Commit a239a22

deps: bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 (#2396)
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-chi/chi/releases">github.com/go-chi/chi/v5's releases</a>.</em></p> <blockquote> <h2>v5.3.0</h2> <h2>What's Changed</h2> <ul> <li>Use strings.ReplaceAll where applicable by <a href="https://github.com/JRaspass"><code>@​JRaspass</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1046">go-chi/chi#1046</a></li> <li>Propagate inline middlewares across mounted subrouters by <a href="https://github.com/LukasJenicek"><code>@​LukasJenicek</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1049">go-chi/chi#1049</a></li> <li>add go 1.26 to ci by <a href="https://github.com/pkieltyka"><code>@​pkieltyka</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1052">go-chi/chi#1052</a></li> <li>Remove last uses of io/ioutil by <a href="https://github.com/JRaspass"><code>@​JRaspass</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1054">go-chi/chi#1054</a></li> <li>Simplify chi.walk with slices.Concat by <a href="https://github.com/JRaspass"><code>@​JRaspass</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1053">go-chi/chi#1053</a></li> <li>Apply the stringscutprefix modernizer by <a href="https://github.com/JRaspass"><code>@​JRaspass</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1051">go-chi/chi#1051</a></li> <li>Bump minimum Go to 1.23, always use request.Pattern by <a href="https://github.com/JRaspass"><code>@​JRaspass</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1048">go-chi/chi#1048</a></li> <li>middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by <a href="https://github.com/alliasgher"><code>@​alliasgher</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1085">go-chi/chi#1085</a></li> <li>Fix typo in Route doc comment by <a 
href="https://github.com/gouwazi"><code>@​gouwazi</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1073">go-chi/chi#1073</a></li> <li>fix: set Request.Pattern from RoutePattern() by <a href="https://github.com/leno23"><code>@​leno23</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/1097">go-chi/chi#1097</a></li> <li>feat: middleware.ClientIP, a replacement for middleware.RealIP by <a href="https://github.com/VojtechVitek"><code>@​VojtechVitek</code></a> in <a href="https://redirect.github.com/go-chi/chi/pull/967">go-chi/chi#967</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/LukasJenicek"><code>@​LukasJenicek</code></a> made their first contribution in <a href="https://redirect.github.com/go-chi/chi/pull/1049">go-chi/chi#1049</a></li> <li><a href="https://github.com/alliasgher"><code>@​alliasgher</code></a> made their first contribution in <a href="https://redirect.github.com/go-chi/chi/pull/1085">go-chi/chi#1085</a></li> <li><a href="https://github.com/gouwazi"><code>@​gouwazi</code></a> made their first contribution in <a href="https://redirect.github.com/go-chi/chi/pull/1073">go-chi/chi#1073</a></li> <li><a href="https://github.com/leno23"><code>@​leno23</code></a> made their first contribution in <a href="https://redirect.github.com/go-chi/chi/pull/1097">go-chi/chi#1097</a></li> </ul> <h2>SECURITY: middleware.ClientIP, a replacement for middleware.RealIP</h2> <p><a href="https://github.com/VojtechVitek"><code>@​VojtechVitek</code></a> submitted PR <a href="https://redirect.github.com/go-chi/chi/issues/967">#967</a>, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:</p> <ul> <li><a href="https://github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf">GHSA-9g5q-2w5x-hmxf</a> — IP spoofing via XFF in <code>RemoteAddr</code> resolution (convto)</li> <li><a 
href="https://github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp">GHSA-rjr7-jggh-pgcp</a> — RealIP allows IP spoofing via unvalidated XFF (rezmoss)</li> <li><a href="https://github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx">GHSA-3fxj-6jh8-hvhx</a> — IP spoofing in <code>middleware.RealIP</code> (Saku0512, Critical / 9.3)</li> </ul> <p>It also addresses issues outlined at:</p> <ul> <li><a href="https://redirect.github.com/go-chi/chi/issues/708">go-chi/chi#708</a></li> <li><a href="https://adam-p.ca/blog/2022/03/x-forwarded-for/">https://adam-p.ca/blog/2022/03/x-forwarded-for/</a></li> <li><a href="https://redirect.github.com/go-chi/chi/issues/711">go-chi/chi#711</a></li> <li><a href="https://redirect.github.com/go-chi/chi/issues/453">go-chi/chi#453</a></li> <li><a href="https://redirect.github.com/go-chi/chi/pull/908">go-chi/chi#908</a></li> </ul> <p><code>middleware.RealIP</code> is deprecated in this PR with pointers to the new API.</p> <p>The deprecation only adds a <code>// Deprecated:</code> doc comment; the function keeps working for backward compatibility.</p> <h3>Why a new middleware (not &quot;fix RealIP in place&quot;)</h3> <p><code>RealIP</code> has two unfixable design choices: it mutates <code>r.RemoteAddr</code>, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per <a href="https://adam-p.ca/blog/2022/03/x-forwarded-for/">adam-p's &quot;The perils of the 'real' client IP&quot;</a> (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.</p> <h3>The new API</h3> <p>Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:</p> <pre lang="go"><code>// One of the four. There is no safe default — pick exactly one. 
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler &lt;/tr&gt;&lt;/table&gt; </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/go-chi/chi/commit/3b171578ca44dfd75ca3c5cbddc7b44c600a7b49"><code>3b17157</code></a> feat: middleware.ClientIP, a replacement for middleware.RealIP (<a href="https://redirect.github.com/go-chi/chi/issues/967">#967</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/818fdcfc4786168651768377ba647cf9dd5b3953"><code>818fdcf</code></a> fix: set Request.Pattern from RoutePattern() (<a href="https://redirect.github.com/go-chi/chi/issues/1097">#1097</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/f975af0cb10cbefaccf0422385420fe62722d648"><code>f975af0</code></a> Fix typo in Route doc comment (<a href="https://redirect.github.com/go-chi/chi/issues/1073">#1073</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/4ef87eaf2cfb27d3126d48194e1a84806acc1aed"><code>4ef87ea</code></a> middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (<a href="https://redirect.github.com/go-chi/chi/issues/1085">#1085</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/a54874f0e2f12647a19e82ee70dfa8185014100c"><code>a54874f</code></a> Bump minimum Go to 1.23, always use request.Pattern (<a href="https://redirect.github.com/go-chi/chi/issues/1048">#1048</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/3328d4d3ab8a08547fa419ed657017355e6d3c4d"><code>3328d4d</code></a> Apply the stringscutprefix modernizer (<a href="https://redirect.github.com/go-chi/chi/issues/1051">#1051</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/be60b2ec5755a9072cdf27af3ba3034e84781d12"><code>be60b2e</code></a> Simplify chi.walk with 
slices.Concat (<a href="https://redirect.github.com/go-chi/chi/issues/1053">#1053</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/a36a925a6a195943ec104100d7d18757543e745f"><code>a36a925</code></a> Remove last uses of io/ioutil (<a href="https://redirect.github.com/go-chi/chi/issues/1054">#1054</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/7d93ee3e86b4d477c20d809c9b1ce9a281dfd706"><code>7d93ee3</code></a> add go 1.26 to ci (<a href="https://redirect.github.com/go-chi/chi/issues/1052">#1052</a>)</li> <li><a href="https://github.com/go-chi/chi/commit/903cff2596eac0f72538ac46d696058351f1c3fb"><code>903cff2</code></a> Propagate inline middlewares across mounted subrouters (<a href="https://redirect.github.com/go-chi/chi/issues/1049">#1049</a>)</li> <li>Additional commits viewable in <a href="https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0">compare view</a></li> </ul> </details> <br /> <details> <summary>Most Recent Ignore Conditions Applied to This Pull Request</summary> | Dependency Name | Ignore Conditions | | --- | --- | | github.com/go-chi/chi/v5 | [< 5.1, > 5.0.11] | </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-chi/chi/v5&package-manager=go_modules&previous-version=5.2.5&new-version=5.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent dc05a00 commit a239a22
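
The release notes quoted in the commit message say `RealIP` reads headers any client can supply and that the caller must pick a trust source explicitly. The sketch below is an added example, not chi's implementation and not code from this commit: it contrasts trusting the leftmost `X-Forwarded-For` entry with selecting by trusted-proxy count. The helper names and the counting convention (n trusted proxies means the n-th entry from the right) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// xffEntries flattens every X-Forwarded-For header line into one ordered list.
func xffEntries(h http.Header) []string {
	var out []string
	for _, line := range h.Values("X-Forwarded-For") {
		for _, p := range strings.Split(line, ",") {
			out = append(out, strings.TrimSpace(p))
		}
	}
	return out
}

// naiveLeftmost mirrors the unsafe pattern: trust the first XFF entry,
// which is whatever the client chose to send.
func naiveLeftmost(h http.Header) string {
	if e := xffEntries(h); len(e) > 0 {
		return e[0]
	}
	return ""
}

// rightmostByCount (hypothetical helper) takes the entry appended by the
// outermost of n trusted proxies: the n-th from the right. It fails closed
// when the list is shorter than n or the entry is not a valid IP.
func rightmostByCount(h http.Header, n int) (netip.Addr, bool) {
	e := xffEntries(h)
	if n < 1 || len(e) < n {
		return netip.Addr{}, false
	}
	addr, err := netip.ParseAddr(e[len(e)-n])
	return addr, err == nil
}

func main() {
	// Constructed request: the client forged "127.0.0.1"; one trusted proxy appended 203.0.113.7.
	h := http.Header{}
	h.Add("X-Forwarded-For", "127.0.0.1")
	h.Add("X-Forwarded-For", "203.0.113.7")
	ip, ok := rightmostByCount(h, 1)
	fmt.Println(naiveLeftmost(h), ip, ok)
}
```
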

2 files changed

Lines changed: 3 additions & 3 deletions

go.mod

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ module github.com/microsoft/retina
33
go 1.25.5
44

55
require (
6-
github.com/go-chi/chi/v5 v5.2.5
6+
github.com/go-chi/chi/v5 v5.3.0
77
github.com/google/uuid v1.6.0
88
github.com/prometheus/client_golang v1.23.2
99
github.com/spf13/cobra v1.10.2
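
Review bot: The bump of `github.com/go-chi/chi/v5` to v5.3.0 on the changed require line does not by itself close the RealIP spoofing advisories quoted in the commit message, because per those release notes `middleware.RealIP` is only marked deprecated and keeps working. If this module calls `middleware.RealIP` anywhere, follow up by switching to exactly one of `ClientIPFromHeader`, `ClientIPFromXFF` or `ClientIPFromXFFTrustedProxies`, whichever matches the deployment; if it does not call it, say so in the PR so the security relevance of the bump is on record. The release also raises chi's minimum Go to 1.23, which the `go 1.25.5` directive in this hunk already satisfies.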

go.sum

Lines changed: 2 additions & 2 deletions
@@ -606,8 +606,8 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
606606
github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
607607
github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
608608
github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
609-
github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
610-
github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
609+
github.com/go-chi/chi/v5 v5.3.0 h1:halUjDxhshgXHMrao5bB8eNBXo/rnzwr8m5m36glehM=
610+
github.com/go-chi/chi/v5 v5.3.0/go.mod h1:R+tYY2hNuVUUjxoPtqUdgBqevM9s9njzkTLutVsOCto=
611611
github.com/go-critic/go-critic v0.14.3 h1:5R1qH2iFeo4I/RJU8vTezdqs08Egi4u5p6vOESA0pog=
612612
github.com/go-critic/go-critic v0.14.3/go.mod h1:xwntfW6SYAd7h1OqDzmN6hBX/JxsEKl5up/Y2bsxgVQ=
613613
github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
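
Review bot: The context lines directly above the changed pair still carry `github.com/go-chi/chi v4.1.2+incompatible`, an older major line under a different module path that this v5 bump does not touch. A go.sum entry alone does not show the package is compiled in, so check with `go mod why -m github.com/go-chi/chi` whether anything reachable still imports it and, if so, whether that code uses `middleware.RealIP`. For the swapped pair itself, both the `h1:` and `/go.mod` lines for v5.3.0 are present as expected; running `go mod verify` in CI checks the downloaded module against them.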
