Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

• 643da9b go.mod: update golang.org/x dependencies
• ccc3cdf zip: include 'but content has correct sum' note in TestVCS
• ab30318 zip: update zip hashes for new flate compression
• 03901d3 go.mod: update golang.org/x dependencies
• 1ac721d go.mod: update golang.org/x dependencies
• fb1fac8 all: upgrade go directive to at least 1.25.0 [generated]
• See full diff in compare view

• f33a730 windows: support nil security descriptor on GetNamedSecurityInfo
• 493d172 cpu: add runtime import in cpu_darwin_arm64_other.go
• 2c2be75 windows: use syscall.SyscallN in Proc.Call
• a76ec62 cpu: roll back "use IsProcessorFeaturePresent to calculate ARM64 on windows"
• See full diff in compare view

• 52b71d3 go.mod: update golang.org/x dependencies
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions