Skip to content

build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#2882

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0
Open

build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#2882
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table>

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 2, 2026
@codacy-production

codacy-production Bot commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 97d79e2 to 0f92dc7 Compare June 10, 2026 07:37
@rhafer

rhafer commented Jun 16, 2026

Copy link
Copy Markdown
Member

@dependabot recreate

@dependabot
build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0
9ac5ed9 
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 0f92dc7 to 9ac5ed9 Compare June 16, 2026 10:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhafer