/merge-conflict failure introduced in the PR commit itself, not an infrastructure or flaky-test issue.

go.mod at PR head commit 7c52b80e7d711f9c2651e8e819971ea3706856c4 contains unresolved conflict markers:

• go.mod line 15: <<<<<<< HEAD
• go.mod line 18: =======
• go.mod line 21: >>>>>>> cfc9257 ...

(From repo://elastic/fleet-server/sha/7c52b80e7d711f9c2651e8e819971ea3706856c4/contents/go.mod.)

Evidence

• Build: https://buildkite.com/elastic/fleet-server/builds/14880
• Jobs/steps impacted:
  • Run check-ci
  • Detect FIPS crypto imports
  • Package x86_64
  • Package x86_64 FIPS
  • Package aarch64
  • Package aarch64 FIPS
• Key log excerpt (present in each failed step):

go: errors parsing go.mod:
go.mod:15: malformed module path "<<<<<<<": invalid char '<'
go.mod:18: usage: require module/path v1.2.3
go.mod:21: usage: require module/path v1.2.3

(Log files: /tmp/gh-aw/buildkite-logs/fleet-server-white_check_mark-run-check-ci.txt, /tmp/gh-aw/buildkite-logs/fleet-server-detect-fips-crypto-imports.txt, and all four package job logs.)

Verification

• Local command execution was not needed to confirm root cause; failure is directly evidenced by Buildkite logs and the PR head go.mod content.

Follow-up

• After conflict resolution, all six jobs should at least proceed past Go module parsing; any subsequent failures (if any) can then be evaluated on their own merits.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• [9.4](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7104 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[ebeahan]

/test