[9.4](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7104

Merged: swiatekm merged 2 commits into 9.4 from mergify/bp/9.4/pr-7100 on May 26, 2026

Conversation

@mergify mergify Bot commented May 25, 2026

Contributor

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler

... (truncated)

Commits

This is an automatic backport of pull request #7100 done by [Mergify](https://mergify.com).

* build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Post dependabot file modifications

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
(cherry picked from commit cfc9257)

# Conflicts:
#	go.mod
#	go.sum

@mergify mergify Bot requested a review from a team as a code owner May 25, 2026 12:25
@mergify mergify Bot requested review from swiatekm and ycombinator May 25, 2026 12:25
@mergify mergify Bot added the backport and conflicts (There is a conflict in the backported pull request) labels May 25, 2026
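
An added example, not code from chi or from this pull request: a standard-library sketch of the point the quoted release notes make, that the leftmost X-Forwarded-For entry is client-supplied, while an address chosen by walking right to left past explicitly trusted proxy prefixes is not. The function names and sample addresses are assumptions; chi's own ClientIPFromXFF may differ in detail.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// naiveClientIP takes the leftmost X-Forwarded-For entry, which the client controls.
func naiveClientIP(xff string) string {
	first, _, _ := strings.Cut(xff, ",")
	return strings.TrimSpace(first)
}

func inAny(a netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIPFromTrustedXFF (hypothetical name) starts at the socket peer and walks
// X-Forwarded-For right to left, returning the first address outside the trusted prefixes.
func clientIPFromTrustedXFF(remoteAddr, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	cur := peer.Addr().Unmap()
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0 && inAny(cur, trusted); i-- {
		next, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // empty or malformed entry: stop at the last hop a trusted proxy vouched for
		}
		cur = next.Unmap()
	}
	return cur, nil
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
	// Constructed sample: client 203.0.113.7 sent its own header value; proxy 10.0.0.5 appended the real peer.
	xff := "198.51.100.99, 203.0.113.7"
	ip, _ := clientIPFromTrustedXFF("10.0.0.5:41234", xff, trusted)
	fmt.Println("leftmost:", naiveClientIP(xff), "rightmost untrusted:", ip)
}
```

When the socket peer is not inside a trusted prefix the header is never read, so a direct connection cannot influence the result.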
mergify Bot commented May 25, 2026

Contributor Author

Cherry-pick of cfc9257 has failed:

On branch mergify/bp/9.4/pr-7100
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit cfc9257.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE-fips.txt
	modified:   NOTICE.txt

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@swiatekm

Member

@copilot fix the backport conflict.

Copilot AI commented May 25, 2026

Contributor

@copilot fix the backport conflict.

Fixed in commit f1a87bf. I resolved the backport conflict markers in go.mod and go.sum, kept the intended github.com/go-chi/chi/v5 bump to v5.3.0, and preserved the 9.4 branch’s unrelated dependency versions.

@swiatekm swiatekm enabled auto-merge (squash) May 25, 2026 13:05
@ebeahan

ebeahan commented May 26, 2026

Member

/test

@github-actions

Contributor

TL;DR

The Buildkite E2E step failed, but the available log is truncated to the final ~149 lines and does not include the first failing error, so the root cause cannot be proven from current artifacts. Immediate action is to rerun with full E2E output attached (or printed) and then fix based on the first failing line.

Remediation

  • Update the E2E CI step to upload build/test-e2e-*.out on failure (this file is written by mage test:e2e in magefile.go) and/or print the full file when go test exits non-zero.
  • Re-run the Buildkite job and use the first failure line in test-e2e-*.out to classify/fix (code bug vs flaky/infrastructure).
  • If the rerun points to a known flaky case, link it to an existing flaky-test issue; I checked open flaky-test issues and did not find one matching a concrete failing test name from this run.

Investigation details

Root Cause

No definitive root cause is visible in the provided Buildkite log artifact. The log ends with all listed subtests in TestStandAloneRunningSuite marked PASS, followed by package-level FAIL and exit status 1, but no preceding failing assertion/race/panic line is present in the available file.

Relevant code path for artifact generation:

  • magefile.go:2120-2173 (Test.E2eRun) writes build/test-e2e-<os>.out
  • magefile.go:1697-1728 (Test.JunitReport) converts build/*.out to JUnit XML
  • .buildkite/scripts/e2e_test.sh:16 runs mage test:e2e test:junitReport

Evidence

  • Build: https://buildkite.com/elastic/fleet-server/builds/14893
  • Job/step: E2E Test (.buildkite/scripts/e2e_test.sh)
  • Key log excerpt:
    • --- PASS: TestStandAloneRunningSuite ...
    • FAIL github.com/elastic/fleet-server/testing/e2e 1369.483s
    • Error: exit status 1
    • Artifact upload reported: No files matched paths: build/*.xml;build/e2e-coverage.out

Verification

  • Not run locally in this workflow (analysis-only context with pre-fetched Buildkite logs).

Follow-up

Once the full test-e2e-*.out content is available for this exact run, root-cause classification and concrete code-level remediation can be provided immediately.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

@swiatekm swiatekm merged commit 743db97 into 9.4 May 26, 2026
11 checks passed
@swiatekm swiatekm deleted the mergify/bp/9.4/pr-7100 branch May 26, 2026 20:57
Labels

automation, backport, conflicts (There is a conflict in the backported pull request), dependency, Team:Elastic-Agent-Control-Plane (Label for the Agent Control Plane team)
