Releases: go-chi/chi
Release list
v5.3.1
What's Changed
- Honor Discard() in httpFancyWriter.ReadFrom by @DucMinhNe in #1110
- Tidy build directives by @JRaspass in #1113
- feat(middleware): add text/xml and application/xml to default compressible types by @VojtechVitek in #1127
- Fix defaultLogEntry.Panic not respecting NoColor setting by @doganarif in #1050
- middleware: document printPrettyStack and harden NoColor panic test by @VojtechVitek in #1131
- feat(mux): support http QUERY method ietf rfc10008 by @VojtechVitek in #1132
- ci: pin GitHub Actions to full commit SHAs by @XananasX7 in #1116
New Contributors
- @DucMinhNe made their first contribution in #1110
- @doganarif made their first contribution in #1050
- @XananasX7 made their first contribution in #1116
Full Changelog: v5.3.0...v5.3.1
v5.3.0
What's Changed
- Use strings.ReplaceAll where applicable by @JRaspass in #1046
- Propagate inline middlewares across mounted subrouters by @LukasJenicek in #1049
- add go 1.26 to ci by @pkieltyka in #1052
- Remove last uses of io/ioutil by @JRaspass in #1054
- Simplify chi.walk with slices.Concat by @JRaspass in #1053
- Apply the stringscutprefix modernizer by @JRaspass in #1051
- Bump minimum Go to 1.23, always use request.Pattern by @JRaspass in #1048
- middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @alliasgher in #1085
- Fix typo in Route doc comment by @gouwazi in #1073
- fix: set Request.Pattern from RoutePattern() by @leno23 in #1097
- feat: middleware.ClientIP, a replacement for middleware.RealIP by @VojtechVitek in #967
New Contributors
- @LukasJenicek made their first contribution in #1049
- @alliasgher made their first contribution in #1085
- @gouwazi made their first contribution in #1073
- @leno23 made their first contribution in #1097
SECURITY: middleware.ClientIP, a replacement for middleware.RealIP
@VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:
- GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in
RemoteAddrresolution (convto) - GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
- GHSA-3fxj-6jh8-hvhx — IP spoofing in
middleware.RealIP(Saku0512, Critical / 9.3)
It also addresses issues outlined at:
middleware.RealIP is deprecated in this PR with pointers to the new API.
The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.
Why a new middleware (not "fix RealIP in place")
RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.
The new API
Four middlewares, two accessors. Pick exactly one middleware based on your
infrastructure, read the result with one of the two accessors:
// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
func ClientIPFromRemoteAddr(h http.Handler) http.Handler
// Read the result.
func GetClientIP(ctx context.Context) string // for logs, rate-limit keys
func GetClientIPAddr(ctx context.Context) netip.Addr // for typed workExample usage:
// Pick a single ClientIP middleware based on your deployment
// Cloudflare.
r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP"))
// Nginx with ngx_http_realip_module.
r.Use(middleware.ClientIPFromHeader("X-Real-IP"))
// Apache with mod_remoteip.
r.Use(middleware.ClientIPFromHeader("X-Client-IP"))
// AWS CloudFront, or any proxy fleet with known CIDRs.
r.Use(middleware.ClientIPFromXFF(
"13.32.0.0/15", // CloudFront IPv4
"52.46.0.0/18", // CloudFront IPv4
"2600:9000::/28", // CloudFront IPv6
))
// Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools,
// ephemeral containers, dynamic CDN edges).
r.Use(middleware.ClientIPFromXFFTrustedProxies(2))
// Server directly on the public internet, no proxy in front.
r.Use(middleware.ClientIPFromRemoteAddr)And in your handler or downstream middleware:
clientIP := middleware.GetClientIP(r.Context())
// log it, use it as a rate-limit key, etc.Thanks to @adam-p, @c2h5oh, @rezmoss, @Saku0512, @convto, @Dirbaio, @jawnsy, @lrstanley, @mfridman, @n33pm, @pkieltyka for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR.
Full Changelog: v5.2.5...v5.3.0
v5.2.5
What's Changed
- Bump minimum Go to 1.22 and use new features by @JRaspass in #1017
- Refactor graceful shutdown example by @mikereid1 in #994
- Refactor to use atomic type by @cuiweixie in #1019
- update reverseMethodMap in RegisterMethod by @cixel in #1022
- Update comment about min Go version by @JRaspass in #1023
- middleware: harden RedirectSlashes handler by @pkieltyka in #1044
- Fix(middleware): Prevent double handler invocation in RouteHeaders with empty router by @mahanadh in #1045
New Contributors
- @mikereid1 made their first contribution in #994
- @cuiweixie made their first contribution in #1019
- @cixel made their first contribution in #1022
- @mahanadh made their first contribution in #1045
Full Changelog: v5.2.3...v5.2.5
v5.2.3
What's Changed
- Add pathvalue example to README and implement PathValue handler. by @catatsuy in #985
- Allow multiple whitespace between method & pattern by @JRaspass in #1013
- Avoid potential nil dereference by @ProjectMutilation in #1008
- feat(mux): support http.Request.Pattern in Go 1.23 by @Gusted in #986
- fix/608 - Fix flaky Throttle middleware test by synchronizing token usage by @OtavioBernardes in #1016
- Optimize throttle middleware by avoiding unnecessary timer creation by @vasayxtx in #1011
- Simplify wildcard replacement in route patterns by @srpvpn in #1012
- Replace methodTypString func with reverseMethodMap by @JRaspass in #1018
New Contributors
- @ProjectMutilation made their first contribution in #1008
- @Gusted made their first contribution in #986
- @OtavioBernardes made their first contribution in #1016
- @srpvpn made their first contribution in #1012
Full Changelog: v5.2.2...v5.2.3
v5.2.2
What's Changed
- Use strings.Cut in a few places by @JRaspass in #971
- Fix non-constant format strings in t.Fatalf by @JRaspass in #972
- Apply fieldalignment fixes to optimize struct memory layout by @pixel365 in #974
- go 1.24 by @pkieltyka in #977
- chore: delint ioutil usage by @costela in #962
- Fixed typo in Router interface definition by @mithileshgupta12 in #958
- Add support for TinyGo by @efraimbart in #978
- Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @cxjava in #982
- Make use of strings.Cut by @scop in #1005
- Change install command format to code block by @sglkc in #1001
- Correct documentation by @mrdomino in #992
Security fix
- Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
- a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
- reported by Anuraag Baishya, @anuraagbaishya. Thank you!
New Contributors
- @pixel365 made their first contribution in #974
- @mithileshgupta12 made their first contribution in #958
- @efraimbart made their first contribution in #978
- @cxjava made their first contribution in #982
- @sglkc made their first contribution in #1001
- @mrdomino made their first contribution in #992
Full Changelog: v5.2.1...v5.2.2
v5.2.1
⚠️ Chi supports Go 1.20+
Starting this release, we will now support the four most recent major versions of Go. See #963 for related discussion.
What's Changed
- Support the four most recent major versions of Go by @VojtechVitek in #969
Full Changelog: v5.2.0...v5.2.1
v5.2.0
What's Changed
- update credits section to link to goji license by @pkieltyka in #944
- go 1.23 by @pkieltyka in #945
- Make Context.RoutePattern() nil-safe by @gaiaz-iusipov in #927
- govet: Fix non-constant format string by @marcofranssen in #952
- Add
FindtoRoutesinterface by @joeriddles in #872 - Fix grammar error by @AntonC9018 in #917
feat(): add CF-Connecting-IP by @n33pm in #908Revert "feat(): add CF-Connecting-IP" by @VojtechVitek in #966
- Fixed incorrect comment about routing by @jtams in #887
- Fix condition in TestRedirectSlashes by @tchssk in #856
- middleware: Add strip prefix middleware by @m1k1o in #875
- Set up go module for
_examples/versionsby @hongkuancn in #948 - Ability to specify response HTTP status code for Throttle middleware by @vasayxtx in #571
- Support Content-Type headers with charset/boundary parameters by @GocaMaric in #880
- Fix
Mux.Findnot correctly handling nested routes by @joeriddles in #954 - fix(WrapResponseWriter): allow multiple informational statuses by @costela in #961
New Contributors
- @gaiaz-iusipov made their first contribution in #927
- @marcofranssen made their first contribution in #952
- @joeriddles made their first contribution in #872
- @AntonC9018 made their first contribution in #917
- @n33pm made their first contribution in #908
- @jtams made their first contribution in #887
- @tchssk made their first contribution in #856
- @m1k1o made their first contribution in #875
- @hongkuancn made their first contribution in #948
- @GocaMaric made their first contribution in #880
- @costela made their first contribution in #961
Full Changelog: v5.1.0...v5.2.0
v5.1.0
What's Changed
- middleware: add Discard method to WrapResponseWriter by @patrislav in #926
- Adds
Discard()method to themiddleware.WrapResponseWriterinterface. This is technically an API breaking change. However after some discussion at #926 (comment), we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.
- Adds
New Contributors
- @patrislav made their first contribution in #926
Full Changelog: v5.0.14...v5.1.0
v5.0.14
What's Changed
- middleware: fix typo in RealIP doc by @l2dy in #903
- reduce size of Context struct from 216 bytes to 208 bytes by @juburr in #912
- Avoid possible memory leak in compress middleware by @Neurostep in #919
- docs: Update stale links in docs for contributing by @Lutherwaves in #904
- Revert "Avoid possible memory leak in compress middleware" by @VojtechVitek in #924
New Contributors
- @l2dy made their first contribution in #903
- @juburr made their first contribution in #912
- @Neurostep made their first contribution in #919
- @Lutherwaves made their first contribution in #904
Full Changelog: v5.0.12...v5.0.14
v5.0.13
What's Changed
- middleware: fix typo in RealIP doc by @l2dy in #903
- reduce size of Context struct from 216 bytes to 208 bytes by @juburr in #912
- Avoid possible memory leak in compress middleware by @Neurostep in #919
New Contributors
- @l2dy made their first contribution in #903
- @juburr made their first contribution in #912
- @Neurostep made their first contribution in #919
Full Changelog: v5.0.12...v5.0.13