Skip to content

[9.3](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#7105

Merged
swiatekm merged 1 commit into
9.3from
mergify/bp/9.3/pr-7100
May 25, 2026
Merged

[9.3](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#7105
swiatekm merged 1 commit into
9.3from
mergify/bp/9.3/pr-7100

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify Bot commented May 25, 2026

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table>

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
This is an automatic backport of pull request #7100 done by [Mergify](https://mergify.com).

@dependabot @mergify
build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 (#7100)
678b9fe 
* build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Post dependabot file modifications

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
(cherry picked from commit cfc9257)
@mergify mergify Bot requested a review from a team as a code owner May 25, 2026 12:25
@mergify mergify Bot added the backport label May 25, 2026
@mergify mergify Bot requested review from lorienhu and macdewee May 25, 2026 12:25
@mergify mergify Bot added the backport label May 25, 2026
@github-actions github-actions Bot added automation dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels May 25, 2026
@mergify mergify Bot mentioned this pull request May 25, 2026
Merged
@swiatekm swiatekm enabled auto-merge (squash) May 25, 2026 12:27
@swiatekm swiatekm merged commit e128356 into 9.3 May 25, 2026
8 checks passed
@swiatekm swiatekm deleted the mergify/bp/9.3/pr-7100 branch May 25, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@swiatekm swiatekm swiatekm approved these changes

@lorienhu lorienhu Awaiting requested review from lorienhu lorienhu is a code owner automatically assigned from elastic/elastic-agent-control-plane

@macdewee macdewee Awaiting requested review from macdewee macdewee is a code owner automatically assigned from elastic/elastic-agent-control-plane

Assignees

No one assigned

Labels

automation backport dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@swiatekm