build(deps): bump the go-deps group across 1 directory with 7 updates by dependabot[bot] · Pull Request #9 · MattJackson/basement

dependabot · 2026-05-30T15:18:21Z

Bumps the go-deps group with 6 updates in the / directory:

Package	From	To
github.com/aws/aws-sdk-go-v2	`1.41.7`	`1.41.12`
github.com/aws/aws-sdk-go-v2/config	`1.32.17`	`1.32.23`
github.com/aws/aws-sdk-go-v2/service/s3	`1.101.0`	`1.103.2`
github.com/go-chi/chi/v5	`5.2.5`	`5.3.0`
github.com/yuin/goldmark	`1.5.4`	`1.8.2`
golang.org/x/crypto	`0.51.0`	`0.52.0`

Updates github.com/aws/aws-sdk-go-v2 from 1.41.7 to 1.41.12

Commits

7146c2b Release 2026-06-04
5aef2fd Regenerated Clients
f94c044 Update API model
f00b205 bump to smithy-go v1.27.1 (#3434)
c4ad7de drop service/internal/benchmark (#3433)
91eca46 Release 2026-06-03.2
e9d9e15 Regenerated Clients
def6a3a Update API model
fa369bd Release 2026-06-03
960ee4d Regenerated Clients
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.23

Commits

7146c2b Release 2026-06-04
5aef2fd Regenerated Clients
f94c044 Update API model
f00b205 bump to smithy-go v1.27.1 (#3434)
c4ad7de drop service/internal/benchmark (#3433)
91eca46 Release 2026-06-03.2
e9d9e15 Regenerated Clients
def6a3a Update API model
fa369bd Release 2026-06-03
960ee4d Regenerated Clients
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/credentials from 1.19.16 to 1.19.22

Commits

7146c2b Release 2026-06-04
5aef2fd Regenerated Clients
f94c044 Update API model
f00b205 bump to smithy-go v1.27.1 (#3434)
c4ad7de drop service/internal/benchmark (#3433)
91eca46 Release 2026-06-03.2
e9d9e15 Regenerated Clients
def6a3a Update API model
fa369bd Release 2026-06-03
960ee4d Regenerated Clients
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.103.2

Commits

7146c2b Release 2026-06-04
5aef2fd Regenerated Clients
f94c044 Update API model
f00b205 bump to smithy-go v1.27.1 (#3434)
c4ad7de drop service/internal/benchmark (#3433)
91eca46 Release 2026-06-03.2
e9d9e15 Regenerated Clients
def6a3a Update API model
fa369bd Release 2026-06-03
960ee4d Regenerated Clients
Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

Use strings.ReplaceAll where applicable by @JRaspass in go-chi/chi#1046

Propagate inline middlewares across mounted subrouters by @LukasJenicek in go-chi/chi#1049

add go 1.26 to ci by @pkieltyka in go-chi/chi#1052

Remove last uses of io/ioutil by @JRaspass in go-chi/chi#1054

Simplify chi.walk with slices.Concat by @JRaspass in go-chi/chi#1053

Apply the stringscutprefix modernizer by @JRaspass in go-chi/chi#1051

Bump minimum Go to 1.23, always use request.Pattern by @JRaspass in go-chi/chi#1048

middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @alliasgher in go-chi/chi#1085

Fix typo in Route doc comment by @gouwazi in go-chi/chi#1073

fix: set Request.Pattern from RoutePattern() by @leno23 in go-chi/chi#1097

feat: middleware.ClientIP, a replacement for middleware.RealIP by @VojtechVitek in go-chi/chi#967

New Contributors

@LukasJenicek made their first contribution in go-chi/chi#1049

@alliasgher made their first contribution in go-chi/chi#1085

@gouwazi made their first contribution in go-chi/chi#1073

@leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)

GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)

GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

go-chi/chi#708

https://adam-p.ca/blog/2022/03/x-forwarded-for/

go-chi/chi#711

go-chi/chi#453

go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:
// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
f975af0 Fix typo in Route doc comment (#1073)
4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
3328d4d Apply the stringscutprefix modernizer (#1051)
be60b2e Simplify chi.walk with slices.Concat (#1053)
a36a925 Remove last uses of io/ioutil (#1054)
7d93ee3 add go 1.26 to ci (#1052)
903cff2 Propagate inline middlewares across mounted subrouters (#1049)
Additional commits viewable in compare view

Updates github.com/yuin/goldmark from 1.5.4 to 1.8.2

Release notes

Sourced from github.com/yuin/goldmark's releases.

v1.8.2

fix: setext headings positions

v1.8.1

fix: block positions

v1.8.0

feat: add position information to all nodes

add position information to all nodes, including inline nodes and link reference definition nodes.

Now link reference definition nodes are represented as a new node type.

Link and image nodes have a new field Reference which is a pointer to the reference link if this link is a reference link. This field is nil for non-reference links.

v1.7.17 release

Full Changelog: yuin/goldmark@v1.7.16...v1.7.17

v1.7.16 release

No release notes provided.

v1.7.15 release

No release notes provided.

v1.7.14 release

No release notes provided.

v1.7.13 release

No release notes provided.

v1.7.12 release

No release notes provided.

v1.7.11 release

No release notes provided.

v1.7.10 release

No release notes provided.

v1.7.9 release

No release notes provided.

v1.7.8 release

No release notes provided.

v1.7.7 release

No release notes provided.

v1.7.6 release

... (truncated)

Commits

379bf24 fix: setext headings positions
e8f2337 fix: block positions
dfa1ae1 feat: add position information to all nodes
cb46bbc fix: prevent XSS by escaping dangerous URLs in links and images
d8b123c refactor: simplify codes
db34c99 Merge pull request #535 from Sebbito/master
5a2a2bf Merge pull request #545 from maxatome/fix-table-panic
9aca462 fix(table): if table cell attribute is a string, a panic occurs
246a6f1 fix: #542
2589b6a fix: #541
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.51.0 to 0.52.0

Commits

a1c0d99 go.mod: update golang.org/x dependencies
3c7c869 ssh: fix deadlock on unexpected channel responses
533fb3f ssh: fix source-address critical option bypass
abbc44d ssh: fix incorrect operator order
e052873 ssh: fix infinite loop on large channel writes due to integer overflow
b61cf85 ssh: enforce user presence verification for security keys
9c2cd33 ssh: enforce strict limits on DSA key parameters
8907318 ssh: reject RSA keys with excessively large moduli
ffd87b4 ssh: fix panic when authority callbacks are nil
4e7a738 ssh: fix deadlock on unexpected global responses
Additional commits viewable in compare view

Bumps the go-deps group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.7` | `1.41.12` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.17` | `1.32.23` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.101.0` | `1.103.2` | | [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.2.5` | `5.3.0` | | [github.com/yuin/goldmark](https://github.com/yuin/goldmark) | `1.5.4` | `1.8.2` | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.51.0` | `0.52.0` | Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23) Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.16 to 1.19.22 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@credentials/v1.19.16...credentials/v1.19.22) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.101.0 to 1.103.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.101.0...service/s3/v1.103.2) Updates `github.com/go-chi/chi/v5` from 5.2.5 to 5.3.0 - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](go-chi/chi@v5.2.5...v5.3.0) Updates `github.com/yuin/goldmark` from 1.5.4 to 1.8.2 - [Release notes](https://github.com/yuin/goldmark/releases) - [Commits](yuin/goldmark@v1.5.4...v1.8.2) Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0 - [Commits](golang/crypto@v0.51.0...v0.52.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.20 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/aws/aws-sdk-go-v2/credentials dependency-version: 1.19.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.102.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/go-chi/chi/v5 dependency-version: 5.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/yuin/goldmark dependency-version: 1.8.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: golang.org/x/crypto dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-07T22:22:31Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 30, 2026

dependabot Bot requested a review from MattJackson as a code owner May 30, 2026 15:18

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 30, 2026

dependabot Bot force-pushed the dependabot/go_modules/go-deps-ad3ac9903d branch from 2665cfa to 95ba391 Compare June 6, 2026 15:17

dependabot Bot closed this Jun 7, 2026

dependabot Bot deleted the dependabot/go_modules/go-deps-ad3ac9903d branch June 7, 2026 22:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the go-deps group across 1 directory with 7 updates#9

build(deps): bump the go-deps group across 1 directory with 7 updates#9
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-deps-ad3ac9903d

dependabot Bot commented on behalf of github May 30, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Jun 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

Why a new middleware (not "fix RealIP in place")

The new API

v1.8.2

v1.8.1

v1.8.0

v1.7.17 release

v1.7.16 release

v1.7.15 release

v1.7.14 release

v1.7.13 release

v1.7.12 release

v1.7.11 release

v1.7.10 release

v1.7.9 release

v1.7.8 release

v1.7.7 release

v1.7.6 release

Uh oh!

dependabot Bot commented on behalf of github Jun 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 30, 2026 •

edited

Loading