
chore(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0#4472

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026


Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler

... (truncated)

Commits

@dependabot dependabot Bot added area/dependencies Pull requests that update a dependency file dependency/go Pull requests that update Go code release-note/dependency-update Release note: Dependency Updates labels Jun 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 2, 2026 10:41
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from ed56627 to 631c9f0 on June 11, 2026 08:44
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 631c9f0 to 1c83d21 on June 11, 2026 09:07
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@chrisgacsal chrisgacsal force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 1c83d21 to 92d7ac1 on June 11, 2026 11:38
@chrisgacsal chrisgacsal force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 92d7ac1 to 2c1fa13 on June 11, 2026 11:49
@chrisgacsal chrisgacsal force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from 2c1fa13 to deb10c8 on June 11, 2026 11:51
@chrisgacsal chrisgacsal force-pushed the dependabot/go_modules/github.com/go-chi/chi/v5-5.3.0 branch from deb10c8 to 99b1a3f on June 11, 2026 12:40
greptile-apps Bot commented Jun 11, 2026


Greptile Summary

This PR bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 and adopts the new middleware.ClientIP* API introduced in that release, replacing the deprecated (and security-advisory-bearing) middleware.RealIP with a configurable, explicitly-opted-in IP resolution strategy.

  • Adds ClientIPMiddlewareConfig to ServerConfig, wired through the application graph, with a safe default of remote-address (socket peer — immune to header spoofing); operators who need XFF resolution must explicitly configure the new clientIPMiddleware block.
  • Replaces all middleware.RealIP usage in both the v1 and v3 router groups with the new configurable middleware, and updates GetRequestAttributes to read the resolved client IP via middleware.GetClientIPAddr for telemetry.

Confidence Score: 4/5

Safe to merge; the chi bump and ClientIP wiring are well-validated and the default remote-address source eliminates the IP-spoofing surface from the old RealIP middleware.

The core change is a careful, well-tested migration away from middleware.RealIP. The only finding is that the r.RemoteAddr fallback in GetRequestAttributes carries a host:port string into a semconv attribute that expects a bare IP, causing inconsistent observability data when GetClientIPAddr is not set.

pkg/server/attributes.go — the r.RemoteAddr fallback should strip the port before storing it in the network.peer.address attribute.

Important Files Changed

Filename Overview
pkg/server/attributes.go GetRequestAttributes now prefers middleware.GetClientIPAddr (IP-only string) over r.RemoteAddr for network.peer.address; fallback still stores host:port string, inconsistent with semconv expectation.
app/config/server.go Adds ClientIPMiddlewareConfig with validation that guards against chi panics (invalid CIDR prefixes via netip, TrustedProxies < 1); defaults to remote-address source.
app/common/server.go NewClientIPMiddleware wires the config to chi's new ClientIP* functions; named type wrapper prevents wire ambiguity.
openmeter/server/server.go Replaces middleware.RealIP with config.ClientIPMiddleware in both v1 and v3 router groups; adds Config.Validate() with nil-check guard.
app/config/server_test.go Comprehensive table-driven tests for ClientIPMiddlewareConfig.Validate() covering all sources, edge cases (leading-zero CIDR, X-Forwarded-For rejection, zero proxies).
app/common/server_test.go Integration tests driving requests through NewClientIPMiddleware for all sources; pins the TrustedIPPrefixes-over-TrustedProxies precedence behavior.
go.mod Version bump of go-chi/chi/v5 from 5.2.5 to 5.3.0.
collector/go.mod Version bump of go-chi/chi/v5 from 5.2.5 to 5.3.0 in the collector module.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[HTTP Request arrives] --> B[ClientIPMiddleware]
    B --> C{cfg.Source}

    C -->|remote-address| D[ClientIPFromRemoteAddr\nsocket peer only]
    C -->|header| E[ClientIPFromHeader\ncfg.Header]
    C -->|x-forwarded-for| F{TrustedIPPrefixes set?}

    F -->|yes| G[ClientIPFromXFF\ntrusted CIDR list]
    F -->|no| H[ClientIPFromXFFTrustedProxies\ncount = TrustedProxies]

    D --> I[IP stored in ctx via middleware.GetClientIPAddr]
    E --> I
    G --> I
    H --> I

    I --> J[middleware.RequestID]
    J --> K[GetRequestAttributes]
    K --> L{GetClientIPAddr valid?}
    L -->|yes| M[network.peer.address = IP only]
    L -->|no| N[network.peer.address = r.RemoteAddr\nhost:port fallback]

    M --> O[Handler]
    N --> O


Reviews (1): Last reviewed commit: "chore: review"

Comment thread pkg/server/attributes.go
Comment on lines +27 to +32
// Prefer the resolved client IP, falling back to the socket peer so telemetry
// never loses source attribution when client IP resolution fails closed.
peerAddr := r.RemoteAddr
if clientIP := middleware.GetClientIPAddr(ctx); clientIP.IsValid() {
peerAddr = clientIP.String()
}


P2 The fallback peerAddr = r.RemoteAddr stores a host:port string (Go's http.Request.RemoteAddr is always "IP:port"), while the OTel network.peer.address semconv expects a bare IP address. The happy-path value from clientIP.String() is already port-free, so the two branches are inconsistent and the fallback will produce malformed telemetry whenever the client-IP middleware is not in context.

Suggested change
// Prefer the resolved client IP, falling back to the socket peer so telemetry
// never loses source attribution when client IP resolution fails closed.
peerAddr := r.RemoteAddr
if clientIP := middleware.GetClientIPAddr(ctx); clientIP.IsValid() {
peerAddr = clientIP.String()
}
// Prefer the resolved client IP, falling back to the socket peer so telemetry
// never loses source attribution when client IP resolution fails closed.
peerAddr := r.RemoteAddr
if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
peerAddr = host
}
if clientIP := middleware.GetClientIPAddr(ctx); clientIP.IsValid() {
peerAddr = clientIP.String()
}
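Review bot: the suggested fallback calls net.SplitHostPort, but the suggestion shows no import block, so confirm that pkg/server/attributes.go already imports "net" before applying it. Second, the two-step assignment (peerAddr := r.RemoteAddr, then overwrite with host only when SplitHostPort succeeds) still leaves the raw value in peerAddr whenever parsing fails, so network.peer.address is a bare IP on the happy path but not guaranteed to be one on the error path; if the attribute must always be an IP, parse with netip.ParseAddrPort and omit the attribute when that fails. Third, the Important Files Changed table lists tests for the config validation and for requests going through NewClientIPMiddleware, but none for this GetRequestAttributes fallback path, which is the only branch the review flags; a test with no ClientIP middleware in the context and an IPv6 "[::1]:port" RemoteAddr would pin the fix.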

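The release notes above describe the trust model behind the new ClientIP API (pick exactly one source; there is no safe default), and the review thread flags the host:port fallback in the telemetry attribute. The following is an added example that is not chi's code and not this repository's: a standard-library-only Go sketch of the same model, with three sources (socket peer, X-Forwarded-For with trusted CIDR prefixes, X-Forwarded-For with a trusted-proxy count), a middleware that stores the result in the request context without touching r.RemoteAddr, and a telemetry helper that always yields a bare IP. Function names echo the ones in the release notes, but the signatures (netip.Prefix instead of string prefixes) and the fail-closed choices (unresolvable chains, every hop trusted, too few hops) are this example's own assumptions, not chi's documented behaviour; the addresses in the comments are constructed for illustration.

```go
package main

import (
	"context"
	"net/http"
	"net/netip"
	"strings"
)

// Source resolves the client address; the zero netip.Addr means "unresolved" (fail closed).
type Source func(r *http.Request) netip.Addr

// peerAddr parses "203.0.113.9:4444" or "[2001:db8::1]:443"; r.RemoteAddr is never modified.
func peerAddr(r *http.Request) netip.Addr {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}
	}
	return ap.Addr().Unmap()
}

// FromRemoteAddr trusts the TCP peer only: no client-supplied header can change it.
func FromRemoteAddr() Source { return peerAddr }

// hops is the X-Forwarded-For chain plus the socket peer as the last hop (client, ...,
// proxies, peer). Any malformed entry discards the whole chain rather than part of it.
func hops(r *http.Request) []netip.Addr {
	var chain []netip.Addr
	for _, h := range r.Header.Values("X-Forwarded-For") {
		for _, part := range strings.Split(h, ",") {
			a, err := netip.ParseAddr(strings.TrimSpace(part))
			if err != nil {
				return nil
			}
			chain = append(chain, a.Unmap())
		}
	}
	if p := peerAddr(r); p.IsValid() {
		return append(chain, p)
	}
	return nil
}

// FromXFFTrustedProxies skips n hops from the right (the peer is hop one) and takes the
// next; entries further left came from untrusted parties. Fewer than n+1 hops means
// the request bypassed the expected proxies, so it fails closed (assumed semantics).
func FromXFFTrustedProxies(n int) Source {
	return func(r *http.Request) netip.Addr {
		if chain := hops(r); n >= 1 && len(chain) > n {
			return chain[len(chain)-1-n]
		}
		return netip.Addr{}
	}
}

// FromXFF returns the rightmost hop outside every trusted prefix. A peer that is not a
// trusted proxy is itself the client, so a direct connection cannot inject entries.
func FromXFF(trusted ...netip.Prefix) Source {
	return func(r *http.Request) netip.Addr {
		chain := hops(r)
	next:
		for i := len(chain) - 1; i >= 0; i-- {
			for _, p := range trusted {
				if p.Contains(chain[i]) {
					continue next
				}
			}
			return chain[i]
		}
		return netip.Addr{} // every hop (or none) is a trusted proxy: fail closed (assumed)
	}
}

type ctxKey struct{}

// ClientIP stores the resolved address in the request context; r.RemoteAddr is left alone.
func ClientIP(src Source) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, src(r))))
		})
	}
}

// PeerAddress is the telemetry value: the resolved IP if valid, otherwise the socket peer
// with its port stripped, so both branches yield a bare address and never "host:port".
func PeerAddress(r *http.Request) string {
	if a, _ := r.Context().Value(ctxKey{}).(netip.Addr); a.IsValid() {
		return a.String()
	}
	if p := peerAddr(r); p.IsValid() {
		return p.String()
	}
	return r.RemoteAddr
}
```

Wire exactly one source into the router from configuration (for instance ClientIP(FromXFF(netip.MustParsePrefix("10.0.0.0/8"))) when the app sits behind a load balancer in that range) and read PeerAddress(r) inside handlers. With FromXFF, a request arriving directly from an untrusted peer resolves to that peer regardless of what X-Forwarded-For claims, and with FromXFFTrustedProxies the client's own forged entries sit left of the trusted hops and are never consulted; in both cases an unresolvable chain leaves the context empty and telemetry falls back to the port-stripped peer.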
