[8.19](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

[mergify]

Bumps github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0.

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

This is an automatic backport of pull request #7100 done by [Mergify](https://mergify.com).

[mergify]

Cherry-pick of cfc9257 has failed:

On branch mergify/bp/8.19/pr-7100
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit cfc9257.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE-fips.txt
	modified:   NOTICE.txt
	modified:   go.sum

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

[github-actions]

TL;DR

Both failing Buildkite steps are blocked by an unresolved merge conflict committed into go.mod, so Go tooling cannot parse modules. Resolve the conflict markers in go.mod and re-run CI.

Remediation

• Resolve conflict markers in go.mod at the github.com/go-chi/chi/v5 / github.com/gofrs/uuid section (currently contains <<<<<<<, =======, >>>>>>>).
• Keep a single valid dependency set that matches the target branch imports, then regenerate module consistency if needed (go mod tidy / dependency update flow used in this repo) and re-run Buildkite.

Investigation details

Root Cause

The PR diff itself includes unresolved conflict markers in go.mod (introduced in this backport/cherry-pick), which makes go.mod syntactically invalid.

• go.mod in PR commit 07b28cdb2b8526f67a3e11fc035aabf6a16f8424 contains:
  • <<<<<<< HEAD
  • =======
  • >>>>>>> cfc9257 ...
• This appears in the dependency block around go.mod lines 15–21 in the failing file content.

Evidence

• Build: https://buildkite.com/elastic/fleet-server/builds/14882
• Jobs/steps:
  • Run check-ci (.buildkite/scripts/check_ci.sh)
  • Detect FIPS crypto imports (.buildkite/scripts/check_detect_fips_crypto.sh)
• Key log excerpt (both jobs):

go: errors parsing go.mod:
go.mod:15: malformed module path "<<<<<<<": invalid char '<'
go.mod:18: usage: require module/path v1.2.3
go.mod:21: usage: require module/path v1.2.3

Verification

• Not run locally (workflow is read-only and investigation-only); conclusion is based on PR diff and failing job logs.

Follow-up

After resolving go.mod, rerun the same Buildkite build; these two steps should unblock immediately if no additional issues exist.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• [8.19](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7106 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [8.19](backport #7100) build(deps): bump github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0 #7106 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[ebeahan]

@copilot fix the merge conflicts on this PR.

[Copilot]

@copilot fix the merge conflicts on this PR.

Fixed in commit 2f4974dc. The go.mod had unresolved conflict markers from the cherry-pick. Resolved by accepting github.com/go-chi/chi/v5 v5.3.0 (the purpose of this PR) while keeping github.com/gofrs/uuid v4.4.0+incompatible since the 8.19 branch code still uses the v4 import paths across ~24 files.