build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 by dependabot[bot] · Pull Request #1463 · githedgehog/fabric

dependabot · 2026-05-26T03:21:26Z

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

Use strings.ReplaceAll where applicable by @JRaspass in go-chi/chi#1046

Propagate inline middlewares across mounted subrouters by @LukasJenicek in go-chi/chi#1049

add go 1.26 to ci by @pkieltyka in go-chi/chi#1052

Remove last uses of io/ioutil by @JRaspass in go-chi/chi#1054

Simplify chi.walk with slices.Concat by @JRaspass in go-chi/chi#1053

Apply the stringscutprefix modernizer by @JRaspass in go-chi/chi#1051

Bump minimum Go to 1.23, always use request.Pattern by @JRaspass in go-chi/chi#1048

middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @alliasgher in go-chi/chi#1085

Fix typo in Route doc comment by @gouwazi in go-chi/chi#1073

fix: set Request.Pattern from RoutePattern() by @leno23 in go-chi/chi#1097

feat: middleware.ClientIP, a replacement for middleware.RealIP by @VojtechVitek in go-chi/chi#967

New Contributors

@LukasJenicek made their first contribution in go-chi/chi#1049

@alliasgher made their first contribution in go-chi/chi#1085

@gouwazi made their first contribution in go-chi/chi#1073

@leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)

GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)

GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

go-chi/chi#708

https://adam-p.ca/blog/2022/03/x-forwarded-for/

go-chi/chi#711

go-chi/chi#453

go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:
// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
f975af0 Fix typo in Route doc comment (#1073)
4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
3328d4d Apply the stringscutprefix modernizer (#1051)
be60b2e Simplify chi.walk with slices.Concat (#1053)
a36a925 Remove last uses of io/ioutil (#1054)
7d93ee3 add go 1.26 to ci (#1052)
903cff2 Propagate inline middlewares across mounted subrouters (#1049)
Additional commits viewable in compare view

coderabbitai · 2026-06-09T07:23:37Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 58746fba-4874-4ad6-8042-b02b18cc956b

📥 Commits

Reviewing files that changed from the base of the PR and between aa18de8 and fca3f7a.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (15)

go.mod
pkg/boot/server/middleware.go
pkg/boot/server/server.go
vendor/github.com/go-chi/chi/v5/README.md
vendor/github.com/go-chi/chi/v5/chi.go
vendor/github.com/go-chi/chi/v5/middleware/client_ip.go
vendor/github.com/go-chi/chi/v5/middleware/compress.go
vendor/github.com/go-chi/chi/v5/middleware/logger.go
vendor/github.com/go-chi/chi/v5/middleware/realip.go
vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go
vendor/github.com/go-chi/chi/v5/mux.go
vendor/github.com/go-chi/chi/v5/pattern.go
vendor/github.com/go-chi/chi/v5/pattern_fallback.go
vendor/github.com/go-chi/chi/v5/tree.go
vendor/modules.txt

💤 Files with no reviewable changes (2)

vendor/github.com/go-chi/chi/v5/pattern_fallback.go
vendor/github.com/go-chi/chi/v5/pattern.go

✅ Files skipped from review due to trivial changes (3)

pkg/boot/server/middleware.go
vendor/github.com/go-chi/chi/v5/chi.go
vendor/modules.txt

🚧 Files skipped from review as they are similar to previous changes (9)

go.mod
vendor/github.com/go-chi/chi/v5/middleware/realip.go
vendor/github.com/go-chi/chi/v5/middleware/logger.go
vendor/github.com/go-chi/chi/v5/middleware/compress.go
vendor/github.com/go-chi/chi/v5/README.md
vendor/github.com/go-chi/chi/v5/tree.go
vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go
vendor/github.com/go-chi/chi/v5/mux.go
vendor/github.com/go-chi/chi/v5/middleware/client_ip.go

📝 Walkthrough

Walkthrough

chi HTTP router library updated to v5.3.0 with new client IP extraction middlewares supporting header-based and X-Forwarded-For traversal with CIDR validation. Logger middleware now integrates the new client IP functions. Router pattern handling simplified for Go 1.23+. Documentation expanded; RealIP marked deprecated.

Changes

chi v5.3.0 Upgrade

Layer / File(s)	Summary
Module version updates `go.mod`, `vendor/modules.txt`	Dependency bumped from v5.2.5 to v5.3.0, with declared Go version updated to 1.23.
New client IP middleware implementation `vendor/github.com/go-chi/chi/v5/middleware/client_ip.go`	Four middleware constructors extract client IP from headers (ClientIPFromHeader), X-Forwarded-For with CIDR validation (ClientIPFromXFF), XFF with hop count (ClientIPFromXFFTrustedProxies), or RemoteAddr (ClientIPFromRemoteAddr). Accessor functions GetClientIP and GetClientIPAddr retrieve stored IPs from context. Helpers provide lazy XFF traversal, CIDR membership testing, and IPv6 normalization.
Client IP middleware documentation `vendor/github.com/go-chi/chi/v5/README.md`	README updated with deprecation notice for RealIP, new core middleware entries, comprehensive selection guide with topology-based recommendations, and reference definitions for all new middleware and accessor functions.
Logger middleware integrates client IP `vendor/github.com/go-chi/chi/v5/middleware/logger.go`	DefaultLogFormatter caches request context and uses GetClientIP(ctx) with fallback to r.RemoteAddr instead of always using RemoteAddr.
Router pattern and middleware infrastructure updates `vendor/github.com/go-chi/chi/v5/mux.go`, `vendor/github.com/go-chi/chi/v5/tree.go`	mux.go sets r.Pattern directly from rctx.RoutePattern() without conditional pattern support checks. tree.go updates middleware aggregation to use slices.Concat, extends middleware from ChainHandler on wildcard routes, and normalizes route paths via strings.ReplaceAll.
Middleware fixes and deprecations `vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go`, `vendor/github.com/go-chi/chi/v5/middleware/compress.go`, `vendor/github.com/go-chi/chi/v5/middleware/realip.go`, `vendor/github.com/go-chi/chi/v5/chi.go`	wrap_writer.go fixes byte double-counting in ReadFrom by routing through basicWriter.Write. compress.go refactors wildcard content-type parsing with strings.CutSuffix. realip.go adds deprecation notice with spoofing vulnerability warning. chi.go corrects Route comment backtick formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A router leaps to version three,
With client IPs extracted gracefully,
No more RemoteAddr mutation strife,
New middlewares for proxy life!
Chi hops forward, deprecated old ways,
Normalized addresses bright the days. 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 78.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping the go-chi/chi/v5 dependency from version 5.2.5 to 5.3.0.
Description check	✅ Passed	The description is directly related to the changeset, providing release notes and context for the dependency update, including security improvements and new features in v5.3.0.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@vendor/github.com/go-chi/chi/v5/README.md`:
- Around line 382-387: The README links for ClientIPFromHeader, ClientIPFromXFF,
ClientIPFromXFFTrustedProxies, ClientIPFromRemoteAddr, GetClientIP and
GetClientIPAddr point to github.com/go-chi/chi/middleware but these symbols live
under the v5 module path; update each pkg.go.dev URL in
vendor/github.com/go-chi/chi/v5/README.md to include /v5/ (e.g. change
.../github.com/go-chi/chi/middleware#... to
.../github.com/go-chi/chi/v5/middleware#...) so the anchors resolve to the
correct v5 documentation for the listed symbols.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 141a629b-fba5-41c8-a3dc-530789b3df6f

📥 Commits

Reviewing files that changed from the base of the PR and between 5c52939 and 4e41347.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (13)

go.mod
vendor/github.com/go-chi/chi/v5/README.md
vendor/github.com/go-chi/chi/v5/chi.go
vendor/github.com/go-chi/chi/v5/middleware/client_ip.go
vendor/github.com/go-chi/chi/v5/middleware/compress.go
vendor/github.com/go-chi/chi/v5/middleware/logger.go
vendor/github.com/go-chi/chi/v5/middleware/realip.go
vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go
vendor/github.com/go-chi/chi/v5/mux.go
vendor/github.com/go-chi/chi/v5/pattern.go
vendor/github.com/go-chi/chi/v5/pattern_fallback.go
vendor/github.com/go-chi/chi/v5/tree.go
vendor/modules.txt

💤 Files with no reviewable changes (2)

vendor/github.com/go-chi/chi/v5/pattern_fallback.go
vendor/github.com/go-chi/chi/v5/pattern.go

Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0. - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](go-chi/chi@v5.2.5...v5.3.0) --- updated-dependencies: - dependency-name: github.com/go-chi/chi/v5 dependency-version: 5.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Sergei Lukianov <me@slukjanov.name>

chi 5.3.0 deprecated RealIP for IP-spoofing reasons. The boot server binds directly to ControlVIP with no proxy in front, so use ClientIPFromRemoteAddr and read the client IP via GetClientIP in the request logger. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Sergei Lukianov <me@slukjanov.name>

github-actions · 2026-06-12T15:31:49Z

🚀 Temp artifacts published: v0-fca3f7af8 🚀

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 26, 2026

dependabot Bot requested a review from a team as a code owner May 26, 2026 03:21

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 26, 2026

Frostman previously approved these changes May 26, 2026

View reviewed changes

Frostman self-requested a review May 26, 2026 15:40

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch 2 times, most recently from 81871c9 to 4e41347 Compare June 9, 2026 07:23

coderabbitai Bot reviewed Jun 9, 2026

View reviewed changes

Comment thread vendor/github.com/go-chi/chi/v5/README.md

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 4e41347 to aa18de8 Compare June 10, 2026 18:30

Frostman dismissed their stale review via e25214b June 12, 2026 15:22

Frostman force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from aa18de8 to e25214b Compare June 12, 2026 15:22

Frostman requested a review from a team as a code owner June 12, 2026 15:22

Frostman force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from e25214b to 070195d Compare June 12, 2026 15:23

Frostman force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 070195d to fca3f7a Compare June 12, 2026 15:24

Frostman merged commit b6f9d6f into master Jun 12, 2026
23 checks passed

Frostman deleted the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch June 12, 2026 16:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#1463

build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#1463
Frostman merged 2 commits into
masterfrom
dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0

dependabot Bot commented on behalf of github May 26, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Jun 9, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

❌ Failed checks (1 warning)

Uh oh!

coderabbitai Bot left a comment

Uh oh!

Uh oh!

github-actions Bot commented Jun 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 26, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

Why a new middleware (not "fix RealIP in place")

The new API

Uh oh!

coderabbitai Bot commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

❌ Failed checks (1 warning)

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

github-actions Bot commented Jun 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github May 26, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 9, 2026 •

edited

Loading