From 4e2ee7a4fd86fa92d8001c0aa2f70a9727e55fd9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 15:14:09 +0000
Subject: [PATCH 1/2] Bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
dependency-version: 5.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 199c8c8..976d0f1 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/git-pkgs/spdx v0.1.4
 github.com/git-pkgs/vers v0.2.6
 github.com/git-pkgs/vulns v0.1.5
- github.com/go-chi/chi/v5 v5.2.5
+ github.com/go-chi/chi/v5 v5.3.0
 github.com/jmoiron/sqlx v1.4.0
 github.com/lib/pq v1.12.3
 github.com/prometheus/client_golang v1.23.2
diff --git a/go.sum b/go.sum
index 23c3df7..340d964 100644
--- a/go.sum
+++ b/go.sum
@@ -272,8 +272,8 @@ github.com/git-pkgs/vulns v0.1.5 h1:mtX88/27toFl+B95kaH5QbAdOCQ3YIDGjJrlrrnqQTE=
 github.com/git-pkgs/vulns v0.1.5/go.mod h1:bZFikfrR/5gC0ZMwXh7qcEu2gpKfXMBhVsy4kF12Ae0=
 github.com/github/go-spdx/v2 v2.7.0 h1:GzfXx4wFdlilARxmFRXW/mgUy3A4vSqZocCMFV6XFdQ=
 github.com/github/go-spdx/v2 v2.7.0/go.mod h1:Ftc45YYG1WzpzwEPKRVm9Jv8vDqOrN4gWoCkK+bHer0=
-github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
-github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-chi/chi/v5 v5.3.0 h1:halUjDxhshgXHMrao5bB8eNBXo/rnzwr8m5m36glehM=
+github.com/go-chi/chi/v5 v5.3.0/go.mod h1:R+tYY2hNuVUUjxoPtqUdgBqevM9s9njzkTLutVsOCto=
 github.com/go-critic/go-critic v0.14.3 h1:5R1qH2iFeo4I/RJU8vTezdqs08Egi4u5p6vOESA0pog=
 github.com/go-critic/go-critic v0.14.3/go.mod h1:xwntfW6SYAd7h1OqDzmN6hBX/JxsEKl5up/Y2bsxgVQ=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=

From 609b511a2d249c77e89d502f3f371d3e397b5609 Mon Sep 17 00:00:00 2001
From: Andrew Nesbitt
Date: Sat, 6 Jun 2026 11:06:09 +0100
Subject: [PATCH 2/2] Drop deprecated middleware.RealIP

chi 5.3.0 deprecated middleware.RealIP because it trusts X-Forwarded-For, True-Client-IP, and X-Real-IP unconditionally, which is spoofable when the service is not strictly behind a trusted proxy (GHSA-3fxj-6jh8-hvhx, GHSA-rjr7-jggh-pgcp, GHSA-9g5q-2w5x-hmxf). The only consumer of r.RemoteAddr in this codebase is the request log; no auth, rate limiting, or other security decisions depend on it, so removing the middleware is safe. If we ever need real client IPs in logs behind an LB, add a trusted-proxy-aware middleware then.
---
 internal/server/server.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/internal/server/server.go b/internal/server/server.go
index 7de5041..7ed9075 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -173,7 +173,6 @@ func (s *Server) Start() error {
 // Add middleware
 r.Use(middleware.RequestID)
 r.Use(RequestIDMiddleware)
- r.Use(middleware.RealIP)
 r.Use(s.LoggerMiddleware)
 r.Use(middleware.Recoverer)
 r.Use(func(next http.Handler) http.Handler {